Hi all,
One particular account on my server has been used to send spam repeatedly.
I have changed the account's password so many times now that I believe this
spam is not actually using their password for ASMTP, but probably a hole in
the system which I am not able to detect.
I am asking for a 3rd party to help me figure out how this could be happening.
The header below is from one such spam.
What weakness(es) is the spammer likely abusing?
Return-Path: <benson.kuria@???>
Envelope-to: daniel.owino@???
Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
Authentication-Results: gw.ourdomain.tld;iprev=fail
    smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
    smtp.auth=benson.kuria@???;dmarc=skipped
    header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
    with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
    (envelope-from <benson.kuria@???>) id 1iCQpf-0002zI-7B for
    daniel.owino@???; Mon, 23 Sep 2019 19:05:01 +0300
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0010_01D572B4.9D8D2390"
From: <benson.kuria@???>
To: <daniel.owino@???>
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
    =?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
    =?utf-8?Q?transporting?=
Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1cd9b@???>
Date: Mon, 23 Sep 2019 16:04:50 +0000
MIME-Version: 1.0
X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon,
    23 Sep 2019 19:05:01 +0300
X-MimeOLE: Produced By Microsoft MimeOLE
X-Spam-Flag: NO
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
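Added example, not part of the post above: a small parser that pulls out of those headers the fields that answer "how did this message get in". The Authentication-Results line records auth=pass (PLAIN) with smtp.auth set to the account, and the Received line records the protocol as esmtpsa, which in Exim (and RFC 3848) means the session passed SMTP AUTH; the same line shows the session came from 5.61.42.174 with a HELO of [127.0.0.1] and iprev=fail. The header block is copied from the post (with the list's "???" masking, body omitted); the Received regex is written for the Exim line shape seen here and is my assumption, not Exim's own parser.

```python
import re
from email.header import decode_header

# Headers copied from the post above (recipient domains masked as "???" there,
# body omitted); continuation lines are folded with leading whitespace.
SPAM_HEADERS = """\
Return-Path: <benson.kuria@???>
Authentication-Results: gw.ourdomain.tld;iprev=fail
  smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
  smtp.auth=benson.kuria@???;dmarc=skipped
  header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
  with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
  (envelope-from <benson.kuria@???>) id 1iCQpf-0002zI-7B for
  daniel.owino@???; Mon, 23 Sep 2019 19:05:01 +0300
From: <benson.kuria@???>
To: <daniel.owino@???>
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
  =?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
  =?utf-8?Q?transporting?=
"""

# Exim's Received: line; the trailing "a" in esmtpa/esmtpsa (RFC 3848) means
# the session passed SMTP AUTH. Assumed shape, written for the sample above.
EXIM_RECEIVED = re.compile(
    r"from \[?(?P<ip>[^\s\]]+)\]?(?: \(helo=(?P<helo>[^)]+)\))?"
    r" by (?P<by>\S+) with (?P<proto>\S+)"
)


def unfold(raw):
    """Join RFC 5322 folded lines; keeps the last value per header name
    (enough here: the sample has a single Received: line)."""
    headers = {}
    last = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            last = last.strip()
            headers[last] = value.strip()
    return headers


def parse_auth_results(value):
    """Parse an Authentication-Results value (RFC 8601) into
    {method: {"result", "comment", "props"}}; '(PLAIN)' lands in comment."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    methods = {}
    for part in parts[1:]:  # parts[0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", part)
        if not m:
            continue
        method, result, rest = m.groups()
        comment = re.search(r"\(([^)]*)\)", rest)
        methods[method] = {
            "result": result,
            "comment": comment.group(1) if comment else None,
            "props": dict(re.findall(r"([\w.-]+)=(\S+)", rest)),
        }
    return methods


def decode_subject(value):
    """Decode RFC 2047 encoded-words (the sample is three utf-8 Q chunks)."""
    out = []
    for chunk, charset in decode_header(value):
        out.append(chunk.decode(charset or "ascii", "replace")
                   if isinstance(chunk, bytes) else chunk)
    return "".join(out)


def assess(raw):
    """Pull the fields that answer 'how did this get in' out of the headers."""
    hdrs = unfold(raw)
    methods = parse_auth_results(hdrs["Authentication-Results"])
    m = EXIM_RECEIVED.search(hdrs["Received"])
    if not m:
        raise ValueError("Received: line not in the expected Exim shape")
    auth = methods.get("auth", {})
    proto = m.group("proto")
    return {
        # either signal alone says the MTA accepted a login for the session
        "authenticated": auth.get("result") == "pass" or proto.endswith("a"),
        "auth_user": auth.get("props", {}).get("smtp.auth"),
        "auth_mech": auth.get("comment"),
        "remote_ip": m.group("ip"),
        "helo": m.group("helo"),
        "protocol": proto,
        "iprev": methods.get("iprev", {}).get("result"),
        "subject": decode_subject(hdrs["Subject"]),
    }


if __name__ == "__main__":
    for key, val in assess(SPAM_HEADERS).items():
        print(f"{key:>13}: {val}")
```

Run as-is it reports authenticated=True, auth_user=benson.kuria@???, auth_mech=PLAIN, remote_ip=5.61.42.174, helo=[127.0.0.1], protocol=esmtpsa, iprev=fail, plus the decoded subject. The same reading can be cross-checked in Exim's main log, where the "<=" line for id 1iCQpf-0002zI-7B carries the authenticator and login in its A= field.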