Re: [exim] Is that SPAM? Or am I compromised?

Author: Gedalya
Date:  
To: exim-users
Subject: Re: [exim] Is that SPAM? Or am I compromised?
On 3/14/23 03:12, Yves via Exim-users wrote:
>
> opendkim-testmsg <./"Hey, what's up? - <admin@???> - 2023-03-12 2223.eml"
>
> which returned nothing, and $?==0. So the signature is valid!
>


> [root@seuil3 etc]# journalctl --grep 640E42D8.7020207
> mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message <640E42D8.7020207@???> for nobody:182
> mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
> mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= admin@??? H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 id=640E42D8.7020207@???
>
> I’m not sure of how to understand that :-/
> All 3 lines seem to me to relate to receiving the message. I don’t see a line that is about sending the message, or signing it.
>

DKIM_ADSP_ALL says that SpamAssassin found no signature. Something signed it later, which makes sense.


> Could it be that the message is signed when I receive it?

Your configuration answers this question.

> Could it be because I use LMTP for delivering, instead of local drop?
> If that is the explanation, it seems a bit “stupid” of Exim to do so…


Of your configuration, not of Exim per se. Exim behavior is extremely flexible and configurations can vary tremendously from site to site.

Examine your configuration, check whether signing is indeed done by / controlled by exim configuration or elsewhere, and on what conditions.
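
One way to carry out the check suggested above, as an added example that is not part of the original post and not Exim's own tooling: a small Python parser that lists which transports in an Exim configuration set `dkim_*` options, together with their driver and protocol. The configuration text, transport names, key paths and the function name `dkim_signing_transports` are constructed for illustration and are not the poster's real settings.

```python
import re

# Constructed sample of an Exim configuration (not the poster's real one).
SAMPLE_CONFIG = r"""
begin transports
remote_smtp:
  driver = smtp
  dkim_domain = ${lc:${domain:$h_from:}}
  dkim_selector = mail
  dkim_private_key = /etc/exim/dkim/mail.key

dovecot_lmtp:
  driver = smtp
  protocol = lmtp
  # dkim_* options set on the transport used for local LMTP delivery
  dkim_domain = example.org
  dkim_selector = mail
  dkim_private_key = /etc/exim/dkim/mail.key

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part

begin retry
"""

def dkim_signing_transports(config_text):
    """Return {transport: {option: value}} for transports that set dkim_* options."""
    section, current, found = None, None, {}
    # Join backslash-continued lines before parsing.
    text = re.sub(r"\\\s*\n\s*", "", config_text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:
            section, current = m.group(1), None
        elif section == "transports":
            if re.match(r"[\w-]+:$", line):      # "name:" starts a new transport
                current = line[:-1]
            elif current and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if key.startswith("dkim_") or key in ("driver", "protocol"):
                    found.setdefault(current, {})[key] = value
    return {t: o for t, o in found.items() if any(k.startswith("dkim_") for k in o)}

if __name__ == "__main__":
    print(dkim_signing_transports(SAMPLE_CONFIG))
```

The parser does not follow `.include` files or expand macros, so a `dkim_*` option set through either is missed, and signing done outside the Exim configuration does not show up at all.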