[exim] spammers abusing my account, I don't know how

Author: xor2k
Date:  
To: exim-users
Subject: [exim] spammers abusing my account, I don't know how

Hi!

I'm using Exim 4.63 from backports.org on a Debian system and I have trouble
with spammers sending mails with my exim server. I already did a relay test
on abuse.net and they said that my server is at least not a relay. I already
changed passwords, but spam is still being sent with my user. Excerpt from
the logfile:

2007-07-28 07:04:17 1IEeTL-0004li-Hs => myuser <myuser@???> R=local_user T=mail_spool
2007-07-28 07:04:17 1IEeTL-0004li-Hs Completed
2007-07-28 07:04:17 1IEeTL-0004lc-6d => myuser <michi@???> R=spamcheck_router T=spamcheck
2007-07-28 07:04:17 1IEeTL-0004lc-6d Completed
2007-07-28 07:12:20 Start queue run: pid=26157
2007-07-28 07:12:20 End queue run: pid=26157
2007-07-28 07:34:23 1IEewY-0004ga-QN <= <> H=(mforward2.dtag.de) [194.25.242.123] P=esmtp S=73282 id=200707230408.l6N48PPu019592@???
2007-07-28 07:34:31 1IEewZ-0004gg-Oy <= <> U=Debian-exim P=spam-scanned S=73688 id=200707230408.l6N48PPu019592@???
2007-07-28 07:34:31 1IEewZ-0004gg-Oy => myuser <myuser@???> R=local_user T=mail_spool
2007-07-28 07:34:31 1IEewZ-0004gg-Oy Completed
2007-07-28 07:34:31 1IEewY-0004ga-QN => myuser <Kal424@???> R=spamcheck_router T=spamcheck
2007-07-28 07:34:31 1IEewY-0004ga-QN Completed
2007-07-28 07:42:20 Start queue run: pid=28125
2007-07-28 07:42:20 End queue run: pid=28125
2007-07-28 08:12:20 Start queue run: pid=3273

I replaced my domain with mydomain.com and my user with myuser. I don't know
who that Kal424 is. No matter, the name changes every time and every 2-3
hours such a mail is sent from my exim server. I also did rootkit checking
with chkrootkit, but it didn't find anything.

Does anyone know what to do?

Michael
--
View this message in context: http://www.nabble.com/spammers-abusing-my-account%2C-I-don%27t-know-how-tf4161381.html#a11840209
Sent from the Exim Users mailing list archive at Nabble.com.
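
Added example, not part of the original post: a small Python parser for Exim main-log lines like those quoted above. It groups entries by message id and reports, for each message, the envelope sender (`<>` is the null sender), whether it arrived from a remote host (`H=`) or was submitted on the machine itself (`U=`), and which router and transport handled each delivery. The sample input is constructed from the excerpt with wrapped lines rejoined; the names `summarize`, `LINE_RE` and `FIELD_RE` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the excerpt above, wrapped lines rejoined.
SAMPLE_LOG = """\
2007-07-28 07:34:23 1IEewY-0004ga-QN <= <> H=(mforward2.dtag.de) [194.25.242.123] P=esmtp S=73282 id=200707230408.l6N48PPu019592@???
2007-07-28 07:34:31 1IEewZ-0004gg-Oy <= <> U=Debian-exim P=spam-scanned S=73688 id=200707230408.l6N48PPu019592@???
2007-07-28 07:34:31 1IEewZ-0004gg-Oy => myuser <myuser@???> R=local_user T=mail_spool
2007-07-28 07:34:31 1IEewZ-0004gg-Oy Completed
2007-07-28 07:34:31 1IEewY-0004ga-QN => myuser <Kal424@???> R=spamcheck_router T=spamcheck
2007-07-28 07:34:31 1IEewY-0004ga-QN Completed
2007-07-28 07:42:20 Start queue run: pid=28125
"""

# timestamp, Exim 4 message id (6-6-2 characters), then the arrival/delivery flag
LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\w{6}-\w{6}-\w{2}) "
    r"(?P<flag><=|=>|->) (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z])=(\S+)")  # single-letter fields: H= U= P= R= T= S=

def summarize(log_text):
    """Group main-log lines by message id and return {id: summary}."""
    msgs = defaultdict(lambda: {"sender": None, "origin": None,
                                "protocol": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Completed" lines and queue-run markers carry no flag
        fields = dict(FIELD_RE.findall(m["rest"]))
        msg = msgs[m["id"]]
        if m["flag"] == "<=":  # message arrival
            msg["sender"] = m["rest"].split()[0]
            msg["protocol"] = fields.get("P")
            if "H" in fields:  # received over SMTP from another host
                msg["origin"] = "remote " + fields["H"]
            elif "U" in fields:  # injected by a local account
                msg["origin"] = "local user " + fields["U"]
        else:  # "=>" or "->": a delivery, with the router and transport used
            msg["deliveries"].append((fields.get("R"), fields.get("T")))
    return dict(msgs)

if __name__ == "__main__":
    for msg_id, info in summarize(SAMPLE_LOG).items():
        print(msg_id, info)
```

Run against a full mainlog, the `deliveries` list shows at a glance whether any message was handed to a remote transport or only to local ones such as `mail_spool`.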