Hi all,

One particular account on my server has been used to send spam repeatedly. I have changed the account's password so many times now that I believe this spam is not actually using their password for ASMTP, but probably a hole on the system which I am not able to detect. I am requesting a third party to help me figure out how this could be happening.
The header below is from one such spam. What weakness(es) is the spammer likely abusing?

Return-Path: <benson.ku...@ourdomain.tld>
Envelope-to: daniel.ow...@ourdomain.tld
Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
Authentication-Results: gw.ourdomain.tld;
    iprev=fail smtp.remote-ip=5.61.42.174;
    auth=pass (PLAIN) smtp.auth=benson.ku...@ourdomain.tld;
    dmarc=skipped header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1])
    by gw.ourdomain.tld with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
    (Exim 4.92.2)
    (envelope-from <benson.ku...@ourdomain.tld>)
    id 1iCQpf-0002zI-7B
    for daniel.ow...@ourdomain.tld; Mon, 23 Sep 2019 19:05:01 +0300
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0010_01D572B4.9D8D2390"
From: <benson.ku...@ourdomain.tld>
To: <daniel.ow...@ourdomain.tld>
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
    =?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
    =?utf-8?Q?transporting?=
Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1c...@ourdomain.tld>
Date: Mon, 23 Sep 2019 16:04:50 +0000
MIME-Version: 1.0
X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon, 23 Sep 2019 19:05:01 +0300
X-MimeOLE: Produced By Microsoft MimeOLE
X-Spam-Flag: NO

--
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
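Added example, not part of the post above: a small Python script that pulls the facts a defender needs out of exactly this kind of Exim header, namely whether the message came in as an authenticated submission (Exim logs that as `esmtpsa`, and `Authentication-Results` records `auth=pass` with the account in `smtp.auth`), which client IP used the credentials, whether its reverse DNS failed, and whether the HELO claims to be loopback while the connection is remote. The sample header embedded below is constructed from the fields quoted in the post; the function names are my own.

```python
import re

# Constructed sample: the relevant fields of the header in the post, re-folded.
SAMPLE_HEADER = """\
Authentication-Results: gw.ourdomain.tld;iprev=fail smtp.remote-ip=5.61.42.174;auth=pass (PLAIN) smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1])
\tby gw.ourdomain.tld with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
\t(Exim 4.92.2) (envelope-from <benson.ku...@ourdomain.tld>)
\tid 1iCQpf-0002zI-7B for daniel.ow...@ourdomain.tld; Mon, 23 Sep 2019 19:05:01 +0300
"""

# Exim's "Received:" form for a client hop: "from [ip] (helo=x) by host with <protocol>"
RECEIVED_RE = re.compile(r"from \[?(?P<ip>[\d.]+)\]?\s+\(helo=(?P<helo>[^)]+)\)"
                         r"\s+by\s+\S+\s+with\s+(?P<proto>\S+)")

def parse_headers(raw):
    # Unfold continuation lines into (lower-cased name, value) pairs.
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def parse_auth_results(value):
    # Flatten "host;k=v a.b=c;..." into a dict of every key=value token.
    return dict(re.findall(r"([\w.-]+)=([^\s;]+)", value))

def assess_submission(raw):
    # Summarise how the message entered the server and whether the hop looks odd.
    auth, hop = {}, None
    for name, value in parse_headers(raw):
        if name == "authentication-results":
            auth.update(parse_auth_results(value))
        elif name == "received" and hop is None:      # first Received: = our own server
            match = RECEIVED_RE.search(value)
            hop = match.groupdict() if match else None
    if hop is None:
        return {"authenticated_submission": False}
    helo = hop["helo"].strip("[]")
    return {
        # esmtpsa = ESMTP over TLS with SMTP AUTH; smtp.auth names the account used
        "authenticated_submission": hop["proto"] == "esmtpsa" and auth.get("auth") == "pass",
        "auth_user": auth.get("smtp.auth"),
        "remote_ip": hop["ip"],
        "reverse_dns_failed": auth.get("iprev") == "fail",
        # a remote client announcing itself as 127.0.0.1 is a common spam-bot tell
        "helo_mismatch": helo.startswith("127.") and not hop["ip"].startswith("127."),
    }
```

Run over a mailbox or Exim's message headers, the `auth_user` and `remote_ip` pairs show which account's credentials are being used from where, which is the evidence to check against the account holder's own devices before rotating the password again.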