Re: [exim] server compromised: "SPA: fail" but uknown spamme…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] server compromised: "SPA: fail" but uknown spammer is sending mails anyway. Config issue?
On 04/08/2021 20:20, Jan Catrysse via Exim-users wrote:
> 2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1]
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<xfinity@???>
> A=SPA:fail rejected RCPT<txbutterfly@???>: Sender verify failed


Authentication succeeded, and set an id (using server_set_id) of "fail".
This implies an error in the way your SPA authenticator is written.


server_password    = ${lookup mysql{SELECT `password` FROM `users` WHERE
CONCAT_WS('@', `username`, `domain`) = '${quote_mysql:$auth1}' AND
`SMTPAUTH_allowed` = 'YES' AND '${quote_mysql:$auth1}' !=
'';}{$value}{fail}}


Without thinking too hard about that, I suspect you *really* don't
want the braces around the word "fail".
--
Cheers,
Jeremy
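
Added example, not part of the message above and not code from the Exim project: in an Exim `${lookup ...}` expansion the bare word `fail` in place of the last brace group forces an expansion failure, while `{fail}` expands to the literal string "fail". The Python sketch below flags lookups in a configuration whose no-match branch is that braced literal. The authenticator names `spa_braced` and `spa_bare`, the second (shortened) query and the function names are constructed for illustration.

```python
# Constructed sample: the server_password line from the thread, plus a variant
# that uses the bare word fail. Authenticator names are illustrative only.
SAMPLE_CONFIG = r"""
spa_braced:
  driver = spa
  server_password = ${lookup mysql{SELECT `password` FROM `users` WHERE \
    CONCAT_WS('@', `username`, `domain`) = '${quote_mysql:$auth1}' AND \
    `SMTPAUTH_allowed` = 'YES' AND '${quote_mysql:$auth1}' != '';}{$value}{fail}}

spa_bare:
  driver = spa
  server_password = ${lookup mysql{SELECT `password` FROM `users` WHERE \
    CONCAT_WS('@', `username`, `domain`) = '${quote_mysql:$auth1}'}{$value}fail}
"""

def top_level_groups(text, start):
    """Return the brace groups sitting directly inside the ${...} that opens at start."""
    depth, groups, gstart, i = 0, [], 0, start + 1   # text[start + 1] is the outer '{'
    while i < len(text):
        ch = text[i]
        if ch == "\\":                 # backslash escapes the next character
            i += 2
            continue
        if ch == "{":
            depth += 1
            if depth == 2:
                gstart = i + 1
        elif ch == "}":
            if depth == 2:
                groups.append(text[gstart:i])
            depth -= 1
            if depth == 0:
                break                  # end of this ${lookup ...}
        i += 1
    return groups                      # unbalanced input: whatever was collected

def find_literal_fail(config):
    """Return 1-based line numbers of ${lookup items whose no-match branch is {fail}."""
    hits, pos = [], config.find("${lookup")
    while pos != -1:
        groups = top_level_groups(config, pos)
        # Single-key style is {key} type{file}{yes}{no}; query style is type{query}{yes}{no}.
        single_key = config[pos + 8:].lstrip()[:1] == "{"
        needed = 4 if single_key else 3
        if len(groups) >= needed and groups[needed - 1].strip() == "fail":
            hits.append(config.count("\n", 0, pos) + 1)
        pos = config.find("${lookup", pos + 1)
    return hits

if __name__ == "__main__":
    print("literal {fail} in lookup at line(s):", find_literal_fail(SAMPLE_CONFIG))
```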