Hello Todd,
>> I need your help to shed some light on a strange Spam abuse of an
>> Exim server. I'm running a personal Exim server for years now
>> without any problems. Today I've checked the last couple of mainlog
>> files on the server and saw that something strange had happened at
>> night.
>
> Is it always from this same IP?
>
> If yes, then do:
> tcpdump -n -p -s0 host 200.198.71.194 -w debug_auth.dump
>
> ...and let it run over night. If it happened in the logs for you that
> night, then ctrl-c the tcpdump and run:
>
> tcpdump -n -p -s0 -X -r debug_auth.dump | less
>
> and look to see what he was sending that finally made it allowed.
> That may not be very useful to see the content, but you should at
> least see the negotiation portion and eliminate some possiblities.
thank you for that hint. Unfortunately it's not always the same
IP address. Based on a friends log file 145 different addresses
have been used until now.
One my friends pointed me to the following thread which exactly
describes the same problem:
http://blog.windfluechter.net/content/getting-hit-spammer-exim
Regards
Juergen
--
GPG Key available