[exim] spam sent by non-existent users

Author: Jonathan Gilpin
Date:  
To: exim-users
Subject: [exim] spam sent by non-existent users


Hi,

I have found that spam has been sent out through our server by authenticated users who don't exist.

e.g.
2014-12-08 22:37:08 1Xy6vT-0006KE-1y SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1Xy6vT-0006KE-1y). From <yelbigoldmines@gmail.com> (host=NULL [195.154.199.164]) for tracy@intersport.com.hk
2014-12-08 22:37:08 1Xy6vT-0006KE-1y <= yelbigoldmines@gmail.com H=(web.de) [195.154.199.164] P=esmtpa A=fixed_login:info@e-comlaw.com S=2133 id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3@gmail.com
2014-12-08 22:37:10 1Xy6vT-0006KE-1y => tracy@intersport.com.hk R=dnslookup T=remote_smtp H=mta1b.swcm.zscloud.net [195.65.152.39] X=TLSv1:AES256-SHA:256 C="250 Email accepted successfully (id=5486281510670000)"
2014-12-08 22:37:10 1Xy6vT-0006KE-1y Completed

2014-12-08 10:39:20 1Xxviq-000FQ9-Fz SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1Xxviq-000FQ9-Fz). From <mrsivonneemile@gmail.com> (host=NULL [62.210.205.210]) for bantqueci@financier.com, echezonaijoma74@hotmail.com, marcelinpagoua@yahoo.com, toscaca@yahoo.com
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz <= mrsivonneemile@gmail.com H=(User) [62.210.205.210] P=esmtpa A=fixed_login:info@e-comlaw.com S=1688
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => marcelinpagoua@yahoo.com R=dnslookup T=remote_smtp H=mta7.am0.yahoodns.net [66.196.118.37] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel 2/0"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz -> toscaca@yahoo.com R=dnslookup T=remote_smtp H=mta7.am0.yahoodns.net [66.196.118.37] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel 2/0"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => bantqueci@financier.com R=dnslookup T=remote_smtp H=mx01.gmx.com [74.208.5.27] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 C="250 Requested mail action okay, completed: id=0LaGW8-1XZGku1oKM-00m6jO"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => echezonaijoma74@hotmail.com R=dnslookup T=remote_smtp H=mx1.hotmail.com [65.54.188.110] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 <BAY004-MC3F12R0rmTI00318618@BAY004-MC3F12.hotmail.com> Queued mail for delivery"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz Completed

However, there is no such user as info@e-comlaw.com...

If I try to replicate the issue by trying to login with the username I get:

2014-12-11 18:13:45 fixed_plain authenticator failed for (jonathans-imac.home) [86.137.136.132]: 535 Incorrect authentication data (set_id=info@e-comlaw.com)


I think there must be something wrong with my fixed_login authenticator, so here it is:


fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${lookup mysql{SELECT concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE WHERE (concat(local_part,'@',domain) = '$1' OR email = '$1') AND password='$2'}{1}fail}
  server_set_id = $1


Can anyone give me any pointers?

Jonathan
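The posted server_condition interpolates $1 and $2 straight into the SQL text, so whatever the client sends as username and password becomes part of the query; a value containing a quote character can change what the query matches, which is one way a user that does not exist can appear to authenticate. The rewrite below is an added example (not the poster's configuration and not a reply from the list): it quotes both values with ${quote_mysql:...}, rejects empty credentials before the database is consulted, and uses $auth1/$auth2, which unlike $1/$2 are not overwritten by later regular-expression matches. It assumes the same MYSQL_AUTHTABLE macro and the same local_part, domain, email and password columns as the original.

```exim
# Hardened replacement for the posted fixed_login authenticator.
# Added example, not the poster's config. Assumes MYSQL_AUTHTABLE is a
# macro defined elsewhere in the configuration, as in the original.
fixed_login:
  driver           = plaintext
  public_name      = LOGIN
  server_prompts   = "Username:: : Password::"
  # $auth1/$auth2 hold the client-supplied username and password. They are
  # untrusted input: each passes through ${quote_mysql:...} so that a quote
  # character in the value cannot alter the meaning of the SQL, and empty
  # credentials are refused before any lookup runs. The query only needs to
  # answer "does exactly this user/password pair exist"; the lookup yields
  # "1" on a match and "0" otherwise, and bool turns that into the
  # yes/no result that server_condition expects.
  server_condition = ${if and{ \
                        {!eq{$auth1}{}} \
                        {!eq{$auth2}{}} \
                        {bool{${lookup mysql{SELECT 1 FROM MYSQL_AUTHTABLE \
                          WHERE (concat(local_part,'@',domain) = '${quote_mysql:$auth1}' \
                                 OR email = '${quote_mysql:$auth1}') \
                          AND password = '${quote_mysql:$auth2}' \
                          LIMIT 1}{1}{0}}}} \
                      }{yes}{no}}
  # Record the authenticated identity in the log's A= field, as before.
  server_set_id    = $auth1
```

After the change, the A=fixed_login:... field on "<=" lines in the main log still names the identity each submission authenticated as, so a quick grep for A=fixed_login: against the list of real mailboxes is a cheap way to confirm that only existing users are relaying.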