On 9/25/23 08:29, Michael Kjörling wrote:
> On 24 Sep 2023 20:58 -0600, from rickm...@shaw.ca (Rick Macdonald):
>> My /var/log/.exim4/log file is flooded with messages such as shown below.
>> I'm not trying to send mail to any of those .co or .com addresses. I use my
>> ISP (shaw.ca cable provider) as a smarthost.
>> Are people trying to use my system as a relay?
>
> The log snippet you show doesn't include enough information to tell
> for certain where those emails were originally accepted from, but
> given what you wrote I wouldn't dismiss the possibility out of hand.

I've sent some more log info just now in a reply to Andy Smith.

>> If so, can I block them
>> without cutting myself off from remote access to the IMAP server I run on my
>> system?
>
> You don't seem to be exposing any SMTP server to the outside world, so
> I don't know what might reasonably be going on. Otherwise blocking off
> TCP ports 25 and 587 would probably have been a good place to start.
>
>> Sorry if I sound lame. I set this up over 20 years ago and haven't done
>> anything to it since.
>
> If you set it up in the early 2000s and haven't done anything since
> then, there's certainly a non-zero probability that it's set up as an
> open relay. But although that's a potential problem, it would only be
> a _big_ problem if it was accessible from outside of your network,
> which does not _immediately_ appear to be the case.

Ports 25 and 587 are not forwarded by my ASUS router. They may well have
been back in the day.

> However, on a semi-unrelated note, you might want to make sure that
> the firmware and software is up to date on everything you _do_ expose
> to the Internet. It looks like ASUS' web server has had stack-smashing
> vulnerabilities previously (not sure if the RT-AC66U is affected), and
> whatever is running through Restlet Framework on port 23424 reports a
> version of server software that hasn't been updated since 2014. And
> that's just some of what I plausibly found barely looking.

Well spotted! Port 23424 was for a server that I stopped running just
last week. I have now removed it from my port forwarding.

Thanks Michael!

Rick
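
The question raised in the thread, where the flooding messages were originally accepted from, can be answered from the Exim main log by tying each delivery attempt back to its arrival (`<=`) line. The script below is an added example, not part of the original messages; the log lines are constructed, and it assumes Exim's default main-log layout (date, time, message ID, flag, address).

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim's default main-log layout (not from the thread).
SAMPLE_LOG = """\
2023-09-24 20:50:01 1qkAAA-0001Ab-2C <= rick@home.example U=rick P=local S=812
2023-09-24 20:50:02 1qkAAA-0001Ab-2C => friend@example.org R=smarthost T=remote_smtp_smarthost H=mail.isp.example [198.51.100.10]
2023-09-24 20:51:10 1qkBBB-0001Cd-3D <= sender@bulk.example H=(helo.bulk.example) [203.0.113.7] P=esmtp S=2210
2023-09-24 20:51:11 1qkBBB-0001Cd-3D ** victim@target.example R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
2023-09-24 20:51:12 1qkCCC-0001Ef-4E <= <> R=1qkBBB-0001Cd-3D U=Debian-exim P=local S=3100
2023-09-24 20:51:13 1qkCCC-0001Ef-4E == sender@bulk.example R=smarthost T=remote_smtp_smarthost defer (-44): retry time not reached
"""

# date, time, message id, flag (<= arrival, => / -> delivered, ** failed, == deferred), address
LINE = re.compile(r"^\S+ \S+ (\S+) (<=|=>|->|\*\*|==) (\S+)(.*)$")

def arrival_source(sender, rest, origin):
    """Describe where an arrival (<=) line says the message came from."""
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", rest)
    if ip:                                    # accepted over SMTP from this address
        return "smtp from " + ip.group(1)
    ref = re.search(r"\bR=(\S+)", rest)
    if sender == "<>" and ref:                # bounce generated by Exim itself
        return "bounce for " + origin.get(ref.group(1), "unknown message")
    user = re.search(r"\bU=(\S+)", rest)
    return "local user " + (user.group(1) if user else "unknown")

def recipients_by_origin(log_text):
    """Map each message origin to the addresses Exim tried to deliver to."""
    origin = {}                               # message id -> origin description
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # not a per-message arrival/delivery line
        msg_id, flag, addr, rest = m.groups()
        if flag == "<=":
            origin[msg_id] = arrival_source(addr, rest, origin)
        else:
            result[origin.get(msg_id, "arrival not in this log")].add(addr)
    return {src: sorted(addrs) for src, addrs in result.items()}

if __name__ == "__main__":
    for src, addrs in recipients_by_origin(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(addrs)}")
```

An origin of the form "smtp from" a non-local address means the host accepted that mail over the network; a "bounce for" origin means the outbound attempts are Exim's own bounce messages for mail it accepted earlier.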