Exim Configuration Settings to prevent outgoing spam

I've had a some problems in the past few months with my server being used to relay spam messages.

I made some changes to the Exim configuration that I hope will prevent further issues, but would love to hear some recommendations on what the best settings are in there since even the "basic" settings panel has about a hundred different things you can change.

I turned on SPF failure rejection and DKIM verification... not sure if that will help anything.

 

Thanks guy. I've taken all of these precautions already and still have email being relayed through the server. I have CSF installed and the SMTP_BLOCK option turned on. I even have CSF's mailscanner installed. I've got what most would consider pretty harsh limits for emails per hour set at only 50 per hour. There aren't many sites on the server that actually use it for email service, most use Google Apps.

I would be inclined to believe that there is a stolen password somewhere, except that the domain the emails are going out on has no email accounts on it. It had some fowarders, which I've deleted. I've also deleted the MX record for the domain since it does not require email service of any kind.

What I can't understand is how there isn't some sort of simple security setting that can tell the server if the "from" domain name is not on the server, don't send it. All of these emails are being sent "from" @aol.com addresses...which is a domain clearly not on the server.

 

I haven't, I've been so concerned with trying to figure out how they're continuing to leave the server. I'm not entirely sure how to prevent emails from leaving with a certain spam score either though. Is that a Spamassassin thing?

What I have seen is that it appears to be remote smtp connections and they're being "authenticated" using an email account that isn't even on the server. It's an email account for a domain that uses Google Apps. So, I have no idea how the server is allowing that to happen.

- - - Updated - - -

This is one of the emails that went out. I've removed the to/from addresses so that I don't expose anyones address.
Maybe someone else can see something in this information that I'm not seeing.

Code:

Date:	
Wed, 17 Apr 2014 05:18:28 +0100
From:	
xxxxxxxxx@aol.com <xxxxxxxxxxx@aol.com>
 To: [there were about 20+ email addresses in the TO field that I removed]
Subject:	
Fw: link
Content-Type:	
multipart/alternative;
 boundary="----=_NextPart_000_BE72_202A399C.4CB5CF93"
Importance:	
Normal
Message-ID:	
<4d5e7da5e29c$50b4421a$edc9432a$@aol.com <xxxxxxxxxxxxx@aol.com>
MIME-Version:	
1.0
Received:	
from [37.105.xx.xx] (port=52446 helo=domain.com)
 by host3.domain.com with esmtpa (Exim 4.82)
 (envelope-from <user@aol.com>)
 id 1Wap1H-002XGG-9h; Thu, 17 Apr 2014 11:18:35 -0500
X-cPanel-MailScanner:	
Not scanned: please contact your Internet E-Mail Service Provider for details
X-cPanel-MailScanner-From:	
xxxxxxxxxxxx@aol.com
X-cPanel-MailScanner-ID:	
1Wap1H-002XGG-9h
X-cPanel-MailScanner-Information:	
Please contact the ISP for more information
X-cPanel-MailScanner-SpamCheck:	
X-Mailer:	
Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE:	
Produced By Microsoft MimeOLE V16.4.3522.110
X-MSMail-Priority:	
Normal
X-Priority:	
3
X-Spam-Status:	
No

 

Thank you! I've made that change. Crossing my fingers that it stops this activity.