
Re: smtp server, hammered to death?



On Mon, Sep 08, 2003 at 07:20:58PM +0200, smurfd wrote:

| I recently read a great article on debianplanet, that was about how to
| setup a courier/exim (imap / smtp) server. Everything worked out fine,
| until after say a week.. then I heard one night that the box started
| working like a mad one. I checked, it had a load average above 50,00. So
| I pulled the tcp cable.. the day after I saw in the logs what looked
| like some mailservers had been using me as a relay or something.. so I
| tightened the security up a lot by blocking all the
| incoming/outgoing/forwarded traffic at my (local) gateway from that host's
| MXes.
| 
| Then I got my /var/log/exim/mainlog file filled with lines looking like:
| 2003-09-08 06:25:13 19w88k-0005Cw-00 == someone@host T=remote_smtp defer
| (110): Connection timed out
| 
| Where the host is always the same, and the someone differs..

Is 'host' a valid host?  (why hide it from us anyways?)  What about
the 'someone'?  Are these contacts of yours or do they look like
something from a spam run or DDoS attack?  It's quite possible that
the admin(s) of 'host' have blocked your machine at their firewall
once they noticed the "attack".  (or maybe that host just doesn't
exist)

| In 8 hours my logs were about 50-100 MB filled with similar lines...

Must be a lot of messages for the retries to generate that much log
info!

| So I thought, "well I do a fresh install, and these things should go
| away.."
| I did, but no difference.

I don't know what you mean by "fresh install".

| So I googled and asked around a bit on irc networks, and the idea someone
| gave me was that I was getting probed from some spammer wanting me as
| their relay or smtp-proxy..

Quite possible, perhaps even probable (unless you or a client/user of
yours tried sending the messages to those email accounts).

| Now my box doesn't work that hard anymore, but it's darn frustrating..
| since the logs get huge in no time..

| The courier setup seems to work perfect, but it seems to be the smtp
| that is the problem...

Read up on SMTP and exim and how to secure your mail server.  The
problem could be insufficient/incorrect relay controls in your exim
config or you might be running some other security hole (such as
formmail.pl) that provides unauthorized use of your mail
infrastructure.

| Has anyone stumbled into similar situations, and is there a way to get
| rid of those "probes"?

Those aren't "probes" ... exim has messages on the queue and it is
dutifully trying to deliver them like it was told to.  What you need
to do now is clean out your mailq and close the hole that allowed your
system to be abused.

As for cleaning out the queue:
    .   'mailq' will report on the messages in the queue
    .   'exim -Mrm <foo>' will remove the message with id '<foo>'
You can either remove them one at a time, manually, or combine some
unix utils (eg grep or sed or awk) to automate the process of
extracting all message ids of messages addressed to that host and then
instructing exim to drop it.
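One way to automate that last step, as an added example that is not part of -D's reply: a POSIX shell script that scans `mailq` (exim -bp) output for messages still holding an undelivered recipient at the offending host and hands the message IDs to `exim -Mrm`. The queue listing below is constructed for illustration, and `host.example` stands in for the real host.

```shell
#!/bin/sh
# Added example, not from the original post. Relies on exim's `mailq` layout:
# a header line "age size message-id <sender>" followed by one indented
# recipient per line, with already-delivered recipients prefixed by "D".

# Constructed sample of `mailq` output (three queued messages).
SAMPLE_MAILQ='25m  2.9K 19w88k-0005Cw-00 <someone@example.net>
          victim1@host.example

 3h  1.1K 19w8A1-0005Dd-00 <other@example.org>
          D delivered@host.example
            victim2@host.example

10m  4.0K 19w8B2-0005Ee-00 <me@example.com>
          friend@elsewhere.example'

# Print the IDs of queued messages with an undelivered recipient at $1.
# Reads mailq output on stdin; each ID is printed once.
queued_ids_for_host() {
    awk -v host="$1" '
        # Header line: third field is the message id, fourth the <sender>.
        $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && $4 ~ /^</ { id = $3; next }
        # "D" marks a recipient already delivered; nothing left to purge there.
        $1 == "D" { next }
        # Remaining non-blank lines are pending recipients.
        NF > 0 {
            n = split($1, parts, "@")
            if (n == 2 && parts[2] == host && !seen[id]++) print id
        }'
}

# Remove those messages from the live queue. DRY_RUN=1 only prints the
# commands, which is worth doing once before touching a real queue.
purge_queue_for_host() {
    mailq | queued_ids_for_host "$1" | while read -r id; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: exim -Mrm $id"
        else
            exim -Mrm "$id"
        fi
    done
}

# Demonstration on the constructed listing (prints the two IDs for host.example).
printf '%s\n' "$SAMPLE_MAILQ" | queued_ids_for_host host.example
```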

HTH,
-D

-- 
Whoever loves discipline loves knowledge,
but he who hates correction is stupid.
        Proverbs 12:1
 
http://dman13.dyndns.org/~dman/
