[exim] New compromise...?

Página Inicial
Delete this message
Reply to this message
Autor: Mark Elkins
Data:  
Para: exim-users
Assunto: [exim] New compromise...?
Hi folk, I came across a new (to me) method of sending SPAM through my
587 only mail relay system for my clients.

As usual - a user has given up her password (social engineering - whatever).

The account was being used to send about 10 emails at a time with a
different from address and from different locations from around the
world. This made it a bit difficult to catch (they started at 2AM and I
caught this at 9AM).

Typical Log entry:

2019-09-25 06:11:12 1iCydz-0000TU-LP <= minanilo@???
H=(relay.zanet.co.za) [113.173.127.51]:34572 I=[192.96.24.71]:587
P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
A=PLAIN:myclient@??? S=1570

However - from my viewpoint, the Username used in the authentication
"myclient@???" should be the same as the "From".. i.e. <=
minanilo@???.
Is there a neat way to drop emails when the "From" is not the same as
the PLAIN authenticated name?

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za