Hi folks, I came across a new (to me) method of sending SPAM through my
587 only mail relay system for my clients.
As usual - a user has given up her password (social engineering - whatever).
The account was being used to send about 10 emails at a time with a
different from address and from different locations from around the
world. This made it a bit difficult to catch (they started at 2AM and I
caught this at 9AM).
Typical log entry:
2019-09-25 06:11:12 1iCydz-0000TU-LP <= minanilo@???
H=(relay.zanet.co.za) [113.173.127.51]:34572 I=[192.96.24.71]:587
P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
A=PLAIN:myclient@??? S=1570
However - from my viewpoint, the username used in the authentication
("myclient@???") should be the same as the "From", i.e. <=
minanilo@???.
Is there a neat way to drop emails when the "From" is not the same as
the PLAIN authenticated name?
--
Mark James ELKINS - Posix Systems - (South) Africa
mje@??? Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
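One way to do this in Exim, as an added illustration (not from the original post): reject authenticated submissions whose envelope sender or From: header differs from the login name. It assumes the authenticated id is the full address, as it appears after "A=PLAIN:" in the log above, and that the ACL names acl_check_mail and acl_check_data are not already in use.

```exim
# Main section: run the checks at MAIL FROM and at DATA
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

acl_check_mail:
  # Only for authenticated sessions. $authenticated_id is the login name
  # (assumed to be a full address, e.g. myclient@example.com, as in the
  # log line "A=PLAIN:myclient@...").
  deny
    authenticated = *
    !condition    = ${if eqi{$sender_address}{$authenticated_id}}
    log_message   = envelope sender $sender_address does not match authenticated user $authenticated_id
    message       = Envelope sender must match the authenticated user
  accept

acl_check_data:
  # Same comparison against the From: header, so a correct envelope
  # sender cannot be paired with a forged header address.
  deny
    authenticated = *
    !condition    = ${if eqi{${address:$h_from:}}{$authenticated_id}}
    log_message   = header From $h_from: does not match authenticated user $authenticated_id
    message       = From: header must match the authenticated user
  accept
```

Merge these statements into the MAIL and DATA ACLs you already have rather than replacing them, and add an exception (for example a lookup of permitted aliases per login) for users who legitimately send from more than one address.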