On 24 Sep 2023 20:58 -0600, from rickm...@shaw.ca (Rick Macdonald):
> My /var/log/.exim4/log file is flooded with messages such as shown below.
> I'm not trying to send mail to any of those .co or .com addresses. I use my
> ISP (shaw.ca cable provider) as a smarthost.
>
> Are people trying to use my system as a relay?

The log snippet you show doesn't include enough information to tell for certain where those emails were originally accepted from, but given what you wrote I wouldn't dismiss the possibility out of hand.

> If so, can I block them
> without cutting myself off from remote access to the IMAP server I run on my
> system?

You don't seem to be exposing any SMTP server to the outside world, so I don't know what might reasonably be going on. Otherwise blocking off TCP ports 25 and 587 would probably have been a good place to start.

IMAP and SMTP solve completely different problems and last I looked Exim didn't even talk IMAP, so even blocking off one should have zero effect on the other.

> Sorry if I sound lame. I set this up over 20 years ago and haven't done
> anything to it since.

If you set it up in the early 2000s and haven't done anything since then, there's certainly a non-zero probability that it's set up as an open relay. But although that's a potential problem, it would only be a _big_ problem if it was accessible from outside of your network, which does not _immediately_ appear to be the case.

However, on a semi-unrelated note, you might want to make sure that the firmware and software are up to date on everything you _do_ expose to the Internet. It looks like ASUS' web server has had stack-smashing vulnerabilities previously (not sure if the RT-AC66U is affected), and whatever is running through Restlet Framework on port 23424 reports a version of server software that hasn't been updated since 2014. And that's just some of what I plausibly found barely looking.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
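The reply above turns on one question the quoted log cannot answer by itself: were the messages accepted from a remote host and then handed on to the smarthost, or were they injected locally? The script below is an added example, not code from this thread or from the Exim project. It pairs each Exim mainlog arrival line (`<=`) with its delivery lines (`=>`) by message id, records whether the arrival carried an `H=host [ip]` field (SMTP from a host) or a `U=user P=local` field (local injection), and flags a message as a relay candidate when it came from an address outside the trusted ranges and was then delivered through a `remote_*` transport. The trusted ranges default to RFC 1918 space plus loopback, which is an assumption about a home LAN; the log lines are constructed samples in Exim's mainlog layout, not the original poster's log.

```python
"""Spot relay-shaped traffic in an Exim mainlog: accepted from a non-trusted
host, then delivered onward via a remote SMTP transport (added example)."""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample lines in Exim mainlog layout; ids, names and IPs are invented.
SAMPLE_LOG = """\
2023-09-24 20:58:01 1qkAbC-000123-Xy <= rick@localhost U=rick P=local S=512
2023-09-24 20:58:02 1qkAbC-000123-Xy => friend@example.net R=smarthost T=remote_smtp H=smtp.isp.example [192.0.2.10]
2023-09-24 20:58:02 1qkAbC-000123-Xy Completed
2023-09-24 21:03:15 1qkAfD-000124-Qz <= bulk@mailer.example.co H=(mx) [203.0.113.7] P=esmtp S=2048
2023-09-24 21:03:16 1qkAfD-000124-Qz => victim@example.com R=smarthost T=remote_smtp H=smtp.isp.example [192.0.2.10]
2023-09-24 21:03:16 1qkAfD-000124-Qz Completed
2023-09-24 21:10:40 1qkAmE-000125-Rr <= cron@localhost U=root P=local S=300
2023-09-24 21:10:41 1qkAmE-000125-Rr => rick <rick@localhost> R=local_user T=local_delivery
2023-09-24 21:10:41 1qkAmE-000125-Rr Completed
2023-09-24 21:15:02 1qkArF-000126-Ss <= laptop@lan.example H=(laptop) [192.168.1.20] P=esmtp S=900
2023-09-24 21:15:03 1qkArF-000126-Ss => someone@example.org R=smarthost T=remote_smtp H=smtp.isp.example [192.0.2.10]
"""

# Arrival: "<timestamp> <id> <= <sender> <key=value fields...>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
# Delivery: "<timestamp> <id> => <recipient...> R=<router> T=<transport> ..."
DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) => .*? R=(?P<router>\S+) T=(?P<transport>\S+)")
# The H= field on an arrival line ends with the sending host's address in brackets.
HOST_IP_RE = re.compile(r" H=[^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]")
LOCAL_USER_RE = re.compile(r" U=(?P<user>\S+)")

# Assumption: the "inside" of the network is loopback plus RFC 1918 space.
DEFAULT_TRUSTED = ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_mainlog(text, trusted_networks=DEFAULT_TRUSTED):
    """Return an OrderedDict of message id -> record describing where the message
    was accepted from and which transports delivered it."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    messages = OrderedDict()
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            ip_match = HOST_IP_RE.search(rest)
            if ip_match:
                ip = ipaddress.ip_address(ip_match.group("ip"))
                source = str(ip)
                trusted = any(ip in n for n in nets)
            else:
                # No H= field: injected locally (U=<user> P=local), so by definition
                # not something an outside host handed to the server over SMTP.
                user = LOCAL_USER_RE.search(rest)
                source = "local:" + (user.group("user") if user else "?")
                trusted = True
            messages[m.group("id")] = {"sender": m.group("sender"), "source": source,
                                       "trusted": trusted, "transports": []}
            continue
        d = DELIVERY_RE.match(line)
        if d and d.group("id") in messages:
            messages[d.group("id")]["transports"].append(d.group("transport"))
    for rec in messages.values():
        # Relay shape: accepted from an untrusted host, then sent on to a remote MTA.
        rec["relay_suspect"] = (not rec["trusted"]) and any(
            t.startswith("remote_") for t in rec["transports"])
    return messages


def relay_suspects(text, trusted_networks=DEFAULT_TRUSTED):
    """Message ids that match the relay pattern."""
    return [mid for mid, rec in parse_mainlog(text, trusted_networks).items()
            if rec["relay_suspect"]]


if __name__ == "__main__":
    for mid, rec in parse_mainlog(SAMPLE_LOG).items():
        flag = "RELAY?" if rec["relay_suspect"] else "ok"
        print(f"{mid} from {rec['source']:<16} via {','.join(rec['transports']) or '-':<14} {flag}")
```

On a Debian-style install the file to feed in would be the Exim mainlog (path assumed; the original poster's path is whatever their setup writes to): `parse_mainlog(open("/var/log/exim4/mainlog").read())`. A message that is "local:" or from a LAN address and still goes out via `remote_smtp` is the normal smarthost path and is not flagged; only the arrival from 203.0.113.7 that was then forwarded is. If every flooded entry turns out to have `U=` rather than `H=`, the cause is something on the box itself rather than an open relay, which is the distinction the reply says the quoted snippet cannot make.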