Hi Mika,

2015-08-20 13:35, emkay wrote:

> I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4U I’ll try my luck here first.
>
> The problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
I don't really understand this last sentence. Care to clarify?
> My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
>
> 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
>
> Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
>
> So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
>
> It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.

The fact that these messages are sent from your user's e-mail address might mean that:

a) the sender expects that the recipients will be more likely to read it (due to the message appearing as being from the same domain / from a user in the address book)

b) (and you should really test this theory) your mail server might be skipping spam checks on messages which it considers as sent from local users.

I had a similar issue a couple of years ago: someone's account was compromised, and our server became a spamming machine. I can't remember whether or not it happened more than once, but when I decided to debug this problem, the issue turned out to be that I had disabled spam checking on messages originating from 127.0.0.1, and the spammer used our webmail service running on the same server to send the spam. Once I figured that out, I configured Exim to also test messages originating from the www-data user, and the problems stopped.

Hope this helps,
Rimas
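The two points raised in this exchange (an arrival line whose P= lacks the trailing "a" was not authenticated, and local submissions from a webmail process are neither remote nor authenticated, so an ACL keyed on 127.0.0.1 or on "authenticated" never looks at them) can be turned into a quick triage of the Exim mainlog. The script below is an added example, not code from either poster or from the Exim4U project. It assumes example.com is the hosted domain and www-data is the Unix user the webmail runs as; the sample log lines are constructed (the first is modelled on the line quoted above, with the address de-obfuscated), and the A= and U= fields follow Exim's usual logging but are part of the constructed input.

```python
"""Added example: triage Exim mainlog "<=" (message arrived) lines.

Flags messages that claim a sender in a hosted domain but arrived without SMTP
authentication (P=esmtp/esmtps rather than esmtpa/esmtpsa), and local
submissions made by the webmail user (P=local, U=www-data), which an ACL that
only exempts 127.0.0.1 or authenticated sessions would never spam-check.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LOCAL_DOMAINS = {"example.com"}   # assumption: domains this Exim instance hosts
WEBMAIL_USERS = {"www-data"}      # assumption: Unix user the webmail runs as

# "<timestamp> <message-id> <= <sender> <key=value attributes...>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"(?P<attrs>.*)$"
)
# Upper-case key=value pairs; H= carries "hostname [ip]", T= a quoted subject.
# Lower-case keys such as id= are deliberately left alone.
ATTR_RE = re.compile(r'(?P<k>[A-Z]+)=(?P<v>"[^"]*"|\S+(?: \[[^\]]+\])?)')

AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}   # Exim adds the 'a' only after AUTH succeeded


@dataclass
class Arrival:
    ts: str
    msgid: str
    sender: str
    attrs: Dict[str, str]

    @property
    def authenticated(self) -> bool:
        return self.attrs.get("P", "") in AUTHENTICATED_PROTOCOLS

    @property
    def sender_domain(self) -> str:
        return self.sender.rpartition("@")[2].lower()


def parse_arrival(line: str) -> Optional[Arrival]:
    """Parse one mainlog line; return None for lines that are not arrivals."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    attrs = {a.group("k"): a.group("v").strip('"') for a in ATTR_RE.finditer(m.group("attrs"))}
    return Arrival(m.group("ts"), m.group("msgid"), m.group("sender"), attrs)


def suspicious(a: Arrival) -> Optional[str]:
    """Explain why an arrival deserves a look, or None for ordinary traffic."""
    if a.sender_domain not in LOCAL_DOMAINS:
        return None  # plain inbound mail from elsewhere; normal spam checks apply
    proto = a.attrs.get("P", "")
    if proto == "local":
        if a.attrs.get("U") in WEBMAIL_USERS:
            return "submitted locally by the webmail user; ACL must still spam-check it"
        return None
    if not a.authenticated:
        return f"local sender address but no authentication ({proto}) from {a.attrs.get('H', '?')}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (message-id, sender, reason) for every suspicious arrival."""
    findings = []
    for line in lines:
        a = parse_arrival(line)
        if a is None:
            continue
        why = suspicious(a)
        if why:
            findings.append((a.msgid, a.sender, why))
    return findings


def forged_sender_counts(lines: Iterable[str]) -> Counter:
    """How often each hosted address was used as sender by an unauthenticated remote host."""
    c: Counter = Counter()
    for line in lines:
        a = parse_arrival(line)
        if a and a.sender_domain in LOCAL_DOMAINS and "H" in a.attrs and not a.authenticated:
            c[a.sender.lower()] += 1
    return c


# Constructed sample log; the first line is modelled on the one quoted in the thread.
SAMPLE_LOG = """\
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy@example.com T="Fw: important"
2015-08-18 01:21:02 1ZSDNO-0002RQ-1a <= user@example.com H=(WIN-PC) [198.51.100.23] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7311 T="Fw: important"
2015-08-18 08:02:11 1ZSJbV-0003Ab-Qz <= user@example.com H=dsl-203-0-113-9.example.net [203.0.113.9] P=esmtpsa A=plain_login:user@example.com S=2140 T="lunch?"
2015-08-18 09:15:44 1ZSKkA-0003Zc-Dn <= user@example.com U=www-data P=local S=9820 T="cheap meds"
2015-08-18 09:30:00 1ZSKyK-0003b1-7x <= partner@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=3300 T="invoice"
"""

if __name__ == "__main__":
    for msgid, sender, why in scan(SAMPLE_LOG.splitlines()):
        print(f"{msgid} {sender}: {why}")
    print(forged_sender_counts(SAMPLE_LOG.splitlines()))
```

Run it against a real mainlog with `scan(open("/var/log/exim4/mainlog"))` after adjusting LOCAL_DOMAINS. Arrivals from authenticated sessions (esmtpsa with an A= field) and from unrelated domains are left alone; what remains is exactly the traffic the two posts were arguing about: remote hosts presenting a hosted address without authenticating, and webmail submissions that bypass a 127.0.0.1-based exemption.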