On Tuesday, 19 February 2019, 11:38:22 CET, Odhiambo Washington via Exim-users wrote:
> How they end up hacking this account is something of a mystery now. This is
> the second time in as many months.

..."usually" they got the user's login credentials in some way.

From my experience, the most typical cases are:

- the user uses an easy-to-brute-force PW (exim provides different limits to make this more difficult - if configured/set in the config, but additional firewall rules or an IPS may be required too to block massive brute forcing on EXIM via SMTP)
- the user's PW got hacked on a client in some way, or
- the same user's PW got discovered/"hacked" on a foreign website or internet service
- the (usually encrypted) "password storage" (i.e. a SQL database, LDAP, shadow or whatever) got "hacked" / copied and this PW was cracked. Very typical seem to be attacks on SQL databases behind any LAMP or similar web management tool, or by other web applications which use the same database installation - using insecure grants or security holes in the database or the LAMP stack.
- PW sniffed from a non-encrypted SMTP session with exim (if allowed in exim and on the client)

This is just to point you in a few typical directions.

Good luck,

niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
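An added configuration example (not part of Niels' post and not a file shipped with Exim) of the two Exim settings his first and last points refer to: throttling AUTH commands per client address, and advertising AUTH only inside a TLS session so the password cannot be sniffed from a plaintext connection. The limit values, the ACL name acl_check_auth and the hostlist relay_from_hosts are assumptions (the latter is the list name used in Exim's default configuration).

```exim
# Added example, not from the original post. Values such as 30 / 1h and
# the hostlist name relay_from_hosts are constructed and must be tuned.

# --- main section (before any "begin ..." line) ---

# Advertise AUTH only when the connection is already TLS-protected:
# $tls_in_cipher is empty on an unencrypted session, so AUTH is not offered
# and a client cannot send its password in the clear.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Run an ACL on every AUTH command so repeated attempts can be throttled.
# Note: this ACL runs before the credentials are checked, so it limits the
# rate of AUTH attempts from one address, not the number of failures.
acl_smtp_auth = acl_check_auth

begin acl

acl_check_auth:
  # Trusted submission hosts are not rate limited.
  accept  hosts        = +relay_from_hosts

  # More than an average of 30 AUTH commands per hour from one client
  # address and further AUTH commands are refused. "strict" keeps counting
  # attempts while the client is being denied, so hammering does not let
  # the rate decay; "per_cmd" counts each AUTH command rather than each
  # message.
  deny    ratelimit    = 30 / 1h / strict / per_cmd / $sender_host_address
          log_message  = AUTH rate limit exceeded ($sender_rate/$sender_rate_period)
          message      = Too many authentication attempts, try again later

  accept
```

The log_message line gives a log entry that a host-based blocker or IPS, as Niels suggests, can act on for the really massive cases that an in-Exim limit alone does not stop.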