LOCALRELAY Local Account
A client has started getting LOCALRELAY alert emails for one of the domains they host. The website itself is a WordPress site, fully patched and updated, with a standard contact form on their Contact page.
Other posts on the internet have suggested this behaviour is a spam attempt and recommended disabling the mail function; however, we want this site to be able to receive mails sent from users visiting it. I have run a ClamAV virus scan of the site directory and site mail, and it came up clean. If this is spam, how are they doing it?
How do I stop this from happening and fix the problem?
Email content below:
Time: Fri Feb 21 09:15:37 2020 -0500
Type: LOCALRELAY, Local Account - domain
Count: 101 emails relayed
Blocked: No
Sample of the first 10 emails:
2020-02-21 09:00:11 1j58qg-000Mvz-UF <= domain@server.com U=domain P=local S=1244 id=594ae4030f51bb0751983361da99059e@domain.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:00:11 1j58qh-000Mw1-0z <= domain@server.com U=domain P=local S=1157 id=3aaa6360a9117265ce142f2da6edcc4f@domain.com T="WICHTIG, bitte lesen!" for ADanz@t-online.de
2020-02-21 09:00:40 1j58rA-000MxJ-HV <= domain@server.com U=domain P=local S=1242 id=17a7d83508e998d48eaf3e56cb9aaa70@domain.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:00:40 1j58rA-000MxL-Nd <= domain@server.com U=domain P=local S=1151 id=8d69862b3ee31a14605cdea950cac867@domain.com T="WICHTIG, bitte lesen!" for zwackerl@web.de
2020-02-21 09:01:05 1j58rZ-000MyW-GG <= domain@server.com U=domain P=local S=1240 id=497393e3fee0f070c4a3bf92504fd416@domain.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:01:05 1j58rZ-000MyY-Hz <= domain@server.com U=domain P=local S=1145 id=bdb15e3232e0762b9961d249d99e4fd5@domain.com T="WICHTIG, bitte lesen!" for wicht@gmx.net
2020-02-21 09:01:06 1j58ra-000Myh-PD <= domain@server.com U=domain P=local S=1242 id=80aa9fb5eb5513b0ddf3f495f1c9e645@domain.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:01:06 1j58ra-000Myj-U4 <= domain@server.com U=domain P=local S=1151 id=c3c44f181e8cbf2bd07e31bb854967c5@domain.com T="WICHTIG, bitte lesen!" for MiRoede@aol.com
2020-02-21 09:01:08 1j58rc-000Mys-1Z <= domain@server.com U=domain P=local S=1245 id=77c2a6e5c9e0091ea8ced8dfeb9e235a@domain.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:01:08 1j58rc-000Myu-3j <= domain@server.com U=domain P=local S=1160 id=8b3ca0ab3a49949312453988fe580f49@domain.com T="WICHTIG, bitte lesen!" for csimmo@t-online.de
/var/log/exim_main below:
root@domain [/var/log]# tail exim_mainlog
2020-02-21 17:41:49 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j5GzV-0007hk-Nq
2020-02-21 17:41:49 1j5GzV-0007hi-Np => user R=localuser T=dovecot_delivery C="250 2.0.0 gNq0Ma1cUF7IbwAAJ1NjhA Saved"
2020-02-21 17:41:49 1j5GzV-0007hi-Np Completed
2020-02-21 17:41:49 1j5GzV-0007ho-QV <= <> R=1j5GzV-0007hb-LA U=mailnull P=local S=2593 T="Mail delivery failed:returning message to sender" for user@domain.com
2020-02-21 17:41:49 1j5GzV-0007hb-LA Completed
2020-02-21 17:41:49 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j5GzV-0007ho-QV
2020-02-21 17:41:49 1j5GzV-0007hk-Nq => user R=localuser T=dovecot_delivery C="250 2.0.0 IOO4NK1cUF7IbwAAJ1NjhA Saved"
2020-02-21 17:41:49 1j5GzV-0007hk-Nq Completed
2020-02-21 17:41:49 1j5GzV-0007ho-QV => user R=localuser T=dovecot_delivery C="250 2.0.0 4ImMNq1cUF75cgAAJ1NjhA Saved"
2020-02-21 17:41:49 1j5GzV-0007ho-QV Completed
Can you give me the output of exigrep with 1/2 of the mail transactions, such as the following:
exigrep 1j58qg-000Mvz-UF /var/log/exim_mainlog
Hi, see below, thanks.
root@kdale [~]# exigrep 1j58qg-000Mvz-UF /var/log/exim_mainlog
2020-02-21 09:00:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1j58qg-000Mvz-UF
2020-02-21 09:00:11 1j58qg-000Mvz-UF <= user@domain.com U=user P=local S=1244 id=594ae4030f51bb0751983361da99059e@user.com T="WICHTIG, bitte lesen!" for petradgooding@gmail.com
2020-02-21 09:00:11 1j58qg-000Mvz-UF Sender identification U=user D=user.com S=Webmaster@user.com
2020-02-21 09:00:11 1j58qg-000Mvz-UF SMTP connection outbound 1582293611 1j58qg-000Mvz-UF user.com petradgooding@gmail.com
2020-02-21 09:00:11 1j58qg-000Mvz-UF => petradgooding@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [172.217.214.27] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1582293611 m1si1793928ilj.36 - gsmtp"
2020-02-21 09:00:11 1j58qg-000Mvz-UF Completed
root@kdale [~]#
A long time ago (about 2 years, more or less) one client had the same problem: spam through the contact page, a lot of mails. I don't know if it is the same issue; the solution in the case of my client was to disable the contact page and, after one or two days, install a new plugin for the contact page with more anti-spam options (captcha and more...).
It does indeed look like a spam attempt. I'd be curious to see what the output of the following is as well (in line with @wonder_wonder's assumptions):
/usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/msp.pl) --auth --limit 50
Do you suspect the Contact Form 7 plugin itself is buggy? As this is the client's production web server, can you tell me what the cPanelTechs Perl script does, please?
In the case of my client, which happened about 2 years ago, he had installed the latest version of WP at the time and therefore the contact form plugin. I was also surprised, but... sometimes the most used websites (in this case a CMS) are the most "searched" for this type of activity or others. As I commented, I don't know if it's your case, but it seems so. Even with the latest version and everything set by default in WP, it can happen; it happened to my client. Finally I had to help him by changing some WP security settings, and the contact form plugin was changed. Tomorrow I can see what plugin it has. Although this does not have to do with cPanel, after that experience I recommend changing certain WP default values and adding security plugins, although one of the best things was to install the firewall (CSF) on your VPS (this would not prevent spam in the contact form), but my client, apart from that type of spam, had others, such as repeated attempts to access the wp admin. I am not very expert (my knowledge of WP is average), but since that client is good and known to me, I helped him, and that was when I saw those things. Regards.
That Perl script parses the exim logs and outputs the following:
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Emails by user:
163 : root
3 : mailnull
===================
Total: 166
===================
Email accounts sending out mail:
6 : __cpanel__service__auth__icontact__eqs_gh5rptspda42
===================
Total: 6
===================
Directories mail is originating from:
3 : /root
===================
Total: 2
===================
Top 20 Email Titles:
59 : lfd on server.mydomain.tld: Excessive resource usage: lauren (18569 (Parent PID:18569))
59 : lfd on server.mydomain.tld: Excessive resource usage: lauren (18570 (Parent PID:18569))
<>
===================
Total: 165
===================
This would most likely be a lot different on a production environment; this is a test server that has minimal mail activity.
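An added example, not part of the thread and not the cPanelTechs script: a small Python parser for the "<=" (message received) lines of exim_mainlog that produces the same kind of breakdown the comment above describes (by local user, submission protocol, subject and recipient) and flags a local user injecting many same-subject messages within a short window, which is the pattern behind the LOCALRELAY alert in the original post. Messages submitted through the local sendmail interface (as PHP's mail() does) carry P=local, so the per-protocol count tells you whether the burst came from a script on the box rather than an SMTP login. The log lines are a constructed sample modelled on the ones in the post, with placeholder recipients; the 60-second window and threshold of 3 are assumptions.

```python
"""Summarise Exim "<=" log lines by user, protocol, subject and recipient, and
flag local users that send many same-subject messages in a short window."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the exim_mainlog lines in the post above.
# Recipient addresses are placeholders; message ids are shortened.
SAMPLE_LOG = """\
2020-02-21 09:00:11 1j58qg-000Mvz-UF <= domain@server.com U=domain P=local S=1244 id=msg1@domain.com T="WICHTIG, bitte lesen!" for recipient-a@example.com
2020-02-21 09:00:11 1j58qh-000Mw1-0z <= domain@server.com U=domain P=local S=1157 id=msg2@domain.com T="WICHTIG, bitte lesen!" for recipient-b@example.net
2020-02-21 09:00:40 1j58rA-000MxJ-HV <= domain@server.com U=domain P=local S=1242 id=msg3@domain.com T="WICHTIG, bitte lesen!" for recipient-a@example.com
2020-02-21 09:01:05 1j58rZ-000MyW-GG <= domain@server.com U=domain P=local S=1240 id=msg4@domain.com T="WICHTIG, bitte lesen!" for recipient-c@example.org
2020-02-21 17:41:49 1j5GzV-0007ho-QV <= <> R=1j5GzV-0007hb-LA U=mailnull P=local S=2593 T="Mail delivery failed:returning message to sender" for user@domain.com
2020-02-21 17:41:49 1j5GzV-0007hk-Nq => user R=localuser T=dovecot_delivery C="250 2.0.0 IOO4NK1cUF7IbwAAJ1NjhA Saved"
"""

# Only "<=" lines describe a message entering the queue; "=>" and "cwd=" lines are skipped.
RECEIVED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
# Single-letter Exim fields such as U=, P=, S=, R= and the quoted T="subject".
FIELD_RE = re.compile(r'(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


def parse_received(line):
    """Return a dict for a '<=' line, or None for any other line."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rcpts = []
    idx = rest.rfind(" for ")  # the recipient list is the trailing "for ..." clause
    if idx != -1:
        rcpts = rest[idx + 5:].split()
        rest = rest[:idx]
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        "when": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S"),
        "msgid": m.group("msgid"),
        "sender": m.group("sender"),
        "user": fields.get("U", "?"),
        "protocol": fields.get("P", "?"),
        "subject": fields.get("T", ""),
        "recipients": rcpts,
    }


def summarize(log_text):
    """Parse every '<=' line and count by user, protocol, subject and recipient."""
    records = [r for r in map(parse_received, log_text.splitlines()) if r]
    summary = {
        "total": len(records),
        "by_user": Counter(r["user"] for r in records),
        "by_protocol": Counter(r["protocol"] for r in records),
        "by_subject": Counter(r["subject"] for r in records),
        "by_recipient": Counter(rc for r in records for rc in r["recipients"]),
    }
    return records, summary


def find_bursts(records, window_seconds=60, threshold=3):
    """Return {(user, subject): peak_count} for pairs that reach `threshold`
    messages inside any sliding window of `window_seconds` (assumed values)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["subject"])].append(r["when"])
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


if __name__ == "__main__":
    recs, summ = summarize(SAMPLE_LOG)
    for section in ("by_user", "by_protocol", "by_subject", "by_recipient"):
        print(section)
        for name, n in summ[section].most_common():
            print(f"  {n:>4} : {name}")
    for (user, subject), n in find_bursts(recs).items():
        print(f"burst: user={user!r} subject={subject!r} peak={n} in 60s")
```

Run it against a real log with `summarize(open("/var/log/exim_mainlog").read())`; the bursts it reports are the (user, subject) pairs to look at first, and the U= value tells you which account's scripts (here the site's own user, not an authenticated mailbox) are injecting the mail.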