Exim4 sends emails from fictitious Gmail accounts

I received an alert that my server was sending a lot of emails. I have been able to block several IPs that were sending emails through my server (HestiaCP 1.4.10).

What I do not know is how they have been able to access my server, and even if I stop the domains that exim4 has, they continue to send …

I’m afraid that it will happen again. How can I protect myself and make fail2ban detect these abuses and automatically block those IPs?

Check the contents of /var/log/exim4/mainlog to see whether you can find successful login attempts.

Usually iptables should be running and will block by default after 5 failed attempts for a period of xx. Check whether iptables is running with v-list-sys-services or via /list/server/ in the GUI.

In the exim4 logs I find many “535 Incorrect authentication data (set_id=…” lines that fail2ban does not block, and in the end they end up obtaining the password … how can I make fail2ban block them when this malicious behavior is repeated?

I don’t know how they have done it, because they have sent millions of emails and it is impossible to read the log.

The detail is that I stopped the entire domain from the HestiaCP panel, and without an active domain it continued to send.

And the other detail is that all the originating email addresses were from gmail.com; the origin was several IPs, but all with the hostname of my server …

Currently I have been able to stop the attack, and now I am going to remove my IP from the blacklists, but I want to be able to avoid this …

I have fail2ban with the default configuration, but I don’t think it works as it comes by default, since I see many attacks but few IPs blocked automatically in the HestiaCP panel.
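As an added example (this is not code from the thread or from HestiaCP), here is the triage suggested above done in Python: it reads exim4 mainlog lines, counts the “535 Incorrect authentication data (set_id=…)” failures per client IP the way a fail2ban exim filter would, lists which accounts authenticated from which IPs, flags an IP that failed repeatedly against an account and then logged in to it (the brute force succeeded), and flags accepted messages whose envelope sender domain does not match the authenticated account (a local account sending as gmail.com). The log lines, IPs, account names, thresholds and the log path are constructed assumptions; point it at a real /var/log/exim4/mainlog to run it on your own data.

```python
"""Triage an exim4 mainlog for SMTP AUTH brute force and abused accounts.

Added example, not code from this thread or from HestiaCP: the log lines
below are constructed to mimic exim4's mainlog format, and the IPs,
account names, thresholds and the log path are assumptions.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: five failures from one IP against info@example.com,
# then a successful login from that same IP that sends "from" a gmail.com
# address, plus a legitimate send by the real user from another IP.
SAMPLE_MAINLOG = """\
2021-08-23 10:36:40 dovecot_login authenticator failed for (User) [136.144.41.132]: 535 Incorrect authentication data (set_id=info@example.com)
2021-08-23 10:36:41 dovecot_login authenticator failed for (User) [136.144.41.132]: 535 Incorrect authentication data (set_id=info@example.com)
2021-08-23 10:36:42 dovecot_login authenticator failed for (User) [136.144.41.132]: 535 Incorrect authentication data (set_id=info@example.com)
2021-08-23 10:36:43 dovecot_login authenticator failed for (User) [136.144.41.132]: 535 Incorrect authentication data (set_id=info@example.com)
2021-08-23 10:36:44 dovecot_login authenticator failed for (User) [136.144.41.132]: 535 Incorrect authentication data (set_id=info@example.com)
2021-08-23 10:37:05 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=sales@example.com)
2021-08-23 10:37:06 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=sales@example.com)
2021-08-23 10:40:01 1mI8Xy-0004Ab-2Q <= someone@gmail.com H=(mail.example.com) [136.144.41.132] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:info@example.com S=2048 id=1@mail.gmail.com
2021-08-23 10:41:17 1mI8Yz-0004Cd-3R <= info@example.com H=(laptop) [198.51.100.5] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:info@example.com S=1312 id=2@example.com
"""

# Exim writes this when SMTP AUTH fails; set_id is the username the client tried.
FAIL_RE = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[^\]]+)\]: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)
# "<=" lines are accepted messages; A=<authenticator>:<user> is present only
# when the client authenticated, i.e. it had a valid account password.
ACCEPT_RE = re.compile(r"<= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\].*? A=(?P<auth>\S+)")


def _auth_user(auth):
    """Strip the authenticator name from an A= value: 'dovecot_login:u@x' -> 'u@x'."""
    return auth.split(":", 1)[1] if ":" in auth else auth


def failed_auth_by_ip(lines):
    """Count 535 failures per client IP (what a fail2ban exim filter keys on)."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_ban(lines, maxretry=5):
    """IPs that reached a fail2ban-style maxretry threshold (findtime ignored here)."""
    return {ip for ip, n in failed_auth_by_ip(lines).items() if n >= maxretry}


def authenticated_logins(lines):
    """Map authenticated account -> Counter of client IPs it sent from."""
    logins = defaultdict(Counter)
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            logins[_auth_user(m.group("auth"))][m.group("ip")] += 1
    return logins


def cracked_accounts(lines, maxretry=5):
    """(user, ip) pairs where an IP failed >= maxretry times against an account
    and later authenticated as it: the password guessing succeeded."""
    failures = Counter()
    cracked = []
    for line in lines:  # order matters: the failures must precede the success
        f = FAIL_RE.search(line)
        if f:
            failures[(f.group("user"), f.group("ip"))] += 1
            continue
        a = ACCEPT_RE.search(line)
        if a:
            key = (_auth_user(a.group("auth")), a.group("ip"))
            if failures[key] >= maxretry and key not in cracked:
                cracked.append(key)
    return cracked


def spoofed_sender_messages(lines):
    """Accepted messages whose envelope sender domain differs from the domain of
    the account that authenticated (e.g. a local account sending as gmail.com)."""
    hits = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if not m or "@" not in m.group("sender"):
            continue  # bounces ("<>") and malformed senders are skipped
        user, sender = _auth_user(m.group("auth")), m.group("sender")
        if "@" in user and user.rsplit("@", 1)[1].lower() != sender.rsplit("@", 1)[1].lower():
            hits.append((user, sender, m.group("ip")))
    return hits


if __name__ == "__main__":
    # Assumed usage: python3 triage.py /var/log/exim4/mainlog ; no argument = sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path, errors="replace").read().splitlines() if path else SAMPLE_MAINLOG.splitlines()
    print("535 failures per IP:", dict(failed_auth_by_ip(lines)))
    print("IPs at maxretry:", ips_to_ban(lines))
    print("brute-forced then logged in:", cracked_accounts(lines))
    print("sender domain != auth account:", spoofed_sender_messages(lines))
    for user, ips in authenticated_logins(lines).items():
        print(f"{user} authenticated from {len(ips)} IP(s): {dict(ips)}")
```

The cracked_accounts and spoofed_sender_messages checks are the ones fail2ban does not give you: fail2ban only counts failures, so an attacker who has already obtained the password looks like a normal user to it, and the only remaining evidence is an account suddenly authenticating from new IPs and sending with foreign From domains.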

You need to find the source of these emails. In fact, since you wrote “millions” I’m a bit concerned: Hestia has a max mail rate per hour for every user account. If you now write millions, it could mean that your server sends mail over an unrestricted account, aka root.

Anyway, it’s hard to say what’s wrong with your server without additional information, but I would not suggest delisting your IPs without fixing or knowing the root cause.

The truth is that I don’t know. I’ve been looking at logs for hours and stopping domains from the panel, and when I block an IP, an hour later I find another IP sending emails … I don’t have SSH accessible from the outside, so if it’s the root user, could it be that someone has got in? I don’t know where else to look … I have stopped all the domains to rule out that they have stolen passwords, but even so they continue to get in …

Assume they have root access.

Revoke all keys

Change root password

Disallow ssh from any IP except from yours.

Kill all processes and start assessing the situation.

Yes, at the moment what I have done is to completely stop SSH, and for now the attacks have stopped. I will let a few days pass to see how it goes and then I will start SSH again …

Thanks for the advice. I will keep you informed, and if it is an SSH thing then I will be very worried, since neither fail2ban nor my network firewall would be working well, or some Windows machine has a virus that makes it possible to get in by bypassing the firewall …

Thanks!

My Hestia server is also having this issue, but the beauty is that the issue is not because of HestiaCP. This marketing-email sending issue can happen with any panel.

  1. I have added a few attributes to my exim4. Find the attribute (Limit per email account for SMTP authenticated users) in my exim conf (hestia/exim4-07June2021.conf.template at master · vvcares/hestia on github.com).

  2. The issue can be via PHP contact forms or via SMTP from any computer. Most likely via SMTP, so try to block inbound port 25 from connections outside the server. (But this also means your computer’s email client is blocked from connecting and sending emails.)

  3. Install CSF with the free MaxMind database. It will block known spam IPs from connecting to your server.

  4. Run this script to see your sent-email statistics (hestia/eximstats.sh at master · vvcares/hestia · GitHub).

  5. If possible, block the POP service.

Using (re)CAPTCHA or any other spam protection will work.


OK, I will try this option you mention, which I did not know existed … in the firewall, if I put port 0 is that correct, or is it better to put ports 25, 465, 587?

To block all traffic from the blacklist, use 0 as the port number.


Unfortunately there is nothing I can do to stop the attacks. When I block one IP, another IP starts to send emails. I don’t know where else to look; I’m very sad because since then I can’t stop this.

Does anyone know where else I can look?

Change the SMTP accounts passwords.
Get fail2ban to work
Ban for longer times
Use strict Recidive rules
Allow only your country to connect to ssh and SMTP ports.

“Allow only your country to connect to ssh and SMTP ports.” How do I do this?

Use the ipset of the banlist to allow connections instead of to deny them.

It is already very critical: they are hacking all the servers that I have with HestiaCP!!! They send mail to Gmail, to Hotmail, and there is no way to stop it!!! I have Apache stopped and they continue to send!! Very critical, and it may also happen to you!! Any solution before thinking about migrating to another panel?

Or please provide us with more information on how they got access; we can’t improve the system if we can’t figure out how they got access…

Login attempts on Dovecot are “normal”, and if they constantly use different IP addresses it will be almost impossible to combat the attacks, as fail2ban only acts after x failed attempts. That is the normal, common action.

If you check /var/log/fail2ban.log you will see lines like

2021-08-23 10:36:44,131 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:43

But if you want, feel free to change control panel; most likely you will have the same issues.
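The fail2ban.log line above only shows that the filter matched (“Found”); whether the jail then acted is a separate “Ban” line from fail2ban.actions. The quickest way to tell a working jail from one that matches but never bans (the “many attacks but few IPs blocked” symptom) is to compare the two per jail. As an added example, not from the thread or from HestiaCP, here is a Python check that does this over constructed fail2ban.log lines; the jail names, IPs and the maxretry threshold are assumptions, and unlike real fail2ban it ignores the findtime window, so it is a sanity check, not a reimplementation.

```python
"""Compare what fail2ban finds with what it actually bans, per jail.

Added example, not from the thread or from HestiaCP: the sample lines are
constructed in fail2ban.log's format; jail names, IPs, the threshold and
the log path are assumptions. The findtime window is deliberately ignored.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: one IP reaches five matches and is banned; a second IP
# reaches six matches in the same jail and is never banned (the failure mode
# to look for); a third IP is found twice in the dovecot jail, below threshold.
SAMPLE_FAIL2BAN_LOG = """\
2021-08-23 10:36:40,011 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:40
2021-08-23 10:36:41,020 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:41
2021-08-23 10:36:42,031 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:42
2021-08-23 10:36:43,044 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:43
2021-08-23 10:36:44,131 fail2ban.filter         [724]: INFO    [exim-iptables] Found 136.144.41.132 - 2021-08-23 10:36:43
2021-08-23 10:36:44,305 fail2ban.actions        [724]: NOTICE  [exim-iptables] Ban 136.144.41.132
2021-08-23 10:50:01,100 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:01
2021-08-23 10:50:02,110 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:02
2021-08-23 10:50:03,120 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:03
2021-08-23 10:50:04,130 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:04
2021-08-23 10:50:05,140 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:05
2021-08-23 10:50:06,150 fail2ban.filter         [724]: INFO    [exim-iptables] Found 203.0.113.7 - 2021-08-23 10:50:06
2021-08-23 10:52:00,500 fail2ban.filter         [724]: INFO    [dovecot-iptables] Found 198.51.100.9 - 2021-08-23 10:52:00
2021-08-23 10:52:30,500 fail2ban.filter         [724]: INFO    [dovecot-iptables] Found 198.51.100.9 - 2021-08-23 10:52:30
"""

# The "[724]" pid bracket is followed by ":" so it never matches; only the
# "[jail] <event> <ip>" part of the message does.
EVENT_RE = re.compile(r"\[(?P<jail>[^\]\s]+)\] (?P<event>Found|Ban|Unban|Restore Ban) (?P<ip>\S+)")

BAN_EVENTS = {"Ban", "Restore Ban"}


def parse_events(lines):
    """Yield (jail, event, ip) for every recognised fail2ban log line."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            yield m.group("jail"), m.group("event"), m.group("ip")


def event_counts(lines):
    """Per jail: how many Found / Ban / Unban events the log contains."""
    counts = defaultdict(Counter)
    for jail, event, _ip in parse_events(lines):
        counts[jail][event] += 1
    return counts


def found_but_not_banned(lines, maxretry=5):
    """(jail, ip) pairs matched at least maxretry times with no Ban event:
    the filter works but the jail's action does not fire (or the jail's own
    maxretry/findtime are looser than expected)."""
    found = Counter()
    banned = set()
    for jail, event, ip in parse_events(lines):
        if event == "Found":
            found[(jail, ip)] += 1
        elif event in BAN_EVENTS:
            banned.add((jail, ip))
    return {key for key, n in found.items() if n >= maxretry and key not in banned}


if __name__ == "__main__":
    # Assumed usage: python3 f2bcheck.py /var/log/fail2ban.log ; no argument = sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path, errors="replace").read().splitlines() if path else SAMPLE_FAIL2BAN_LOG.splitlines()
    for jail, c in event_counts(lines).items():
        print(f"{jail}: found={c['Found']} ban={c['Ban']} unban={c['Unban']}")
    for jail, ip in sorted(found_but_not_banned(lines)):
        print(f"NOT BANNED despite repeated matches: {jail} {ip}")
```

If this reports IPs that were found repeatedly but never banned, the filter is fine and the problem is the jail (disabled, wrong action, or a maxretry/findtime combination the attacker stays under); if it reports nothing at all for a jail you expect to be busy, the filter regex is not matching the log in the first place.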

I have looked at all the logs. I have stopped all the services, with only exim4 running. What logs do you want me to look at? I am very desperate; I am getting on many spam blacklists and I don’t know how to stop it!!! And the worst thing is that it can happen to you too!

Don’t panic. It’s a problem on your side, with your servers. You did something wrong. You need to hire a specialist to check your servers for infections.