Spam sending with host_auth login

Posted by stars (Verified User, joined Nov 3, 2010, 61 messages)
For the last 3 days we have been fighting to stop spam that is sent from our server after proper authentication using an email login.

Day by day, another email account is compromised and used to send out spam.

Can you please help me interpret a few lines of logs from the exim mainlog?
Code:
2014-05-29 17:21:04 1Wq28d-0004MM-Gw <= [nonexistinguser]@[ourclientdomain.tld] H=201-8-87-138.user.veloxzone.com.br (femzjuzdjwur) [201.8.87.138] P=esmtpa A=login:[nexistinguser]@[ourclientdomain.tld] S=709 id=YNX7FX9Y-VTAZ-IET0-USAB-L6631CG6EGR6@[ourclientdomain.tld] T="$list3.getRandomParam()" from <[nonexistinguser]@[ourclientdomain.tld]> for [email protected] [email protected] [email protected] [email protected] [email protected]

spam message header
Code:
1WpINV-0002G2-Q7-H
mail 8 12
<[nonexistinguser]@[ourclientdomain.tld]>
1401200961 0
-helo_name rgqnzbexwk
-host_address 93.172.64.204.55564
-host_name 93-172-64-204.bb.netvision.net.il
-host_auth login
-interface_address [my ip].587
-received_protocol esmtpa
-body_linecount 7
-max_received_linelength 65
-auth_id [existinguser]@[ourclientdomain.tld]
-deliver_firsttime

Yesterday spam was still being sent even after an email password reset. Is something wrong in my exim/dovecot conf? Everything has worked fine for a few years now. No problems on other boxes.
 
Unless you've recently changed your exim.conf file, it's likely not to be the problem.

If spam continues to be sent even after you've changed the password then perhaps the spammer somehow has a persistent login. Try restarting Dovecot after you've changed the password, to shut out all logins and make users log in again.

Perhaps the user whose account is being compromised has a password logger on his/her machine so even new passwords get picked up by the spammer.

Jeff
 
Is there a possibility that using [nonexistinguser]@[ourclientdomain.tld] as sender and auth_id [existinguser]@[ourclientdomain.tld] somehow bypasses the need for full SMTP authorisation (AUTHRELAY)?

Maybe we could block mails that have [nonexistinguser]@[ourclientdomain.tld] as sender

Changing the password, restarting exim, dovecot etc. makes no difference...
 
Please post a log entry for one or two such successful attempts.

I'm not sure what you mean by sender as the sender is the authorized login user. Do you mean the From address?

RFCs allow you to send email from any From address. Both the default and my SpamBlocker exim.conf files don't allow bypass of the authorized sender check.

With this exception: My SpamBlocker exim.conf files until the most recent version allow authorized relay without extra authentication from 127.0.0.1. The default one from DirectAdmin doesn't, and my latest one doesn't. You may want to check to see if you should remove 127.0.0.1 as an authorized relay.
Maybe we could block mails that have [nonexistinguser]@[ourclientdomain.tld] as sender
You can probably add code to exim.conf to do that but I wouldn't put it into the version I maintain, and I hope DirectAdmin staff won't put it into the version they maintain, because it's against the RFCs, and also because it may cause problems for some of your clients.

If I'm wrong, and the RFCs have changed over the years then someone please quote and link to the RFC which allows this, so I can consider it again.

Jeff
 
Maybe we could block mails that have [nonexistinguser]@[ourclientdomain.tld] as sender

I meant From. Sender is always an existing user.

As of now, we have another compromised account sending spam after proper auth.

Please post a log entry for one or two such successful attempts.

In exim mainlog we have e.g.:
Code:
2014-06-01 23:19:55 1WrDAZ-0003qD-4S <= [email protected] H=(ip-226-102.nltel.ru) [188.94.226.102] P=esmtpa A=login:[existinguser]@[ourclientdomain.tld] S=4532 [email protected] T="▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒" from <[email protected]> for [email protected]
What else would you like to see?

As for exim.conf, I use the default DA exim.conf: http://files.directadmin.com/services/exim.conf
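The two mainlog lines quoted in this thread carry the fields that matter when hunting for a compromised mailbox: the envelope sender after `<=`, `H=host (helo) [ip]` (where the client connected from), `P=esmtpa` (authenticated submission) and `A=login:<auth_id>` (the account whose password was used). The Python script below is an added example, not code from the thread, from exim or from DirectAdmin. It parses such lines and summarises, per auth_id, how many distinct client IPs the login was used from and how often the envelope sender differs from the login, as in the first log line posted. All sample lines, hosts and addresses are constructed placeholders, and the `max_hosts` threshold is an assumption.

```python
"""Flag possibly compromised mailboxes from exim mainlog '<=' lines.

Added example for this thread (not code from the thread, exim or DirectAdmin).
It parses the fields shown in the posted log lines: the envelope sender after
'<=', H=host (helo) [ip], P=protocol and A=authenticator:auth_id, then counts
authenticated submissions per auth_id.  All sample lines below are constructed
placeholders; the threshold in find_suspects() is an assumption.
"""
import re
from collections import defaultdict

ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
# H=reverse.dns (helo) [ip]   or, with no reverse DNS,   H=(helo) [ip]
HOST_RE = re.compile(r'\bH=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]')
PROTO_RE = re.compile(r'\bP=(?P<proto>\S+)')
AUTH_RE = re.compile(r'\bA=(?P<authenticator>[^:\s]+):(?P<auth_id>\S+)')

# Constructed sample lines in the style of the ones posted (RFC 5737 test IPs).
SAMPLE_LOG = """\
2014-05-29 17:21:04 1Wq28d-0004MM-Gw <= nonexistinguser@example.tld H=host1.example.net (femzjuzdjwur) [203.0.113.10] P=esmtpa A=login:existinguser@example.tld S=709 T="hello" from <nonexistinguser@example.tld> for victim1@example.org victim2@example.org
2014-05-29 17:22:10 1Wq29a-0004MN-Gx <= existinguser@example.tld H=host2.example.net [198.51.100.7] P=esmtpa A=login:existinguser@example.tld S=812 T="offer for you" from <existinguser@example.tld> for victim3@example.org
2014-05-29 17:23:01 1Wq2Ab-0004MO-Gy <= existinguser@example.tld H=(ip-226-102.example.ru) [192.0.2.55] P=esmtpa A=login:existinguser@example.tld S=4532 T="x" from <existinguser@example.tld> for victim4@example.org
2014-05-29 17:24:00 1Wq2Bc-0004MP-Gz <= alice@example.tld H=home.example.com [192.0.2.200] P=esmtpa A=login:alice@example.tld S=500 T="report" from <alice@example.tld> for bob@example.org
2014-05-29 17:25:00 1Wq2Cd-0004MQ-H0 <= bounce@example.com H=mx.example.com [198.51.100.99] P=esmtp S=1200 T="newsletter" from <bounce@example.com> for existinguser@example.tld
"""


def parse_arrival(line):
    """Parse one exim mainlog '<=' (message received) line; None for other lines."""
    m = ARRIVAL_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    rec = {'ts': m.group('ts'), 'msgid': m.group('msgid'), 'sender': m.group('sender'),
           'host': None, 'helo': None, 'ip': None, 'proto': None,
           'authenticator': None, 'auth_id': None, 'rcpts': []}
    h = HOST_RE.search(rest)
    if h:
        host, helo, ip = h.group('host'), h.group('helo'), h.group('ip')
        if host.startswith('('):
            # No reverse DNS: exim logs only the HELO name, in parentheses.
            helo, host = host.strip('()'), None
        rec.update(host=host, helo=helo, ip=ip)
    p = PROTO_RE.search(rest)
    if p:
        rec['proto'] = p.group('proto')
    a = AUTH_RE.search(rest)
    if a:
        rec['authenticator'], rec['auth_id'] = a.group('authenticator'), a.group('auth_id')
    # Recipients follow the last ' for '; rfind avoids tripping over a subject containing 'for'.
    idx = rest.rfind(' for ')
    if idx >= 0:
        rec['rcpts'] = rest[idx + 5:].split()
    return rec


def find_suspects(lines, max_hosts=3):
    """Per auth_id: distinct client IPs, message and recipient counts, and flags.

    'many_hosts'      - one login used from max_hosts or more distinct IPs
    'sender_mismatch' - envelope sender differs from the authenticated user
                        (allowed by the RFCs, so a signal to review, not a block rule)
    """
    stats = defaultdict(lambda: {'ips': set(), 'messages': 0, 'recipients': 0,
                                 'sender_mismatch': 0, 'flags': []})
    for line in lines:
        rec = parse_arrival(line)
        if not rec or not rec['auth_id']:
            continue  # unauthenticated inbound mail is not what we are hunting here
        s = stats[rec['auth_id']]
        s['messages'] += 1
        s['recipients'] += len(rec['rcpts'])
        if rec['ip']:
            s['ips'].add(rec['ip'])
        if rec['sender'].lower() != rec['auth_id'].lower():
            s['sender_mismatch'] += 1
    for s in stats.values():
        if len(s['ips']) >= max_hosts:
            s['flags'].append('many_hosts')
        if s['sender_mismatch']:
            s['flags'].append('sender_mismatch')
    return dict(stats)


if __name__ == '__main__':
    for auth_id, s in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{auth_id}: {s['messages']} msgs to {s['recipients']} rcpts "
              f"from {len(s['ips'])} IP(s) {s['flags'] or ''}")
```

Run it over your real exim mainlog by passing `open(path)` to `find_suspects()` instead of the sample; a single login submitting from several unrelated networks within a day, or a large recipient count per message, is the pattern both posted lines show. The sender mismatch flag is deliberately only advisory, since, as noted later in the thread, the RFCs allow an authenticated user to send with any From address.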
 
Unless I'm missing something you're answering your own question; the user login is authenticated. We don't know how your spammer is getting the password, so we can't tell you that.

Jeff
 
There is a very big chance the spammer is getting the password via a trojan on the customer's computer.
Change the email password of the user, then advise him to do a malware scan, not with a virus scanner but with specified tools, like the free ADWCleaner and Malware Bytes (use both!). Give him the new password after the system is cleaned, otherwise you will have the same problem within minutes or hours.
 
And of course you'd better have your customers use SSL-secured connections to webmail and POP/IMAP/SMTP, as the end-user internet devices might be working with email through an unsecured network.
 