# exim still sending spam w/ default .conf

## incidenta5

I just installed exim w/ the default configuration. It shouldn't be relaying anything, however I see a bunch of these messages in the main exim log. They are all coming in as spam and I want to block it by default, so that I only receive email and deliver it to local accounts. My outgoing bandwidth usage jumped up a few hundred Mb just yesterday, which hinted at exim not being configured properly. Before I go blacklisting IPs I want to make sure that it's not relaying spam.

Any Thoughts?

-I

Messages like this (~50k of them since yesterday, a variety of different ones):

```
2008-04-29 10:53:31 1JqqIK-0000Sa-JG == <someemailaddr> R=dnslookup T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: <target host>: 452 try later
2008-04-29 10:58:43 1Jqps3-0000L1-6b => <someemailaddr>  R=dnslookup T=remote_smtp H=<host>
2008-04-29 10:58:43 1JqqGY-0000Mr-LK == <someemailaddr>  routing defer (-51): reusing SMTP connection skips previous routing defer
2008-04-29 10:58:43 1JqpsM-0000LX-N5 => <someemailaddr>  R=dnslookup T=remote_smtp H=<host>*
```

My exim.conf

```
domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

av_scanner = clamd:/var/run/clamd.exim/clamd.sock

tls_advertise_hosts = *
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

# Empty list: SMTP AUTH is advertised to nobody (and no authenticators are defined below).
auth_advertise_hosts =

begin acl

acl_check_rcpt:
  # Refuse any recipient outside the local domains before anything else.
  # With this in place no client, not even one in relay_from_hosts or an
  # authenticated one, can relay outbound mail through this host.
  require domains = +local_domains
          log_message = no relay.

  # Local (non-TCP) callers, e.g. the command line, are accepted as-is.
  accept  hosts = :

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission

  accept  authenticated = *
          control       = submission

  # relay_to_domains is the named list defined at the top of the file
  # (it is empty, so only local domains pass here).
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept

acl_check_data:
  accept

acl_check_mime:
  # File extension filtering.
  deny message = Blacklisted file extension detected
       condition = ${if match \
                        {${lc:$mime_filename}} \
                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                     {1}{0}}

  accept

begin routers

# Anything not for a local domain goes out over SMTP (this is the only
# router that can send mail off the box).
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe

localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

dovecot_router:
  driver = accept
  require_files = +/home/mail/users/${local_part}/
  transport = dovecot_transport

begin transports

remote_smtp:
  driver = smtp

dovecot_transport:
  driver = appendfile
  user = dovecot
  group = dovecot
  mode = 0600
  directory=/home/mail/users/${lc:$local_part}/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true

procmail:
  driver = pipe
  command = "/usr/bin/procmail -d $local_part"
  return_path_add
  delivery_date_add
  envelope_to_add
  user = $local_part
  initgroups
  return_output

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators
```

----------

## SeaTiger

A bandwidth jump of a few hundred Mb is a lot... :Shocked:

Is this a production server or a personal machine?

Try setting up a standalone exim log (http://www.exim.org/exim-html-4.20/doc/html/spec_44.html) and post a longer log.

```
  <=     message arrival
  =>     normal message delivery
  ->     additional address in same delivery
  *>     delivery suppressed by -N
  **     delivery failed; address bounced
  ==     delivery deferred; temporary problem
```

```
2008-04-29 10:53:31 1JqqIK-0000Sa-JG == <someemailaddr> R=dnslookup T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: <target host>: 452 try later
```

Deferred delivery, not out yet.

```
2008-04-29 10:58:43 1Jqps3-0000L1-6b => <someemailaddr>  R=dnslookup T=remote_smtp H=<host>
```

Delivery... (trying, does not mean successful delivery)

```
2008-04-29 10:58:43 1JqqGY-0000Mr-LK == <someemailaddr>  routing defer (-51): reusing SMTP connection skips previous routing defer
```

Deferred delivery, not out yet.

```
2008-04-29 10:58:43 1JqpsM-0000LX-N5 => <someemailaddr>  R=dnslookup T=remote_smtp H=<host>* 
```

Delivery... (trying, does not mean successful delivery)

Those lines only show outgoing (or attempted outgoing) log entries. We should look for lines with "<=", which mean an incoming message. Mail always has to come in first, then be sent (relayed) out.

----------

## incidenta5

The machine is located at a hosting company in CA, and it's essentially serving up my personal site. The only open ports are http, smtp, smtps, pop3s, ssh (all TCP). I think the outgoing bandwidth may have been more updates/apache than exim in this case, although I didn't have a log analyzer or bandwidth tool running at the time.

More log entries:

```
2008-04-29 10:12:54 1JqqZe-0001IN-Sn Frozen (delivery error message)
2008-04-29 10:12:54 1JqqZf-0001IR-AB ** scgoqmsovmrt@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<scgoqmsovmrt@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 q20si12770175pog.0
2008-04-29 10:12:54 1JqqZf-0001IR-AB Frozen (delivery error message)
2008-04-29 10:12:54 1JqqKQ-0000V4-Cy == hsin.h1118@msa.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:54 1JqqKQ-0000V4-Cy == hsiu.lai@msa.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:55 1JqqHO-0000PY-3w msa-mx3.hinet.net [168.95.6.116] Connection timed out
2008-04-29 10:12:55 1JqqHO-0000PY-3w == hsiao.tiffany@msa.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:56 1JqqZj-0001Ia-Gh <= <> R=1JqqKR-0000Ue-1r U=exim P=local S=2970
2008-04-29 10:12:56 1JqqZj-0001Ic-UA <= <> R=1JqqHO-0000PY-3w U=exim P=local S=3769
2008-04-29 10:12:56 1JqqZj-0001Ib-HS <= <> R=1JqqKQ-0000V4-Cy U=exim P=local S=3509
2008-04-29 10:12:56 1JqqZh-0001IX-4A ** rpomf@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<rpomf@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y11si12727379pod.9
2008-04-29 10:12:56 1JqqZh-0001IX-4A Frozen (delivery error message)
2008-04-29 10:12:56 1JqU6T-0002V1-Tt msa-mx4.hinet.net [168.95.6.123] Connection timed out
2008-04-29 10:12:58 1JqqJL-0000U2-PN msa-mx3.hinet.net [168.95.6.116] Connection timed out
2008-04-29 10:12:58 1JqqJL-0000U2-PN == gone.gd75@msa.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:58 1JqU6I-0002Rv-Eo ms28a.hinet.net [168.95.5.28] Connection timed out
2008-04-29 10:12:58 1JqU6I-0002Rv-Eo == pay-tsern@ms28.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:58 1JqqZm-0001Il-N2 <= <> R=1JqqJL-0000U2-PN U=exim P=local S=3640
2008-04-29 10:12:59 1JqqZj-0001Ia-Gh ** louvhw@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<louvhw@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 m27si12732754pof.1
2008-04-29 10:12:59 1JqqZj-0001Ia-Gh Frozen (delivery error message)
2008-04-29 10:12:59 1JqqZj-0001Ic-UA ** wkcosd@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<wkcosd@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 m26si12743621pof.6
2008-04-29 10:12:59 1JqqZj-0001Ic-UA Frozen (delivery error message)
2008-04-29 10:12:59 1JqqZj-0001Ib-HS ** uozwr@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<uozwr@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 n22si12782744pof.13
2008-04-29 10:12:59 1JqqZj-0001Ib-HS Frozen (delivery error message)
2008-04-29 10:13:01 1JqqZm-0001Il-N2 ** lociswldxxbi@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<lociswldxxbi@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 m28si12728015poh.8
2008-04-29 10:13:01 1JqqZm-0001Il-N2 Frozen (delivery error message)
2008-04-29 10:13:02 1JqU1s-00019W-MR ms14a.hinet.net [168.95.5.14] Connection timed out
2008-04-29 10:13:02 1JqU1s-00019W-MR == sib03655@ms14.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:13:05 1JqU6I-0002Rv-Eo => samantha.fan@skm.com.tw R=dnslookup T=remote_smtp H=mail.skm.com.tw [211.75.102.228]
2008-04-29 10:13:06 1Jqq1V-0000yf-0O => kenlon@ms4.url.com.tw R=dnslookup T=remote_smtp H=mx3.url.com.tw [210.59.228.113]
2008-04-29 10:13:07 1JqqZu-0001It-VT <= <> R=1Jqq1V-0000yf-0O U=exim P=local S=4221
2008-04-29 10:13:07 1JqU5v-00023E-FB => a101172@ms25.hinet.net R=dnslookup T=remote_smtp H=ms25a.hinet.net [168.95.5.25]
2008-04-29 10:13:07 1JqU5D-0001o6-Hx Spool file is locked (another process is handling this message)
2008-04-29 10:13:07 1Jqptc-0000cU-Tf msz.pchome.com.tw [211.20.188.139] Connection timed out
2008-04-29 10:13:07 1JqqZv-0001Iz-He <= <> R=1JqU5v-00023E-FB U=exim P=local S=3080
2008-04-29 10:13:07 1Jqptc-0000cU-Tf == jemi@msz.pchome.com.tw R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:13:08 1JqqZv-0001J2-RA <= <> R=1JqU5v-00023E-FB U=exim P=local S=1246
2008-04-29 10:13:08 1JqU60-0001qu-1P ms19a.hinet.net [168.95.5.19] Connection timed out
2008-04-29 10:13:08 1Jqq1K-00013B-Mv ** foolish@ms38.url.com.tw R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx3.url.com.tw [210.59.228.113]: 554  mail server permanently rejected message (#5.3.0)
2008-04-29 10:13:08 1Jqq1K-00013B-Mv ** a0987321@ms3.url.com.tw R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<a0987321@ms3.url.com.tw>: host mx3.url.com.tw [210.59.228.113]: 550 user disabled
2008-04-29 10:13:08 1JqU60-0001qu-1P == joan@ms19.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:13:09 1JqqKa-0000V8-H7 msa-mx6.hinet.net [168.95.6.142] Connection timed out
2008-04-29 10:13:09 1JqqKa-0000V8-H7 == jimlin1629@msa.hinet.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:13:10 1JqqZy-0001J8-0F <= <> R=1JqqKa-0000V8-H7 U=exim P=local S=3441
2008-04-29 10:13:10 1JqqZu-0001It-VT ** cxqcxnqdt@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cxqcxnqdt@gmail.com>: host gmail-smtp-in.l.google.com [72.14.253.27]: 550-5.1.1 This Gmail user does not exist. Please try double-checking\n550-5.1.1 the recipient's email address for typos or unnecessary spaces.\n550-5.1.1 Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 q20si12755781pog.0
```

I tried this config with some automated open-relay testers and got the following entries:

```
2008-04-29 13:50:21 H=www.abuse.net [208.31.42.77] F=<spamtest@abuse.net> rejected RCPT <securitytest@abuse.net>
2008-04-29 13:50:22 H=www.abuse.net [208.31.42.77] F=<> rejected RCPT <securitytest@abuse.net>
2008-04-29 13:50:22 H=www.abuse.net [208.31.42.77] F=<spamtest@<my site>.com> rejected RCPT <securitytest@abuse.net>
2008-04-29 13:50:23 H=www.abuse.net [208.31.42.77] F=<spamtest@<my site>.com> rejected RCPT <securitytest%abuse.net@<my site>.com>: Restricted characters in address
2008-04-29 13:50:24 H=www.abuse.net [208.31.42.77] F=<spamtest@<my site>.com> rejected RCPT <"securitytest@abuse.net"@<my site>.com>: Restricted characters in address
2008-04-29 13:50:24 SMTP call from www.abuse.net [208.31.42.77] dropped: too many nonmail commands (last was "RSET")
2008-04-29 13:59:12 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=santuario.pads.ufrj.br [146.164.48.5] U=spamtest input="HELO antispam-ufrj.pads.ufrj.br\r\n"
2008-04-29 13:59:33 H=santuario.pads.ufrj.br (antispam-ufrj.pads.ufrj.br) [146.164.48.5] U=spamtest F=<spamtest@antispam-ufrj.pads.ufrj.br> rejected RCPT <relaytest@antispam-ufrj.pads.ufrj.br>
2008-04-29 13:59:42 H=santuario.pads.ufrj.br (antispam-ufrj.pads.ufrj.br) [146.164.48.5] U=spamtest F=<spamtest@antispam-ufrj.pads.ufrj.br> rejected RCPT relaytest@antispam-ufrj.pads.ufrj.br
2008-04-29 14:00:05 H=santuario.pads.ufrj.br (antispam-ufrj.pads.ufrj.br) [146.164.48.5] U=spamtest F=<> rejected RCPT <relaytest@antispam-ufrj.pads.ufrj.br>
2008-04-29 14:00:27 H=santuario.pads.ufrj.br (antispam-ufrj.pads.ufrj.br) [146.164.48.5] U=spamtest F=<spamtest@portal.<my site>.com> rejected RCPT <relaytest@antispam-ufrj.pads.ufrj.br>
2008-04-29 14:00:34 SMTP call from santuario.pads.ufrj.br (antispam-ufrj.pads.ufrj.br) [146.164.48.5] U=spamtest dropped: too many syntax or protocol errors (last command was "MAIL FROM: <spamtest@[208.111.34.92]>")
2008-04-29 14:00:39 H=www.rbl.jp (h.rbl.jp) [218.45.239.250] F=<rlychk@h.rbl.jp> rejected RCPT <rlytest@rbl.jp>
2008-04-29 14:00:39 H=www.rbl.jp (h.rbl.jp) [218.45.239.250] F=<> rejected RCPT <rlytest@h.rbl.jp>
2008-04-29 14:00:40 H=www.rbl.jp (h.rbl.jp) [218.45.239.250] F=<rlychk@mail.<my site>.com> rejected RCPT <rlytest@h.rbl.jp>
2008-04-29 14:00:40 H=www.rbl.jp (h.rbl.jp) [218.45.239.250] F=<rlychk@mail.<my site>.com> rejected RCPT <rlytest%h.rbl.jp@mail.<my site>.com>
2008-04-29 14:00:42 H=www.rbl.jp (h.rbl.jp) [218.45.239.250] F=<rlychk@mail.<my site>.com> rejected RCPT <"rlytest@h.rbl.jp"@mail.<my site>.com>
2008-04-29 14:00:42 SMTP call from www.rbl.jp (h.rbl.jp) [218.45.239.250] dropped: too many nonmail commands (last was "RSET")
2008-04-29 14:01:19 H=207-191-194-245.cpe.ats.mcleodusa.net (godfather.mob.net) [207.191.194.245] F=<OpenRelayTester1@mob.net> rejected RCPT <ConfirmedOpenRelay1@mob.net>
```

----------

## incidenta5

Also, I did the following:

```
exim -bp
```

And a *LOT* of messages popped up as being in the queue. It slowed my server down to a crawl. I had to delete all messages in the buffer (don't recall the command I used, but it did clear the buffer w/o sending any of the spam).

----------

## DarKRaveR

*Quote:*

> 2008-04-29 10:13:07 1JqqZv-0001Iz-He <= <> R=1JqU5v-00023E-FB U=exim P=local S=3080

The only incoming mails in the snippet are all locally generated (most certainly deferred notifications or bounces).

Find the actual incoming mails and see why they weren't rejected. And take a look at the content/header of these messages.

Hint: cat /var/spool/exim/input/MSG-ID-H and MSG-ID-D ... Look in the body, see the reference, look up that MSG-ID in your exim log.
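Both checks suggested in this thread, SeaTiger's "find the `<=` arrival that came in before anything went out" and DarKRaveR's "follow the bounce's `R=` reference back to the original message id", can be done mechanically over the main log. The script below is an added example, not code from the thread or from the Exim project; the log lines embedded in it are constructed in the same format as the ones posted above (every message id, host and address in it is made up). It separates `<=` arrivals into remote SMTP, local submission and Exim-generated bounces, then reports only those messages that came in from a remote host and were also routed out via `remote_smtp`, which is the pattern an open relay would leave.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines, in the format seen in this thread.
# Every message id, host and address here is made up for the example.
SAMPLE_LOG = """\
2008-04-29 09:58:01 1JqqAA-0000Aa-Aa <= bob@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1420
2008-04-29 09:58:02 1JqqAA-0000Aa-Aa => alice <alice@localhost> R=localuser T=local_delivery
2008-04-29 09:58:02 1JqqAA-0000Aa-Aa Completed
2008-04-29 10:02:11 1JqqBB-0000Bb-Bb <= alice@localhost U=alice P=local S=812
2008-04-29 10:02:12 1JqqBB-0000Bb-Bb => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5]
2008-04-29 10:05:40 1JqqCC-0000Cc-Cc <= joe@example.com H=relay.example.com [203.0.113.7] P=esmtp S=3301
2008-04-29 10:05:41 1JqqCC-0000Cc-Cc => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5]
2008-04-29 10:05:41 1JqqCC-0000Cc-Cc == erin@example.org R=dnslookup T=remote_smtp defer (110): Connection timed out
2008-04-29 10:12:56 1JqqDD-0000Dd-Dd <= <> R=1JqqCC-0000Cc-Cc U=exim P=local S=2970
2008-04-29 10:12:59 1JqqDD-0000Dd-Dd ** joe@example.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<joe@example.com>: host mx.example.com [203.0.113.9]: 550 5.1.1 user unknown
2008-04-29 10:12:59 1JqqDD-0000Dd-Dd Frozen (delivery error message)
2008-04-29 13:50:21 H=tester.example.net [192.0.2.99] F=<spamtest@example.net> rejected RCPT <relaytest@example.net>
"""

# "timestamp [message-id] rest"; rejection lines carry no message id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?:(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?"
    r"(?P<rest>.*)$"
)
FLAGS = ("<=", "=>", "->", "*>", "**", "==")

# Fields of an arrival ("<=") line, in the order Exim writes them.
ARRIVAL_RE = re.compile(
    r"^<= (?P<sender>\S+)"
    r"(?: R=(?P<parent>\S+))?"                          # a bounce names the message it is about
    r"(?: H=(?P<host>\S+(?: \([^)]*\))? \[[^\]]+\]))?"  # remote host, optional HELO name, [ip]
    r"(?: U=(?P<user>\S+))?"
    r"(?: P=(?P<proto>\S+))?"
    r"(?: S=(?P<size>\d+))?"
)


def parse_log(text):
    """Split each log line into timestamp, message id (if any), flag and the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        flag = rest[:2] if rest[:2] in FLAGS else None
        entries.append({"ts": m["ts"], "id": m["id"], "flag": flag, "rest": rest})
    return entries


def flag_counts(entries):
    """How many arrivals, deliveries, defers and bounces the log contains."""
    return Counter(e["flag"] for e in entries if e["flag"])


def classify_arrival(fields):
    """Where an incoming message came from: remote SMTP, a local user, or Exim itself."""
    if fields["sender"] == "<>" and fields["proto"] == "local" and fields["user"] == "exim":
        return "local-bounce"        # delivery error / warning generated by this host
    if fields["proto"] == "local":
        return "local-submission"    # injected by a local process (P=local, U=<user>)
    return "remote-smtp"             # came in over the network from H=<host>


def arrivals(entries):
    """Map message id -> parsed arrival fields for every '<=' line."""
    out = {}
    for e in entries:
        if e["flag"] != "<=":
            continue
        m = ARRIVAL_RE.match(e["rest"])
        if not m:
            continue
        fields = m.groupdict()
        fields["id"] = e["id"]
        fields["kind"] = classify_arrival(fields)
        out[e["id"]] = fields
    return out


def relayed_messages(entries):
    """Ids of messages that arrived over SMTP from a remote host and were then
    handed to remote_smtp for another host: the signature of relaying."""
    remote_out = {e["id"] for e in entries
                  if e["flag"] in ("=>", "->", "==", "**") and "T=remote_smtp" in e["rest"]}
    return sorted(i for i, a in arrivals(entries).items()
                  if a["kind"] == "remote-smtp" and i in remote_out)


def bounce_parent(entries, bounce_id):
    """For a locally generated bounce, the id of the original message (its R= field)."""
    a = arrivals(entries).get(bounce_id)
    return a["parent"] if a and a["kind"] == "local-bounce" else None


def rejected_rcpt_hosts(entries):
    """Count 'rejected RCPT' lines per connecting host (relay attempts refused at RCPT time)."""
    hosts = Counter()
    for e in entries:
        m = re.match(r"H=(\S+)", e["rest"])
        if m and "rejected RCPT" in e["rest"]:
            hosts[m[1]] += 1
    return hosts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("flag counts:", dict(flag_counts(entries)))
    for msg_id, a in arrivals(entries).items():
        print(f"{msg_id} {a['kind']:17} sender={a['sender']} host={a['host']} parent={a['parent']}")
    print("relayed through this host:", relayed_messages(entries))
    print("rejected RCPT by host:", dict(rejected_rcpt_hosts(entries)))
```

Run against a real `mainlog` by reading the file into `parse_log` instead of `SAMPLE_LOG`. An empty result from `relayed_messages` together with a non-empty `rejected_rcpt_hosts` is the picture the thread's own logs show: outbound traffic that is all bounces for mail this host generated or accepted locally, and relay probes refused at RCPT time.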

----------

