LinuxQuestions.org

exim like open relay problem (https://www.linuxquestions.org/questions/linux-distributions-5/exim-like-open-relay-problem-775329/)

classic 12-13-2009 08:00 AM

exim like open relay problem
 
hi,

I have cPanel with Exim as mail server.
I checked if it is an open relay and it is not.
I disabled user nobody from sending mails (php and cgi),
but I have spammers on my server, don't know how
they send mails from my server. When I check the
cPanel mail queue I saw that they send mails from
domains that don't exist on my server, so I telneted to
my server:

telnet localhost 25

helo localhost

mail from:m@hotmail.com

rcpt to:m@hotmail.com
accepted

data
test
.

quit

and it sent the mail, so localhost can send any emails it wants.
(m@hotmail.com) is not a local domain!!!!

So how do I disable localhost from sending mails except if
the sender is a real user @ my real local domain?

Please help me, my server is now blocked, because it sends more and
more spam.

thanks.

datopdog 12-14-2009 01:49 AM

The better approach is to determine how these people have access to send mail via your localhost (which means your machine is already compromised) and then sort that out.

classic 12-14-2009 03:01 AM

hi,

yes, thanks.

My issue is I am new to Exim and cPanel;
I just prefer sendmail with my manual configuration.

So I ran netstat -panel | grep :25

and I saw perl (x.pl) scripts running on port 25,

so I did ps -ef | grep x.pl

and saw the user who ran the scripts and suspended his account,

and closed port 25 from remote connections too by iptables.

Till now the spammer has stopped, so maybe it is solved.
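
The two checks from this post, as an added example that is not part of the thread: a small POSIX sh script that parses netstat -panel and ps -ef output and flags any process touching port 25 that is not the expected MTA, then looks up the owner of that PID. The sample netstat/ps lines are constructed, and the user name and script path in them are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces offline the two checks from
# the post above, (1) which processes touch port 25 but are not the expected
# MTA, (2) which user owns such a PID. Input is `netstat -panel` / `ps -ef`
# text; the sample lines below are constructed and "user42" is a placeholder.

# Constructed `netstat -panel` output:
# Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program
SAMPLE_NETSTAT='tcp  0 0 0.0.0.0:25      0.0.0.0:*       LISTEN      8    12345 1234/exim
tcp  0 0 127.0.0.1:25    127.0.0.1:41233 ESTABLISHED 8    12346 1234/exim
tcp  0 0 127.0.0.1:41233 127.0.0.1:25    ESTABLISHED 1003 12350 4567/perl
tcp  0 0 0.0.0.0:22      0.0.0.0:*       LISTEN      0    11111 999/sshd'

# Constructed `ps -ef` output (UID PID PPID C STIME TTY TIME CMD):
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Dec13 ?        00:00:01 /sbin/init
mailnull  1234     1  0 Dec13 ?        00:00:05 /usr/sbin/exim -bd -q1h
user42    4567  4560  0 02:10 ?        00:00:00 perl /home/user42/public_html/forum/x.pl'

# find_rogue_smtp [mta]: read netstat lines on stdin, print "PID PROGRAM UID" for
# every TCP socket whose local or remote end is port 25 and whose program name
# is not the expected MTA (default exim). Checking both ends catches a script
# that only connects to the local MTA as well as one that binds the port.
find_rogue_smtp() {
    mta="${1:-exim}"
    awk -v mta="$mta" '
        $1 ~ /^tcp/ && ($4 ~ /:25$/ || $5 ~ /:25$/) {
            split($NF, prog, "/")       # "4567/perl" -> prog[1]=pid, prog[2]=name
            if (prog[1] == "-") { prog[1] = "?"; prog[2] = "?" }  # not visible to this user
            if (prog[2] != mta) print prog[1], prog[2], $7
        }'
}

# owner_of_pid PID: read `ps -ef` lines on stdin, print "UID CMD" for that PID.
owner_of_pid() {
    awk -v pid="$1" '
        $2 == pid {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i   # CMD may contain spaces
            print $1, cmd
        }'
}

# Stand-alone run over the samples (live: netstat -panel | find_rogue_smtp).
printf '%s\n' "$SAMPLE_NETSTAT" | find_rogue_smtp exim | while read -r pid prog uid; do
    printf 'port-25 process %s (%s, uid %s) owned by: ' "$pid" "$prog" "$uid"
    printf '%s\n' "$SAMPLE_PS" | owner_of_pid "$pid"
done
```

On a live system, /proc/<pid>/cwd and /proc/<pid>/fd of a flagged PID usually show where a script was started from even when it can no longer be found on disk.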

datopdog 12-14-2009 03:03 AM

The question is how a normal user was able to escalate their privileges to bind to port 25? You need to investigate that and fix that vulnerability.

classic 12-14-2009 12:50 PM

hi,

thanks for your support.

As you said, I don't know how this could be.

Before I suspended his account I searched the entire file system
for that script and didn't find it, so could it be a hidden perl
script in his site code (php forums)?
