Is this correct EXIM IP address behaviour?
Hi,
We had an issue where an email account was compromised due to a weak password and used to send out spam. However, we found it strange that the IP address that ended up on blacklists was not the one that should have been sending the spam emails.
For example,
email@account.com was used to authenticate
host.server.com is the server on IP .123
account.com was on IP .456
We had the exim setting enabled to send from the domain's IP address, and can confirm that was working from the email headers when we tested. (Email sent normally from Outlook or SquirrelMail was sent from .456).
During the spam attack they authenticated with email@account.com, and spoofed the email headers so it looked like spam was coming from info@host.server.com instead of the account that was used to authenticate.
The IP address .123 ended up on the RBL black lists, and not .456.
Is that how it should have worked? Shouldn't EXIM have been sending mail from .456 since that's the IP the authenticating email domain was logged into when creating the emails? Or can they just spoof the sending IP anyway?
What do you think?
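Added example (not from the original post): a small Python check over constructed Exim mainlog lines that flags the pattern described above, a message authenticated as one account but with a sender in another domain, leaving via that other domain's interface. It assumes SMTP AUTH is logged (`A=...`) and that `log_selector` includes `+outgoing_interface` so delivery lines carry `I=[...]`; the message ids, hostnames and IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt (not from the original post). Message 1 is
# legitimate mail from email@account.com. Message 2 authenticates as the same
# login but uses a sender in host.server.com and leaves via that domain's IP.
# Assumes log_selector includes +outgoing_interface so "I=[...]" is on "=>" lines.
SAMPLE_LOG = """\
2024-03-01 10:00:01 1rXyZa-0001Ab-Cd <= email@account.com H=(pc) [203.0.113.9] P=esmtpa A=dovecot_login:email@account.com S=2048 id=1@account.com
2024-03-01 10:00:02 1rXyZa-0001Ab-Cd => friend@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.7] I=[192.0.2.2] C="250 OK"
2024-03-01 10:05:01 1rXyZa-0002Ef-Gh <= info@host.server.com H=(pc) [203.0.113.9] P=esmtpa A=dovecot_login:email@account.com S=4096 id=2@host.server.com
2024-03-01 10:05:02 1rXyZa-0002Ef-Gh => victim@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.8] I=[192.0.2.1] C="250 OK"
"""

# "<=" arrival line: message id, envelope sender, authenticated login after "A=driver:"
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?A=\S+:(?P<auth>\S+)")
# "=>" delivery line: message id, recipient, local outgoing interface
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+) .*?I=\[(?P<iface>[^\]]+)\]")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def find_sender_mismatches(log_text, expected_iface):
    """Return one record per authenticated message whose envelope sender domain
    differs from the login's domain, or which left via an unexpected interface.
    expected_iface maps domain -> the outgoing IP that domain is supposed to use."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgs[m["id"]].update(sender=m["sender"], auth=m["auth"])
            continue
        m = DELIVERY.match(line)
        if m:
            msgs[m["id"]]["iface"] = m["iface"]
    findings = []
    for mid, rec in msgs.items():
        if "auth" not in rec:
            continue  # unauthenticated (inbound) mail is out of scope here
        reasons = []
        if domain(rec["sender"]) != domain(rec["auth"]):
            reasons.append("sender domain != authenticated domain")
        want = expected_iface.get(domain(rec["auth"]))
        if want and rec.get("iface") != want:
            reasons.append(f"sent via {rec.get('iface')} not {want}")
        if reasons:
            findings.append({"id": mid, **rec, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_sender_mismatches(SAMPLE_LOG, {"account.com": "192.0.2.2"}):
        print(f["id"], f["auth"], "->", f["sender"], f["reasons"])
```

Run against the real mainlog, a hit like message 2 above is the account to lock and the password to reset, regardless of which IP the RBLs listed.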