Hello Todd,

>> I need your help to shed some light on a strange Spam abuse of an
>> Exim server. I'm running a personal Exim server for years now
>> without any problems. Today I've checked the last couple of mainlog
>> files on the server and saw that something strange had happened at
>> night.
>
> Is it always from this same IP?
>
> If yes, then do:
> tcpdump -n -p -s0 host 200.198.71.194 -w debug_auth.dump
>
> ...and let it run overnight. If it happened in the logs for you that
> night, then ctrl-c the tcpdump and run:
>
> tcpdump -n -p -s0 -X -r debug_auth.dump | less
>
> and look to see what he was sending that finally made it allowed.
> That may not be very useful to see the content, but you should at
> least see the negotiation portion and eliminate some possibilities.

thank you for that hint. Unfortunately it's not always the same IP
address. Based on a friend's log file 145 different addresses have been
used until now. One of my friends pointed me to the following thread which
exactly describes the same problem:

http://blog.windfluechter.net/content/getting-hit-spammer-exim

Regards

Juergen

--
GPG Key available

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
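
When the source address keeps changing, as reported above, a per-host capture filter has nothing fixed to match on, and the mainlog is another place to start. The following is an added example, not part of the original message: it groups authenticated arrivals by the id in Exim's `A=` log field and lists ids used from many client addresses. It assumes the spam was submitted via SMTP AUTH, which the thread does not confirm; the log lines, account names and the `max_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim mainlog format (not taken from the thread);
# all addresses come from documentation ranges.
SAMPLE_LOG = """\
2012-03-01 02:11:05 1S2abc-0000aa-1A <= spam1@example.net H=(user) [198.51.100.7] P=esmtpa A=plain:alice S=2311
2012-03-01 02:11:09 1S2abd-0000ab-2B <= spam2@example.net H=(pc) [203.0.113.45] P=esmtpa A=plain:alice S=2290
2012-03-01 02:12:30 1S2abe-0000ac-3C <= spam3@example.net H=(x) [192.0.2.99] P=esmtpa A=login:alice S=2305
2012-03-01 08:00:12 1S2abf-0000ad-4D <= bob@example.org H=(laptop) [192.0.2.10] P=esmtpsa X=TLSv1:AES256-SHA:256 A=plain:bob S=1024
2012-03-01 08:05:00 1S2abg-0000ae-5E <= list@example.com H=mx.example.com [198.51.100.20] P=esmtp S=4096
2012-03-01 08:05:01 1S2abg-0000ae-5E => juergen@example.org R=local_user T=local_delivery
"""

# Arrival line ("<="), client address in [brackets], then the A= field.
ARRIVAL = re.compile(r" <= .*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*? A=(?P<auth>\S+)")


def auth_sources(lines):
    """Map authenticated id -> set of client IPs that submitted mail with it."""
    seen = defaultdict(set)
    for line in lines:
        m = ARRIVAL.search(line)
        if not m:
            continue  # deliveries, unauthenticated arrivals, other entries
        # A= is "<authenticator>:<id>"; the id part is absent if none was set.
        _, _, ident = m.group("auth").partition(":")
        seen[ident or "(no id)"].add(m.group("ip"))
    return seen


def suspicious(seen, max_ips=2):
    """Ids used from more than max_ips distinct addresses, busiest first."""
    hits = [(i, len(ips)) for i, ips in seen.items() if len(ips) > max_ips]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # To run against a real log, replace SAMPLE_LOG.splitlines() with an
    # open file handle for the mainlog.
    for ident, count in suspicious(auth_sources(SAMPLE_LOG.splitlines())):
        print(f"{ident}: authenticated from {count} distinct addresses")
```

An id that shows up here from many unrelated addresses points at a compromised or guessed password for that account rather than at a single misbehaving host.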
