Spammers seem to have found a new way to exploit mail servers. I'm seeing a pattern of spammers authenticating once and sending 2-3 messages, each to dozens of recipients, and then it stops.
Many of the messages contain a URL and no other content, often with somebody's name as the subject line. Many of these messages are rejected by Yahoo with a [PH01] error message.
The spammer's IP address varies, representing countries where we have no customers, including Morocco, Turkey, and Tunisia.
But in each case the spammer stops after 2-3 messages, leading me to wonder if the spammer "faked" authentication somehow or if they actually obtained the user's credentials.
The spammers have consistently used "mycomputer" as the HELO or EHLO name, so currently it's pretty easy to see if you've been affected. If your logs are in the usual place, just run
Code:
exigrep mycomputer /var/log/exim* | more
and look for mail going to multiple addresses.
I first noticed the problem on a Windows server running "SmarterMail," so the issue is not specific to cPanel or Exim. Many others have seen similar issues, as evidenced by responses to my post
here (SmarterTools Community Forums).
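The post's check is two manual steps: exigrep for the HELO name, then eyeball which of those messages went to many recipients. Below is an added example (not the poster's code, nor anything from Exim or cPanel) that does both steps in one pass over an Exim mainlog and then groups the hits by authenticated account and client IP, which is what you need to decide whose password to reset. It assumes the standard Exim mainlog layout (`<=` arrival line carrying `H=`, `P=` and `A=` fields; `=>`, `->`, `**` and `==` delivery lines); the log lines, message ids, addresses and the recipient threshold of 5 are all constructed for the example and use documentation IP ranges only.

```python
"""Flag authenticated Exim sessions whose HELO/EHLO name is "mycomputer"
and that sent one message to many recipients, then summarise per account.
Added example for this page; the log sample is constructed, not real."""
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt (documentation IPs only).
# "<=" = message arrival, "=>" = first delivery, "->" = further recipient in the
# same delivery, "**" = failed delivery. P=esmtpa/esmtpsa means the client
# authenticated; A= names the authenticator and the account that logged in.
SAMPLE_LOG = """\
2024-03-02 04:11:07 1rgQ3b-0002Xk-2f <= alice@example.com H=(mycomputer) [198.51.100.23] P=esmtpa A=dovecot_login:alice@example.com S=612 T="John Smith"
2024-03-02 04:11:08 1rgQ3b-0002Xk-2f => user1@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 04:11:08 1rgQ3b-0002Xk-2f -> user2@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 04:11:08 1rgQ3b-0002Xk-2f -> user3@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 04:11:09 1rgQ3b-0002Xk-2f => user4@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2024-03-02 04:11:09 1rgQ3b-0002Xk-2f -> user5@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2024-03-02 04:11:10 1rgQ3b-0002Xk-2f ** user6@example.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: 554 Message not allowed - [PH01]
2024-03-02 04:11:10 1rgQ3b-0002Xk-2f Completed
2024-03-02 09:30:00 1rgUxP-0004Qa-Jd <= alice@example.com H=(home-pc) [203.0.113.77] P=esmtpa A=dovecot_login:alice@example.com S=2048 T="lunch?"
2024-03-02 09:30:01 1rgUxP-0004Qa-Jd => friend@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2024-03-02 09:30:01 1rgUxP-0004Qa-Jd Completed
2024-03-02 11:02:44 1rgWRc-0005Zz-Tp <= <> H=mail.example.org [192.0.2.10] P=esmtps X=TLS1.2 S=1500
2024-03-02 11:02:44 1rgWRc-0005Zz-Tp => carol <carol@example.com> R=localuser T=local_delivery
2024-03-02 11:02:44 1rgWRc-0005Zz-Tp Completed
2024-03-02 13:47:19 1rgYk2-0006Aa-Bb <= alice@example.com H=(mycomputer) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.com S=590 T="Maria Lopez"
2024-03-02 13:47:20 1rgYk2-0006Aa-Bb => r1@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 13:47:20 1rgYk2-0006Aa-Bb -> r2@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 13:47:20 1rgYk2-0006Aa-Bb -> r3@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 13:47:20 1rgYk2-0006Aa-Bb -> r4@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 13:47:20 1rgYk2-0006Aa-Bb -> r5@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2024-03-02 13:47:21 1rgYk2-0006Aa-Bb Completed
"""

# Arrival line: id, sender, then H=[rdns ][(helo) ][ip]. The HELO name is only
# logged in parentheses when it differs from the reverse DNS name.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?"
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)
PROTO = re.compile(r" P=(\S+)")   # esmtpa / esmtpsa when the client authenticated
AUTH = re.compile(r" A=(\S+)")    # authenticator:account
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->|\*\*|==) (?P<rcpt>\S+)")


def parse_exim_log(text):
    """Group mainlog lines by Exim message id; one record per arrival with
    its HELO name, client IP, protocol, auth account and recipient list."""
    msgs = {}
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            proto, auth = PROTO.search(line), AUTH.search(line)
            msgs[m["id"]] = {
                "ts": m["ts"], "sender": m["sender"], "helo": m["helo"],
                "ip": m["ip"], "proto": proto.group(1) if proto else None,
                "auth": auth.group(1) if auth else None, "rcpts": [],
            }
            continue
        d = DELIVERY.match(line)
        if d and d["id"] in msgs:       # delivery, deferral or bounce line
            msgs[d["id"]]["rcpts"].append(d["rcpt"])
    return msgs


def find_suspicious(text, helo="mycomputer", min_rcpts=5):
    """The post's two checks in one pass: authenticated session, HELO name
    equal to `helo`, and at least `min_rcpts` recipients on the message."""
    hits = []
    for mid, rec in parse_exim_log(text).items():
        if rec["helo"] != helo or rec["auth"] is None:
            continue
        if len(rec["rcpts"]) < min_rcpts:
            continue
        hits.append({"id": mid, "account": rec["auth"].split(":", 1)[-1],
                     "ip": rec["ip"], "rcpts": len(rec["rcpts"])})
    return hits


def summarize_accounts(text, helo="mycomputer", min_rcpts=5):
    """Per authenticated account: hit count, total recipients, client IPs.
    Several unrelated client networks on one account points at stolen
    credentials rather than a misconfigured mailer."""
    summary = defaultdict(lambda: {"messages": 0, "rcpts": 0, "ips": set()})
    for h in find_suspicious(text, helo, min_rcpts):
        s = summary[h["account"]]
        s["messages"] += 1
        s["rcpts"] += h["rcpts"]
        s["ips"].add(h["ip"])
    return dict(summary)


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["id"]}  {h["account"]:<22} {h["ip"]:<16} rcpts={h["rcpts"]}')
    for acct, s in summarize_accounts(SAMPLE_LOG).items():
        print(f'{acct}: {s["messages"]} msgs, {s["rcpts"]} rcpts, ips={sorted(s["ips"])}')
```

On a live server, read `/var/log/exim_mainlog` (or the rotated files the post's exigrep command covers) into `find_suspicious` instead of `SAMPLE_LOG`; the threshold is a knob, since legitimate list mail from an account can also have many recipients, which is why the HELO and authentication conditions are checked together rather than recipient count alone.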