Odhiambo Washington via Exim-users <exim-users@???> (Di 19 Feb 2019 11:20:07 CET):
> I am seeing some spam going through my server, but I am not sure what
> method is being used by the spammer:
>
> exim -Mvh 1gw0Ng-0002NF-1H
> 1gw0Ng-0002NF-1H-H
> mailnull 26 26
> <malamala@???>
> 1550563436 0
> -received_time_usec .039642
> -helo_name [192.6.3.50]
> -host_address 74.142.119.226.1591
> -host_name rrcs-74-142-119-226.central.biz.rr.com
> -host_auth plain
> -interface_address 192.168.55.254.587
> -active_hostname gw.crownkenya.com
> -received_protocol esmtpsa
Looks like successful authentication. So he/she/it is using account
data, I'd say.
> -auth_id malamala@???
This is the string, that was set by the authenticator.
It may help you to track down the account, that was abused.
> 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
> ([74.142.119.226] helo=[192.6.3.50])
> by gw.crownkenya.com with esmtpsa
> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> (Exim 4.92)
> (envelope-from <malamala@???>)
> id 1gw0Ng-0002NF-1H
> for sklep@???; Tue, 19 Feb 2019 11:03:56 +0300
The envelope from matches the account-id, depenending on your
configuration it is another indicator of the "hacked" account.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
