[exim] Looking for an example

Author: Mark Elkins
Date:  
To: exim-users
Subject: [exim] Looking for an example
Hello group,

I'm looking for an example for how to cure this problem.

Every now and then, a user will give his password to a bad actor (Social
Engineering). That bad person then goes to my webmail interface and
sends out a lot of SPAM e-mail - which goes to my port 587 (only) Exim
(version 4.94).

The mail server then gets black-listed :-(

Of course - then everyone suffers.

All my users' details are in a MySQL Database. Ideally - I could change
their status to "disabled" - but still need to handle the SPAM being
sent out from their account details. Perhaps I'd look up the
"X-Originating-IP" and if there - not do a delivery?

What are the "Best Practices" with handling this?

An example of a "bad" email (the H file) might look like... (as
untouched as possible)

1jX2Tv-00A32n-Ka-H
mail 8 12
<mothapom@???>
1588942319 2
-received_time_usec .638108
-helo_name webmail.vweb.co.za
-host_address 2001:42a0::5.36176
-interface_address 2001:42a0::71.587
-received_protocol esmtps
-body_linecount 48
-max_received_linelength 74
-frozen 1589015756
-tls_cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
-tls_sni relay.vweb.co.za
-tls_ourcert -----BEGIN CERTIFICATE-----\nMIIGaTCCBVGgAwIBAgISAw6 [Lots
deleted] 4isptageh9BnUwAwJw==\n-----END CERTIFICATE-----\n
YY wryer@???
YY wrongdoer@???
YY wristwatch@???
[20+ lines deleted]
NN yards@???
NN yawn@???
50
wrinkle@???
wrinkling@???
[20+ lines deleted]
swarthy@???
swathes@???

255P Received: from [2001:42a0::5] (port=36176 helo=webmail.vweb.co.za)
        by relay.vweb.co.za with esmtps
(TLSv1.3:TLS_AES_256_GCM_SHA384:256)
        (Exim 4.92.2)
        (envelope-from <mothapom@???>)
        id 1jX2Tv-00A32n-Ka; Fri, 08 May 2020 14:51:59 +0200
018  Mime-Version: 1.0
038  Date: Fri, 08 May 2020 12:52:10 +0000
087  Content-Type: multipart/alternative;
 boundary="--=_RainLoop_183_170848428.1588942330"
026  X-Mailer: RainLoop/1.11.3
057F From: "Mrs. Agnes Adams" <mothapom@???>
068I Message-ID: <f48e1f3d5cf34a6e7f03fe0d1b6487a8@???>
030R Reply-To: jm4065278@???
012  Subject: HI
034  X-Originating-IP: 197.220.169.156

--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@??? Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
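As an added illustration of the approach sketched in the post (flip the account to "disabled" in MySQL and throttle on X-Originating-IP), here is an Exim 4.9x DATA ACL fragment; it is not from this thread or from the Exim project. The users(email, status) table, its column names and the mysql_servers credentials are assumptions, as is the limit of 30 messages per hour.

```exim
# Main section: where the user table lives (host/db/user/password are assumed).
hide mysql_servers = localhost/mail/eximro/CHANGEME

# Also in the main section, route DATA-time checks to the ACL below:
#   acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # 1. Refuse mail from accounts flagged "disabled" in the (assumed)
  #    users(email, status) table. A missing row defaults to "active"
  #    so addresses outside the table are unaffected.
  deny
    message   = Sending from $sender_address is currently disabled
    condition = ${if eq {disabled} \
                  {${lookup mysql{SELECT status FROM users \
                     WHERE email = '${quote_mysql:$sender_address}'} \
                    {$value}{active}}}}

  # 2. Throttle on the webmail client's real address (RainLoop adds
  #    X-Originating-IP) so one stolen password cannot flood the queue
  #    before anyone notices. per_mail counts messages, not recipients.
  deny
    condition   = ${if def:h_X-Originating-IP:}
    ratelimit   = 30 / 1h / per_mail / $h_X-Originating-IP:
    log_message = rate $sender_rate/$sender_rate_period exceeded \
                  for X-Originating-IP $h_X-Originating-IP:
    message     = Too many messages from your network; try again later

  # 3. The same throttle keyed on the envelope sender, for clients
  #    that add no X-Originating-IP header.
  deny
    ratelimit   = 30 / 1h / per_mail / $sender_address
    log_message = rate $sender_rate/$sender_rate_period exceeded \
                  for sender $sender_address
    message     = Too many messages from this account; try again later

  accept
```

The ratelimit hits are written to the main log, so the first "rate ... exceeded" line for an account is the signal to go and disable it in the database rather than waiting for the blacklisting.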