Re: [exim] spammers abusing my account, I don't know how

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] spammers abusing my account, I don't know how
On Fri, 2007-07-27 at 23:51 -0700, xor2k wrote:
> I'm using Exim 4.63 from backports.org on a Debian system and I have trouble
> with spammers sending mails with my exim server. I already did a relay test
> on abuse.net and they said that my server is at least not a relay. I already
> changed passwords, but spam is still being sent with my user. Excerpt from
> the logfile:

I'll snip this down to the one message for which entries are complete:

> 2007-07-28 07:34:23 1IEewY-0004ga-QN <= <> H=(mforward2.dtag.de)
> [194.25.242.123] P=esmtp S=73282
> id=200707230408.l6N48PPu019592@???
> 2007-07-28 07:34:31 1IEewZ-0004gg-Oy <= <> U=Debian-exim P=spam-scanned
> S=73688 id=200707230408.l6N48PPu019592@???
> 2007-07-28 07:34:31 1IEewZ-0004gg-Oy => myuser <myuser@???>
> R=local_user T=mail_spool
> 2007-07-28 07:34:31 1IEewZ-0004gg-Oy Completed
> 2007-07-28 07:34:31 1IEewY-0004ga-QN => myuser <Kal424@???>
> R=spamcheck_router T=spamcheck
> 2007-07-28 07:34:31 1IEewY-0004ga-QN Completed
That shows a bounce message arriving from host mforward2.dtag.de,
passing through your spam scanner (which by the way is using an
inefficient method of checking, but we'll come to that later) and being
delivered to local user "myuser". Nothing wrong there.

> I replaced my domain with mydomain.com and my user with myuser.
Please don't do this, it makes debugging problems quite difficult.

> I don't know who that Kal424 is
It's a randomly generated email address created by a spammer, from which
you're catching bounces. The log you sent *does not* indicate a problem
with your server - it simply shows that you're catching "blowback", i.e.
error messages created by other servers because your domain is being
used in a spam run.

> No matter, the name changes every time and every 2-3
> hours such a mail is sent from my exim server.

It's sent *to* your server, not from.

> I also did rootkit checking with chkrootkit, but it didn't find anything.
You won't - you haven't been cracked, you're not relaying, you're just
catching spam blowback.

You can stop receiving a lot of it by removing any catchall email
aliases you have, since the fact that you're getting email to random
addresses being delivered indicates that you're using one.

As for the spam scanning, it's more efficient to move it into ACLs
rather than having it run via a router/transport combination. Your
package documentation might show you how to do this.

Graeme
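The reply above diagnoses the problem by reading the Exim main log: a message with envelope sender `<>` arriving from a remote host (`H=`) and being delivered to a local mailbox for a random local part is spam blowback landing on a catchall alias. The following Python script is an added example, not part of the original message or of Exim, that applies exactly that reading to a small constructed log sample. The first six lines of the sample reproduce the quoted excerpt with the redacted `???` domain replaced by the placeholder `mydomain.example`; the last three are an invented ordinary message from `alice@example.net` for contrast.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (see lead-in): the quoted excerpt
# with a placeholder domain, plus one invented ordinary message for contrast.
SAMPLE_LOG = """\
2007-07-28 07:34:23 1IEewY-0004ga-QN <= <> H=(mforward2.dtag.de) [194.25.242.123] P=esmtp S=73282 id=200707230408.l6N48PPu019592@mydomain.example
2007-07-28 07:34:31 1IEewZ-0004gg-Oy <= <> U=Debian-exim P=spam-scanned S=73688 id=200707230408.l6N48PPu019592@mydomain.example
2007-07-28 07:34:31 1IEewZ-0004gg-Oy => myuser <myuser@mydomain.example> R=local_user T=mail_spool
2007-07-28 07:34:31 1IEewZ-0004gg-Oy Completed
2007-07-28 07:34:31 1IEewY-0004ga-QN => myuser <Kal424@mydomain.example> R=spamcheck_router T=spamcheck
2007-07-28 07:34:31 1IEewY-0004ga-QN Completed
2007-07-28 08:10:02 1IEfVa-0004hh-Ab <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1024 id=abc@example.net
2007-07-28 08:10:03 1IEfVa-0004hh-Ab => myuser <myuser@mydomain.example> R=local_user T=mail_spool
2007-07-28 08:10:03 1IEfVa-0004hh-Ab Completed
"""

# "<=" marks an arrival: message id, envelope sender, then H=/U=/P=... fields.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# "=>" marks a delivery: the local user it went to and the envelope recipient.
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<user>\S+) <(?P<rcpt>[^>]+)>")
# H= appears only when the message came in over SMTP from a remote host; the
# spam scanner's re-injection carries U=Debian-exim instead.
REMOTE = re.compile(r"(^| )H=")


def analyze(log_text):
    """Map each message id to what the arrival and delivery lines say about it."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgs[m.group("id")] = {
                "sender": m.group("sender"),
                "is_bounce": m.group("sender") == "<>",   # null sender = bounce
                "remote": bool(REMOTE.search(m.group("rest"))),
                "user": None,
                "rcpt": None,
                "via_catchall": False,
            }
            continue
        m = DELIVERY.match(line)
        if m and m.group("id") in msgs:
            rec = msgs[m.group("id")]
            rec["user"] = m.group("user")
            rec["rcpt"] = m.group("rcpt")
            # A delivery to local user X for an address whose local part is not
            # X went through an alias; a random local part means a catchall.
            rec["via_catchall"] = m.group("rcpt").split("@")[0] != m.group("user")
    return msgs


def blowback(msgs):
    """Ids of bounces that arrived from a remote host for a catchall address,
    i.e. the 'blowback' pattern the reply describes."""
    return sorted(i for i, r in msgs.items()
                  if r["is_bounce"] and r["remote"] and r["via_catchall"])


def summary(msgs):
    """Counts a practitioner would want before deciding to drop the catchall."""
    c = Counter()
    for r in msgs.values():
        c["messages"] += 1
        c["bounces"] += r["is_bounce"]
        c["catchall_deliveries"] += r["via_catchall"]
    c["blowback"] = len(blowback(msgs))
    return dict(c)


if __name__ == "__main__":
    msgs = analyze(SAMPLE_LOG)
    for i in blowback(msgs):
        r = msgs[i]
        print(f"{i}: bounce for catchall address {r['rcpt']} delivered to {r['user']}")
    print(summary(msgs))
```

Run against a real `/var/log/exim4/mainlog` the same way (`analyze(open(path).read())`). Note that only the first arrival (`1IEewY`) reveals the catchall address: the copy the router/transport scanner re-injects (`1IEewZ`, `U=Debian-exim P=spam-scanned`) is addressed to `myuser` directly, so counting catchall deliveries on re-injected copies would undercount. That is one more reason to prefer the ACL-based scanning the reply recommends, where the message is checked once at SMTP time and keeps its original envelope.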