Full Version: People, be very very careful with Exim4! Vuln Detected!
The Planet Forums > Control Panels > cPanel/WHM
aussie
Something is up with this Exim4. Probably some spammer reading the cPanel forums is doing this. This VULN exists in Exim4 and allows people to send an email message to your server then directly out to another address. It's almost like relaying but somebody has found a way around this. One of my clients is sexy_guy on the cPanel forums, and after examining his logs today I found multiple vulns in Exim4 that are allowing people to send mail from various e-mail addresses to users who are not on your server.

I copied an example from sexy_guy's log file.

2003-08-08 00:53:05 19l22h-0001TZ-8i <= xavier@drachetech.com H=ppp48.dyn85.pacific.net.sg (computer) [210.24.85.48] P=smtp S=487281 id=000f01c35d81$e7d7a6a0$305518d2@computer
2003-08-08 00:53:10 19l22h-0001TZ-8i => jac_koh@amat.com R=lookuphost T=remote_smtp H=ns1.amat.com [152.135.235.5]
2003-08-08 00:53:10 19l22h-0001TZ-8i -> alfred_hee@amat.com R=lookuphost T=remote_smtp H=ns1.amat.com [152.135.235.5]
2003-08-08 00:53:10 19l22h-0001TZ-8i Completed

Look at this msg carefully. The message comes into the server then it goes straight out to jac_koh@amat.com and a copy is sent to alfred_hee@amat.com. This is not normal. Look at the msg id. It's identical. The message was not sent to anyone on the server but rather to somebody who isn't on the server! Also note, this is not a PHP script sending out email from the server, otherwise the user would be recorded as a LOCAL sender, which it's not. Please look through your exim_mainlog for messages that seem to be arriving at your server and then leaving your server where the recipient is not a domain on your box. That's the HINT!

Can anyone prove me wrong?
booger
:eek: O man this sux.

/me runs to look at logs.
perlchild
QUOTE
Originally posted by aussie
Something is up with this Exim4. Probably some spammer reading the cPanel forums is doing this. This VULN exists in Exim4 and allows people to send an email message to your server then directly out to another address. It's almost like relaying but somebody has found a way around this. One of my clients is sexy_guy on the cPanel forums, and after examining his logs today I found multiple vulns in Exim4 that are allowing people to send mail from various e-mail addresses to users who are not on your server.

I copied an example from sexy_guy's log file.

2003-08-08 00:53:05 19l22h-0001TZ-8i <= xavier@drachetech.com H=ppp48.dyn85.pacific.net.sg (computer) [210.24.85.48] P=smtp S=487281 id=000f01c35d81$e7d7a6a0$305518d2@computer
2003-08-08 00:53:10 19l22h-0001TZ-8i => jac_koh@amat.com R=lookuphost T=remote_smtp H=ns1.amat.com [152.135.235.5]
2003-08-08 00:53:10 19l22h-0001TZ-8i -> alfred_hee@amat.com R=lookuphost T=remote_smtp H=ns1.amat.com [152.135.235.5]
2003-08-08 00:53:10 19l22h-0001TZ-8i Completed

Look at this msg carefully. The message comes into the server then it goes straight out to jac_koh@amat.com and a copy is sent to alfred_hee@amat.com. This is not normal. Look at the msg id. It's identical. The message was not sent to anyone on the server but rather to somebody who isn't on the server! Also note, this is not a PHP script sending out email from the server, otherwise the user would be recorded as a LOCAL sender, which it's not. Please look through your exim_mainlog for messages that seem to be arriving at your server and then leaving your server where the recipient is not a domain on your box. That's the HINT!

Can anyone prove me wrong?


Having one message come in and two messages come out in the logs can have a bunch of "harmless" explanations (like a BCC: field in one, or a .forward file with two destinations).
Can you confirm that the message was not sent by an authenticated user? Is xavier@drachetech.com a client on the same server?
aussie
QUOTE
Originally posted by perlchild
Having one message come in and two messages come out in the logs can have a bunch of "harmless" explanations (like a BCC: field in one, or a .forward file with two destinations).
Can you confirm that the message was not sent by an authenticated user? Is xavier@drachetech.com a client on the same server?


xavier@drachetech.com is not a user on our server, and even if he was, the IP was not in /etc/relayhosts, so we cannot say this was an authenticated POP user. Anyway, I was right about the above. It's been discovered that this is an Imap vuln that existed, so if you're running anything less than Exim 350 you are vuln to this hole.
perlchild
QUOTE
Originally posted by aussie
xavier@drachetech.com is not a user on our server, and even if he was, the IP was not in /etc/relayhosts, so we cannot say this was an authenticated POP user. Anyway, I was right about the above. It's been discovered that this is an Imap vuln that existed, so if you're running anything less than Exim 350 you are vuln to this hole.

Imap is not part of exim; perhaps you mean LMTP?
aussie
Imap4, no, I mean Imap, which is part of Cpanel + Exim.
freddo
I believe this was fixed in 7.4.2

BTW, I always thought you (Aussie) were using the name sexy_guy on the cPanel forums.
tbenoit
Could this also be explained by users setting up a forwarding address (i.e. email sent to support@mydomain.com goes to 3 or 10 different people)?
perlchild
QUOTE
Originally posted by aussie
Imap4, no, I mean Imap, which is part of Cpanel + Exim.

Then please edit the title of your post.
Exim is a package by itself, incorporated with cPanel at the same level as imap. cpimap's bugs are not Exim's. (And people who firewall imap need not worry that Exim makes them vulnerable.)
Mixing it all up together just weakens everyone's security.
Invision Power Board © 2001-2009 Invision Power Services, Inc.