Is this correct EXIM IP address behaviour?
We had an issue where an email account was compromised due to a weak password and used to send out spam. However, we found it strange that the IP address that ended up on blacklists was not the one that should have been sending the spam emails.
For example,
email@account.com was used to authenticate
host.server.com is the server on IP xxx.xxx.xxx.123
account.com was on IP xxx.xxx.xxx.456
We had the Exim setting enabled to send from the domain's IP address, and can confirm that was working from the email headers when we tested. (Email sent normally from Outlook or SquirrelMail was sent from .456.)
During the spam attack they authenticated with email@account.com, and spoofed the email headers so it looked like spam was coming from info@host.server.com instead of the account that was used to authenticate.
The IP address .123 ended up on the RBL blacklists, and not .456.
Is that how it should have worked? Shouldn't Exim have been sending mail from .456, since that's the IP the email authenticating domain was logged into when creating the emails? Or can they just spoof the sending IP anyway?
What do you think?
Hello :) It depends on how the specific blacklist determined the offending IP address. It's possible that it used the IP address associated with the hostname of the mail server. You can check the message headers after sending a test message from the account to verify which IP address is used for sending. Thank you.
Fair enough; strange if the blacklists block the hostname, though, since most servers seem to check against the sending IP address. That would mean I can just have no accounts using the hostname IP and the spammer wouldn't actually get blocked. When I did a test email from the "hacked" account I verified that .456 showed up as the sender IP. Weird stuff!
You could consult with the specific blacklist publisher to determine what methods they use when adding IP addresses to their list. Thank you.
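The replies above recommend checking the message headers to see which IP a message was actually sent from. The script below is an added example, not code from the thread or from cPanel/Exim, that does that check the way a blacklist operator or receiving MX does: it reads the Received: trail top-down, takes the connecting IP recorded by the final receiver (that is what an RBL lists, not a hostname), and compares it with what the From: header and envelope sender claim. It assumes Exim's Received: header layout (the "esmtpsa"/"esmtpa" protocol names mark authenticated submissions), a constructed spam message modelled on the one in the question, RFC 5737 documentation addresses in place of the redacted .123 and .456, and a hypothetical domain-to-IP map in the shape of cPanel's /etc/mailips. The caveat it illustrates: once a spammer has authenticated, the From: header and the envelope sender are entirely under their control, so if outbound-IP selection keys on the sender's domain rather than on the authenticated login, a forged sender domain steers the mail out of whichever IP that domain maps to.

```python
"""Audit which IP a message actually left from, versus what its headers claim.

Added example, not code from the original thread. It reads the Received:
trail the way a receiving MX or blacklist operator would: the topmost hop is
the one the destination saw, and its connecting IP is what gets listed,
regardless of what From: or envelope-from say.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Protocol names Exim writes for authenticated submissions ("a" suffix).
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
ENV_FROM_RE = re.compile(r"envelope-from\s+<([^>]+)>")

# Constructed sample, modelled on the thread: the spammer authenticated as
# email@account.com on a cPanel/Exim server but forged From: and the envelope
# sender to info@host.server.com. RFC 5737 documentation IPs stand in for the
# redacted xxx.xxx.xxx.123 (server) and the spammer's own client address.
SAMPLE_SPAM = """\
Received: from host.server.com ([192.0.2.123])
\tby mx.example.net with esmtps id 1abc-0001
\tfor <victim@example.net>; Tue, 01 Jan 2019 10:00:00 +0000
Received: from [203.0.113.7] (port=51234 helo=spammer-client)
\tby host.server.com with esmtpsa (Exim 4.91)
\t(envelope-from <info@host.server.com>)
\tid 1xyz-0002; Tue, 01 Jan 2019 09:59:58 +0000
From: info@host.server.com
To: victim@example.net
Subject: test

body
"""

# Hypothetical domain-to-outbound-IP map in the shape of cPanel's /etc/mailips
# ("domain: ip"); the values are constructed for this example.
MAILIPS = {
    "account.com": "192.0.2.45",       # the thread's xxx.xxx.xxx.456
    "host.server.com": "192.0.2.123",  # the thread's xxx.xxx.xxx.123
}


def parse_hop(received):
    """Pull the fields that matter out of one Received: header."""
    text = " ".join(received.split())  # unfold continuation lines
    ip = IP_RE.search(text)
    by = BY_RE.search(text)
    with_ = WITH_RE.search(text)
    env = ENV_FROM_RE.search(text)
    proto = with_.group(1).lower() if with_ else ""
    return {
        "from_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "protocol": proto,
        "authenticated": proto in AUTHENTICATED_PROTOCOLS,
        "envelope_from": env.group(1) if env else None,
    }


def audit(raw_message):
    """Summarise the trail: what the receiver saw versus what the headers claim."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]
    # hops[0] was added by the final receiver; its from_ip is what an RBL records.
    delivering = hops[0] if hops else {}
    submission = next((h for h in hops if h["authenticated"]), None)
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "listed_ip": delivering.get("from_ip"),
        "received_by": delivering.get("by"),
        "header_from": header_from,
        "envelope_from": submission["envelope_from"] if submission else None,
        "submission_authenticated": submission is not None,
        "submission_client_ip": submission["from_ip"] if submission else None,
    }


def expected_ip(address, mailips=MAILIPS):
    """Outbound IP a per-domain interface map would pick for this sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    return mailips.get(domain)


if __name__ == "__main__":
    report = audit(SAMPLE_SPAM)
    for key, value in report.items():
        print(f"{key:>26}: {value}")
    print(f"{'expected for From domain':>26}: {expected_ip(report['header_from'])}")
    print(f"{'expected for account.com':>26}: {expected_ip('email@account.com')}")
```

Run it against a real message by replacing SAMPLE_SPAM with the raw source of a test mail received at an external mailbox. The "listed_ip" line is the only one a blacklist cares about; "header_from" and "envelope_from" are whatever the authenticated client chose to write, and "submission_client_ip" is the address worth blocking at the firewall while the password is being reset.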