Thomas kinghorn wrote:
> Good afternoon all.
>
> Please forgive me if I am asking a stupid question.
>
> My server is currently being used, via a compromised account, to send junk
> to various freemail accounts.
>
> An extract of the message looks like:
>
> 208P Received: from [125.76.228.201] (helo=User)
> by smtp01.gennex.co.za with esmtpa (Exim 4.69)
> id 1MB4KF-000Nhu-W3 by authid <smith1@???> with
> login_authenticator; Mon, 01 Jun 2009 12:01:36 +0200
> 041R Reply-To: <songlile.private00@???>
> 056F From: "Mr. Song Lile"<songlile.private012@???>
> 228 Subject: Good Day,I am LILE, I work with the Hangs bank,I need your
> assistance in effecting a transaction worth $19.5m I intend to give 30% of
> the total funds as compensation for your assistance. Full names,Private
> phone number
>
> If I were to create a list of compromised accounts (until we can get the
> users to use decent passwords), how would I go about this
> as everything I have tried thus far has failed.
>
> I was thinking of something along these lines:
>
> # ACL MACRO
>
> # authenticated id {$authenticated_id}
> ACL_C_AUTHID = acl_c_authid
>
>
> # Connect phase #
> acl_check_connect:
>
> #Set ACL for AUTHID
> warn
> condition = ${if
> match{$authenticated_id}{lsearch;/usr/local/etc/exim/reject/rejected_authid}}
> set ACL_C_AUTHID = Yes
>
>
> # Compromised Accounts
> deny
> message = '$authenticated_sender' classified as compromised -
> Please change your account password
> condition = ${if eq {$ACL_C_AUTHID}{Yes}}
> logwrite = :main: Compromised Account: $authenticated_sender
>
> The list rejected_authid would contains the email addresses of the
> compromised accounts.
>
> Many thanks in advance for your assistance.
It looks like you're trying to check the authentication details in
acl_smtp_connect ... At that point in the smtp transaction no
authentication has taken place. Move your checks into acl_smtp_rcpt.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
