
Thread: Exim Attack

  1. #1

    Exim Attack

    Hello,

    I am using cPanel and I have one of my domain names getting a lot of e-mails to non-existent users.

    These e-mails are sent from different IPs, different senders, different content.

    I wouldn't like to suspend the user account, but try to script something that will automatically block these e-mails.

    What I saw is that they send spam to a user that does not exist and my server replies back with a Mail Delivery System "No such user here" message. This is killing my spamd and consequently the exim server.

    One example:

    1GbKwh-0008I1-RA-H
    mailnull 47 12
    <>
    1161452863 0
    -ident mailnull
    -received_protocol local
    -body_linecount 344
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1161452874
    -localerror
    XX
    1
    sheqpnq@comcast.net

    142P Received: from mailnull by gui.xxxxx.com with local (Exim 4.52)
    id 1GbKwh-0008I1-RA
    for sheqpnq@comcast.net; Sat, 21 Oct 2006 14:47:43 -0300
    035 X-Failed-Recipients: il@dig.com.br
    031 Auto-Submitted: auto-generated
    056F From: Mail Delivery System <Mailer-Daemon@gui.xxxxx.com>
    024T To: sheqpnq@comcast.net
    059 Subject: Mail delivery failed: returning message to sender
    045I Message-Id: <E1GbKwh-0008I1-RA@gui.***********>
    038 Date: Sat, 21 Oct 2006 14:47:43 -0300


    1GbKwh-0008I1-RA-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    il@the_domain.com.br
    No Such User Here

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <sheqpnq@comcast.net>
    Received: from [69.180.115.242] (helo=c-69-180-115-242.hsd1.fl.comcast.net)
    by gui.xxxxx.com with esmtp (Exim 4.52)
    id 1GbKwW-0008FI-O3
    for il@dig.com.br; Sat, 21 Oct 2006 14:47:43 -0300
    Message-ID: <000f01c6f538$fc2eb150$f273b445@gina>
    From: "Tertiary Entrance" <sheqpnq@comcast.net>
    To: il@dig.com.br
    Subject: this toolsSign create links
    Date: Sat, 21 Oct 2006 13:47:32 -0400
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_000B_01C6F517.751D1150"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2869
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    X-Exiscan-SA-Spam: Yes
    X-Exiscan-SA-Score: 14.5 (++++++++++++++)
    X-Exiscan-SA-Report: Spam detection software, running on the system "gui.xxxxx.com", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.
    Content preview: Entrance Rankenter a city in music album by Within an am
    ablum Russian! Finnish computer Polish Croatian magazine alsoenter
    keythis page lists articles associated with am same. Running Enterfrom
    to navigation or can is National Tertiary Entrance Rankenter city am in
    music album by in Within an ablum Russian Circles released it is also of
    title of several Finnish computer! Rankenter city in music album by am
    Within an ablum Russian Circles released it or is or also title. [...]
    Content analysis details: (14.5 points, 12.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
    4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
    1)
    1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
    1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
    [score: 0.6105]
    0.0 HTML_MESSAGE BODY: HTML included in message
    1.4 DNS_FROM_RFC_WHOIS RBL: Envelope sender in whois.rfc-ignorant.org
    3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    [69.180.115.242 listed in sbl-xbl.spamhaus.org]
    1.7 DNS_FROM_RFC_POST RBL: Envelope sender in
    postmaster.rfc-ignorant.org
    X-Exiscan-SA-New-Subject: *SPAM* this toolsSign create links

    ------=_NextPart_000_000B_01C6F517.751D1150
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_000C_01C6F517.751D1150"


    ------=_NextPart_001_000C_01C6F517.751D1150
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Entrance Rankenter a city in music album by Within an am ablum Russian!
    Finnish computer Polish Croatian magazine alsoenter keythis page lists =
    articles associated with am same.
    Running Enterfrom to navigation or can is National Tertiary Entrance =
    Rankenter city am in music album by in Within an ablum Russian Circles =
    released it is also of title of several Finnish computer!
    Rankenter city in music album by am Within an ablum Russian Circles =
    released it or is or also title.

    Album by Within an ablum Russian Circles released in it is of also title =
    of several is Finnish computer a Polish am Croatian magazine alsoenter =
    is keythis. An ablum Russian in Circles in released it is also title of =
    several Finnish computer of Polish Croatian.
    Is also title of several Finnish in computer Polish Croatian is magazine =
    alsoenter keythis is page lists articles am.
    Discussion Edit this toolssign am create links linkcite or articlein =
    other was last is modified October in all text.
    Article Discussion Edit of this toolssign create links linkcite =
    articlein of other was last of modified October all of text available =
    under am terms.
    Also title of several Finnish is computer Polish Croatian magazine of =
    alsoenter keythis in page lists articles associated.
    ------=_NextPart_001_000C_01C6F517.751D1150
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
    <META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV><FONT face=3DArial size=3D2>Entrance Rankenter a city in music =
    album by Within=20
    an am ablum Russian!<BR>Finnish computer Polish Croatian magazine =
    alsoenter=20
    keythis page lists articles associated with am same.<BR>Running =
    Enterfrom to=20
    navigation or can is National Tertiary Entrance Rankenter city am in =
    music album=20
    by in Within an ablum Russian Circles released it is also of title of =
    several=20
    Finnish computer!<BR>Rankenter city in music album by am Within an ablum =
    Russian=20
    Circles released it or is or also title.</FONT></DIV>
    <DIV><IMG alt=3D"" hspace=3D0 =
    src=3D"cid:000a01c6f538$fc2eb150$f273b445@gina"=20
    align=3Dbaseline border=3D0></DIV>
    <DIV><FONT face=3DArial size=3D2>Album by Within an ablum Russian =
    Circles released=20
    in it is of also title of several is Finnish computer a Polish am =
    Croatian=20
    magazine alsoenter is keythis. An ablum Russian in Circles in released =
    it is=20
    also title of several Finnish computer of Polish Croatian.<BR>Is also =
    title of=20
    several Finnish in computer Polish Croatian is magazine alsoenter =
    keythis is=20
    page lists articles am.<BR>Discussion Edit this toolssign am create =
    links=20
    linkcite or articlein other was last is modified October in all =
    text.<BR>Article=20
    Discussion Edit of this toolssign create links linkcite articlein of =
    other was=20
    last of modified October all of text available under am terms.<BR>Also =
    title of=20
    several Finnish is computer Polish Croatian magazine of alsoenter =
    keythis in=20
    page lists articles associated.</FONT></DIV></BODY></HTML>

    ------=_NextPart_001_000C_01C6F517.751D1150--
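The spool record quoted above is enough to recognise the pattern the poster is seeing: a locally generated bounce (null envelope sender, `-localerror`, `-frozen`) whose `X-Failed-Recipients` is the non-existent local address and whose only recipient is the forged sender of the original spam. The following Python is an added example, not code from the thread or from Exim; it parses the envelope and header part of an Exim `-H` spool record into a structure and flags records that match that pattern. The embedded sample is constructed from the post's own record (trimmed, and with the same flattened continuation lines), and the header-start heuristic, which keys on the numeric length prefix rather than counting bytes, is an assumption made to cope with that flattening.

```python
import re
from dataclasses import dataclass

# Constructed sample: the -H spool record quoted in the post, trimmed to its
# envelope lines and the headers that matter here. The quoted copy has lost
# the tab indentation of header continuation lines, so the parser below
# recognises a header start by its length prefix instead of counting bytes.
SAMPLE_SPOOL_H = """\
1GbKwh-0008I1-RA-H
mailnull 47 12
<>
1161452863 0
-ident mailnull
-received_protocol local
-body_linecount 344
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1161452874
-localerror
XX
1
sheqpnq@comcast.net

142P Received: from mailnull by gui.xxxxx.com with local (Exim 4.52)
id 1GbKwh-0008I1-RA
for sheqpnq@comcast.net; Sat, 21 Oct 2006 14:47:43 -0300
035 X-Failed-Recipients: il@dig.com.br
031 Auto-Submitted: auto-generated
056F From: Mail Delivery System <Mailer-Daemon@gui.xxxxx.com>
024T To: sheqpnq@comcast.net
059 Subject: Mail delivery failed: returning message to sender
045I Message-Id: <E1GbKwh-0008I1-RA@gui.xxxxx.com>
038 Date: Sat, 21 Oct 2006 14:47:43 -0300
"""

# "<length><optional flag letter> <Header-Name>: <value>"; the flag letters
# (P, T, F, I, ...) mark headers Exim treats specially.
HEADER_START = re.compile(r"^(\d+)([A-Z*])? ([\w-]+):\s*(.*)$")


@dataclass
class SpoolRecord:
    message_id: str
    sender: str        # envelope sender; "" is the null sender <>
    recipients: list   # envelope recipients still to be delivered
    options: dict      # the "-name [value]" lines, e.g. frozen, localerror
    headers: dict      # header name -> value, continuation lines joined


def parse_spool_header(text: str) -> SpoolRecord:
    lines = text.splitlines()
    message_id = lines[0].rsplit("-H", 1)[0]
    # line 1 is "login uid gid", line 2 the envelope sender in angle brackets
    sender = lines[2].strip()[1:-1]
    options = {}
    i = 4
    while lines[i].startswith("-"):
        name, _, value = lines[i][1:].partition(" ")
        options[name] = value
        i += 1
    # skip the non-recipients tree ("XX" when empty) up to the recipient count
    while not lines[i].isdigit():
        i += 1
    count = int(lines[i])
    i += 1
    recipients = lines[i:i + count]
    i += count
    while i < len(lines) and lines[i] == "":
        i += 1
    headers = {}
    current = None
    for line in lines[i:]:
        m = HEADER_START.match(line)
        if m:
            current = m.group(3)
            headers[current] = m.group(4)
        elif current is not None:
            headers[current] += " " + line.strip()
    return SpoolRecord(message_id, sender, recipients, options, headers)


def is_backscatter_bounce(rec: SpoolRecord) -> bool:
    """True for a bounce this host generated for a failed local recipient.
    The one recipient of such a message is whoever the spammer forged as
    sender, which is the pattern described in the thread."""
    return (rec.sender == ""
            and "localerror" in rec.options
            and "X-Failed-Recipients" in rec.headers)


def summarize(rec: SpoolRecord) -> dict:
    return {
        "id": rec.message_id,
        "frozen": "frozen" in rec.options,
        "failed_recipient": rec.headers.get("X-Failed-Recipients"),
        "bounce_target": rec.recipients[0] if rec.recipients else None,
    }


if __name__ == "__main__":
    rec = parse_spool_header(SAMPLE_SPOOL_H)
    if is_backscatter_bounce(rec):
        print("backscatter:", summarize(rec))
```

Run over the `-H` files in the spool input directory, this gives a queue-wide count of bounces that are only there because the server accepted mail for addresses it cannot deliver; that count is the number to watch while fixing the default-address setting, since it should fall to near zero once unknown recipients are refused during the SMTP dialogue.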

  2. #2
    Join Date: May 2006 | Location: India | Posts: 661
    Install RBLs and check if this helps to reduce the attack a bit.

  3. #3
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,090
    Your catch all address is being abused by spammers, as evidenced by this line:
    "059 Subject: Mail delivery failed: returning message to sender"
    They send to non-existent addresses on your account, and you're bouncing the mail to the actual victim (the return-to field is actually the intended recipient), so the spammer's message gets delivered...by *you*.

    Turn off "catch-alls", and set the default address to :fail:
    This won't completely fix it, but it will prevent a lot of the crap they are bouncing through you from hitting the actual targets since it refuses to accept delivery instead of accepting and then returning.
    Less load on the mail queue as well.
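To make the difference between the two behaviours concrete, here is an added Python model, not code from the thread, from cPanel or from Exim, of what one batch of forged-sender spam costs the server under each policy: accept the unknown recipient and bounce later (the situation in the thread), or refuse it during the SMTP dialogue, which is what a `:fail:` default address does. The mailbox names and the spam batch are constructed, and the valiases line shown in the docstring (`*: :fail: No Such User Here`) is the cPanel default-address syntax as I understand it, stated here as an assumption.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_USERS = {"info", "sales"}   # constructed: the mailboxes that really exist


@dataclass
class Result:
    rcpt_reply: str           # reply given at RCPT TO time
    queued: bool              # did our MTA take responsibility for the message?
    dsn_to: Optional[str]     # who receives a bounce from us afterwards, if anyone


def handle_rcpt(policy: str, local_part: str, return_path: str) -> Result:
    """Model one RCPT TO under a given policy.

    "accept_then_bounce": the message is accepted for any local part, routing
                          fails later, and a delivery failure report goes to
                          the Return-path, which the spammer chose.
    "fail_at_rcpt":       default address set to :fail:, i.e. a valiases line
                          like "*: :fail: No Such User Here" (assumed syntax);
                          the unknown recipient is refused in the SMTP dialogue,
                          nothing is queued and nothing is sent to anyone.
    """
    if local_part in LOCAL_USERS:
        return Result("250 Accepted", True, None)
    if policy == "fail_at_rcpt":
        return Result("550 No Such User Here", False, None)
    if policy == "accept_then_bounce":
        # a bounce is generated only when there is a non-null Return-path
        dsn = return_path if return_path != "<>" else None
        return Result("250 Accepted", True, dsn)
    raise ValueError(f"unknown policy {policy!r}")


def simulate(policy: str, spam_batch) -> dict:
    """Count queued messages, bounces sent, and third parties hit by them."""
    queued = bounces = 0
    victims = set()
    for local_part, return_path in spam_batch:
        r = handle_rcpt(policy, local_part, return_path)
        queued += int(r.queued)
        if r.dsn_to:
            bounces += 1
            victims.add(r.dsn_to)
    return {"queued": queued, "bounces_sent": bounces, "victims": sorted(victims)}


# Constructed batch: guessed local parts, each with a forged sender
SPAM_BATCH = [
    ("il", "sheqpnq@comcast.net"),
    ("john", "victim1@example.net"),
    ("mary", "victim2@example.org"),
    ("info", "victim3@example.org"),   # a real mailbox: accepted either way
    ("zz", "<>"),                      # null sender: nothing can be bounced
]

if __name__ == "__main__":
    for policy in ("accept_then_bounce", "fail_at_rcpt"):
        print(policy, simulate(policy, SPAM_BATCH))
```

The point bear makes shows up in the numbers: with accept-then-bounce every guessed address is queued and each one with a forged Return-path produces outbound mail to a third party; with `:fail:` only mail for real mailboxes enters the queue, so the spam for real users still needs RBL and content filtering, but the server stops generating the bounces that were loading the queue and hitting the forged senders.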

  4. #4
    Join Date: Nov 2004 | Location: USA | Posts: 41
    bear
    Your catch all address is being abused by spammers, as evidenced by this line:
    "059 Subject: Mail delivery failed: returning message to sender"
    They send to non-existent addresses on your account, and you're bouncing the mail to the actual victim (the return-to field is actually the intended recipient), so the spammer's message gets delivered...by *you*.

    Turn off "catch-alls", and set the default address to :fail:
    This won't completely fix it, but it will prevent a lot of the crap they are bouncing through you from hitting the actual targets since it refuses to accept delivery instead of accepting and then returning.
    Less load on the mail queue as well.
    I replied to another post almost the same as this one.
    Bear explained it there, but I understand it much better now!

    Thanks Bear!
