AUTHRELAY emails
Hi,
I am getting a lot of these emails. Should there be a user called smtp@?
Thanks
/daveb
Time: Fri Jan 12 06:56:07 2018 +1100
Type: AUTHRELAY, Remote IP - 61.177.248.202 (CN/China/-)
Count: 150 emails relayed
Blocked: No
Sample of the first 10 emails:
2018-01-12 06:55:41 1eZiwu-0003wr-VW <= smtp@example.com.au H=(User) [61.177.248.202]:59943 P=esmtpa A=dovecot_login:smtp@example.com.au S=1319 T="DRINGEND" for -- Removed - - Removed -
- Removed -
-
The alerts you are getting appear to be generated by CSF/LFD. I would not have expected to see a mail account that was smtp@, but addresses are easily spoofed by scripts. You may like to review this thread and see if it has anything that might help you.

Personally, I would be doing a lot of investigation into the account (domain) that is sending the mails, to try and establish if it has been compromised in any way, or if any deployed software (e.g. CMS) is being leveraged as a mass mailer.

Let's have a closer look at the parts of the log:

<= Indicates the arrival of a message for incoming mail

H= Represents the host:
H=localhost (10.5.40.204) [127.0.0.1]:39753
5.1) H=mail.fictional.example [192.168.123.123] U=exim
6) I=[127.0.0.1]:25

P= This is the return_path_on_delivery: The return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.

A= If A= is present, then SMTP AUTH was used for the delivery.

S= Is the delivery size of the message

T= The relay used to transmit the message. Example:
T=remote_smtp
T=local_delivery

You may need to enlist the help of the server administrator if your reseller privileges don't give you enough access to the various log files you will probably need to check to pin this down.

Hope this helps
-
Hello,

The previous post should help. Let us know if you have any additional questions.

Thank you.
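Added example, not part of the original thread: a Python parser for Exim `<=` arrival lines like the sample in the alert, counting authenticated submissions per A= login and remote IP. On arrival lines it reads P= as the receive protocol (esmtpa in the sample) and T= as the quoted subject; the log lines, the `limit` value and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the alert's format (example domains, documentation IPs).
SAMPLE_LOG = """\
2018-01-12 06:55:41 1eZiwu-0003wr-VW <= smtp@example.com.au H=(User) [203.0.113.7]:59943 P=esmtpa A=dovecot_login:smtp@example.com.au S=1319 T="DRINGEND" for a@example.net
2018-01-12 06:55:42 1eZiwv-0003ws-1A <= smtp@example.com.au H=(User) [203.0.113.7]:59950 P=esmtpa A=dovecot_login:smtp@example.com.au S=1322 T="DRINGEND" for b@example.net
2018-01-12 06:55:43 1eZiww-0003wt-2B <= bob@example.com.au H=pc.example.org (desk) [198.51.100.9]:40112 P=esmtpsa A=dovecot_plain:bob@example.com.au S=2048 T="re: A=x:ceo@example.com.au [192.0.2.1]" for c@example.net
2018-01-12 06:55:44 1eZiwx-0003wu-3C <= root@host.example.com.au U=root P=local S=512 T="cron" for root@host.example.com.au
2018-01-12 06:55:45 1eZiwu-0003wr-VW => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
"""

ARRIVAL = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) (.*)$')

def parse_arrival(line):
    """Return the fields of one '<=' arrival line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    ts, msg_id, sender, rest = m.groups()
    # The subject and recipients are sender-supplied text, so tagged fields
    # and the remote IP are read only from the part of the line before T=".
    head, _, tail = rest.partition(' T="')
    fields = dict(re.findall(r'(?:^| )([A-Z]+)=(\S+)', head))
    # Connecting IP: bracketed address after "H=" or a space (a HELO literal sits in parentheses).
    ip = re.search(r'(?:H=| )\[([0-9A-Fa-f:.]+)\]', head)
    subject = re.match(r'((?:[^"\\]|\\.)*)"', tail)
    authenticator, _, login = fields.get('A', '').partition(':')
    size = fields.get('S', '')
    return {
        'time': ts, 'id': msg_id, 'sender': sender,
        'protocol': fields.get('P'), 'size': int(size) if size.isdigit() else None,
        'ip': ip.group(1) if ip else None,
        'authenticator': authenticator or None, 'login': login or None,
        'subject': subject.group(1) if subject else None,
    }

def auth_relay_counts(log_text):
    """Count authenticated arrivals per (login, remote IP)."""
    records = filter(None, map(parse_arrival, log_text.splitlines()))
    return Counter((r['login'], r['ip']) for r in records if r['login'] and r['ip'])

def over_limit(log_text, limit):
    """Return (login, ip, count) for pairs at or above a hypothetical limit."""
    return sorted((l, ip, n) for (l, ip), n in auth_relay_counts(log_text).items() if n >= limit)

if __name__ == '__main__':
    for login, ip, n in over_limit(SAMPLE_LOG, limit=2):
        print(f'{n} authenticated messages as {login} from {ip}')
```

A login that shows up here from an unfamiliar IP with a high count points at a stolen mailbox password rather than a spoofed address, since the A= field is only logged after SMTP AUTH succeeded.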