Bridgit Griffin (Withers) wrote:
> Hi,
>
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.

*snip*

>
> Please note I do not have control over the smtp server, my hosting
> provider does.

Then they will have to (help) sort the problem.

> Also there are no email accounts associated with the
> domains.

By default, there will ordinarily be *at least* 'postmaster@' and may also be 'abuse', 'webmaster', and perhaps a 'catchall' if the provider is lazy.

Your 'alias' is also an 'email account' of sorts, even if it has no local mailstore.

> This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
> by mustang.websitewelcome.com with smtp (Exim 4.52)
> id 1Fv3uo-0006yP-G2 for [EMAIL PROTECTED]; Mon,
> 26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: [EMAIL PROTECTED]
> Subject: Re: hi
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> X-AntiAbuse: This header was added to track abuse,
> please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net
>
>
> Received: from [60.179.219.85] (port=1166
> helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com)
> by mustang.websitewelcome.com with smtp (Exim 4.52)
> id 1FvZCG-000049-4X for [EMAIL PROTECTED]; Wed, 28 Jun 2006 07:31:15
> -0500
> Date: Wed, 28 Jun 2006 08:31:22 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: [EMAIL PROTECTED]
> Subject: Something for your site..
> To: [EMAIL PROTECTED]
> Message-id: <[EMAIL PROTECTED]>
> X-AntiAbuse: This header was added to track abuse,
> please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - nceweb.com
>
>

If this sort of message is reaching only your own MUA via the postmaster or catchall alias, then a local MUA filter is a quick, albeit temporary, fix.

If it is being relayed or creating collateral-spam bounces to the world at large, then your provider needs to clean up his config, or you need a more 'aware' provider.

Note the mismatch in the sample you submitted between the actual connection-from IP and the alleged source IP/domain. Properly configured Exim need not permit that to come onto the box at all.

Help here is, of necessity, largely available/of value only to those who *DO* control an MTA, and a current Exim one at that, not one a couple of years old.

HTH,

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
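
Added example, not part of the original post and not Exim code: a Python check for the mismatch Bill points out, run over the two Received headers quoted above (unfolded onto one line each). The function names, result labels and the idea of flagging a HELO name that embeds the client's own address are assumptions made for illustration; the last is a heuristic, not an Exim feature.

```python
import ipaddress
import re

# The two Received headers from the post, unfolded (sample input for this example).
SAMPLE_HEADERS = [
    "from [220.70.206.152] (port=4460 helo=67.19.170.34) "
    "by mustang.websitewelcome.com with smtp (Exim 4.52)",
    "from [60.179.219.85] (port=1166 "
    "helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com) "
    "by mustang.websitewelcome.com with smtp (Exim 4.52)",
]

# Matches the "from [ip] (key=value ...)" shape seen in the quoted headers.
RECEIVED_RE = re.compile(r"from\s+\[(?P<ip>[^\]]+)\]\s+\((?P<params>[^)]*)\)")


def parse_received(header):
    """Return (connecting_ip, helo_string), or None if the header does not fit."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    params = dict(p.split("=", 1) for p in m.group("params").split() if "=" in p)
    try:
        return ipaddress.ip_address(m.group("ip")), params["helo"]
    except (ValueError, KeyError):
        return None


def classify(header):
    """Compare what the client said in HELO with the address it connected from."""
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    client, helo = parsed
    try:
        # HELO given as an address, bare or as a bracketed literal.
        claimed = ipaddress.ip_address(helo.strip("[]"))
        return "helo-ip-matches" if claimed == client else "helo-ip-mismatch"
    except ValueError:
        pass  # HELO is a name, not an address
    if client.version == 4:
        octets = str(client).split(".")
        if ".".join(octets) in helo or ".".join(reversed(octets)) in helo:
            return "helo-embeds-client-ip"  # heuristic: generic per-address name
    return "helo-hostname"


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h), "<-", h[:60])
```

The first quoted header is the mismatch case: the client connected from 220.70.206.152 but announced itself as 67.19.170.34.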
