Thread: Exim Attack
-
10-21-2006, 01:54 PM #1 Aspiring Evangelist
- Join Date
- May 2002
- Posts
- 388
Exim Attack
Hello,
I am using cPanel and I have one of my domain names getting a lot of e-mails to non-existent users.
These e-mails are sent from different IPs, different senders, different content.
I wouldn't like to suspend the user account, but to try to script something that will automatically block these e-mails.
What I saw is that they send spam to a user that does not exist and my server replies back with the Mail Delivery System "No such user here". This is killing my spamd and consequently the exim server.
One example:
1GbKwh-0008I1-RA-H
mailnull 47 12
<>
1161452863 0
-ident mailnull
-received_protocol local
-body_linecount 344
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1161452874
-localerror
XX
1
sheqpnq@comcast.net
142P Received: from mailnull by gui.xxxxx.com with local (Exim 4.52)
id 1GbKwh-0008I1-RA
for sheqpnq@comcast.net; Sat, 21 Oct 2006 14:47:43 -0300
035 X-Failed-Recipients: il@dig.com.br
031 Auto-Submitted: auto-generated
056F From: Mail Delivery System <Mailer-Daemon@gui.xxxxx.com>
024T To: sheqpnq@comcast.net
059 Subject: Mail delivery failed: returning message to sender
045I Message-Id: <E1GbKwh-0008I1-RA@gui.***********>
038 Date: Sat, 21 Oct 2006 14:47:43 -0300
1GbKwh-0008I1-RA-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
il@the_domain.com.br
No Such User Here
------ This is a copy of the message, including all the headers. ------
Return-path: <sheqpnq@comcast.net>
Received: from [69.180.115.242] (helo=c-69-180-115-242.hsd1.fl.comcast.net)
by gui.xxxxx.com with esmtp (Exim 4.52)
id 1GbKwW-0008FI-O3
for il@dig.com.br; Sat, 21 Oct 2006 14:47:43 -0300
Message-ID: <000f01c6f538$fc2eb150$f273b445@gina>
From: "Tertiary Entrance" <sheqpnq@comcast.net>
To: il@dig.com.br
Subject: this toolsSign create links
Date: Sat, 21 Oct 2006 13:47:32 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_000B_01C6F517.751D1150"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Exiscan-SA-Spam: Yes
X-Exiscan-SA-Score: 14.5 (++++++++++++++)
X-Exiscan-SA-Report: Spam detection software, running on the system "gui.xxxxx.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Entrance Rankenter a city in music album by Within an am
ablum Russian! Finnish computer Polish Croatian magazine alsoenter
keythis page lists articles associated with am same. Running Enterfrom
to navigation or can is National Tertiary Entrance Rankenter city am in
music album by in Within an ablum Russian Circles released it is also of
title of several Finnish computer! Rankenter city in music album by am
Within an ablum Russian Circles released it or is or also title. [...]
Content analysis details: (14.5 points, 12.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
1)
1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
[score: 0.6105]
0.0 HTML_MESSAGE BODY: HTML included in message
1.4 DNS_FROM_RFC_WHOIS RBL: Envelope sender in whois.rfc-ignorant.org
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[69.180.115.242 listed in sbl-xbl.spamhaus.org]
1.7 DNS_FROM_RFC_POST RBL: Envelope sender in
postmaster.rfc-ignorant.org
X-Exiscan-SA-New-Subject: *SPAM* this toolsSign create links
------=_NextPart_000_000B_01C6F517.751D1150
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000C_01C6F517.751D1150"
------=_NextPart_001_000C_01C6F517.751D1150
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Entrance Rankenter a city in music album by Within an am ablum Russian!
Finnish computer Polish Croatian magazine alsoenter keythis page lists =
articles associated with am same.
Running Enterfrom to navigation or can is National Tertiary Entrance =
Rankenter city am in music album by in Within an ablum Russian Circles =
released it is also of title of several Finnish computer!
Rankenter city in music album by am Within an ablum Russian Circles =
released it or is or also title.
Album by Within an ablum Russian Circles released in it is of also title =
of several is Finnish computer a Polish am Croatian magazine alsoenter =
is keythis. An ablum Russian in Circles in released it is also title of =
several Finnish computer of Polish Croatian.
Is also title of several Finnish in computer Polish Croatian is magazine =
alsoenter keythis is page lists articles am.
Discussion Edit this toolssign am create links linkcite or articlein =
other was last is modified October in all text.
Article Discussion Edit of this toolssign create links linkcite =
articlein of other was last of modified October all of text available =
under am terms.
Also title of several Finnish is computer Polish Croatian magazine of =
alsoenter keythis in page lists articles associated.
------=_NextPart_001_000C_01C6F517.751D1150
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Entrance Rankenter a city in music =
album by Within=20
an am ablum Russian!<BR>Finnish computer Polish Croatian magazine =
alsoenter=20
keythis page lists articles associated with am same.<BR>Running =
Enterfrom to=20
navigation or can is National Tertiary Entrance Rankenter city am in =
music album=20
by in Within an ablum Russian Circles released it is also of title of =
several=20
Finnish computer!<BR>Rankenter city in music album by am Within an ablum =
Russian=20
Circles released it or is or also title.</FONT></DIV>
<DIV><IMG alt=3D"" hspace=3D0 =
src=3D"cid:000a01c6f538$fc2eb150$f273b445@gina"=20
align=3Dbaseline border=3D0></DIV>
<DIV><FONT face=3DArial size=3D2>Album by Within an ablum Russian =
Circles released=20
in it is of also title of several is Finnish computer a Polish am =
Croatian=20
magazine alsoenter is keythis. An ablum Russian in Circles in released =
it is=20
also title of several Finnish computer of Polish Croatian.<BR>Is also =
title of=20
several Finnish in computer Polish Croatian is magazine alsoenter =
keythis is=20
page lists articles am.<BR>Discussion Edit this toolssign am create =
links=20
linkcite or articlein other was last is modified October in all =
text.<BR>Article=20
Discussion Edit of this toolssign create links linkcite articlein of =
other was=20
last of modified October all of text available under am terms.<BR>Also =
title of=20
several Finnish is computer Polish Croatian magazine of alsoenter =
keythis in=20
page lists articles associated.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000C_01C6F517.751D1150--
-
10-21-2006, 03:31 PM #2 Web Hosting Master
- Join Date
- May 2006
- Location
- India
- Posts
- 661
Install RBL's check if this helps to reduce the attack a bit.
-
10-21-2006, 04:09 PM #3
Your catch all address is being abused by spammers, as evidenced by this line:
"059 Subject: Mail delivery failed: returning message to sender"
They send to non-existent addresses on your account, and you're bouncing the mail to the actual victim (the return-to field is actually the intended recipient), so the spammer's message gets delivered...by *you*.
Turn off "catch-alls", and set the default address to :fail:
This won't completely fix it, but it will prevent a lot of the crap they are bouncing through you from hitting the actual targets since it refuses to accept delivery instead of accepting and then returning.
Less load on the mail queue as well.
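The fix described in this reply (refuse the recipient while the remote client is still connected, instead of accepting and bouncing) together with the RBL check suggested in the previous reply, as an added example that is not from the thread or from cPanel: a fragment of an Exim RCPT-time ACL. The ACL name acl_check_rcpt and the lists +local_domains and +relay_from_hosts are the conventional names from Exim's default configuration and are assumed to exist in yours; the DNS list is the one the SpamAssassin report in the first post already matched.

```exim
# Added example, not configuration from the thread. Assumes the default
# Exim layout: acl_check_rcpt as the RCPT ACL, +local_domains and
# +relay_from_hosts defined in the main section.

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Mail from your own hosts and from authenticated users is accepted as before.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Reject, at RCPT time, any sending host listed in the Spamhaus SBL/XBL
  # (the list that matched RCVD_IN_XBL in the posted report). The client
  # gets a 550; nothing enters the queue and spamd never sees the message.
  deny    message       = $sender_host_address is listed at $dnslist_domain: $dnslist_text
          dnslists      = sbl-xbl.spamhaus.org

  # Verify the recipient now, with the routers running in verify mode.
  # An address whose routing ends in ":fail: No Such User Here" (the text
  # seen in the bounce in the first post) is then refused with a 550 here,
  # instead of being accepted and bounced to the forged sender later.
  # This is what turns accept-and-bounce into reject.
  deny    message       = No such user here
          domains       = +local_domains
          !verify       = recipient

  # Only our own domains are accepted beyond this point; anything else
  # would be relaying.
  accept  domains       = +local_domains

  deny    message       = relay not permitted
```

Statements are evaluated in order, so the cheap DNS-list check runs before recipient verification. You can check the effect without sending real mail: `exim -bv user@domain` shows whether an address routes or fails verification, and `exim -bh 192.0.2.1` (a documentation-only address, substitute one of the offending IPs) runs a simulated SMTP session so you can watch the RCPT command be refused.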
-
10-22-2006, 10:11 PM #4 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- USA
- Posts
- 41
bear
Your catch all address is being abused by spammers, as evidenced by this line:
"059 Subject: Mail delivery failed: returning message to sender"
They send to non-existent addresses on your account, and you're bouncing the mail to the actual victim (the return-to field is actually the intended recipient), so the spammer's message gets delivered...by *you*.
Turn off "catch-alls", and set the default address to :fail:
This won't completely fix it, but it will prevent a lot of the crap they are bouncing through you from hitting the actual targets since it refuses to accept delivery instead of accepting and then returning.
Less load on the mail queue as well.
Bear explained it there, but I understand it much better now!
Thanks Bear!