On 2010-12-04 10:06, Alexander Nagel wrote:
> The logfile section of one mail which looks quite normal except the
> A=cram authenticator:
>
> 2010-12-03 23:11:36 1POdqq-0005Dd-Lg<= notmylocale1@notmydomain1
> H=static-mum-XX.XXX.XXX.XX.YYYY.net.in (ZZZZ.com) [XX.XXX.XXX.XX]
> P=esmtpa A=cram: S=1541
> id=bffc0c4db7014b5f85f70fd3366406e2@5596f1f9ac9a4e95972a770a95afed48
> from<notmylocale1@notmydomain1> for notmylocale3@notmydomain3
> 2010-12-03 23:11:40 1POdqt-0005Dd-Lp<= notmylocale2@notmydomain2
> H=static-mum-XX.XXX.XXX.XX.YYY.net.in (ZZZZ.com) [XX.XXX.XX.XX] P=esmtpa
> A=cram: S=1420
> id=66f95d560e354a95905d29ba7a939ae3@266eba13b7e640dca0c0f1f0b0044aff
> from<notmylocale2@notmydomain2> for notmylocale3@notmydomain3
> 2010-12-03 23:11:40 1POdqq-0005Dd-Lg Completed QT=4s
[...]
> cram:
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5}}
> server_set_id = $auth1
You should make the lookup return fail explicitly when pgsql returns no rows,
otherwise it just returns an empty string. server_secret needs an explicit fail
in order to fail the attempt at authorisation. See (e.g..)
http://exim.org/exim-html-4.69/doc/html/spec_html/ch35.html#SECID176
http://exim.org/exim-html-4.69/doc/html/spec_html/ch11.html#SECTexpop
( for ${lookup )
Something along the lines of
server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5} {$value} fail}
What's happened is that your spammer has guessed, probably, a user name
which does not exist in your database - and then tried to AUTH with it
and any random password. Not hard, even for a really dumb spammer.
Cheers,
Jeremy
PS: You're correct to be using the server config for the authenticator.
Client would be when you want to use AUTH when initiating SMTP
sessions to other servers.
