Hello everyone,

I'm having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can't get my head around this. I know this might be more of an Exim question but since I use Exim4u I'll try my luck here first.

The problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain's aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account's email address as sender.

First I thought: sure thing - a compromised account. So I changed his password. But the following day it happened again. So I changed his pw again and told him not to update the pw on his computer but only use his mobile for a day. About 36h later it happened again. I have checked the logs and he indeed didn't connect using his MacBook for the whole day, just as I told him. So this should rule out a compromised machine, right?

There are no relay servers in my exim4u installation and connections are only accepted on SSL/TLS (993/587). The exim4u web interface is not public. I keep the box up to date and have all Debian LTS packages installed and have a rather tight iptables based firewall running. Plus I think I can exclude dictionary attacks because I have fail2ban blacklisting IPs after a couple of failed attempts.

Long story short: I'm running out of excuses. My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used "P=esmtps":

2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"

Rather than "P=esmtpsa", which is used when a regular, _a_uthenticated user sends out mail.
http://www.gossamer-threads.com/lists/exim/users/98628#98628

So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?

It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.

Thanks i.a.
Mika
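The P=esmtps versus P=esmtpsa distinction the question turns on can be checked mechanically across the whole mainlog. The following is an added example, not code from the post or from Exim/Exim4U: it parses Exim "<=" arrival lines and flags messages whose envelope sender is in a local domain but whose session was neither authenticated (no trailing "a" on P= and no A= field) nor from a trusted network. The log lines, domains, hosts, IPs and message ids are constructed for the example.

```python
import ipaddress
import re

# Constructed Exim mainlog "<=" (message arrival) lines, modelled on the post's
# format; hosts, IPs (RFC 5737 test ranges) and message ids are made up.
SAMPLE_LOG = """\
2015-08-18 01:20:36 1AAAAA-000001-AA <= user@example.com H=s1.hoster.invalid [198.51.100.7] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=a1@example.com T="Fw: important"
2015-08-18 02:00:10 1AAAAA-000002-BB <= user@example.com H=(phone) [203.0.113.9] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 A=plain_login:user@example.com S=1200 id=a2@example.com T="Re: meeting"
2015-08-18 02:05:00 1AAAAA-000003-CC <= other@remote.invalid H=mx.remote.invalid [203.0.113.5] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 S=900 id=a3@remote.invalid T="Hello"
2015-08-18 02:10:00 1AAAAA-000004-DD <= www-data@example.com U=www-data P=local S=500 id=a4@example.com T="Cron output"
"""

LOCAL_DOMAINS = {"example.com"}                       # domains this server hosts (assumed)
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]  # clients allowed to submit without auth

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r'(?P<key>[A-Za-z]+)=(?P<val>"[^"]*"|\S+)')   # key=value, value may be quoted
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")                   # the [ip] part of H=

def parse_arrival(line):
    """Split one arrival line into a dict of its fields; None if it is not an arrival line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "msgid": m["msgid"], "sender": m["sender"]}
    ip = IP_RE.search(m["rest"])
    rec["ip"] = ip["ip"] if ip else None            # None for local (non-network) submissions
    for f in FIELD_RE.finditer(m["rest"]):
        rec[f["key"]] = f["val"].strip('"')
    return rec

def is_suspicious(rec):
    """Local sender over the network, but no authentication: P= lacks the trailing 'a' and no A=."""
    domain = rec["sender"].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS or rec["ip"] is None:   # foreign sender, or P=local pipe
        return False
    if rec.get("P", "").endswith("a") or "A" in rec:        # esmtpsa/esmtpa: authenticated
        return False
    addr = ipaddress.ip_address(rec["ip"])
    return not any(addr in net for net in TRUSTED_NETS)

def find_unauthenticated_local_senders(log_text):
    """Return the parsed arrival records matching the pattern, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits
```

Run against the real mainlog, a non-empty result for a local domain with no unauthenticated relay hosts is the signal to look at the ACLs and authenticators rather than the user's password.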