Как закрыть релей на Exim

[fix]

Здравствуйте!

Есть проблема: Работал почтовый сервак на экзиме, все было нормально , но вчера через него пошла левая почта. Судя по логам отпраляет ее сам сервак, а не пользователи из локальной сети. На сколько я понимаю у меня открытый релей.

подскажите как его закрыть на экзиме, что-бы через мня не слали почту

плиз горю!!!

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[zingel]

заголовок отправленного письма давайте....

[fix]

сори, я если честно слаб в админстве

где взять заголовок?

[zingel]

понятно, а с чего Вы взяли что у Вас релей и то, что эта почта - левая? Без конфига не скажу что у Вас где лежит....

[fix]

Код: Выделить всё

primary_hostname = ххххххххх

domainlist local_domains = @ : localhost : ххххххх

hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:/var/run/clamav/clamd
exim_user = mailnull
exim_group = mail
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 30s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
begin acl
:
acl_check_rcpt:
 accept  hosts = :
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
 accept  local_parts   = postmaster
          domains       = +local_domains
  require verify        = sender
  accept  domains       = +local_domains
          endpass
          verify        = recipient
 accept  domains       = +relay_to_domains
          endpass
          verify        = recipient
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *
  deny    message       = relay not permitted
  deny message = Forged IP in HELO.
        log_message = HELO is my IP
        condition = ${lookup {$sender_helo_name} \
        lsearch{/usr/local/etc/exim/my_ip.txt} \
        {yes}{no}}
  deny message = You are not in the office
        log_message = LOCAL_DOMAINS relay prohibited outside \
        LAN for $sender_address
        !hosts = +relay_from_hosts
        sender_domains = +local_domains
acl_check_data:
   deny message   = This message contains a virus ($malware_name).
        demime = *
:
        malware = *
  accept
...................

вот кусок конфига может поможет

[zingel]

грепайте заголоки в /var/spool/exim4/input/, это я могу предположить....телепатически....

[fix]

exim остановлен там пусто

мне стыдно прошу помоши а инфу предоставить немогу, есть лог экзима до остановки в нем чтото полезное может быть?

[zingel]

в логе нет заголовков, к сожалению, а нужны именно они, чтобы понять, зачем и кто и почему отправляет через Вас спам. Заголовки обычно тамже где и письма, в них они, вот пример такого письма мне и нужен.

[Alex Keda]

celz gпо уску конфига - у вас нет открытого релея.
при условии что локалка вся ваша.
======
дайте

Код: Выделить всё

tail -30 /var/log/exim/mainlog

[fix]

Вот письмо от маил сервера через который мой экзим по сарт хосту доставляет почту может оно поможет(сообщение о неудачной доставке)

his message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

cuquiodice@yahoo.com.mx
SMTP error from remote mail server after end of data:
host d.mx.mail.yahoo.com [66.196.82.7]: 554 delivery error:
dd Sorry your message to cuquiodice@yahoo.com.mx cannot be delivered. This account has been disabled or discontinued [#102]. - mta114.mail.re1.yahoo.com

------ This is a copy of the message, including all the headers. ------

Return-path: <www@ххххх.ххх.ua>
Received: from a2-157.ltk.com.ua ([ххх.ххх.ххх.ххх] helo=ххххх.ххх.ua)
by mx.ххх.ххх.ua with esmtp id 1KJTTN-0004gW-JY
for cuquiodice@yahoo.com.mx; Thu, 17 Jul 2008 16:24:42 +0300
Received: from www by ххххх.ххх.ua with local (Exim 4.53 (FreeBSD))
id 1KJTZd-000EaL-S6
for cuquiodice@yahoo.com.mx; Thu, 17 Jul 2008 16:31:09 +0300
To: cuquiodice@yahoo.com.mx
Subject: CITI BANK NEW YORK
From: VIKRAM PANDIT <citibankny@yahoo.com>
Reply-To: citibanknyusa@yahoo.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <E1KJTZd-000EaL-S6@ххххх.ххх.ua>
Sender: World Wide Web Owner <www@ххххх.ххх.ua>
Date: Thu, 17 Jul 2008 16:31:09 +0300
X-Spam-Flag: YES
X-Spam-Score: 5.9 (+++++)
X-Spam-Report: Spam detection software, running on the system "ns.ххх.ххх.ua", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: CITI BANK NEW YORK (WORLD BANK ASSISTED PROGRAMME) DIRECTORATE
OF INTERNATIONAL PAYMENT AND TRANSFERS. ADD. 111 WALL STREET, NEW YORK, NY
10043 USA Our Ref: WB/NF/CB/XX027 ATTN: [...]
Content analysis details: (5.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[ххх.ххх.ххх.ххх listed in zen.spamhaus.org]
2.1 SUBJ_ALL_CAPS Subject is all capitals
2.3 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
1.3 NA_DOLLARS BODY: Talks about a million North American dollars
-0.7 BAYES_20 BODY: Bayesian spam probability is 5 to 20%
[score: 0.1620]
-0.0 AWL AWL: From: address is in the auto white-list

CITI BANK NEW YORK
(WORLD BANK ASSISTED PROGRAMME)
DIRECTORATE OF INTERNATIONAL
PAYMENT AND TRANSFERS.
ADD. 111 WALL STREET,
NEW YORK, NY 10043
USA

Our Ref: WB/NF/CB/XX027

ATTN:


YOUR IMMEDIATE RELEASE OF YOUR INHERITANCE FUND:

Your mail has been received by this Office together with your Contact Informations. Be informed that we need your Bank Details where the Fund will be transfered to you.

Meanwhile, we are not asking you to pay any Fee, because our work here in New York is to satisfy each and everyone of our BENEFICIARIES. Be informed that the entire Fund will be wired into your Nominated Bank Account as soon we concludes this transaction with you.

What you will have to do is to follow all our Instructions so that you can receive your Fund amicably from us to avoid diversion of your Fund into a wrong Account.

Therefore, you are advised to choose any of these two options below and get back to us on how you want the Fund to be transfered to you safer:

1. Do you want to come to our Office in New York and pick up your Fund of $8 Million US Dollars?

2. Do you want us to transfer your Fund of $8 Million US Dollars into your Nominated Bank Account?

Kindly get back to us so that we can know the next step to follow as we are looking forward to be hearing from you soonest.

Regards.
VIKRAM PANDIT,
(PRESIDENT/ CEO CITI BANK, NEW YORK

[Alex Keda]

Код: Выделить всё

Received: from www 

дырки на сайте, который на локальной машине - зкрывайте.

[zingel]

+1

грепайте код на предмет функций mail() в формах

[Fix]

вот

2008-07-18 11:12:18 1KJl2y-000I24-E8 => peterchenguangzhou@126.com R=dnslookup T=remote_smtp H=126.mxmail.netease.com [220.181.15.198]
2008-07-18 11:12:18 1KJl2y-000I24-E8 Completed
2008-07-18 11:12:25 1KJl3V-000I5a-VU davidpereira.ws [64.70.19.33] Operation timed out
2008-07-18 11:12:25 1KJl3V-000I5W-U8 wortiz.ws [64.70.19.33] Operation timed out
2008-07-18 11:12:25 1KJl3V-000I5a-VU == vortexmarketinggroup@davidpereira.ws R=dnslookup T=remote_smtp defer (60): Operation timed out
2008-07-18 11:12:25 1KJl3V-000I5W-U8 == vortex@wortiz.ws R=dnslookup T=remote_smtp defer (60): Operation timed out
2008-07-18 11:12:28 1KJl3X-000I74-5r prodigy.com [207.115.17.26] Operation timed out
2008-07-18 11:12:28 1KJl3X-000I74-5r == weba49a@prodigy.com R=dnslookup T=remote_smtp defer (60): Operation timed out
2008-07-18 11:12:35 1KJl03-000EXQ-Lt SMTP timeout while connected to g.mx.mail.yahoo.com [206.190.53.191] after initial connection: Operation timed out
2008-07-18 11:12:35 1KJl03-000EXQ-Lt == beautyqueen4202002@yahoo.com <Beautyqueen4202002@yahoo.com> R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to g.mx.mail.yahoo.com [206.190.53.191] after initial connection
2008-07-18 11:12:42 1KJl3Y-000I8K-8W => whm9205mc@126.com R=dnslookup T=remote_smtp H=126.mxmail.netease.com [220.181.15.192]
2008-07-18 11:12:42 1KJl3Y-000I8K-8W Completed
2008-07-18 11:12:54 1KJl0C-000Ehm-6e SMTP timeout while connected to mail10.yuhknow.com [64.34.174.151] after initial connection: Operation timed out
2008-07-18 11:12:55 1KJl0C-000Ehm-6e => garfield1@yuhknow.com R=dnslookup T=remote_smtp H=mail10.yuhknow.com [208.77.101.79]
2008-07-18 11:12:55 1KJl0C-000Ehm-6e Completed
2008-07-18 11:12:55 1KJl0N-000Evb-Fx SMTP timeout while connected to g.mx.mail.yahoo.com [209.191.88.239] after initial connection: Operation timed out
2008-07-18 11:12:55 1KJl0N-000Evb-Fx == nervbraker@yahoo.com <Nervbraker@yahoo.com> R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to g.mx.mail.yahoo.com [209.191.88.239] after initial connection
2008-07-18 11:12:57 1KJkzS-000Ds0-Gf SMTP timeout while connected to e.mx.mail.yahoo.com [216.39.53.1] after initial connection: Operation timed out
2008-07-18 11:12:57 1KJkzS-000Ds0-Gf == w8ting4eas@yahoo.com R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to e.mx.mail.yahoo.com [216.39.53.1] after initial connection
2008-07-18 11:13:03 1KJl2s-000Hw5-O3 park.funnel.revenuedirect.com.akadns.net [66.150.161.57] Operation timed out
2008-07-18 11:13:03 1KJl2s-000Hw5-O3 == omri.arbel@gamail.com R=dnslookup T=remote_smtp defer (60): Operation timed out
2008-07-18 11:13:06 1KJl0V-000F5e-Em SMTP timeout while connected to f.mx.mail.yahoo.com [209.191.88.247] after initial connection: Operation timed out
2008-07-18 11:13:06 1KJl0V-000F5e-Em == schwarzeneggerdoris2004@yahoo.com <Schwarzeneggerdoris2004@yahoo.com> R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to f.mx.mail.yahoo.com [209.191.88.247] after initial connection
2008-07-18 11:13:09 1KJl0P-000Exd-0Z SMTP timeout while connected to b.mx.mail.yahoo.com [66.196.97.250] after initial connection: Operation timed out
2008-07-18 11:13:09 1KJl0P-000Exd-0Z == grlewey@yahoo.com R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to b.mx.mail.yahoo.com [66.196.97.250] after initial connection
2008-07-18 11:13:11 1KJl0a-000FBE-5a SMTP timeout while connected to e.mx.mail.yahoo.com [216.39.53.1] after initial connection: Operation timed out
2008-07-18 11:13:11 1KJl0a-000FBE-5a == hopeglenus@yahoo.com R=dnslookup T=remote_smtp defer (60): Operation timed out: SMTP timeout while connected to e.mx.mail.yahoo.com [216.39.53.1] after initial connection

[Alex Keda]

Код: Выделить всё

Received: from www 

дырки на сайте, который на локальной машине - зкрывайте.

[zingel]

спамят через кривые формы на Вашем сайте, закрывайте дыру иначе Вас закроет хостер или провайдер

[fix]

значит через сайт
блин не я его делал не понятно как закрыть дыру

а точно через него локальное имя машины ведь тоже www?

[zingel]

да без разницы, показывает от какого пользователя, а пользователь сриптов у Вас www, apache пользователь

[fix]

вот что интересно посмотрел лог апача собственно никто кроме меня и поисковых ситем к сайту не обрашался (((

[zingel]

плохо смотрели