I suspect someone hacked one of your SMTP passwords. There are bots out there that guess passwords.

If you use SMTP submission, then firewall port 587 to the IPs your users use. Otherwise, if you accept authenticated submission on port 25, then add the following line to your config:

auth_advertise_hosts = IP/CIDR : IP/CIDR : IP/CIDR

where IP/CIDR is a network in CIDR format, for example: 192.168.0.0/16. This will lock out authentication so it cannot happen from unauthorized hosts, thus bots will not be able to crack the password, as there's no possibility to submit a password without having the IP authorized.

-----Original message-----
From: Jeremy Harris via Exim-users <[email protected]>
Sent: 24 February 2022 22:08
To: [email protected]
Subject: Re: [exim] Hit with some kind of hidden multiple recipients relay hack?

On 22/02/2022 18:39, Henry S. Thompson via Exim-users wrote:
> I came back from a few days out of town to find 1000s of frozen queue
> entries and my server blacklisted by gmail. Here's a sample:
>
> : mailq | head -20
> 6d 1.3K 1nKNYR-000bDv-0w <[email protected]> *** frozen ***
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>           D [email protected]
>             [email protected]
>           D [email protected]
>           D [email protected]
>
> And here's what that item looks like in detail:
>
> : exim4 -Mvc 1nKNYR-000bDv-0w|head -20
> Received: from [103.104.169.173] (helo=ogcb16c7f19.openstacklocal)
>     by home.hst.name with esmtp (Exim 4.94.2)
>     (envelope-from <[email protected]>)
>     id 1nKNYR-000bDv-0w; Wed, 16 Feb 2022 16:53:23 +0000
> Content-Type: text/plain; charset="utf-8"
> MIME-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
> Content-Description: Mail message body
> Subject: From The Commissioner Debt Management Service
> To: Recipients <[email protected]>
> From: "Mr. Timothy Gribben" <[email protected]>
> Date: Thu, 17 Feb 2022 00:53:15 +0800
> Reply-To: [email protected]
>
> ...
>
> I don't have open relaying set up, at least I don't think so, and a
> few online checkers agree...
>
> How is this happening/where are the recipients coming from?

Start with your log. How was 1nKNYR-000bDv-0w submitted?

From the headers: Is "home.hst.name" your system? (PS: Obfuscation makes it harder to help). Is [103.104.169.173] on your net?

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
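As an added example (not from anyone in this thread), a small Python script showing what the suggested auth_advertise_hosts allow-list would do against the kind of traffic Henry's headers show: it scans constructed lines written in the shape of Exim mainlog entries (the exact log format and the usernames are assumptions) for failed and successful AUTH, counts guesses per source IP and username, and flags authenticated submissions from addresses outside the allow-list.

```python
import ipaddress
import re
from collections import Counter

# Allow-list in the form the reply suggests for auth_advertise_hosts (constructed networks).
AUTH_ADVERTISE_HOSTS = "192.168.0.0/16 : 203.0.113.0/24"

# Constructed sample lines in the shape of Exim mainlog entries (assumed format, not real logs).
# The source IP and helo name are the ones from the quoted Received: header.
SAMPLE_LOG = """\
2022-02-16 16:40:01 login authenticator failed for (ogcb16c7f19.openstacklocal) [103.104.169.173]: 535 Incorrect authentication data (set_id=henry)
2022-02-16 16:40:02 login authenticator failed for (ogcb16c7f19.openstacklocal) [103.104.169.173]: 535 Incorrect authentication data (set_id=henry)
2022-02-16 16:40:03 login authenticator failed for (ogcb16c7f19.openstacklocal) [103.104.169.173]: 535 Incorrect authentication data (set_id=admin)
2022-02-16 16:53:23 1nKNYR-000bDv-0w <= sender@example.net H=(ogcb16c7f19.openstacklocal) [103.104.169.173] P=esmtpa A=login:henry S=1340
2022-02-16 17:01:10 1nKNic-000bE1-2a <= henry@example.net H=(laptop) [192.168.1.20] P=esmtpsa A=login:henry S=2210
"""

# "<auth> authenticator failed for (helo) [ip]: 535 ... (set_id=user)"
FAIL_RE = re.compile(r"authenticator failed for .*?\[(?P<ip>[^\]]+)\].*?set_id=(?P<user>[^)]*)\)")
# Message-received line carrying an A= field, i.e. an authenticated submission.
AUTH_OK_RE = re.compile(r"<= .*? \[(?P<ip>[^\]]+)\] .*?\bA=(?P<auth>\S+)")


def parse_hostlist(value):
    """Split an Exim colon-separated host list of CIDR networks into ip_network objects."""
    return [ipaddress.ip_network(n.strip()) for n in value.split(":") if n.strip()]


def auth_allowed(ip, networks):
    """True if AUTH would still be offered to this source under the allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyse(log_text, hostlist=AUTH_ADVERTISE_HOSTS):
    networks = parse_hostlist(hostlist)
    failures = Counter()   # (ip, username) -> number of failed guesses
    successes = []         # (ip, authenticator:user) for each authenticated submission
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[(m["ip"], m["user"])] += 1
            continue
        m = AUTH_OK_RE.search(line)
        if m:
            successes.append((m["ip"], m["auth"]))
    # Authenticated sessions from outside the allow-list: the ones the setting would refuse.
    outside = [(ip, auth) for ip, auth in successes if not auth_allowed(ip, networks)]
    return {"failures": dict(failures), "successes": successes, "blocked_by_allowlist": outside}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (ip, user), n in result["failures"].items():
        print(f"{n} failed AUTH attempt(s) from {ip} for user {user}")
    for ip, auth in result["blocked_by_allowlist"]:
        print(f"authenticated submission from {ip} ({auth}) would be refused by the allow-list")
```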
