/etc/userdomains
Greetings All,
I've been having a problem with remote IPs connecting to my smtp server trying to send spam through it. So far my spamassassin is blocking almost all of it but ideally I would prefer not to have them be able to connect at all. My eximstats log lists the vast majority of remote smtp connections as unauthorized. I have been looking through files referenced in WHM's exim advanced configuration page trying to determine how they can connect without authenticating. My searches eventually came to /etc/userdomains which contained a line with my domain and profile preceded by the following line:
*: nobody
This seemed to me to be exactly the kind of entry that could allow unauthorized connections from any ip. I am a linux newbie, obviously. I am hoping that someone here will lend me their knowledge and experience and tell me:
1) Am I correct about this ... would the line above allow unauthorized connections from any IP?
2) What other files should I look at?
So far I've just been going through every file referenced in Exim's Advanced Configuration page. I also recently changed exim's config so that the log settings were set to +all, so everything that can be logged should end up being logged to /var/log/exim_mainlog
Thanks in advance.
:-)
pjimerson
-
My eximstats log lists the vast majority of remote smtp connections as unauthorized. I have been looking through files referenced in WHM's exim advanced configuration page trying to determine how they can connect without authenticating.
Hello, It's likely the messages are coming through a PHP script. Could you verify which PHP handler is enabled (E.g. suPHP, DSO) on the instance of PHP installed on your system? Note the following document is the best place to start when attempting to prevent email abuse: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation Thank you.0 -
Hello, Do you have shell access? If so, please run the following script grep "[COLOR=rgb(53, 28, 117)]cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n [COLOR=rgb(53, 28, 117)]NB:This will check the script that will originate spam mails. [COLOR=rgb(53, 28, 117)] NB:It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 15 connection you can block it in the server firewall. #netstat -plan | grep :25 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1 NB:The following script will give the summary of mails in the mail queue. exim -bpr | exiqsumm -c | head Thank you, 0
Please sign in to leave a comment.
Comments
2 comments