Hi folks,
I just updated my server to close the
exim dkim exploit. Five days due since it's been out officaly.
I checked my logs to see if I could find any evidence of a break in but could not see any. Just the "normal" people trying to relay through. Also last log does not shown any awkward things. No changes in services or iptables rules. The only thing "new" is this
Code:
2012-10-21 18:41:57 [14112] SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "DATA" H=(admin-silo5yeiy) [163.177.112.103]:3748 I=[xx.169.xx.xx]:25 next input="RSET\r\nMAIL FROM:<mrwc@my_domain.tld>\r\nRCPT TO:<xingkong868@126.com>\r\nDATA\r\n"
as well as some people trying to AUTH with the service also AUTH is not advertised. This ones are new.
Next to the question does anyone know of log lines to watch out for that indicate an exploit (succesfull or not) is that within the link above they state that one is not vunerable if one has the warn control = dkim_disable_verify. As far as I know warn is the action taken by exim if the contidtion control = dkim_disable_verify holds true. So I have accept control = dkim_disable_verify. Which is not the same but does it help?
As my mail is not serving any offical stuff and no mail address is known to outside I put my risk beeing a target down. But wearing a bullet proof vest always looks hilerious if one gets head shoot
.
All this is on a virtual server now running debian 6.0.6. Should be 6.0.5 before that.
So anyone got anything on this?
