Hi,
I have found that spam has been sent out through our server by authenticated users which don't exist, e.g.:
2014-12-08 22:37:08 1Xy6vT-0006KE-1y SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1Xy6vT-0006KE-1y). From <yelbigoldmines@gmail.com> (host=NULL [195.154.199.164]) for tracy@intersport.com.hk
2014-12-08 22:37:08 1Xy6vT-0006KE-1y <= yelbigoldmines@gmail.com H=(web.de) [195.154.199.164] P=esmtpa A=fixed_login:info@e-comlaw.com S=2133 id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3@gmail.com
2014-12-08 22:37:10 1Xy6vT-0006KE-1y => tracy@intersport.com.hk R=dnslookup T=remote_smtp H=mta1b.swcm.zscloud.net [195.65.152.39] X=TLSv1:AES256-SHA:256 C="250 Email accepted successfully (id=5486281510670000)"
2014-12-08 22:37:10 1Xy6vT-0006KE-1y Completed
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1Xxviq-000FQ9-Fz). From <mrsivonneemile@gmail.com> (host=NULL [62.210.205.210]) for bantqueci@financier.com, echezonaijoma74@hotmail.com, marcelinpagoua@yahoo.com, toscaca@yahoo.com
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz <= mrsivonneemile@gmail.com H=(User) [62.210.205.210] P=esmtpa A=fixed_login:info@e-comlaw.com S=1688
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => marcelinpagoua@yahoo.com R=dnslookup T=remote_smtp H=mta7.am0.yahoodns.net [66.196.118.37] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel 2/0"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz -> toscaca@yahoo.com R=dnslookup T=remote_smtp H=mta7.am0.yahoodns.net [66.196.118.37] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 ok dirdel 2/0"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => bantqueci@financier.com R=dnslookup T=remote_smtp H=mx01.gmx.com [74.208.5.27] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 C="250 Requested mail action okay, completed: id=0LaGW8-1XZGku1oKM-00m6jO"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => echezonaijoma74@hotmail.com R=dnslookup T=remote_smtp H=mx1.hotmail.com [65.54.188.110] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 <BAY004-MC3F12R0rmTI00318618@BAY004-MC3F12.hotmail.com> Queued mail for delivery"
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz Completed
However, there is no such user as info@e-comlaw.com.
If I try to replicate the issue by logging in with that username, I get:
2014-12-11 18:13:45 fixed_plain authenticator failed for (jonathans-imac.home) [86.137.136.132]: 535 Incorrect authentication data (set_id=info@e-comlaw.com)
I think there must be something wrong with my fixed_login authenticator, so here it is:

  # Exim LOGIN authenticator; $1 is the username and $2 the password sent by the client
  fixed_login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = ${lookup mysql{SELECT concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE WHERE (concat(local_part,'@',domain) = '$1' OR email = '$1') AND password='$2'}{1}fail}
    server_set_id = $1
Can anyone give me any pointers?
Jonathan
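As an added example (not part of Jonathan's post and not Exim's own code): a small Python script that parses Exim main-log `<=` arrival lines, picks out the `A=authenticator:id` field, and flags authenticated submissions whose id is not in the account table, which is exactly the pattern in the log above. The two `<=` lines from the post are used as input; the `=>` line, the third `<=` line with jonathan@example.com and 192.0.2.10, and the KNOWN_ACCOUNTS set are constructed for the example.

```python
import re
from collections import Counter

# Sample Exim main log: two "<=" lines taken from the post above, one "=>" delivery
# line (which the parser must ignore) and one constructed arrival for a genuine
# account (jonathan@example.com, 192.0.2.10) so the filter has something to pass.
SAMPLE_LOG = """\
2014-12-08 22:37:08 1Xy6vT-0006KE-1y <= yelbigoldmines@gmail.com H=(web.de) [195.154.199.164] P=esmtpa A=fixed_login:info@e-comlaw.com S=2133 id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3@gmail.com
2014-12-08 22:37:10 1Xy6vT-0006KE-1y => tracy@intersport.com.hk R=dnslookup T=remote_smtp H=mta1b.swcm.zscloud.net [195.65.152.39] X=TLSv1:AES256-SHA:256 C="250 Email accepted successfully (id=5486281510670000)"
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz <= mrsivonneemile@gmail.com H=(User) [62.210.205.210] P=esmtpa A=fixed_login:info@e-comlaw.com S=1688
2014-12-09 09:02:11 1XyHjb-0001aB-2c <= jonathan@example.com H=(jonathans-imac.home) [192.0.2.10] P=esmtpsa A=fixed_login:jonathan@example.com S=812
"""

# Accounts that really exist in the auth table (constructed for the example).
KNOWN_ACCOUNTS = {"jonathan@example.com"}

# "<=" marks a message arriving at Exim; "=>" / "->" are deliveries and are skipped.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
AUTH_RE = re.compile(r"\bA=(?P<auth>[^:\s]+):(?P<id>\S+)")   # A=<authenticator>:<server_set_id>
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")           # client address in square brackets
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")                # esmtpa / esmtpsa = authenticated


def parse_arrivals(log_text):
    """Return one dict per authenticated '<=' (message arrival) line."""
    events = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        a = AUTH_RE.search(rest)
        if not a:
            continue  # unauthenticated arrival (ordinary inbound mail): not relevant here
        ip = IP_RE.search(rest)
        p = PROTO_RE.search(rest)
        events.append({
            "ts": m.group("ts"),
            "msgid": m.group("msgid"),
            "sender": m.group("sender"),
            "authenticator": a.group("auth"),
            "auth_id": a.group("id"),
            "ip": ip.group("ip") if ip else None,
            "proto": p.group("proto") if p else None,
        })
    return events


def find_ghost_logins(events, known_accounts):
    """Arrivals whose authenticated id is not an account that exists."""
    return [e for e in events if e["auth_id"] not in known_accounts]


def summarize(events):
    """Count authenticated submissions per (auth id, client IP) pair."""
    return dict(Counter((e["auth_id"], e["ip"]) for e in events))


if __name__ == "__main__":
    evs = parse_arrivals(SAMPLE_LOG)
    for e in find_ghost_logins(evs, KNOWN_ACCOUNTS):
        print(f"{e['ts']} {e['msgid']}: auth id {e['auth_id']!r} does not exist; "
              f"sender={e['sender']} client={e['ip']} proto={e['proto']}")
    for (aid, ip), n in summarize(evs).items():
        print(f"{aid} from {ip}: {n} message(s)")
```

Point it at the real main log (for example /var/log/exim4/mainlog) and fill KNOWN_ACCOUNTS from the auth table. An id that shows up under A= but is absent from that table means server_condition returned true for a username that was never issued, so the lookup itself is what to inspect. In the posted condition, $1 and $2 are expanded into the SQL text without escaping; Exim's ${quote_mysql:...} expansion operator exists for escaping values used in MySQL lookups, and the Exim specification recommends wrapping $1 and $2 with it in a server_condition of this form.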