Odhiambo Washington via Exim-users <exim-users@exim.org> (Di 19 Feb 2019 11:20:07 CET):
> I am seeing some spam going through my server, but I am not sure what
> method is being used by the spammer:
>
> exim -Mvh 1gw0Ng-0002NF-1H
> 1gw0Ng-0002NF-1H-H
> mailnull 26 26
> <malam...@crownkenya.com>
> 1550563436 0
> -received_time_usec .039642
> -helo_name [192.6.3.50]
> -host_address 74.142.119.226.1591
> -host_name rrcs-74-142-119-226.central.biz.rr.com
> -host_auth plain
> -interface_address 192.168.55.254.587
> -active_hostname gw.crownkenya.com
> -received_protocol esmtpsa

Looks like successful authentication. So he/she/it is using account data, I'd say.

> -auth_id malam...@crownkenya.com

This is the string that was set by the authenticator. It may help you to track down the account that was abused.

> 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
> ([74.142.119.226] helo=[192.6.3.50])
> by gw.crownkenya.com with esmtpsa
> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> (Exim 4.92)
> (envelope-from <malam...@crownkenya.com>)
> id 1gw0Ng-0002NF-1H
> for sk...@budomarket.pl; Tue, 19 Feb 2019 11:03:56 +0300

The envelope from matches the account-id; depending on your configuration it is another indicator of the "hacked" account.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
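The reply above reads an Exim `-H` spool file by hand: `-received_protocol esmtpsa`, `-host_auth` and `-auth_id` show the message was accepted from an authenticated client, and an envelope sender equal to `-auth_id` points at the account that was abused. The following Python script is an added example (not code from the thread or from Exim) that applies the same checks to the first section of a spool `-H` file, so a postmaster can triage a queue full of suspected spam and count submissions per authenticated account. The spool layout follows what is quoted above; the two sample headers, including all addresses, hostnames and message ids, are constructed placeholders.

```python
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample modelled on the -H spool file quoted in the thread.
# Every address, host and id here is a placeholder, not data from the thread.
SAMPLE_AUTH = """\
1aaaaa-000000-00-H
mailnull 26 26
<compromised.user@example.com>
1550563436 0
-received_time_usec .039642
-helo_name [192.0.2.50]
-host_address 198.51.100.7.1591
-host_name client.example.net
-host_auth plain
-interface_address 192.0.2.1.587
-active_hostname mx.example.com
-received_protocol esmtpsa
-auth_id compromised.user@example.com
1
recipient@example.org

301P Received: from client.example.net ([198.51.100.7] helo=[192.0.2.50])
	by mx.example.com with esmtpsa (Exim 4.92)
	(envelope-from <compromised.user@example.com>)
	id 1aaaaa-000000-00
	for recipient@example.org; Tue, 19 Feb 2019 11:03:56 +0300
"""

# Constructed unauthenticated inbound message on port 25 for comparison.
SAMPLE_UNAUTH = """\
1bbbbb-000000-00-H
mailnull 26 26
<someone@example.net>
1550563500 0
-received_time_usec .100000
-helo_name mail.example.net
-host_address 203.0.113.9.40000
-host_name mail.example.net
-interface_address 192.0.2.1.25
-active_hostname mx.example.com
-received_protocol esmtp
1
recipient@example.org
"""


def parse_spool_header(text: str) -> Dict[str, str]:
    """Parse the leading section of an Exim -H spool file.

    Line 1 is the message id (suffixed -H), line 3 the envelope sender in
    angle brackets, and from line 5 on each '-name value' line is a spool
    variable until the recipient count starts.
    """
    lines = text.splitlines()
    first = lines[0]
    info = {
        "message_id": first[:-2] if first.endswith("-H") else first,
        "envelope_from": lines[2].strip("<>"),
    }
    for line in lines[4:]:
        if not line.startswith("-"):
            break  # recipient count follows; no more variables
        name, _, value = line[1:].partition(" ")
        info[name] = value
    return info


def split_host_port(addr: str):
    """Exim writes '<ip>.<port>'; the last dot separates the port."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def assess(info: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Decide whether the message came in via an authenticated session and
    whether the envelope sender matches the authenticated account."""
    auth_id = info.get("auth_id")
    # Either the auth_id variable or a trailing 'a' in the protocol
    # (esmtpa / esmtpsa) marks a successful SMTP AUTH.
    authenticated = auth_id is not None or info.get("received_protocol", "").endswith("a")
    client_ip, client_port = split_host_port(info["host_address"])
    _, submission_port = split_host_port(info["interface_address"])
    return {
        "message_id": info["message_id"],
        "authenticated": authenticated,
        "auth_mechanism": info.get("host_auth"),
        "auth_id": auth_id,
        "sender_matches_auth_id": bool(auth_id)
        and auth_id.lower() == info["envelope_from"].lower(),
        "client_ip": client_ip,
        "client_port": client_port,
        "submission_port": submission_port,
    }


def count_by_auth_id(spool_texts: Iterable[str]) -> Dict[str, int]:
    """Count authenticated submissions per account across many -H files;
    an account with a sudden spike is the first candidate for a reset."""
    counts: Counter = Counter()
    for text in spool_texts:
        result = assess(parse_spool_header(text))
        if result["authenticated"]:
            counts[result["auth_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_UNAUTH):
        print(assess(parse_spool_header(sample)))
    print(count_by_auth_id([SAMPLE_AUTH, SAMPLE_AUTH, SAMPLE_UNAUTH]))
```

On a live host the same functions can be fed the output of `exim -Mvh <id>` for each queued message; a mismatch between `-auth_id` and the envelope sender is worth a look too, since it shows an authenticated account sending as someone else.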