[exim] Dictionary spamming ?

Author: Phil (Medway Hosting)
Date:  
To: Exim Users List
Subject: [exim] Dictionary spamming ?
Hi All

I am getting a lot of entries like these in my logs over the last few days:

2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=maxwell)
2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8164 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=smiles)
2007-09-23 05:00:09 fixed_login authenticator failed for (windows) [64.62.22.218]:8250 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=smokey)
2007-09-23 05:00:11 fixed_login authenticator failed for (windows) [64.62.22.218]:8301 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=nancy)
2007-09-23 05:00:12 fixed_login authenticator failed for (windows) [64.62.22.218]:8341 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=snickers)
2007-09-23 05:00:13 fixed_login authenticator failed for (windows) [64.62.22.218]:8395 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=nascar)
2007-09-23 05:00:14 fixed_login authenticator failed for (windows) [64.62.22.218]:8437 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=speedy)
2007-09-23 05:00:15 fixed_login authenticator failed for (windows) [64.62.22.218]:8488 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=nelson)
2007-09-23 05:00:15 fixed_login authenticator failed for (windows) [64.62.22.218]:8535 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=spooky)
2007-09-23 05:00:15 fixed_login authenticator failed for (windows) [64.62.22.218]:8609 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=network)
2007-09-23 05:00:16 fixed_login authenticator failed for (windows) [64.62.22.218]:8634 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=stephani)

Am I right in thinking this is a spam dictionary attack from "cr4p sp4mm3r s0ftw4re" or hack attempts to send via my server? I tried searching for info, and found plenty of examples but no explanations!

Many thanks

Phil

_____________________________________________

Website Hosting from only £5.00 per month.
www.medwayhosting.com - +44 (0)1634 856965
_____________________________________________

Digital & Traditional Printing, and much more
www.medwayprint.com - +44 (0)1634 281199
_____________________________________________
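The pattern in Phil's log (one source address cycling through many different set_id values within seconds) can be picked out of the Exim main log mechanically. The following is an added example, not code from this thread or from Exim itself: it parses the quoted log format and flags a source IP when it produces many failures against many distinct usernames inside a short window, which separates a dictionary attack from a legitimate user mistyping one password. The 192.0.2.10 lines, the window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Exim main-log AUTH failure line, in the format quoted in the post above.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[^\]]+)\]:\d+ .*535 Incorrect authentication data "
    r"\(set_id=(?P<user>[^)]*)\)"
)

def parse_auth_failures(lines):
    """Yield (timestamp, source_ip, set_id) for each matching log line."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def find_dictionary_attacks(lines, window=timedelta(minutes=5),
                            min_failures=5, min_users=3):
    """Return {ip: (failures, distinct_users)} for source IPs that exceed both
    thresholds inside some `window`. Many distinct set_id values from one IP is
    the dictionary-attack signature; a mistyped password repeats one set_id."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_auth_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hits[ip] = max(hits.get(ip, (0, 0)), (len(span), len(users)))
    return hits

# Sample input: five lines from the post above, plus two constructed lines for a user mistyping one password from 192.0.2.10.
SAMPLE_LOG = """\
2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=maxwell)
2007-09-23 05:00:08 fixed_login authenticator failed for (windows) [64.62.22.218]:8164 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=smiles)
2007-09-23 05:00:09 fixed_login authenticator failed for (windows) [64.62.22.218]:8250 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=smokey)
2007-09-23 05:00:11 fixed_login authenticator failed for (windows) [64.62.22.218]:8301 I=[84.40.17.13]:25: 535 Incorrect authentication data (set_id=nancy)
2007-09-23 05:00:12 fixed_login authenticator failed for (windows) [64.62.22.218]:8341 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=snickers)
2007-09-23 05:02:00 fixed_login authenticator failed for (laptop) [192.0.2.10]:5001 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=phil)
2007-09-23 05:02:05 fixed_login authenticator failed for (laptop) [192.0.2.10]:5002 I=[84.40.17.12]:25: 535 Incorrect authentication data (set_id=phil)
""".splitlines()
```

Feeding the real main log through `find_dictionary_attacks` gives a per-IP list that can drive a firewall block or a rate limit; the repeated-single-user case is left out by the distinct-username threshold.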
Author: Keith Edmunds
Date: Wed, 26 Sep 2007 18:34:29 +0100
To: Exim Users List
Subject: [exim] Strip originating headers when relaying

We have an Exim server that allows authenticated clients to relay through
it, which works fine.

However, if the client is, for example, a laptop on a dial-up connection,
the ultimate destination mail server will sometimes reject the connection
based on the originating IP address.

Is it possible to rewrite the headers (or use some other technique) such
that the mail appears to originate on our Exim server?

Thanks