On Tue, 19 Feb 2019 at 13:33, Heiko Schlittermann via Exim-users <[email protected]> wrote:

> Odhiambo Washington via Exim-users <[email protected]> (Di 19 Feb 2019 11:20:07 CET):
> > I am seeing some spam going through my server, but I am not sure what
> > method is being used by the spammer:
> >
> > exim -Mvh 1gw0Ng-0002NF-1H
> > 1gw0Ng-0002NF-1H-H
> > mailnull 26 26
> > <[email protected]>
> > 1550563436 0
> > -received_time_usec .039642
> > -helo_name [192.6.3.50]
> > -host_address 74.142.119.226.1591
> > -host_name rrcs-74-142-119-226.central.biz.rr.com
> > -host_auth plain
> > -interface_address 192.168.55.254.587
> > -active_hostname gw.crownkenya.com
> > -received_protocol esmtpsa
>
> Looks like successful authentication. So he/she/it is using account
> data, I'd say.
>
> > -auth_id [email protected]
>
> This is the string that was set by the authenticator.
> It may help you to track down the account that was abused.
>
> > 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
> > ([74.142.119.226] helo=[192.6.3.50])
> > by gw.crownkenya.com with esmtpsa
> > (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> > (Exim 4.92)
> > (envelope-from <[email protected]>)
> > id 1gw0Ng-0002NF-1H
> > for [email protected]; Tue, 19 Feb 2019 11:03:56 +0300
>
> The envelope from matches the account-id; depending on your
> configuration it is another indicator of the "hacked" account.

I thought so too. How they end up hacking this account is something of a mystery now.
This is the second time in as many months.

Thank you.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
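Added example, not from this thread or from Exim itself: a small Python parser for the `-name value` block that `exim -Mvh` prints (the same fields Heiko reads above: `-host_auth`, `-received_protocol`, `-auth_id`), plus a check that groups authenticated submissions by `-auth_id` and reports accounts sending from more client IPs than one user plausibly would. The sample spool header, the `example.test` addresses and the IPs are constructed.

```python
from collections import defaultdict

# Constructed sample of an Exim spool -H file as printed by `exim -Mvh <id>`:
# message id, uid/gid, envelope sender, received time, then '-name value' lines.
SAMPLE_HEADER = """\
1gw0Ng-0002NF-1H-H
mailnull 26 26
<user@example.test>
1550563436 0
-host_address 203.0.113.5.1591
-host_name host-5.example.net
-host_auth plain
-received_protocol esmtpsa
-auth_id user@example.test

"""

def split_host_port(value):
    """-host_address carries the client port after a trailing dot."""
    ip, _, port = value.rpartition(".")
    return ip, int(port)

def parse_spool_header(text):
    """Return the '-name value' variables plus the envelope sender."""
    lines = text.splitlines()
    info = {"envelope_from": lines[2].strip("<>")}
    for line in lines[4:]:
        if not line.startswith("-"):
            break  # end of the variable block; the message headers follow
        name, _, value = line[1:].partition(" ")
        info[name] = value
    return info

def authenticated_submission(info):
    """True when Exim accepted the message on an authenticated session:
    it records -host_auth and names the protocol esmtpa/esmtpsa."""
    return "host_auth" in info or info.get("received_protocol") in ("esmtpa", "esmtpsa")

def suspicious_accounts(infos, max_sources=2):
    """Group authenticated submissions by -auth_id and report accounts that
    sent from more distinct client IPs than max_sources (abused-account signal)."""
    sources = defaultdict(set)
    for info in infos:
        if authenticated_submission(info):
            sources[info.get("auth_id", "?")].add(split_host_port(info["host_address"])[0])
    return {acct: sorted(ips) for acct, ips in sources.items() if len(ips) > max_sources}

if __name__ == "__main__":
    print(authenticated_submission(parse_spool_header(SAMPLE_HEADER)))
```

Run it over the headers of every message in the spool (or over `-H` files kept from a past incident) to list the accounts whose credentials look abused rather than reading each one by hand.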
