Exim vulnerability?

Brian S

I've got a spammer that is somehow logging into local user accounts and sending spam through the local relay. I changed the password on one account and denied the IPs and that worked for a bit. But today he is back sending through another user account. I figure if root was compromised, far worse would be occurring, so I am wondering/hoping, is there a vulnerability in exim that I don't know about?

Thanks,

Brian
 
Updated exim to 4.72, spammer still able to login and send email. Any clues?

Thanks,

Brian
 
I've got a spammer that is somehow logging into local user accounts and sending spam through the local relay. I changed the password on one account and denied the IPs and that worked for a bit. But today he is back sending through another user account. I figure if root was compromised, far worse would be occurring, so I am wondering/hoping, is there a vulnerability in exim that I don't know about?
Nothing in exim would allow you to log in to a local user account. It's simple enough for you to make changes to exim.conf which will allow non-authenticated users to relay mail through your server.

How do you know the spammer is logging in? Exactly what evidence of the login have you found?

Have you added any local domains to any of your local whitelist files in the /etc/virtual directory?

Jeff
 
If I tail the exim log and grep "login", I can see the accounts he is logging in through and sending email. I change the user's password and ban his IP, and he just comes back from another IP and logs into another account. I wonder if the recent CentOS vulnerability would have permitted him access to do this.

Thanks,

Brian
 
More than likely it's a virus on the client's computer stealing their passwords.
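
An added example, not part of any post in this thread: instead of eyeballing `grep "login"` output, the Exim main log can be summarised per authenticated account so that accounts submitting from many different source IPs stand out. It assumes the default main log line layout (date, time, message id, `<=`, no `+pid` log selector); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Exim main log lines (documentation IPs and domains).
sample_log() {
cat <<'EOF'
2010-06-15 10:00:01 1OOaaa-0001Ab-01 <= alice@example.com H=(pc1) [192.0.2.10] P=esmtpa A=login:alice@example.com S=1200
2010-06-15 10:00:05 1OOaab-0001Ab-02 <= x@spam.example H=(a) [198.51.100.7] P=esmtpa A=login:bob@example.com S=900
2010-06-15 10:00:06 1OOaac-0001Ab-03 <= y@spam.example H=(b) [203.0.113.9] P=esmtpa A=login:bob@example.com S=900
2010-06-15 10:00:07 1OOaad-0001Ab-04 <= z@spam.example H=[203.0.113.44] P=esmtpa A=plain:bob@example.com S=900
2010-06-15 10:00:08 1OOaae-0001Ab-05 <= carol@example.net H=mx.example.net [192.0.2.55] P=esmtp S=3000
2010-06-15 10:00:09 1OOaab-0001Ab-02 => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.80]
2010-06-15 10:00:10 1OOaaf-0001Ab-06 <= alice@example.com H=(pc1) [192.0.2.10] P=esmtpa A=login:alice@example.com S=1500
EOF
}

# Reads log lines on stdin; prints "account messages distinct_ips", busiest first.
auth_summary() {
    awk '
    $4 == "<=" {                        # message arrival lines only
        id = ""; ip = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^A=[^:]+:/) {     # A=<authenticator>:<authenticated id>
                id = $i; sub(/^A=[^:]+:/, "", id)
            } else if (ip == "" && $i ~ /^(H=)?\[[0-9a-fA-F.:]+\](:[0-9]+)?$/) {
                ip = $i; sub(/^(H=)?\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (id == "") next              # unauthenticated arrival, ignore
        msgs[id]++
        if (!((id, ip) in seen)) { seen[id, ip] = 1; ips[id]++ }
    }
    END { for (id in msgs) print id, msgs[id], ips[id] }
    ' | sort -k2,2nr -k1,1
}

# Prints only accounts seen from at least $1 distinct source IPs.
flag_accounts() {
    auth_summary | awk -v n="$1" '$3 >= n { print $1 }'
}

sample_log | auth_summary
```

On a live server, feed the real log in place of `sample_log`, for example `auth_summary < /var/log/exim/mainlog` (the path varies by install). Accounts flagged by `flag_accounts` are the ones to reset and to check for a compromised client machine.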
 