
Need ACL for Spam Scenario: receiving Spam from local mail accounts

Discussion in 'E-mail Discussions' started by fenixer, May 4, 2009.

  1. fenixer (Well-Known Member)
    Hello...

    I am trying to find a solution (via ACL) for a new spam scenario which has been breaking out since a week ago.

    Spam scenario: receiving emails to a local mail account, for example local@mail-account.tld, but the From is also local@mail-account.tld... the emails are obviously being sent using an external MTA (coming from the WAN)...

    It makes no sense for Exim to receive mails from X to X when X is a local account and the sending host is external...

    Well, I have to find the ACL for which:

    - if the email is not being received from localhost
    - if the domain is local
    - if the host is not in the relay list (the client is sending emails using SMTP auth)

    (and optionally, I guess, although it may not be necessary)
    - if mail from is the same as mail to

    - simple... the email is denied.

    I am not an expert at Exim ACLs, but I will try to get these rules working as soon as possible... When I do, I will publish them here.

    This post is for anyone who could help me somehow... thanks in advance... ;)
     
    #1 fenixer, May 4, 2009
    Last edited: May 4, 2009
  2. fenixer (Well-Known Member)
    Maybe something like this?

    Having these lists:

    ........... just under the sender-verifying ACLs...........

    Do you think it is good for this case and will not affect anything other than spam being sent using local mail addresses?
     
    #2 fenixer, May 4, 2009
    Last edited: May 4, 2009
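The rule fenixer sketches in the first post (deny when the recipient domain is local, the connection is neither from localhost nor a relay host nor authenticated, and the envelope sender is a local address), written out as an Exim ACL. This is an added example, not fenixer's own rules and not the lists from the second post. It assumes cPanel's list names `local_domains` and `relay_hosts` (rename them for other Exim configurations), and the `deny` is meant to sit in the RCPT ACL just after sender verification, where the second post places it. On cPanel, add it through WHM's Exim configuration editor rather than by hand-editing exim.conf, so that it survives cPanel's regeneration of that file.

```exim
# Added example ACL statement, not from the thread. List names local_domains
# and relay_hosts are assumed (cPanel's); place this in the RCPT ACL after
# sender verification.
deny
  message        = Rejected: $sender_address is a local address, but this \
                   connection is neither authenticated nor from a relay host
  log_message    = forged local sender $sender_address from $sender_host_address
  # the empty first item matches locally submitted mail (no remote host);
  # 127.0.0.1 covers scripts on this server that talk SMTP to the loopback
  !hosts         = : 127.0.0.1 : +relay_hosts
  # SMTP AUTH users are exempt whatever host they connect from
  !authenticated = *
  # recipient domain and envelope-sender domain are both hosted here;
  # bounces have an empty sender, never match sender_domains, and pass
  domains        = +local_domains
  sender_domains = +local_domains
  # optional extra check from the first post: sender identical to recipient.
  # Uncomment to narrow the rule to exactly that pattern.
  # condition    = ${if eq{${lc:$sender_address}}{${lc:$local_part@$domain}}}
```

What it costs: users who send mail from their local address without SMTP AUTH through their ISP's outbound relay will be rejected (that is the intent, but warn them first), and external forwarders that preserve the original envelope sender (a .forward at another provider, for example) will bounce mail that a local user sent to the forwarded address. It also does nothing against the case in the third post below, where the spam is injected from 127.0.0.1 by a script on the server itself; that host is deliberately excluded.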
  3. duranduran (Well-Known Member)
    I have the same problem here. See:

    1Mp4JR-0006yY-AQ-H
    mailnull 47 12
    <>
    1253383533 0
    -ident mailnull
    -received_protocol local
    -body_linecount 57
    -max_received_linelength 339
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    libro@tecniciencia.com

    157P Received: from mailnull by MYSERVERHOSTNAME with local (Exim 4.69)
    id 1Mp4JR-0006yY-AQ
    for libro@tecniciencia.com; Sat, 19 Sep 2009 15:05:33 -0300
    045 X-Failed-Recipients: oyefi2000@school.edu.ru
    029 Auto-Submitted: auto-replied
    068F From: Mail Delivery System <Mailer-Daemon@MYSERVERHOSTNAME>
    027T To: libro@tecniciencia.com
    059 Subject: Mail delivery failed: returning message to sender
    057I Message-Id: <E1Mp4JR-0006yY-AQ@MYSERVERHOSTNAME>
    038 Date: Sat, 19 Sep 2009 15:05:33 -0300

    Data spool file

    1Mp4JR-0006yY-AQ-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    oyefi2000@school.edu.ru
    The mail server could not deliver mail to oyefi2000@school.edu.ru. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <libro@tecniciencia.com>
    Received: from localhost ([127.0.0.1]:57675 helo=MYSERVERHOSTNAME)
    by MYSERVERHOSTNAME with smtp (Exim 4.69)
    (envelope-from <libro@tecniciencia.com>)
    id 1Mp4JQ-0006xm-MZ
    for oyefi2000@school.edu.ru; Sat, 19 Sep 2009 15:05:32 -0300
    Date: Sat, 19 Sep 2009 15:05:32 +0300
    To: <oyefi2000@school.edu.ru>
    Reply-To: <libro@tecniciencia.com>
    From: <libro@tecniciencia.com>
    Subject: интеллектуалы
    Message-ID: <01CA3953.14336732@MYSERVERHOSTNAME>
    X-Priority: 3 (Normal)
    Content-Type: multipart/alternative;
    boundary="----01CA396C302F2FE1"
    X-ACL-Warn: {

    ------01CA396C302F2FE1
    Content-Type: text/plain; charset=windows-1251
    Content-Transfer-Encoding: 8bit


    This is being sent by a spammer script on my server, but where and who?
    This is a bounce message.
     
  4. rodstewart (Active Member, Hamburg, Germany)
    Hello...

    We have had the same problem for a few weeks.

    You should check for a CGI script.
    In most cases the spammers have transferred the CGI script over FTP, then run the script, and then deleted it.

    So please check your logs for a suspect CGI upload at the time (19 Sep) the email was sent from your server.

    Normally you should only need to check /var/log/messages:
    Code:
    grep UPLOAD /var/log/messages
    If you find a suspect script, take a look at all activities of that user:
    Code:
    grep pure-ftpd /var/log/messages | grep cpanelusername
    Additionally:
    To list all running CGI processes, run:
    Code:
    ps auxwf | grep cgi
    If that does not help, feel free to contact me.
    regards
    Sven
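The procedure rodstewart describes (find FTP uploads in the minutes before the spam left the server, then pull everything that account did over FTP) as an added shell example; it is not code from the thread. It runs against a constructed /var/log/messages excerpt: the pure-ftpd line format it assumes (`pure-ftpd: (user@ip) [NOTICE] /path uploaded ...`), the account names and the client addresses are assumptions, not data from the page, and the match on "upload" is case-insensitive because the exact wording depends on how pure-ftpd logging is configured. The time used for the worked run, 15:05 on 19 Sep, is the one in duranduran's Received header. Point `uploads_before` at the real /var/log/messages to use it on a live box.

```shell
#!/bin/sh
# Added example, not from the thread: correlate a spam timestamp with FTP
# uploads in /var/log/messages, then list the uploading account's FTP activity.
# Assumed log format (pure-ftpd via syslog), constructed sample data.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 19 14:58:02 MYSERVERHOSTNAME pure-ftpd: (?@198.51.100.23) [INFO] New connection from 198.51.100.23
Sep 19 14:58:03 MYSERVERHOSTNAME pure-ftpd: (?@198.51.100.23) [INFO] acct1 is now logged in
Sep 19 14:58:09 MYSERVERHOSTNAME pure-ftpd: (acct1@198.51.100.23) [NOTICE] /home/acct1//public_html/cgi-bin/sm.cgi uploaded  (8412 bytes, 61.20KB/sec)
Sep 19 15:01:40 MYSERVERHOSTNAME pure-ftpd: (acct2@192.0.2.10) [NOTICE] /home/acct2//public_html/images/logo.png uploaded  (1200 bytes, 12.00KB/sec)
Sep 19 15:07:15 MYSERVERHOSTNAME pure-ftpd: (acct1@198.51.100.23) [DEBUG] Command [DELE] [sm.cgi]
Sep 19 15:07:16 MYSERVERHOSTNAME pure-ftpd: (acct1@198.51.100.23) [INFO] Logout.
Sep 20 09:12:00 MYSERVERHOSTNAME pure-ftpd: (acct1@198.51.100.23) [NOTICE] /home/acct1//public_html/cgi-bin/sm.cgi uploaded  (8412 bytes, 61.20KB/sec)
EOF

# uploads_before LOG "Mon DD" HH MM WINDOW_MIN
# Print pure-ftpd upload records on that day, at most WINDOW_MIN minutes
# before HH:MM (the time the spam was handed to Exim).
uploads_before() {
    awk -v day="$2" -v hh="$3" -v mm="$4" -v w="$5" '
        BEGIN { t = hh * 60 + mm }
        /pure-ftpd:/ && tolower($0) ~ /upload/ && ($1 " " $2) == day {
            split($3, hms, ":")
            m = hms[1] * 60 + hms[2]
            if (m <= t && t - m <= w) print
        }' "$1"
}

# script_uploads: from upload records on stdin, keep files that can execute
# (CGI, Perl, PHP, shell); an image upload is not a spam script.
script_uploads() {
    grep -Ei '\.(cgi|pl|php|sh)[[:space:]].*upload'
}

# ftp_user_of: extract the account name from "(user@ip)" on stdin.
ftp_user_of() {
    sed -n 's/.*pure-ftpd: (\([^@)]*\)@.*/\1/p'
}

# ftp_activity LOG USER: every pure-ftpd record for that account. The
# upload, run, delete pattern from the post shows up as STOR/upload
# followed shortly by DELE.
ftp_activity() {
    grep "pure-ftpd: ($2@" "$1"
}

# Worked run: spam left at 15:05 on Sep 19; look ten minutes back.
suspect_line=$(uploads_before "$SAMPLE_LOG" "Sep 19" 15 5 10 | script_uploads)
suspect_user=$(printf '%s\n' "$suspect_line" | ftp_user_of)
echo "suspect upload: $suspect_line"
echo "--- all FTP activity for $suspect_user ---"
ftp_activity "$SAMPLE_LOG" "$suspect_user"
```

The window is deliberately small: a script that is uploaded, run and deleted usually lives for minutes, so widen it only if the first pass finds nothing, and check the same account's other upload times too, since the sample shows the same file coming back the next day.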
     