How To Disable AuthRelay in Exim to block Spammers

BlackRain

Well-Known Member
May 28, 2003
51
0
156
USA
cPanel Access Level
Root Administrator
Server Setup: cPanel 11.25.0-C42399 - WHM 11.25.0 - X 3.9, CENTOS 5.4, PHP 5.3.1, Exim 4.69-23.1, CSF Firewall, Mailscanner/MSFE.

Problem: Spammers are finding a way to AUTH RELAY spam with BCC multiple recipients through our server on domains that have no email accounts.

Example of spammer attempt:

2010-01-08 13:32:28 [23527] 1NTOJg-00067T-FN <= [email protected] H=host.SPAMMER.net ([10.97.XX.XXX]) [SPAMMERIPADDRESS]:38538 I=[OURIPADDRESS]:25 P=esmtpa A=fixed_login:user S=3893 [email protected] T="Your Response is Needed" from <[email protected]> for [email protected] [email protected] [email protected] [email protected]
Note the fixed_login part. We have NO email accounts on this domain. How could it be a fixed log in?

Fixes used : Enabled most Exim security options via Cpanel/WHM. Changed domain passwords. We added log_selector = +all and host_lookup = 0.0.0.0/0 to the exim.conf. SPF, rDNS, Domainkeys installed. Tested our IP's at abuse.net to make sure we were not an open relay.

Reviewed logs to make sure no one but our IP has logged into the server, Cpanel, or domains.

The only way we can block these attempts currently is to rate limit AUTH RELAY in CSF Firewall to "0".

I know that standard line is that Exim is not setup to relay mail by default but spammers have figured out a way.

Any ideas?
 
Last edited: