Re: [exim] 419 spammer - Help with AUTH ACL

Top Page
Delete this message
Reply to this message
Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] 419 spammer - Help with AUTH ACL
Thomas kinghorn wrote:

> Good afternoon all.
>
> Please forgive me if I am asking a stupid question.
>
> My server is currently being used, via a compromised account, to send junk
> to various freemail accounts.
>
> An extract of the message looks like:
>
> 208P Received: from [125.76.228.201] (helo=User)
>         by smtp01.gennex.co.za with esmtpa (Exim 4.69)
>         id 1MB4KF-000Nhu-W3 by authid <smith1@???> with
> login_authenticator; Mon, 01 Jun 2009 12:01:36 +0200
> 041R Reply-To: <songlile.private00@???>
> 056F From: "Mr. Song Lile"<songlile.private012@???>
> 228  Subject: Good Day,I am LILE, I work with the Hangs bank,I need your
> assistance in effecting a transaction worth $19.5m I intend to give 30% of
> the total funds as compensation for your assistance. Full names,Private
> phone number

>
> If I were to create a list of compromised accounts (until we can get the
> users to use decent passwords), how would I go about this
> as everything I have tried thus far has failed.
>
> I was thinking of something along these lines:
>
> # ACL MACRO
>
> # authenticated id {$authenticated_id}
> ACL_C_AUTHID          = acl_c_authid

>
>
> # Connect phase #
> acl_check_connect:
>
> #Set ACL for AUTHID
> warn
> condition = ${if
> match{$authenticated_id}{lsearch;/usr/local/etc/exim/reject/rejected_authid}}
> set ACL_C_AUTHID = Yes
>
>
> # Compromised Accounts
>    deny
>      message          = '$authenticated_sender' classified as compromised -
> Please change your account password
>      condition          = ${if eq {$ACL_C_AUTHID}{Yes}}
>      logwrite            = :main: Compromised Account: $authenticated_sender

>
> The list rejected_authid would contains the email addresses of the
> compromised accounts.
>
> Many thanks in advance for your assistance.


It looks like you're trying to check the authentication details in
acl_smtp_connect ... At that point in the smtp transaction no
authentication has taken place. Move your checks into acl_smtp_rcpt.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/