Hi folks, I came across a new (to me) method of sending spam through my 587-only mail relay system for my clients.

As usual - a user has given up her password (social engineering - whatever).

The account was being used to send about 10 emails at a time, with a different From address each time and from different locations around the world. This made it a bit difficult to catch (they started at 2 AM and I caught it at 9 AM).

Typical Log entry:

2019-09-25 06:11:12 1iCydz-0000TU-LP <= minan...@zanet.co.za H=(relay.zanet.co.za) [113.173.127.51]:34572 I=[192.96.24.71]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=PLAIN:mycli...@zanet.co.za S=1570

However, from my viewpoint, the username used in the authentication ("mycli...@zanet.co.za") should be the same as the "From", i.e. the "<= minan...@zanet.co.za" part. Is there a neat way to drop emails when the "From" is not the same as the PLAIN-authenticated name?

--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
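One way to enforce the check the post asks for, as an added example (it is not part of the original post and not Exim project code). In the log line above, the address after "<=" is the envelope sender (Exim's $sender_address) and the address after "A=PLAIN:" is $authenticated_id, so the first ACL compares those two at MAIL time; the second compares the header From: at DATA time, since that is what the recipient actually sees. The fragment assumes the PLAIN authenticator sets server_set_id to the full login name (for example server_set_id = $auth2, so that $authenticated_id is the whole address, as the log suggests); the ACL names are hypothetical and any existing acl_check_mail / acl_check_data rules would need to be merged in rather than replaced.

```exim
# Added example: restrict authenticated submission on port 587 so that
# the envelope sender and the header From: must match the login name.
# Assumption: the authenticator sets server_set_id to the full login
# address, so $authenticated_id looks like "user@example.org".

acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

acl_check_mail:
  # Only sessions that authenticated (any authenticator) are affected;
  # unauthenticated local delivery and inbound mail are untouched.
  # eqi is a case-insensitive comparison, so User@ and user@ match.
  deny    authenticated = *
          !condition    = ${if eqi{$sender_address}{$authenticated_id}}
          log_message   = envelope sender $sender_address does not match \
                          authenticated id $authenticated_id
          message       = Envelope sender must match the authenticated account

  accept

acl_check_data:
  # ${address:...} strips the display name from the From: header, so
  # "Some Name <user@example.org>" is compared as "user@example.org".
  deny    authenticated = *
          !condition    = ${if eqi{${address:$h_from:}}{$authenticated_id}}
          log_message   = header From: ${address:$h_from:} does not match \
                          authenticated id $authenticated_id
          message       = From: header must match the authenticated account

  accept
```

Two caveats before deploying this. An authenticated client that sends a message with an empty envelope sender (MAIL FROM:<>) is rejected by the first rule, because an empty string never equals the login; if any client legitimately does that, add a preceding accept for senders = : within the authenticated branch. And users who legitimately send from several aliases will be blocked too; in that case replace the plain equality with a lookup of the permitted sender list for $authenticated_id (for example an lsearch file keyed by login name, checked with ${if inlisti{...}}) so that the policy is "sender must belong to this account" rather than "sender must equal this account".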
