
Re: Are people trying to relay mail through my system?



On 24 Sep 2023 20:58 -0600, from rickmacd@shaw.ca (Rick Macdonald):
> My /var/log/.exim4/log file is flooded with messages such as shown below.
> I'm not trying to send mail to any of those .co or .com addresses. I use my
> ISP (shaw.ca cable provider) as a smarthost.
> 
> Are people trying to use my system as a relay?

The log snippet you show doesn't include enough information to tell
for certain where those emails were originally accepted from, but
given what you wrote I wouldn't dismiss the possibility out of hand.

> If so, can I block them
> without cutting myself off from remote access to the IMAP server I run on my
> system?

You don't seem to be exposing any SMTP server to the outside world, so
I don't know what might reasonably be going on. Otherwise blocking off
TCP ports 25 and 587 would probably have been a good place to start.

IMAP and SMTP solve completely different problems and last I looked
Exim didn't even talk IMAP, so even blocking off one should have zero
effect on the other.


> Sorry if I sound lame. I set this up over 20 years ago and haven't done
> anything to it since.

If you set it up in the early 2000s and haven't done anything since
then, there's certainly a non-zero probability that it's set up as an
open relay. But although that's a potential problem, it would only be
a _big_ problem if it was accessible from outside of your network,
which does not _immediately_ appear to be the case.

However, on a semi-unrelated note, you might want to make sure that
the firmware and software are up to date on everything you _do_ expose
to the Internet. It looks like ASUS' web server has had stack-smashing
vulnerabilities previously (not sure if the RT-AC66U is affected), and
whatever is running through Restlet Framework on port 23424 reports a
version of server software that hasn't been updated since 2014. And
that's just some of what I plausibly found barely looking.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
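
The reply above turns on where the messages were originally accepted from. The following is an added example, not part of the original message or of Exim, showing one way to read that from an Exim main log: it pairs each `<=` arrival line with its onward deliveries and flags mail that came in from outside the network and was sent on to a remote host. The sample log lines are constructed, the function names are hypothetical, and the RFC 1918 ranges are assumed to stand for "your network".

```python
import ipaddress
import re

# Constructed sample in Exim's default main-log layout (not taken from the post).
SAMPLE_LOG = """\
2023-09-24 20:01:02 1qkA1b-0001Ab-2C <= rick@localhost U=rick P=local S=812
2023-09-24 20:01:03 1qkA1b-0001Ab-2C => friend@example.org R=smarthost T=remote_smtp_smarthost H=mail.example.net [192.0.2.10]
2023-09-24 20:03:15 1qkA2c-0001Cd-3D <= printer@lan.example H=(printer) [192.168.1.20] P=esmtp S=1504
2023-09-24 20:03:16 1qkA2c-0001Cd-3D => rick <rick@localhost> R=local_user T=mail_spool
2023-09-24 20:05:40 1qkA3d-0001Ef-4E <= promo@example.com H=(mx) [203.0.113.77] P=esmtp S=2291
2023-09-24 20:05:41 1qkA3d-0001Ef-4E => someone@example.co R=smarthost T=remote_smtp_smarthost H=mail.example.net [192.0.2.10]
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)(.*)$")      # id, envelope sender, rest
DELIVERY = re.compile(r"^\S+ \S+ (\S+) [=-]> (\S+)(.*)$")  # id, recipient, rest
HOST_IP = re.compile(r"\bH=.*?\[([0-9A-Fa-f.:]+)\]")       # H=name [ip]

def origin_of(rest):
    """Classify where a message was accepted from, using the H=... [ip] field."""
    m = HOST_IP.search(rest)
    addr = ipaddress.ip_address(m.group(1)) if m else None
    if addr is None or addr.is_loopback:
        return "local"    # no remote host recorded, or loopback: this machine
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "lan"
    return "outside"

def classify_arrivals(log_text):
    """Map message id -> (envelope sender, origin) for each '<=' line."""
    out = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            out[m.group(1)] = (m.group(2), origin_of(m.group(3)))
    return out

def relayed_from_outside(log_text):
    """Remote deliveries of messages that were accepted from outside the network."""
    arrivals = classify_arrivals(log_text)
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY.match(line)
        if m and HOST_IP.search(m.group(3)):  # H= on a delivery line: sent to a remote host
            sender, origin = arrivals.get(m.group(1), ("?", "unknown"))
            if origin == "outside":
                hits.append((m.group(1), sender, m.group(2)))
    return hits
```

An empty result from `relayed_from_outside` on the real log means the unwanted mail was submitted locally or from the LAN, which points at a local process or account rather than an exposed relay.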

