Re: [exim] Unstoppable spam

Author: Sebastian Nielsen
Date:  
To: exim-users
Subject: Re: [exim] Unstoppable spam
If gw.ourdomain.tld is listed as an authorized relayer in the exim4 config,
authentication isn't needed.
Check the configuration to make sure that relaying is not authorized for gw.ourdomain.tld.

The best thing you can do is to restrict relaying so that BOTH an authorized IP *AND* a
password are required; that way you also steer clear of
all those password-cracking robots out there.

-----Original message-----
From: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> On behalf of
Odhiambo Washington via Exim-users
Sent: 24 September 2019 09:49
To: exim users <exim-users@???>
Subject: [exim] Unstoppable spam

Hi all,

One particular account on my server has been used to send spam repeatedly.
I have changed the account's password so many times now that I believe this
spam is not actually using their password for ASMTP, but is probably exploiting a hole in
the system which I am not able to detect.
I am requesting a third party to help me figure out how this could be happening.

The header below is from one such spam.

What weakness(es) is the spammer likely abusing?

Return-Path: <benson.kuria@???>
Envelope-to: daniel.owino@???
Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
Authentication-Results: gw.ourdomain.tld;iprev=fail
smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
smtp.auth=benson.kuria@???;dmarc=skipped
header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
(envelope-from <benson.kuria@???>) id 1iCQpf-0002zI-7B for
daniel.owino@???; Mon, 23 Sep 2019 19:05:01 +0300
Content-Type: multipart/mixed;
                boundary="----=_NextPart_000_0010_01D572B4.9D8D2390"
From: <benson.kuria@???>
To: <daniel.owino@???>
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
                =?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
                =?utf-8?Q?transporting?=
Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1cd9b@???>
Date: Mon, 23 Sep 2019 16:04:50 +0000
MIME-Version: 1.0
X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon,
23 Sep 2019 19:05:01 +0300
X-MimeOLE: Produced By Microsoft MimeOLE
X-Spam-Flag: NO

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
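The posted header shows the message arriving `with esmtpsa` and `auth=pass (PLAIN)` for `smtp.auth=benson.kuria@???` from `5.61.42.174`, i.e. the gateway accepted a password for that account from an arbitrary Internet host. Sebastian's advice is to make relaying depend on a trusted source host as well as a password. The fragment below is an added example of what that looks like in an Exim 4 configuration; it is not from the original post and not Exim's shipped configure file. The `relay_from_hosts` range (192.168.0.0/16), the domain `ourdomain.tld` and the name `acl_check_rcpt` are placeholders and assumptions: substitute your own networks, domains and ACL names.

```exim
# Added example configuration fragment (not from the original post or
# from Exim's default configure file). Placeholders: 192.168.0.0/16,
# ourdomain.tld and acl_check_rcpt are assumptions; adjust to your site.

domainlist local_domains    = @ : localhost : ourdomain.tld
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.168.0.0/16

# Only advertise AUTH to trusted hosts. A robot connecting from the
# Internet never sees "250-AUTH PLAIN LOGIN", so it cannot even start
# guessing passwords; Exim rejects an unadvertised AUTH command.
auth_advertise_hosts = +relay_from_hosts

begin acl

acl_check_rcpt:

  # Mail for our own domains is accepted from anyone (a full ACL also
  # verifies the recipient etc.); what we restrict here is relaying.
  accept  domains = +local_domains

  # WEAK (this is the shape of the stock Exim default): two separate
  # accept statements, so a trusted host OR a valid password is enough.
  # With a stolen or guessed password, any IP on the Internet can relay.
  #
  #   accept  hosts = +relay_from_hosts
  #   accept  authenticated = *

  # HARDENED: one accept statement with two conditions. Conditions on a
  # single verb are ANDed, so relaying needs BOTH a host listed in
  # relay_from_hosts AND a successful SMTP AUTH on this connection.
  accept  hosts         = +relay_from_hosts
          authenticated = *

  # Everything else is refused. This also refuses authenticated users
  # connecting from outside the trusted network; roaming users must
  # come in over a VPN or from another host you add to relay_from_hosts.
  deny    message = relay not permitted
```

After changing the ACL, confirm the effect with `exim -bh 5.61.42.174` (a simulated SMTP session from that address): AUTH should no longer be advertised in the EHLO response, and a RCPT TO an external domain should get the `relay not permitted` rejection even if you paste a valid AUTH exchange.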