Re: [exim] Unstoppable spam

Author: Odhiambo Washington
Date:  
To: exim users
Subject: Re: [exim] Unstoppable spam
On Tue, 24 Sep 2019 at 11:48, Jasen Betts via Exim-users <
exim-users@???> wrote:

> On 2019-09-24, Odhiambo Washington via Exim-users <exim-users@???>
> wrote:
>
> > Authentication-Results: gw.ourdomain.tld;iprev=fail
> > smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
> > smtp.auth=benson.kuria@???;dmarc=skipped
> > header.from=ourdomain.tld
>
> Is that a standard header? I've not seen exim adding that.
>


Extracted that from the spam mail.


>
> It seems to say they did "auth plain" and gave an acceptable password.
> (especially in combination with "esmtpsa" in the received header).
>
> Could there be some problem with your plain authenticator? What is it
> authenticating against?
>


Not sure if there is a problem with my plain authenticator. Maybe, maybe
not.
I need a 3rd eye.

It authenticates against dovecot:

plain:
     driver = dovecot
     public_name = PLAIN
     server_socket = /var/run/dovecot/auth-client
     server_set_id = $auth1




>
> Can you share the ' <= ' line for this email (1iCQpf-0002zI-7B) in the
> exim logs it should be near Mon, 23 Sep 2019 19:05:01 +0300
>
>

Here is the log extract:

2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.kuria@??? H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:benson.kuria@??? S=153471 id=4d95a1b3-5c91-471e-5b9e-f8fe7aa1cd9b@??? T="Your order ?5634 is ready for the transporting" from <benson.kuria@???> for daniel.owino@???
2019-09-23 19:05:01 1iCQpf-0002zI-7B => /var/spool/virtual/ourdomain.tld/daniel.owino/Maildir <daniel.owino@???> R=virtual_domains T=dovecot_virtual_delivery S=153618
2019-09-23 19:05:01 1iCQpf-0002zI-7B Completed



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
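
The following is an added example, not part of the original message: it parses `<=` arrival lines like the one quoted above, groups authenticated submissions by the `A=` id, and lists arrivals whose HELO is a loopback literal although the connection came from a remote address, the combination seen in that line. The sample log, message ids and addresses are constructed, and the field layout is assumed to match the extract above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the "<=" line quoted above; message ids,
# addresses and IPs (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
2019-09-23 19:05:01 1aaaaa-000001-AA <= alice@example.org H=([127.0.0.1]) [198.51.100.7] I=[192.0.2.1]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:alice@example.org S=153471 T="Your order" from <alice@example.org> for carol@example.org
2019-09-23 19:06:10 1aaaaa-000002-AA <= alice@example.org H=([127.0.0.1]) [203.0.113.9] I=[192.0.2.1]:587 P=esmtpsa A=plain:alice@example.org S=90211 for dave@example.org
2019-09-23 19:07:30 1aaaaa-000003-AA <= bob@example.org H=laptop.example.org (laptop) [192.0.2.44] I=[192.0.2.1]:587 P=esmtpsa A=plain:bob@example.org S=2048 for erin@example.org
2019-09-23 19:08:00 1aaaaa-000004-AA <= news@example.net H=mx.example.net [198.51.100.80] P=esmtps S=5120 T="re: A=plain:bob@example.org" for bob@example.org
2019-09-23 19:08:00 1aaaaa-000004-AA => bob <bob@example.org> R=virtual_domains T=dovecot_virtual_delivery
"""

# "<=" arrival line: optional verified host name, optional (HELO), then [remote IP].
ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) '
                     r'H=(?:[^\s(\[]\S* )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]')
AUTH = re.compile(r' A=([^:\s]+)(?::(\S+))?')  # A=<authenticator>[:<id from server_set_id>]

def loopback_helo(helo):
    """True when the HELO name is a loopback address literal such as [127.0.0.1]."""
    try:
        literal = (helo or "").strip("[]").replace("IPv6:", "", 1)
        return ipaddress.ip_address(literal).is_loopback
    except ValueError:
        return False  # an ordinary host name, or no HELO logged

def audit_auth_submissions(log_text):
    """Map each authenticated id to its source IPs and its loopback-HELO arrivals."""
    report = defaultdict(lambda: {"ips": set(), "loopback_helo": []})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery, completion or other non-arrival line
        head = line.split(' T="', 1)[0]  # subject text is sender-controlled; skip it
        auth = AUTH.search(head)
        if not auth or not auth.group(2):
            continue  # not authenticated, or the authenticator set no id
        entry = report[auth.group(2)]
        entry["ips"].add(m.group("ip"))
        remote = ipaddress.ip_address(m.group("ip"))
        if loopback_helo(m.group("helo")) and not remote.is_loopback:
            entry["loopback_helo"].append(m.group("id"))
    return dict(report)

if __name__ == "__main__":
    for auth_id, info in audit_auth_submissions(SAMPLE_LOG).items():
        print(auth_id, sorted(info["ips"]), info["loopback_helo"])
```

An account that shows several unrelated source IPs, or any loopback-HELO arrivals from remote addresses, is a candidate for a password reset and a check of the Dovecot auth log.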