a hacked e-mail account is a catastrophe – look at Hillary.

telnet dwaves.de 25; # a simple telnet tells you what software this server is running
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
220 dwaves.de ESMTP Exim 4.XX_X Tue, 13 Jun 2017 13:40:12 +0200

it is probably wise to hide exim's version info in the banner… so that known faulty versions cannot simply be picked out by banner grabbing and attacked.

https://serverfault.com/questions/352176/remove-exim-version-number
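The telnet session above is the manual version of a banner check. The script below is an added example (not part of the original post, and not Exim's or nmap's code) that does the same against mail hosts you operate: it reads the 220 greeting, handles multi-line greetings, and flags any banner that discloses a product version. The regex, the host names in the comments and the `check_host` helper are my own assumptions; only the banner format follows the telnet output shown above.

```python
import re
import socket

# Product names that, when followed by a dotted version number, identify the exact
# release of the MTA. The last alternative is the wording Microsoft's SMTP service uses.
VERSION_RE = re.compile(
    r"\b(Exim|Sendmail|Postfix|qmail|MDaemon|IceWarp|"
    r"Microsoft ESMTP MAIL Service, Version:)\s*\D{0,10}?(\d+\.\d+[\w.]*)"
)


def banner_version(banner):
    """Return (product, version) if the greeting discloses a version, else None."""
    m = VERSION_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def grab_banner(host, port=25, timeout=5.0):
    """Read the 220 greeting from an SMTP server you operate, then QUIT politely.
    Multi-line greetings use '220-' on every line but the last."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        lines = []
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("latin-1", "replace").rstrip("\r\n")
            lines.append(line)
            if not line.startswith("220-"):
                break
        sock.sendall(b"QUIT\r\n")
    return "\n".join(lines)


def check_host(host, port=25):
    """Audit one of your own MX hosts (hypothetical helper): does its greeting leak a version?"""
    banner = grab_banner(host, port)
    leak = banner_version(banner)
    return {"host": host, "banner": banner, "leaks_version": leak is not None, "version": leak}


if __name__ == "__main__":
    import sys
    # usage: python3 banner_check.py mx1.example.invalid mx2.example.invalid
    for target in sys.argv[1:]:
        print(check_host(target))
```

In Exim the greeting is the main-config option `smtp_banner`, whose default is `$smtp_active_hostname ESMTP Exim $version_number $tod_full`; setting it to `$smtp_active_hostname ESMTP` is what the serverfault thread above boils down to. Run the check after the change and `leaks_version` should go to False. Hiding the number only removes the easy fingerprint; the version itself is still what it is, so the actual protection is keeping exim4 patched.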

no seriously – especially if you used it to register at eBay … Amazon and god knows what else.

A hacker with access to your mail can request password-reset mails from those services, reset your eBay and Amazon password… and then order 20x PlayStation 5 to some alibi address. Not soooo good.

i had this in dmesg

first i thought i needed to update exim4 because it contains errors… then i thought maybe the RAM is bad… but that would be Hetzner's RAM…

but it could also be AN ATTACK https://blog.skullsecurity.org/2010/watch-out-for-exim

maybe it would be wise to disable those (WordPress) password-reset e-mails with this plugin: https://wordpress.org/plugins/manage-notification-emails/

just in case your mail-account gets hacked…

it seems hard but not impossible to reverse engineer an unsalted md5-hashed password…

https://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes

you can

echo -n 1D8dfk | md5sum; # md5 hash of the password (-n: do not hash the trailing newline)
1df08a562305b51810736543b019987e

and copy that into: https://crackstation.net/ to check if your mail-password is easy to find out.

… so Hello123! is not a sufficiently complex or long password.
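Crackstation does not "decrypt" anything: an unsalted MD5 of a given string is always the same 32 hex characters, so a precomputed table maps the digest straight back to the password. The added example below (my code, not from the post or from crackstation) shows that mechanism with a tiny constructed lookup table, and next to it the property a password store should have instead: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library), so the same password yields a different digest every time and no table can be precomputed. The password list, salt length and iteration count are my own choices.

```python
import hashlib
import hmac
import os

# Constructed mini "lookup table": a handful of common passwords and their unsalted
# MD5 digests. Real tables hold billions of entries; the principle is the same.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Hello123!"]


def md5_unsalted(password):
    """What `echo -n <pw> | md5sum` computes: deterministic, no salt, one fast round."""
    return hashlib.md5(password.encode()).hexdigest()


LOOKUP_TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def reverse_md5(digest):
    """'Reverse' an unsalted MD5 hash the only way anyone does: look it up."""
    return LOOKUP_TABLE.get(digest.lower())


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, slow hash. A fresh 16-byte salt per password means the same password
    gives a different digest each time, and each guess costs `iterations` rounds
    instead of a single MD5 compression."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for pw in ("Hello123!", "correct horse battery staple"):
        digest = md5_unsalted(pw)
        print(f"md5({pw!r}) = {digest} -> table lookup: {reverse_md5(digest)!r}")
    stored = pbkdf2_hash("Hello123!")
    print("stored:", stored)
    print("verify correct:", pbkdf2_verify("Hello123!", stored))
    print("verify wrong:  ", pbkdf2_verify("Hello123?", stored))
```

The point to take from it: the strength of `Hello123!` barely matters against an unsalted MD5 table, because the table was built before you chose it; salting forces the attacker to start from scratch for every user, and the slow KDF makes each of those guesses expensive.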

i got a mail:

exim paniclog /var/log/exim4/paniclog on domain.de has non-zero size, mail system might be broken. The last 10 lines are quoted below.

2017-06-09 06:04:35 1dIGcZ-0004Pa-Um == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dGK4m-0001Cg-17 == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dDqpd-0003YV-RT == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dFHMF-0004aS-J9 == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dGVRg-0007rb-Rq == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dIsPP-0003kv-6F == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dIJCd-0007m4-8e == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dGoKi-0003Sx-HM == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dHq7k-0007CL-Ek == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dEB3Q-0004sI-Dv == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
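Reading those lines carefully, this is neither bad RAM nor an attack: the local_delivery transport expands field 6 of the per-domain passwd file and appends a literal "M" to make a size; for accounts whose field 6 says "unlimited" that gives "unlimitedM", which is not a size Exim understands, so every delivery to that mailbox defers and lands in the paniclog. The script below is an added example (my code, not Exim's and not from the post) that parses such lines, groups the distinct errors for alerting, lists the stuck queue ids, and reproduces the faulty expansion so you can see why "unlimited" breaks it. The passwd line layout used for the simulation is an assumption; the log format and the two embedded sample lines come from the paniclog quoted above.

```python
import re
from collections import Counter

# One deferral line of the Exim log format quoted above: timestamp, message id,
# "==" (deferred), recipient, router, transport, defer code, error text.
PANICLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) == (?P<rcpt>\S+) "
    r"R=(?P<router>\S+) T=(?P<transport>\S+) "
    r"defer \((?P<code>-?\d+)\): (?P<error>.*)$"
)

# What Exim accepts as a size value: digits, optionally followed by K, M or G.
SIZE_RE = re.compile(r"^\d+[KMG]?$", re.IGNORECASE)

# Two of the paniclog lines from above, embedded so the script runs offline.
SAMPLE_PANICLOG = """\
2017-06-09 06:04:35 1dIGcZ-0004Pa-Um == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
2017-06-09 06:04:35 1dGK4m-0001Cg-17 == user@domain.com R=localuser T=local_delivery defer (-1): Malformed value "unlimitedM" (expansion of "${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M") in local_delivery transport
"""


def parse_paniclog(text):
    """Turn deferral lines into dicts; lines that do not match the pattern are skipped."""
    return [m.groupdict() for m in map(PANICLOG_RE.match, text.splitlines()) if m]


def summarize(entries):
    """Count distinct (transport, error) pairs with the expansion detail stripped,
    which is the granularity you want for an alert."""
    counts = Counter()
    for e in entries:
        short = e["error"].split(" (expansion of")[0]
        counts[(e["transport"], short)] += 1
    return counts


def stuck_message_ids(entries):
    """Queue ids worth inspecting (exim -Mvh <id>) once the config is fixed."""
    return sorted({e["msgid"] for e in entries})


def simulate_quota_expansion(passwd_line):
    """Mimic ${extract{6}{:}{<line>}}M: colon-separated field 6 (1-based) plus a literal M.
    The passwd file layout is an assumption; only the 6th field matters here."""
    fields = passwd_line.split(":")
    return (fields[5] if len(fields) >= 6 else "") + "M"


def is_valid_exim_size(value):
    return bool(SIZE_RE.match(value))


if __name__ == "__main__":
    entries = parse_paniclog(SAMPLE_PANICLOG)
    for key, n in summarize(entries).items():
        print(n, *key)
    print("stuck:", stuck_message_ids(entries))
    # constructed passwd lines: a numeric quota works, the word "unlimited" does not
    for line in ("user:x:1000:1000:/var/mail/domain.de/user:100",
                 "user:x:1000:1000:/var/mail/domain.de/user:unlimited"):
        value = simulate_quota_expansion(line)
        print(repr(value), "valid" if is_valid_exim_size(value) else "MALFORMED")
```

The fix belongs in the transport's quota expansion (only append the M when the field is numeric, and map "unlimited" to whatever your appendfile setup treats as no quota), after which the deferred messages will be retried from the queue. Running the summary from cron against the real paniclog gives you a far more readable alert than the raw "non-zero size" mail.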

top 10 (and the long tail) most used mail servers, as nmap service detection sees them:

663 25/tcp open smtp? syn-ack <- unknown hidden identity mailservers
240 25/tcp open smtp syn-ack Postfix smtpd
206 25/tcp open smtp syn-ack Exim smtpd 4.69
174 25/tcp open tcpwrapped syn-ack
151 25/tcp open smtp syn-ack
96 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.4675
78 25/tcp open smtp syn-ack qmail smtpd
77 25/tcp open smtp syn-ack netqmail smtpd 1.04
40 25/tcp open smtp syn-ack BorderWare firewall smtpd
22 25/tcp open smtp syn-ack Microsoft ESMTP
21 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.3959
19 25/tcp open smtp syn-ack Cisco PIX sanitized smtpd
18 25/tcp open smtp syn-ack Sendmail 8.13.8/8.13.8
14 25/tcp open smtp syn-ack Access Remote PC smtpd
13 25/tcp open smtp syn-ack Exim smtpd 4.72
11 25/tcp open smtp syn-ack hMailServer smtpd
11 25/tcp open smtp syn-ack Exim smtpd 4.63
10 25/tcp open smtp syn-ack Exim smtpd
9 25/tcp open smtp syn-ack Exim smtpd 4.X
8 25/tcp open smtp syn-ack Sendmail 8.13.1/8.13.1
8 25/tcp open smtp syn-ack Sendmail (Not accepting mail)
8 25/tcp open smtp syn-ack Exim smtpd 4.67
7 25/tcp open smtp syn-ack Sendmail 8.9.3/8.9.3
6 25/tcp open smtp syn-ack Sendmail 8.14.3/8.14.3
6 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.2600.5949
6 25/tcp open smtp syn-ack Microsoft ESMTP 5.0.2195.7381
6 25/tcp open smtp syn-ack Microsoft ESMTP 5.0.2195.5329
5 25/tcp open smtp syn-ack IronPort smtpd
5 25/tcp open smtp syn-ack Barracuda Networks Spam Firewall smtpd
4 25/tcp open smtp-proxy syn-ack ESET NOD32 anti-virus smtp proxy
4 25/tcp open smtp syn-ack Sendmail 8.13.6/8.13.1
4 25/tcp open smtp syn-ack Sendmail 8.12.6/8.12.6
4 25/tcp open smtp syn-ack Sendmail 8.11.6
4 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.1830
4 25/tcp open smtp syn-ack MailEnable smptd 1.986--
3 25/tcp open smtp syn-ack Sendmail 8.14.4/8.14.4
3 25/tcp open smtp syn-ack Sendmail 8.12.11/8.12.11
3 25/tcp open smtp syn-ack Sendmail 8.12.11.20060308/8.12.11
3 25/tcp open smtp syn-ack Microsoft ESMTP 7.0.6002.18222
3 25/tcp open smtp syn-ack Microsoft ESMTP 5.0.2195.6713
3 25/tcp open smtp syn-ack Exim smtpd 4.71
3 25/tcp open smtp syn-ack Exim
2 25/tcp open smtp-proxy syn-ack spamd smtpd
2 25/tcp open smtp syn-ack SonicWALL Email Security smtpd 7.2.1.2841
2 25/tcp open smtp syn-ack SmarterMail smtpd
2 25/tcp open smtp syn-ack Sendmail 8.14.4/8.14.3
2 25/tcp open smtp syn-ack Sendmail 8.14.2/8.14.2
2 25/tcp open smtp syn-ack Sendmail 8.13.8/8.13.1
2 25/tcp open smtp syn-ack Sendmail 8.13.7/8.13.7
2 25/tcp open smtp syn-ack Sendmail 8.13.6/8.13.6
2 25/tcp open smtp syn-ack Sendmail 8.12.11.20060614
2 25/tcp open smtp syn-ack Sendmail 8.12.10/8.12.10
2 25/tcp open smtp syn-ack Sendmail 8.11.6/8.11.6
2 25/tcp open smtp syn-ack Microsoft Exchange (disabled)
2 25/tcp open smtp syn-ack Microsoft ESMTP 7.5.7600.16385
2 25/tcp open smtp syn-ack Mercury/32 smtpd (Mail server account Maiser)
2 25/tcp open smtp syn-ack MailEnable smptd 1.981--
2 25/tcp open smtp syn-ack MailEnable smptd 1.9--
2 25/tcp open smtp syn-ack MailEnable smptd 0-3.63-
2 25/tcp open smtp syn-ack Exim smtpd 4.68
2 25/tcp open smtp syn-ack Checkpoint FireWall-1 smtpd
2 25/tcp open chat syn-ack AIM or ICQ server
1 25/tcp open smtp-proxy syn-ack WatchGuard smtp proxy
1 25/tcp open smtp-proxy syn-ack IronMail CipherTrust SMTP Proxy
1 25/tcp open smtp-proxy syn-ack Genua smtprelay
1 25/tcp open smtp syn-ack mailfront smtpd
1 25/tcp open smtp syn-ack hMailServer
1 25/tcp open smtp syn-ack XWall smtpd 3.46
1 25/tcp open smtp syn-ack Winmail smtpd
1 25/tcp open smtp syn-ack WinWebMail smtpd 3.8.1.1
1 25/tcp open smtp syn-ack WinWebMail smtpd 3.8.0.1
1 25/tcp open smtp syn-ack Surgemail smtpd 3.7b8-8
1 25/tcp open smtp syn-ack Sendmail 8.14.4/8.14.1
1 25/tcp open smtp syn-ack Sendmail 8.14.4/8.14
1 25/tcp open smtp syn-ack Sendmail 8.14.4/8.13.1
1 25/tcp open smtp syn-ack Sendmail 8.14.4/8.12.2
1 25/tcp open smtp syn-ack Sendmail 8.14.4/8
1 25/tcp open smtp syn-ack Sendmail 8.14.3/8.13.8
1 25/tcp open smtp syn-ack Sendmail 8.14.2
1 25/tcp open smtp syn-ack Sendmail 8.14.1
1 25/tcp open smtp syn-ack Sendmail 8.14.0/8.14.0
1 25/tcp open smtp syn-ack Sendmail 8.14.0/8.13.8
1 25/tcp open smtp syn-ack Sendmail 8.13.8+Sun/8.13.8
1 25/tcp open smtp syn-ack Sendmail 8.13.6/8.12.9
1 25/tcp open smtp syn-ack Sendmail 8.13.5.20060614/8.13.3
1 25/tcp open smtp syn-ack Sendmail 8.13.4/8.11.6
1 25/tcp open smtp syn-ack Sendmail 8.13.1
1 25/tcp open smtp syn-ack Sendmail 8.12.8/8.12.8
1 25/tcp open smtp syn-ack Sendmail 8.12.5/8.12.5
1 25/tcp open smtp syn-ack Sendmail 8.11.6/8
1 25/tcp open smtp syn-ack Sendmail 8.1
1 25/tcp open smtp syn-ack Rockliffe MailSite 9.0.1.5
1 25/tcp open smtp syn-ack Postfix smtpd (ispCP OMEGA 1.0.2)
1 25/tcp open smtp syn-ack Postfix
1 25/tcp open smtp syn-ack Network Box smtpd
1 25/tcp open smtp syn-ack Mirapoint Messaging Server MOS smtpd 4.1.9-GA Queueing
1 25/tcp open smtp syn-ack Microsoft ESMTP 7.5.7600.16601
1 25/tcp open smtp syn-ack Microsoft ESMTP 7.5.7600.16544
1 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.211
1 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.2600.5512
1 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.2600.3680
1 25/tcp open smtp syn-ack MailMarshal 6.8.3.9481
1 25/tcp open smtp syn-ack MailEnable smptd 4.26--4.26
1 25/tcp open smtp syn-ack MailEnable smptd 4.26--
1 25/tcp open smtp syn-ack MailEnable smptd 4.23--
1 25/tcp open smtp syn-ack MailEnable smptd 4.22--4.22
1 25/tcp open smtp syn-ack MailEnable smptd 4.17--
1 25/tcp open smtp syn-ack MailEnable smptd 3.62--
1 25/tcp open smtp syn-ack MailEnable smptd 0-4.26-
1 25/tcp open smtp syn-ack MailEnable smptd 0-4.25-
1 25/tcp open smtp syn-ack MailEnable smptd 0-4.0-
1 25/tcp open smtp syn-ack MailEnable smptd 0-3.11-3.04
1 25/tcp open smtp syn-ack MailEnable smptd --3.63
1 25/tcp open smtp syn-ack MAILsweeper SMTP proxy
1 25/tcp open smtp syn-ack Lyris ListManager smtpd
1 25/tcp open smtp syn-ack Lotus Domino smtpd 8.5.2
1 25/tcp open smtp syn-ack Lotus Domino smtpd 8.5 HF1086
1 25/tcp open smtp syn-ack Linuxmagic qmail-based smtpd (with Anti-Spam)
1 25/tcp open smtp syn-ack JAMES smtpd 2.3.2
1 25/tcp open smtp syn-ack IceWarp smtpd 10.0.8
1 25/tcp open smtp syn-ack IceWarp smtpd 10.0.7
1 25/tcp open smtp syn-ack IMail NT-ESMTP 9.21 137016-1
1 25/tcp open smtp syn-ack IMail NT-ESMTP 8.22 123846-3
1 25/tcp open smtp syn-ack IMail NT-ESMTP 11.02 19-1
1 25/tcp open smtp syn-ack IMail NT-ESMTP 11.01 7292-1
1 25/tcp open smtp syn-ack IA Mailserver smtpd
1 25/tcp open smtp syn-ack Exim smtpd 4.62
1 25/tcp open smtp syn-ack Exim smtpd 4.42
1 25/tcp open smtp syn-ack Communigate Pro SMTP 5.2.20
1 25/tcp open smtp syn-ack Code-Crafters Ability smtpd 2.63
1 25/tcp open smtp syn-ack ArGoSoft Mail Server Pro 1.8.8.7
1 25/tcp open smtp syn-ack ArGoSoft Freeware smtpd 1.8.8.8
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 9.6.2
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 9.5.6
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 9.0.7
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 8.1.4
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 11.0.3
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 11.0.2
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 11.0.0
1 25/tcp open smtp syn-ack Alt-N MDaemon mail server 10.0.0
1 25/tcp open smtp syn-ack (Relay not authorized)
1 25/tcp open nagios-nsca syn-ack Nagios NSCA
1 25/tcp open jdwp syn-ack

produced with:

sudo nmap -n -d --log-errors -PS25 -p25 --open -sV -T5 -iR 600000 -oA output_smtp_versions.txt

src: https://blogdata.skullsecurity.org/smtp-versions-count.txt
