Hello everyone,
I’m having a weird issue with my server running exim4u 2.1.1 on Debian
Squeeze and I just can’t get my head around this.
I know this might be more of an Exim question but since I use Exim4u
I’ll try my luck here first.
The problem:
For a few days now I have one single user sending out spam mails.
Not many - only about 5x a day. All sent to the domain’s aliases and one
other local domain.
But: they seem to 'multiply' because simultaneously the same rubbish is
sent from multiple external IPs to what seems to be his whole address
book, using his account’s email address as sender.
First I thought: sure thing - a compromised account. So I changed his
password.
But the following day it happened again.
So I changed his pw again and told him not to update the pw on his
computer but only use his mobile for a day.
About 36h later it happened again.
I have checked the logs and he indeed didn’t connect using his macbook
for the whole day. Just as I told him.
So this should rule out a compromised machine, right?
There are no relay servers in my exim4u installation and connections are
only accepted on SSL/TLS (993/587).
The exim4u web interface is not public.
I keep the box up to date and have all Debian LTS packages installed and
have a rather tight iptables based firewall running.
Plus I think I can exclude dictionary attacks because I have fail2ban
blacklisting IPs after a couple of failed attempts.
Long story short: I’m running out of excuses.
My last glimpse of hope:
I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy@example.com T="Fw: important"
Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated
user sends out mail.
http://www.gossamer-threads.com/lists/exim/users/98628#98628
So my question is:
Does the 'missing a' indicate that the mail was sent without
authentication?
Could this be an Exim/Exim4U ACL issue/misconfiguration?
It would be great to get some feedback or hints regarding this because
neither the spamming pattern (local / remote) nor the
password-change-ignoring connections make any sense to me.
thanks i.a.
Mika
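As an added illustration (not part of Mika's post, Exim or Exim4U): a small Python check that scans Exim mainlog "<=" arrival lines and flags messages that arrived from a remote host claiming an envelope sender in one of your local domains without an authenticated protocol (P=esmtpa/esmtpsa) or an A= field. The sample log lines, host names, IPs and the local domain list are constructed for the demonstration.

```python
import re

# Constructed sample mainlog lines in Exim's "<=" (message arrival) format;
# hosts, IPs and ids are made up and are not taken from the original post.
SAMPLE_LOG = """\
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=relay.example.net [203.0.113.10] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=aaa@example.com T="Fw: important"
2015-08-18 08:01:02 1ZSJcK-0003Aa-Qz <= user@example.com H=(client) [198.51.100.7] P=esmtpsa A=plain:user@example.com X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=1820 id=bbb@example.com T="lunch?"
2015-08-18 09:15:44 1ZSKnb-0001xy-Ab <= other@example.org H=mx.example.org [192.0.2.25] P=esmtp S=4400 id=ccc@example.org T="hello"
2015-08-18 10:30:00 1ZSLxx-0000Cv-Zq <= root@example.com U=root P=local S=512
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
# H=hostname [ip], H=hostname (helo) [ip], H=(helo) [ip] or H=[ip]
HOST_RE = re.compile(r" H=(?:(?P<host>[^\s\[(]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
PROTO_RE = re.compile(r" P=(?P<proto>\S+)")
AUTH_RE = re.compile(r" A=(?P<auth>\S+)")

# Only these protocol values mean the client passed SMTP AUTH (the trailing "a").
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}


def unauthenticated_local_senders(log_text, local_domains):
    """Arrivals from a remote host with a local envelope sender but no sign of authentication."""
    local_domains = {d.lower() for d in local_domains}
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # not an arrival ("<=") line
        rest = m.group("rest")
        host = HOST_RE.search(rest)
        if host is None:
            continue  # no H= field: local pipe/sendmail submission, not SMTP
        sender = m.group("sender")
        if "@" not in sender:
            continue  # e.g. "<>" bounce sender, no domain to check
        domain = sender.rsplit("@", 1)[1].lower()
        proto_m = PROTO_RE.search(rest)
        proto = proto_m.group("proto") if proto_m else ""
        authenticated = proto in AUTHENTICATED_PROTOCOLS or AUTH_RE.search(rest) is not None
        if domain in local_domains and not authenticated:
            findings.append({"msgid": m.group("msgid"), "sender": sender,
                             "ip": host.group("ip"), "proto": proto})
    return findings
```

Run it over a real mainlog with your own domain list; every hit is a message Exim accepted for a local sender address from an outside host without SMTP AUTH, which is what a relay ACL should have refused.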