Spam is coming from the server, and the Exim log file "/var/log/exim_mainlog" contains several entries showing the following rejection:
H=host.example.com [x.x.x.x]:50803 I=[x.x.x.x]:25 F=<firstname.lastname@example.org> rejected RCPT <email@example.com>: Sender verify failed
The important parts of the above entry are the sender address right after "F=" and the "Sender verify failed" message at the end.
Here "firstname.lastname@example.org" stands for a random, non-existent mailbox name at a valid domain (example.org).
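As an added example (not part of the original article), the following Python script picks the "rejected RCPT ... Sender verify failed" entries out of exim_mainlog text and counts them by the claimed sender domain and by the connecting host, which is the quickest way to see whether one source or one forged domain accounts for the bulk of the rejections. The log lines, hosts and addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the exim_mainlog format shown above (not real log data).
SAMPLE_LOG = """\
2024-01-05 10:00:01 H=host.example.com [192.0.2.10]:50803 I=[198.51.100.5]:25 F=<firstname.lastname@example.org> rejected RCPT <email@example.com>: Sender verify failed
2024-01-05 10:00:02 H=host.example.com [192.0.2.10]:50804 I=[198.51.100.5]:25 F=<other.name@example.org> rejected RCPT <email@example.com>: Sender verify failed
2024-01-05 10:00:03 H=mail.example.net [203.0.113.7]:41000 I=[198.51.100.5]:25 F=<real.user@example.net> rejected RCPT <nobody@example.com>: Unrouteable address
2024-01-05 10:00:04 H=relay.example.org [192.0.2.20]:51000 I=[198.51.100.5]:25 F=<bogus@example.org> rejected RCPT <email@example.com>: Sender verify failed
2024-01-05 10:00:05 1rMbXy-0001Ab-2C <= user@example.com H=localhost [127.0.0.1] P=esmtp S=512
"""

# Matches the "H=host [ip]:port I=[ip]:port F=<sender> rejected RCPT <rcpt>: reason" part of a line.
LINE_RE = re.compile(
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ I=\[[^\]]+\]:\d+ "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

def parse_rejections(log_text):
    """Return one dict per 'rejected RCPT' line; delivery and other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def sender_verify_failures(events):
    """Keep only the rejections whose reason is exactly 'Sender verify failed'."""
    return [e for e in events if e["reason"] == "Sender verify failed"]

def summarize(events):
    """Count failures by the claimed (forged) sender domain and by connecting host/IP."""
    by_domain = Counter()
    by_host = Counter()
    for e in events:
        sender = e["sender"]
        # Exim logs the null sender as F=<>; keep it visible rather than crashing on it.
        domain = sender.split("@", 1)[1] if "@" in sender else "<>"
        by_domain[domain] += 1
        by_host[(e["host"], e["ip"])] += 1
    return by_domain, by_host

if __name__ == "__main__":
    fails = sender_verify_failures(parse_rejections(SAMPLE_LOG))
    by_domain, by_host = summarize(fails)
    for domain, n in by_domain.most_common():
        print(f"{n:4d} sender-verify failures claiming domain {domain}")
    for (host, ip), n in by_host.most_common():
        print(f"{n:4d} from {host} [{ip}]")
```

Run it against the real file with `python3 script.py < /var/log/exim_mainlog` after swapping SAMPLE_LOG for `sys.stdin.read()`; a single host or domain dominating the counts is the usual sign of a backscatter run rather than genuine delivery failures.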
This is an email attack named backscatter, which relies on auto-generated replies (bounces, autoresponses) being sent to an address that never sent the original message. The spammer forges the Reply-To address and the sender domain on the spam, the receiving server accepts the message for delivery, and only later determines that it cannot be delivered, at which point the bounce goes to the forged sender.
Detailed information about the backscatter attack can be found in the following link:
There is no single solution to backscatter attacks, and in many cases they can't be avoided entirely. The main weaknesses that allow backscatter to occur are:
- Filter setup configured to bounce messages.
- Forwarders or autoresponders exploited by the backscatter attack.
- A website/application contact form without CAPTCHA to reduce abuse.