On Tue, 19 Feb 2019 at 13:33, Heiko Schlittermann via Exim-users <
exim-users@???> wrote:
> Odhiambo Washington via Exim-users <exim-users@???> (Di 19 Feb 2019
> 11:20:07 CET):
> > I am seeing some spam going through my server, but I am not sure what
> > method is being used by the spammer:
> >
> > exim -Mvh 1gw0Ng-0002NF-1H
> > 1gw0Ng-0002NF-1H-H
> > mailnull 26 26
> > <malamala@???>
> > 1550563436 0
> > -received_time_usec .039642
> > -helo_name [192.6.3.50]
> > -host_address 74.142.119.226.1591
> > -host_name rrcs-74-142-119-226.central.biz.rr.com
> > -host_auth plain
> > -interface_address 192.168.55.254.587
> > -active_hostname gw.crownkenya.com
> > -received_protocol esmtpsa
>
> Looks like successful authentication. So he/she/it is using account
> data, I'd say.
>
> > -auth_id malamala@???
>
> This is the string, that was set by the authenticator.
> It may help you to track down the account, that was abused.
>
> > 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
> > ([74.142.119.226] helo=[192.6.3.50])
> > by gw.crownkenya.com with esmtpsa
> > (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> > (Exim 4.92)
> > (envelope-from <malamala@???>)
> > id 1gw0Ng-0002NF-1H
> > for sklep@???; Tue, 19 Feb 2019 11:03:56 +0300
>
> The envelope from matches the account-id, depenending on your
> configuration it is another indicator of the "hacked" account.
>
I thought so too.
How they end up hacking this account is something of a mystery now. This is
the second time in as many months.
Thank you.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)