The Community Forums


why is my exim an open relay??

Discussion in 'General Discussion' started by corey_s, Nov 2, 2005.

  1. corey_s

    corey_s Member

    Joined:
    Apr 6, 2005
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    This is really frustrating.

    I'm running exim 4.52 on CentOS 3.5, via WHM 10.6.

    Our exim is definitely acting as an open relay, but I'm completely stumped as to how to close it.

    I've spent an hour googling and searching on these forums, and tried a few things, but nothing that has actually worked.

    Following is evidence:

    # telnet my.mailhost.net 25
    Trying 69.xx.xxx.x...
    Connected to my.mailhost.net.
    Escape character is '^]'.
    220-my.mailhost.net ESMTP Exim 4.52 #1 Wed, 02 Nov 2005 18:19:23 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    ehlo
    250-my.mailhost.net Hello [130.xx.xxx.xx]
    250-SIZE 52428800
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    mail from: <foo@qwest.net>
    250 OK
    rcpt to: <bar@excite.com>
    250 Accepted
    DATA
    354 Enter message, ending with "." on a line by itself
    From: foo@qwest.net
    To: bar@excite.com
    Subject: relay test

    relayed! WTF!?

    .
    250 OK id=1EXTlm-0001rj-3R
    quit
    221 my.mailhost.net closing connection
    Connection closed by foreign host.


    As can be seen - I ended up with an email in my excite inbox...

    I know postfix and sendmail well - but I have no experience with exim; but I need to close this relay ASAP.


    Many thanks!
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What makes you think it's an open relay? That SMTP session doesn't particularly prove anything, because:

    1. Are you actually on the server when you do that? You can always relay locally.

    or

    2. Have you authenticated your IP address within the last 30 minutes by POPing an account on the server? If so, you'll be able to relay email.
     
  3. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    I AM an open relay too. In

    Nessus Scan Report
    This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.
    Scan Details
    Number of security holes found 0
    Number of security warnings found 1
    Analysis of Host
    Address of Host Port/Service Issue regarding Port
    66.98.184.59 general/udp Security notes found
    66.98.184.59 ftp (21/tcp) Security notes found
    66.98.184.59 mysql (3306/tcp) Security notes found
    66.98.184.59 domain (53/tcp) Security notes found
    66.98.184.59 http (80/tcp) Security notes found
    66.98.184.59 pop3 (110/tcp) Security notes found
    66.98.184.59 smtp (25/tcp) Security warning(s) found

    Warning smtp (25/tcp)
    The remote SMTP server is insufficiently protected against relaying
    This means that spammers might be able to use your mail server
    to send their mails to the world.

    Nessus was able to relay mails by sending those sequences:

    MAIL FROM: <nessus@myserver.com.ar>
    RCPT TO: <nobody%example.com@myserver.com.ar>

    Risk factor : Medium

    Solution : upgrade your software or improve the configuration so that
    your SMTP server cannot be used as a relay any more.
    Nessus ID : 11852


    NOW, what should I do to fix it?
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What I said still applies. Had you already authenticated from the originating IP of Nessus? If not, check the exim_mainlog, as it likely rejected the email. Nessus and the like are usually pretty unreliable since they only poke a server from the outside.
     
  5. Tao_Man

    Tao_Man Registered

    Joined:
    Jun 28, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Go to www.dnsreport.com and run your domain. In the output where it tests your email server, if it thinks you have an open relay it will give you a link to some info on what you need to do. Sorry, I don't know the direct link, as I closed my server to relaying a long time ago.
     
  6. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    Agggggggggg

    FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that any....

    I WILL TRY TO FIX IT NOW !!!!

    News on this I will post later.
     
  7. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    Please help

    I need help.
    1. My exim queue keeps growing. I added all logs to the emails, so I can see one, for example:

    1Gc5Mr-0003Fc-UP-H
    mailnull 47 12
    <>
    1161631309 0
    -ident mailnull
    -received_protocol local
    -body_linecount 383
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1161631312
    -localerror
    XX
    1
    vvegab@australiamail.com

    155P Received: from mailnull by HEREGOESMYSERVER.COM with local (Exim 4.52)
    id 1Gc5Mr-0003Fc-UP
    for vvegab@australiamail.com; Mon, 23 Oct 2006 16:21:27 -0300
    044 X-Failed-Recipients: indem@wrongclietn.com
    031 Auto-Submitted: auto-generated
    064F From: Mail Delivery System <Mailer-Daemon@HEREGOESMYSERVER.COM>
    029T To: vvegab@australiamail.com
    059 Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <E1Gc5Mr-0003Fc-UP@HEREGOESMYSERVER.COM>
    038 Date: Mon, 23 Oct 2006 16:21:26 -0300

    1Gc5Mr-0003Fc-UP-D


    2. My exim_mainlog says

    2006-10-26 00:10:43 SMTP connection from [124.168.28.56]:1737 I=[MYIPHERE]:25 (TCP/IP connection count = 6)
    2006-10-26 00:10:43 1GcvdF-0007vw-4e => american <american@HEREGOESMYSERVER.COM> F=<pmgsender@returns.pm0.net> P=<pmgsender@returns.pm0.net> R=localuser T=local_delivery S=3488 QT=53s DT=0s
    2006-10-26 00:10:43 1GcvdF-0007vw-4e Completed QT=53s.....

    or..

    2006-10-26 00:17:29 1Gcvke-0008UD-1B <= <> H=(wx-out-0506.google.com) [66.249.82.228]:11371 I=[MYIPHERE]:25 P=esmtp S=2529 T="Delivery Status Notification (Failure)" from <> for nazehoberon@ONEREALDOMAIN.COM
    2006-10-26 00:17:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UD-1B
    2006-10-26 00:17:29 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
    2006-10-26 00:17:29 SMTP connection from avcsegur
    2006-10-26 00:17:31 1Gcvke-0008UJ-8X <= <> U=avcsegur P=local-bsmtp S=2928 T="Delivery Status Notification (Failure)" from <> for avcsegur@HEREGOESMYSERVER.COM
    2006-10-26 00:17:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UJ-8X


    What is cwd=/tmp doing there??

    /tmp is secure, according to ALL forums, isn't it??

    Thanks in advance.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    There's no such thing as a "secure" /tmp, there's just things you can do to make it more secure than the default configuration, such as mounting it noexec and nosuid.

    cwd=/tmp suggests you have a script running in /tmp sending out email. You should check /tmp for suspicious php and perl scripts.
     
  9. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    Can I do it?

    What happens if I just delete all content in /tmp during an hour when the server has few visits?

    Is there any script to find out which user is sending the mailnull or nobody emails?
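    The question above, and the cwd=/tmp hint chirpy gave two posts earlier, can both be answered from exim_mainlog: when a local script calls /usr/sbin/sendmail, exim logs a `cwd=... args: ...` line for the invocation and, immediately after, a `<=` arrival line carrying `U=<unix user>` and `P=local...`. Pairing each arrival with the cwd line that preceded it tells you which account's directory the mail came from, even when the submitting user is the web server's `nobody`. The following script is an added example written for this thread, not code from cPanel or from anyone in the discussion; the log lines it parses are constructed in the format quoted in the thread, and the `/tmp`, `/var/tmp` and `/dev/shm` directory list and the `nobody`/`mailnull` user list are assumptions you should adjust to your own server.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog format quoted in the thread (not a real log).
SAMPLE_MAINLOG = """\
2006-10-26 00:17:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Gcvke-0008UD-1B
2006-10-26 00:17:29 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2006-10-26 00:17:31 1Gcvke-0008UJ-8X <= <> U=avcsegur P=local-bsmtp S=2928 T="Delivery Status Notification (Failure)" from <> for avcsegur@HEREGOESMYSERVER.COM
2006-10-26 00:18:02 cwd=/tmp 2 args: /usr/sbin/sendmail -t
2006-10-26 00:18:02 1Gcvl5-0008Ux-Qa <= nobody@HEREGOESMYSERVER.COM U=nobody P=local S=1104 for victim@example.com
2006-10-26 00:18:40 cwd=/home/user1/public_html 2 args: /usr/sbin/sendmail -t
2006-10-26 00:18:40 1Gcvlg-0008V3-Fn <= user1@HEREGOESMYSERVER.COM U=user1 P=local S=870 for friend@example.net
2006-10-26 00:19:05 cwd=/tmp 2 args: /usr/sbin/sendmail -t
2006-10-26 00:19:05 1GcvmB-0008VK-2z <= nobody@HEREGOESMYSERVER.COM U=nobody P=local S=1098 for victim2@example.com
"""

# "<date> <time> cwd=<dir> <n> args: <command line>"
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
# "<date> <time> <msgid> <= <sender> ... U=<user> P=local..." (local submissions only)
ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) .*?\bU=(\S+) P=(local\S*)")

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")   # assumed list of dirs worth flagging
WEB_USERS = {"nobody", "mailnull"}                  # assumed web-server / MTA pseudo-users


def attribute_arrivals(log_text):
    """Pair each locally submitted message with the cwd= line logged just before it,
    i.e. the directory the calling script ran from."""
    pending_cwd = pending_args = None
    results = []
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending_cwd, pending_args = m.group(2), m.group(3)
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            results.append({
                "time": m.group(1), "id": m.group(2), "sender": m.group(3),
                "user": m.group(4), "protocol": m.group(5),
                "cwd": pending_cwd, "args": pending_args,
            })
            pending_cwd = pending_args = None
    return results


def suspicious_submissions(log_text):
    """Arrivals submitted as a web/MTA pseudo-user or from a world-writable directory."""
    flagged = []
    for a in attribute_arrivals(log_text):
        reasons = []
        if a["user"] in WEB_USERS:
            reasons.append("submitted as %s" % a["user"])
        if a["cwd"] and a["cwd"].startswith(WORLD_WRITABLE):
            reasons.append("script ran from world-writable %s" % a["cwd"])
        if reasons:
            flagged.append({**a, "reasons": reasons})
    return flagged


def cwd_histogram(log_text):
    """Count (user, directory) pairs so the busiest web root stands out."""
    hist = Counter()
    for a in attribute_arrivals(log_text):
        hist[(a["user"], a["cwd"])] += 1
    return hist


if __name__ == "__main__":
    for s in suspicious_submissions(SAMPLE_MAINLOG):
        print(s["time"], s["id"], s["user"], s["cwd"], "; ".join(s["reasons"]))
    for (user, cwd), n in cwd_histogram(SAMPLE_MAINLOG).most_common():
        print("%4d  %-10s %s" % (n, user, cwd))
```

    On a live box, read the real file instead of the sample (`open("/var/log/exim_mainlog").read()`); a high count for `nobody` from a `/home/<account>/public_html/...` directory points at the account whose web application is being abused, and a count from `/tmp` means a script was dropped and executed there, which is what chirpy suggested checking for.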
     
  10. mambovince

    mambovince Well-Known Member

    Joined:
    Jan 15, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    London, UK
    What about these solutions from chirpy on cPanel forum:
    http://forums.cpanel.net/showthread.php?t=50186

    - Vince
     
  11. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    The spammer keeps using my servers !!!

    OK, I summarize what I did to avoid this fuc.. spammer.

    1. I read all features and enabled them on WHM.
    2. I found out that my exim log rejects relays that are not my clients, I think...
    3. I installed the cheepy feature in PHP to detect if a script is sending through my server; I tested it, it works, but I do not detect any spammer like this.
    4. I installed RBL, SBL and all features for detecting spammers' IPs, to avoid them connecting to my server.

    But I keep receiving emails that were sent by anyname@mydomain.com. I will copy one here and you will see that, as I understand it, the original email was sent using my server.

    I received it in my inbox.... I replaced my domain with MYDOMAINHERE and MY SERVER'S IP with xx.xx..xx.

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    drjohn@usash.com
    (ultimately generated from 616cc0dc@usash.com)
    mailbox is full: retry timeout exceeded

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <gnr@MYDOMAINHERE.com>
    Received: from aclermont-ferrand-157-1-16-228.w83-205.abo.wanadoo.fr ([83.205.143.228]:2402)
    by enzo.websitewelcome.com with esmtp (Exim 4.52)
    id 1Ge8CM-0000bv-Kf
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 04:47:27 -0600
    Received: from XXX.XXX.XXX.XXX(HELO MYDOMAINHERE.com)
    by usash.com with esmtp (HH7I1U8G1 JL487)
    id EC7N00-BD83Y1-K1
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 10:47:34 -0060
    From: "Danielle Beal" <gnr@MYDOMAINHERE.com>
    To: <616cc0dc@usash.com>
    Subject: Notification
    Date: Sun, 29 Oct 2006 10:47:34 -0060
    Message-ID: <01c6fb47$a4646310$6c822ecf@gnr>
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
    Thread-Index: Aca6QMFUDL7VL222RV6EN62GPY2S06==

    The accumulation of positions by those in the know has shot
    A_U_N_I up 33% in a few short days. We hope you all got in
    early like we told you to, and are enjoying your good fortune.
    But even if you didn't don't worry because ..........


    So, someone is sending through MYIP with noexist@MYDOMAINHERE.COM, but I cannot detect them.

    I tried putting the domain that he uses to connect to my SMTP in my server's blacklist, but he keeps changing it with every email.

    When exim sends an email, it does not keep logs about the sending if it was OK; it keeps logs about errors, or only the date and time of a successful sending, right?

    What do you suggest to detect this spammer?
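    The bounce quoted in the post above can be read mechanically. Received headers are prepended as a message travels, so the topmost one was written by the MTA that generated the bounce and is the only hop the recipient can vouch for; every header below it arrived inside the message body and may have been written by whoever sent it. The script below is an added example for this thread, not code from cPanel or from any participant: it unfolds the headers, parses each hop's client, literal IP, HELO name, receiving host and zone offset, and checks whether the trusted hop came from the server named in the `OUR_IDENTITIES` set (the poster's own placeholders, assumed here). Run over the quoted headers, the trusted hop records delivery to enzo.websitewelcome.com from 83.205.143.228, not from the poster's server, and the lower hop that names MYDOMAINHERE.com carries the zone offset -0060, which cannot exist (minutes run 00 to 59), so it was supplied by the sending software rather than by a real relay.

```python
import re

# Constructed from the bounce quoted in the thread; MYDOMAINHERE / XXX.XXX.XXX.XXX are
# the poster's own placeholders, kept as they appear.
BOUNCE_HEADERS = """\
Return-path: <gnr@MYDOMAINHERE.com>
Received: from aclermont-ferrand-157-1-16-228.w83-205.abo.wanadoo.fr ([83.205.143.228]:2402)
    by enzo.websitewelcome.com with esmtp (Exim 4.52)
    id 1Ge8CM-0000bv-Kf
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 04:47:27 -0600
Received: from XXX.XXX.XXX.XXX(HELO MYDOMAINHERE.com)
    by usash.com with esmtp (HH7I1U8G1 JL487)
    id EC7N00-BD83Y1-K1
    for 616cc0dc@usash.com; Sun, 29 Oct 2006 10:47:34 -0060
From: "Danielle Beal" <gnr@MYDOMAINHERE.com>
To: <616cc0dc@usash.com>
Subject: Notification
"""

# Names and addresses the analysed server answers to (assumed placeholders).
OUR_IDENTITIES = {"MYDOMAINHERE.com", "XXX.XXX.XXX.XXX"}


def unfold_headers(raw):
    """Join folded continuation lines (leading space or tab) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def tz_is_valid(tz):
    """A numeric zone is +/-HHMM with MM below 60 and HH at most 14."""
    return bool(re.fullmatch(r"[+-]\d{4}", tz)) and int(tz[3:5]) < 60 and int(tz[1:3]) <= 14


def parse_received(header):
    """Extract client name, literal IP, HELO name, receiving host and zone from one hop."""
    frm = re.search(r"\bfrom\s+([^\s(]+)", header)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", header, re.I)
    by = re.search(r"\bby\s+(\S+)", header)
    tz = re.search(r"([+-]\d{4})\s*$", header)
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
        "tz": tz.group(1) if tz else None,
        "tz_valid": tz_is_valid(tz.group(1)) if tz else False,
    }


def analyze_bounce(raw, our_identities):
    """Trust only hops[0] (written by the bouncing MTA); flag lower hops that claim
    our identity or carry an impossible zone offset."""
    hops = [parse_received(h) for h in unfold_headers(raw) if h.startswith("Received:")]
    trusted = hops[0] if hops else None
    trusted_source = {trusted["from"], trusted["ip"], trusted["helo"]} if trusted else set()
    findings = []
    for i, hop in enumerate(hops[1:], start=1):
        if not hop["tz_valid"]:
            findings.append("hop %d: impossible zone offset %s" % (i, hop["tz"]))
        if {hop["from"], hop["helo"]} & our_identities:
            findings.append("hop %d: claims our identity but was not written by a trusted MTA" % i)
    return {
        "hops": hops,
        "trusted_source_ip": trusted["ip"] if trusted else None,
        "transited_our_server": bool(trusted_source & our_identities),
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze_bounce(BOUNCE_HEADERS, OUR_IDENTITIES)
    print("trusted source:", result["trusted_source_ip"])
    print("went through our server:", result["transited_our_server"])
    for f in result["findings"]:
        print("-", f)
```

    When `transited_our_server` is False for a bounce addressed to one of your users, the abuse is a forged envelope sender (backscatter) rather than relaying, and the place to look is your own exim_mainlog for the message id in the top Received header, which will be absent.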
     
  12. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    I fixed it!

    Just by running ./fixeverythings.

    Strange thing: since then, my server blocks 4 emails per second. Hehe, spammers.
     