is there some vulnerability with exim?

Discussion in 'General Discussion' started by matt621, Mar 11, 2004.

  1. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Yesterday I got 2 spamcop reports. The account ID in the notice was one of my accounts, not a client's. I know I didn't spam. Then this morning, exim got shut down and restarted.

    Is there some vulnerability being used to send spam through exim maybe? Anyone else notice something like this?
     
  2. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Yes, there is a vulnerability, because the standard cpanel/exim configuration does not require authorization to send out emails. So basically, if I know your email address I can send out hundreds of emails with your from address from your account without needing to know your password!
     
  3. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    How can that be? If it were true, there'd be zillions of spams going through all exim boxes. Email addresses are easy to find, and a search by domain is child's play. In fact, the login is easy to find, because I know those accounts fill with spam within days of going live.

    Every cpanel/exim box out there would be a huge liability.

    If it's as easy as you say, then how come it's only now I'm getting a few spamcop reports? How do we resolve the problem?

    Thank you for your reply.
     
  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Prove it.

    Big words don't help. They only cause panic over nothing.
     
  5. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    That's a load of BS. It supports pop3 over SMTP. If you don't know what that means, maybe those silly initials in your signature really are as meaningless as most of us think they are.
     
  6. inogenius

    inogenius Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Cleveland, Ohio
    cPanel Access Level:
    DataCenter Provider
    It can be done, but anyone with a clue would realize that the headers tell the real truth. And the real truth would show that it wasn't actually sent from your server.
     
  7. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16

    I'm not an expert at reading headers. But spamcop identified us as the sender. Here is what they sent:

    Spam Cop Complaint about spam coming from your server, and this is an automated forward of that complaint. You need to take care of this issue, remove the spammer, and communicate with Spam Cop letting them know what you have done. You do not need to email us about this issue; we are just the messenger. If the spam persists we will email you directly. Also, please do not reply to this message because we won't get it and it will keep looping back to you. Thanks for your prompt attention to this matter, as we have a zero tolerance policy for spam.

    [ SpamCop V1.3.4 ]
    This message is brief for your comfort. Please use links below for details.

    Email from [Our IP Number] / Wed, 10 Mar 2004 14:25:54 -0500
    http://www.spamcop.net/w3m?(msg ID0)

    [ Offending message ]
    Return-Path:
    Received: from str-d09.mail.aol.com (str-d09.mail.aol.com [172.18.176.132]) by air-yj02.mail.aol.com (v98.10) with ESMTP id MAILINYJ22-ae8f404f6f96237; Wed, 10 Mar 2004 14:42:16 -0500
    Received: from rly-xk06.mx.aol.com (rly-xk06.mail.aol.com [172.20.83.44]) by str-d09.mail.aol.com (v92.16) with ESMTP id RELAYIN2-3404f6bf92d5; Wed, 10 Mar 2004 14:26:49 -0500
    Received: from server.ourdomain.com (our IP No) by rly-xk06.mx.aol.com (v98.5) with ESMTP id MAILRELAYINXK64-732404f6bb6254; Wed, 10 Mar 2004 14:25:54 -0500
    Received: from (my login id) by server.ourdomain.com with local (Exim 4.24)
    id 1B19KR-0001Gz-2y; Wed, 10 Mar 2004 12:25:19 -0700
    To: x
    From: HotInvestments949@enternet.com
    X-AOL-ORIG-From:
    To: x
    From: HotInvestments949@enternet.com
    Content-Type: multipart/alternative; boundary=mSCFRaGHruP
    Subject: Stocks to Own for Year End QaZs Z P1o kqicF FVebi E2dt4G C YIq YJJ
    Message-Id:
    Date: Wed, 10 Mar 2004 12:25:19 -0700
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.ourdomain.com
    X-AntiAbuse: Original Domain - aol.com
    X-AntiAbuse: Originator/Caller UID/GID - [32163 32163] / [47 12]
    X-AntiAbuse: Sender Address Domain - server.ourdomain.com
    X-AOL-IP: 172.18.176.132
    X-AOL-SDI: PROFILE
    X-Mailer: Unknown (No Version)


    --mSCFRaGHruP
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit


    --mSCFRaGHruP
    Content-Type: text/html
    Content-Transfer-Encoding: quoted-printable

    B*** URGENT INVESTOR TRADING ALERT *=
    **


    I left the other IP numbers in there because they are not ours. I bolded where my info was. So does the above indicate the spam originated with my server?
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Who has user id 32163?
     
  9. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    I have no idea. It's certainly not an account ID. Cpanel won't take a user id beginning with a number.
     
  10. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Okay, I figured out how this happened.

    The original spammer used an email address of mine that I killed (because I was getting too much spam on it).

    I removed it. But the spam went to it. And the server bounced the spam, and in doing so, it put my login ID @ server.ourdomain.com as the from. But that message went back to the "from" of the original email, which turned out to be an AOL account. The AOL idiot reported it as "Spam", and Spamcop then sent me a notice.

    This is just insanity. I get rid of a 3 year old email address because it's getting hundreds of spams a day, and then it turns out that deleting that email address winds up getting me accused of spamming!

    Does anyone know what I need to change to prevent this from happening?
     
  11. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    No, check /etc/passwd and find out which username is mapped to that UID. Look for which line has that number on it.
     
  12. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Yes, thanks. I looked that up and it's me, my admin for that domain/account. I think the above "spam bounce spam" scenario is what happened.
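A small triage helper for the kind of report quoted earlier in the thread, added here as an example (it is not code from the thread or from cPanel): it walks the Received chain from the bottom up, flags a first hop recorded as `with local`, which in Exim means the message was handed over by a local process rather than received over SMTP from another host, and resolves the UID in the X-AntiAbuse header against a passwd file, which is the lookup nickn describes. The headers and passwd lines are constructed; `server.ourdomain.com`, the IP and `adminuser` are placeholders.

```python
import re

# Constructed sample modelled on the SpamCop report quoted in this thread;
# server.ourdomain.com, the IP and 'adminuser' are placeholders, newest hop first.
SAMPLE = """\
Received: from server.ourdomain.com (192.0.2.10) by rly-xk06.mx.aol.com with ESMTP id MAILRELAYINXK64-732404f6bb6254; Wed, 10 Mar 2004 14:25:54 -0500
Received: from adminuser by server.ourdomain.com with local (Exim 4.24)
\tid 1B19KR-0001Gz-2y; Wed, 10 Mar 2004 12:25:19 -0700
From: HotInvestments949@enternet.com
X-AntiAbuse: Originator/Caller UID/GID - [32163 32163] / [47 12]
"""
# Constructed /etc/passwd excerpt for the UID lookup nickn suggests.
PASSWD = "mailnull:x:47:47::/var/spool/exim:/sbin/nologin\nadminuser:x:32163:32163::/home/adminuser:/bin/bash\n"

HOP = re.compile(r"^Received:\s+from\s+(\S+)(?:\s+\([^)]*\))?\s+by\s+(\S+).*?\bwith\s+(\S+)", re.I)
UID = re.compile(r"^X-AntiAbuse:\s+Originator/Caller UID/GID - \[(\d+)", re.I)

def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(raw):
    """Hops oldest-first: the bottom Received header is where the message entered the mail system."""
    hops = [m.groups() for m in map(HOP.match, unfold(raw)) if m]
    return [{"from": f, "by": b, "with": w.lower()} for f, b, w in reversed(hops)]

def origin(raw):
    """First hop plus a flag: 'with local' means Exim on 'by' took the message from a
    local process (script, forwarder, bounce handler), not from an outside host over SMTP."""
    first = received_chain(raw)[0]
    first["locally_injected"] = first["with"] == "local"
    return first

def originator_uid(raw):
    """UID recorded in cPanel's X-AntiAbuse Originator/Caller header, or None."""
    hits = [m.group(1) for m in map(UID.match, unfold(raw)) if m]
    return int(hits[0]) if hits else None

def resolve_uid(uid, passwd_text=PASSWD):
    """Map a numeric UID to its login name, as a look through /etc/passwd would."""
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) > 2 and fields[2] == str(uid):
            return fields[0]
    return None
```

For the sample, `origin(SAMPLE)` reports a locally injected first hop on `server.ourdomain.com` and `resolve_uid(originator_uid(SAMPLE))` returns `adminuser`, which narrows the search to that account rather than to an outside relay.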
     
  13. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Hello LS_Drew,
    Thanks for the personal attack. Using words like BS in a forum is always a wonderful way to contribute to the real discussion and the problem at hand. And if you think that my initials are meaningless, so be it; just speak for yourself and not others!
    And please tell me what pop3 OVER SMTP is. I have never heard of such a thing, but I am sure, since you do not care about initials, you know so much more than I do. Please tell me, I am curious how I could miss this new protocol!
    I do know SMTP after POP though, just in case you got a little confused.

    Anyway, SMTP after POP is unsafe, as pointed out in many articles on the net, simply because it gives the POP-connecting IP authorization to send by SMTP for a certain period of time. If that IP is shared, for example on networks that go through NAT, then the mail server is wide open to be abused. Another problem is the fact that most Outlook clients have a problem with SMTP after POP and create error messages if the connection relies on it.

    Proper authentication never relies on another mechanism; it uses a challenge and response over the same transport, as SMTP AUTH does, for example.
    It would be simple to implement and enforce SMTP AUTH in every standard exim/cpanel installation to make sure others cannot piggyback on mail accounts. It would also further restrict the use of outgoing SMTP to exactly the authorized account.
    There is documentation out there on how Exim can handle this, and it is up to the cpanel team (Nick?) to implement this to further secure the SMTP mechanism in cpanel.
     
  14. nettigritty

    nettigritty Well-Known Member
    PartnerNOC

    Joined:
    Jan 21, 2004
    Messages:
    194
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bangalore, India
    Very true! With the number of shared-IP cable internet providers now, POP before SMTP is starting to seem like a bad idea. How does one turn this off in cpanel?
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Posted the solution in the other thread where you asked the exact same question.
     
  16. nettigritty

    nettigritty Well-Known Member
    PartnerNOC

    Joined:
    Jan 21, 2004
    Messages:
    194
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bangalore, India
  17. Host4u2

    Host4u2 Well-Known Member

    Joined:
    Mar 24, 2002
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    Hacked Headers

    We resolved the entire issue of Hacked Headers using AuthSMTP with great success :)
     
  18. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Can you expand on this? Do you mean you stopped the SMTP after POP function by editing the antirelayd?
     
  19. Host4u2

    Host4u2 Well-Known Member

    Joined:
    Mar 24, 2002
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    First, I edited my /usr/sbin/antirelayd and changed the line: "$exptime = (time() - (60*30));" (no quotes) to read "$exptime = (time() - (60*5));" (no quotes).

    Then, also via SSH, I typed: "chattr +i /usr/sbin/antirelayd" (no quotes) to prevent upcp from overwriting it.

    Then, I proceeded to edit my "/etc/exim.conf" and commented out "accept hosts = +relay_hosts" (so it looks like this: "#accept hosts = +relay_hosts", no quotes). NOTE: Make your changes to exim.conf through WHM. Otherwise they will get overwritten when WHM rebuilds exim.conf. You will find it in Advanced Mode, under "begin acl" within the scroll box.

    Then I restarted Exim, and POP3, and that did it.

    Clients now only need to change their email client to use Server Authentication to send email via SMTP outside my server realm.

    I've posted a snapshot for configuring Outlook Express for my clients at http://demo123.net/smtp.html for those needing this help.

    See the original thread at: http://forums.cpanel.net/showthread.php?t=14210&highlight=authsmtp
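To make the two objections concrete, here is a small Python model of the relay decision the thread argues about (cyberspirit's NAT point earlier, and the antirelayd expiry and `accept hosts = +relay_hosts` changes in this post), added as an illustration and not code from cPanel, antirelayd, Exim or the thread. It assumes `accept authenticated = *` as the standard Exim SMTP AUTH rule that stays in the ACL, and uses placeholder IPs and times.

```python
# Constructed model of the relay decision this thread argues about; not code
# from cPanel, antirelayd or Exim. Times are seconds; IPs are placeholders.
EXPTIME_DEFAULT = 60 * 30   # antirelayd's stock window, as quoted in the post
EXPTIME_SHORT = 60 * 5      # the shortened window Host4u2 set

def pop_login(relay_hosts, client_ip, now):
    """antirelayd-style grant: a POP login records the client's IP and time."""
    relay_hosts[client_ip] = now

def in_relay_hosts(relay_hosts, client_ip, now, window):
    """The +relay_hosts hostlist: the IP qualifies if it POPped within window."""
    seen = relay_hosts.get(client_ip)
    return seen is not None and now - seen < window

def acl_check_rcpt(relay_hosts, client_ip, authenticated, now, window, pop_before_smtp):
    """RCPT to a remote domain, in ACL order:
       accept authenticated = *     (standard Exim SMTP AUTH rule, assumed kept)
       accept hosts = +relay_hosts  (the line Host4u2 commented out; applied only
                                     while pop_before_smtp is True)
       otherwise the default 'relay not permitted' denial."""
    if authenticated:
        return "accept"
    if pop_before_smtp and in_relay_hosts(relay_hosts, client_ip, now, window):
        return "accept"
    return "relay not permitted"

def nat_scenario(window, pop_before_smtp, minutes_later, b_authenticates=False):
    """cyberspirit's case: clients A and B sit behind one NAT address. A logs in
    over POP at t0; B, who never POPped, tries to relay minutes_later."""
    relay_hosts = {}
    nat_ip = "203.0.113.7"          # RFC 5737 documentation address
    t0 = 1_000_000
    pop_login(relay_hosts, nat_ip, t0)
    return acl_check_rcpt(relay_hosts, nat_ip, b_authenticates,
                          t0 + minutes_later * 60, window, pop_before_smtp)

if __name__ == "__main__":
    for label, args in {
        "stock 30-min window, B 10 min later": (EXPTIME_DEFAULT, True, 10),
        "5-min window, B 10 min later": (EXPTIME_SHORT, True, 10),
        "5-min window, B 2 min later": (EXPTIME_SHORT, True, 2),
        "relay_hosts rule removed, B unauthenticated": (EXPTIME_SHORT, False, 2),
        "relay_hosts rule removed, B uses SMTP AUTH": (EXPTIME_SHORT, False, 2, True),
    }.items():
        print(f"{label}: {nat_scenario(*args)}")
```

Shortening the window only narrows the exposure (B still relays within five minutes of A's login); removing the `+relay_hosts` rule closes it, and only a client that authenticates over SMTP is accepted.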
     