Re: [exim] Is that SPAM? Or am I compromised?

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: exi.ml
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Is that SPAM? Or am I compromised?
Thank you Slavko for your answer.

On 13/03/2023 10:28, Slavko via Exim-users wrote:
> Dňa 12. 3. o 22:34 Yves via Exim-users napísal(a):
> […]
>> — There is a DKIM signature done by my own server (d=yalis.fr), which
>> includes the From header, and that header is @yalis.fr.
>
> Can be DKIM replay, it can be failed, only with purpose to fool users.
> You didn't provide DKIM verify result...


I did not know how to verify the signature… Looking at Archlinux
packages, I selected opendkim; it man page says that opendkim-testmsg
returns nothing if the input message is good. I ran:

opendkim-testmsg <./"Hey, what's up? - <admin@???> - 2023-03-12
2223.eml"

which returned nothing, and $?==0. So the signature is valid!

> Anyway, your Message-ID is signed, if that message was initialed from
> your server, you must be able to find it in logs. And you can change
> DKIM key, to be sure...


I checked per your advice on the server:

[root@seuil3 etc]# journalctl --grep 640E42D8.7020207
mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message
<640E42D8.7020207@???> for nobody:182
mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 -
BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02
1pbRIJ-002UYg-0j <= admin@??? H=([93.184.14.24]) [93.184.14.24]
P=esmtp S=6613 id=640E42D8.7020207@???

I’m not sure of how to understand that :-/
All 3 lines seem to me to relate to receiving the message. I don’t see a
line that is about sending the message, or signing it.

Could it be that the message is signed when I receive it? Could it be
because I use LMTP for delivering, instead of local drop?
If that is the explanation, it seems a bit “stupid” of Exim to do so…

Regards

> […]