JamesCTotalWeb

Well-Known Member
Mar 20, 2005
64
0
156
cPanel Access Level
Root Administrator
Hello one and all, I don't post here much (well, hardly ever), but anyway for the last 3 days we have been under attack: IPs from all over being used to relay through our mail server.

These emails just get stuck in queue and never go anywhere. They are not sent to any of the domains we host and for the most part they are sent to a domain that does not even resolve to anywhere.

Well, after long, long hours of tweaking the Exim config I found this line:

accept hosts = +skipsmtpcheck_hosts

Now when I comment this out the emails stop making it to the queue, but the attack is still going on. So my question is: what is this line used for, and why is it letting other bogus users relay through the mail server?

Any help would be appreciated.
 

JamesCTotalWeb

> that line (AFAIK) is used for whitelisted IPs and users of pop-before-relay
>
> by the looks of it, you have a compromised account on your server

Well, I suggest people beware of it because it was letting all sorts of people relay through Exim.
 

JamesCTotalWeb

> if that is the case on your server then you have a compromised account, it doesn't allow unauthenticated/unwhitelisted users to relay, so you have a problem user somewhere....

Well, I beg to differ with you nick666: the emails were not going anywhere, they just got frozen in queue, but Exim was not rejecting them till I removed that line in the config file. Once it was removed the relay was denied like always.
 

nickp666

Well-Known Member
Jan 28, 2005
769
2
168
/dev/null
> Well, I beg to differ with you nick666: the emails were not going anywhere, they just got frozen in queue, but Exim was not rejecting them till I removed that line in the config file. Once it was removed the relay was denied like always.

Well then you are an idiot for not investigating this further; no mail server should accept, let alone queue, mail from unauthenticated users....
 

JamesCTotalWeb

> Well then you are an idiot for not investigating this further; no mail server should accept, let alone queue, mail from unauthenticated users....

Well, thank you for so much help nick666 ...... I have been digging through the server for 4 days and have also had 3 other admins looking through it too, and guess what: nothing, just bounced emails in the queue (before I removed that line). Since then nothing; the emails have been refused on connection.

So before you jump the gun and start name calling, ask a simple question like "have you looked or had someone else look", or maybe even give a few suggestions of what you may think the problem is.

If I wanted to hear the childish bull **** (such as name calling) I would go over to WHT.

All I wanted to know is what that line was all about, seeing how I have never noticed it before in the Exim config file.
 

nickp666

I didn't actually mean to flame, but tbh you obviously have no clue what the problem is, and telling me that you beg to differ that there is something fundamentally wrong when your server is clearly accepting e-mail for outbound relay just annoyed me. So apologies for calling you an idiot, but you really do need to have a proper look at it; removing the line is not really the solution. I would suggest getting someone with some experience of locating issues like that in to look at it; chirpy (on this forum) would get my recommendation, his company configserver have done us no wrong in the past.
 

JamesCTotalWeb

Well, just to let everyone know what happened: Exim just choked on an update ...... the custom ACL rules had issues with the default rules, so when I did a cPanel upgrade I neglected to take a close look at the Exim configuration. It had a warning that there was an issue and that I should revert to the default settings, then add whatever custom ACL rules back.

In a panic I started making changes to the ACL rules at the very same time I reverted to the default ACL rules (that's when I found "accept hosts = +skipsmtpcheck_hosts"), which I had not noticed before, so it just looked like this rule caused the trouble.

After a long and hard look at the server I added the rules back and the emails did not come back.

Just so everyone understands, Exim was not delivering any emails that were not from legit users; it just stored them in the queue trying to figure out what to do with them. All the emails that were stuck in the queue were incoming emails with 10 or 15 bogus email addresses and one wrong email address to a few of the sites hosted on the server. The total emails added up to 61440 emails in less than 8 hours .... LFD was blocking each IP after 10 (this is the setting we have for relay), so you can just do the math as to how many IPs were being blocked by the minute .......

I suggest everyone try chirpy's CSF and LFD because it stood toe to toe with this and we never really saw any load issues the whole time the attack was going on.

So anytime someone just jumps in and says "you have a compromised account", don't jump and have your OS reloaded or pay someone $100's just to tell you to click 3 buttons in WHM; take the time to look and see what the real issue is. Then go from there with a fix ...... With that said, I will now return to my read-only trolling and think twice before I post a question here ......... it is much nicer just googling for the answers that explain the real issues vs. coming here and getting bashed by those who think they know it all.
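As an added illustration (not code from the thread, from cPanel or from CSF/LFD), here is a small Python parser that counts relay-denied RCPT attempts per connecting IP in Exim mainlog-style lines and flags hosts that reach the 10-attempt trigger James mentions; the log lines are constructed and the threshold is an assumption mirroring that LFD setting.

```python
import re

# Constructed sample log lines in the shape of Exim's mainlog "rejected RCPT"
# entries. Hosts, IPs and addresses are made up for this example.
_LINES = []
for i in range(12):  # one host hammering many bogus recipients
    _LINES.append(
        f"2005-03-20 10:00:{i:02d} H=(mx.example.test) [198.51.100.7] "
        f"F=<bob@sender.test> rejected RCPT <user{i}@nowhere.test>: relay not permitted"
    )
for i in range(3):   # a second host, below the assumed threshold
    _LINES.append(
        f"2005-03-20 10:01:{i:02d} H=(smtp.other.test) [203.0.113.9] "
        f"F=<amy@sender.test> rejected RCPT <x{i}@nowhere.test>: relay not permitted"
    )
# an unrelated accepted (authenticated) message that the parser must ignore
_LINES.append("2005-03-20 10:02:00 1Dcde1-000123-AB <= alice@hosted.test "
              "H=(pc) [192.0.2.4] P=esmtpa S=812")
SAMPLE_LOG = "\n".join(_LINES)

# Matches "<date> <time> H=... [ip] F=<sender> rejected RCPT <rcpt>: relay not permitted"
RCPT_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: relay not permitted"
)

def relay_rejects_per_host(log_text):
    """Return {ip: (reject_count, set_of_recipients)} for relay-denied RCPTs."""
    stats = {}
    for line in log_text.splitlines():
        m = RCPT_RE.match(line)
        if not m:
            continue
        count, rcpts = stats.get(m["ip"], (0, set()))
        rcpts.add(m["rcpt"])
        stats[m["ip"]] = (count + 1, rcpts)
    return stats

def hosts_over_threshold(log_text, threshold=10):
    """IPs whose relay-denied RCPT count reached the threshold (LFD-style trigger)."""
    stats = relay_rejects_per_host(log_text)
    return sorted(ip for ip, (n, _) in stats.items() if n >= threshold)

if __name__ == "__main__":
    for ip, (n, rcpts) in relay_rejects_per_host(SAMPLE_LOG).items():
        print(f"{ip}: {n} relay-denied RCPTs to {len(rcpts)} distinct addresses")
    print("block candidates:", hosts_over_threshold(SAMPLE_LOG))
```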
 

nickp666

Although in part I agree with your last statement about investigating things further prior to paying people, in your initial post you said:

> we have been under attack: IPs from all over being used to relay through our mail server.
>
> These emails just get stuck in queue and never go anywhere. They are not sent to any of the domains we host and for the most part they are sent to a domain that does not even resolve to anywhere.

Now forgive me for jumping to conclusions with the possible reason for it, but with the shoe on the other foot, what would your opinion be if that was stated to you?