I have an issue with a spammer that I have not been able to track down via logs. Enabled feature set: Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required) Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.) Silently Discard all FormMail-clone requests with a bcc: header in the subject line Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required) The SMTP Tweak is enabled. Enabled: Verify the existance of email senders. Enabled: Discard emails for users who have exceeded their quota instead of keeping them in the queue. log_selector = +all What concerns me is viewing mail delivery stats via WHM I see a listing for Deliveries by transport ----------------------- Volume Messages **bypassed** 158KB 7 Even with log_selector = +all I am not able to track this spammer down. Provided below is the mail headers reported to us. Return-path: <firstname.lastname@example.org> Received: from defapp07.gatewaydefender.com (unverified [220.127.116.11]) by buckeye-express.com (Rockliffe SMTPRA 6.1.20) with ESMTP id <B0015165024@mail.buckeye-express.com> for <email@example.com>; Fri, 23 Sep 2005 06:59:31 -0400 Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400 Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST) Message-Id: <firstname.lastname@example.org> From: "Meira Branson" <email@example.com> To: "genoxxxx" <firstname.lastname@example.org> Date: Sun, 25 Sep 2005 15:46:54 +0200 (CEST) Subject: Mom was used by her son Mime-Version: 1.0 Content-Type: text/plain I expect more header information as a result of my above enabled features but with **bypassed** appearing in Exim Mail Statistics I am concerned they may be indeed bypassing the system. The domain as expected does not exist on the system. No new accounts on server look questionable. phpbbversion check scan has been ran and versions older than 16 have been disabled +5 days. I also run mail-watch on the server which has not reported any accounts. I have ran the following with no results: grep '20050925154654.27788' /var/log/exim_mainlog grep 'meineke.com' /var/log/exim_mainlog grep 'email@example.com' /var/log/exim_mainlog grep 'mom was used by her son' /var/log/exim_mainlog grep -r 'firstname.lastname@example.org' /home/* This is racking my brain as I cannot track this email down and I hope it is not a new exploit in exim.