> I got home tonight, only to find one of our boxes have been relaying
> spam for the past two days. A quick scan of the logs, and I noticed
> that there were blank auths being done to one of my authenticators. I
> commented out the authenticator, rm -Rf'd my mailqueue, and restarted,
> and all was good.
>
> However, I want to know what went wrong. The second authenticator, the
> one that was commented out, was the one getting abused:
>
> begin authenticators
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_condition = "${if eq
> {${lookup{$2}lsearch{/etc/exim/auth.users}{$value}}} {$3} {yes}{no}}"
^
Appears that they're using users that aren't found, thus the lookup is ""
and if the password they supply is blank, $3 = ""
try inserting the word fail (no {}) where I marked above (after $value} )
> server_set_id = $2
>
> #login:
> # driver = plaintext
> # public_name = LOGIN
> # server_prompts = "Username:: : Password::"
> # server_condition = "${if eq
> {${lookup{$1}lsearch{/etc/exim/auth.users}{$value}}} {$2} {yes}{no}}"
> # server_set_id = $2
Same here
> here is some of the log entries:
>
> 2003-06-16 06:50:29 19RfOB-0007WV-7L <= ytu5478@???
> H=(smtp0100.mail.yahoo.com) [211.169.249.120] P=asmtp A=login: S=4434
> 2003-06-16 06:50:46 19RfOb-0007WV-Du <= dijngf4521@???
> H=(smtp0100.mail.yahoo.com) [211.169.249.120] P=asmtp A=login: S=4426
>
> plus more of the same.
>
> Anyone able to tell my where I have erred?
