Mysterious login maillog message

Comments

5 comments

  • ThinIce
    I'm sure someone will correct me if I'm wrong, but iirc the cpanel__service__auth__imap entry is cPanel monitoring the imap service to ensure it is working. The pop3-login example is an attempt to find accounts to log in to / brute force, unrelated to the above.
    0
  • epanagio
    Thanks for taking the time to answer my question.
    0
  • cPanelMichael
    Hello :) Yes, those are simply access attempts by Chkservd to ensure the service is running. If you want to determine the source of SPAM, I recommend checking the following log file: /var/log/exim_mainlog
    You can search this log file using the "exigrep" utility in order to search for specific email addresses or message subjects. It should help you to determine which account the SPAM is originating from. Thank you.
    0
  • epanagio
    I looked in /var/log/exim_mainlog and I saw some random email messages that were received from a variety of senders. I also saw a lot, and I mean a lot, of:
        2013-09-03 01:55:52 SMTP connection from [202.107.225.31]:56748 lost
        2013-09-03 01:55:54 SMTP connection from [202.107.225.31]:57017 (TCP/IP connection count = 1)
        2013-09-03 01:55:54 no host name found for IP address 202.107.225.31
        2013-09-03 01:55:55 SMTP connection from [202.107.225.31]:57017 lost
        2013-09-03 01:55:57 SMTP connection from [202.107.225.31]:57296 (TCP/IP connection count = 1)
    I also saw a few:
        2013-09-03 13:21:45 H=( [198.24.175.151]:1775 F= rejected RCPT : Please turn on SMTP Authentication in your mail client. () [198.24.175.151]:1775 is not permitted to relay through this server without authentication.
        2013-09-03 13:21:45 H=() [198.24.175.151]:1775 Warning: "Detected session with all messages failed"
        2013-09-03 13:21:45 H=() [198.24.175.151]:1775 Warning: "Increment slow_fail_block Ratelimit - () [198.24.175.151]:1775 because of all messages failed"
        2013-09-03 13:21:45 SMTP connection from () [198.24.175.151]:1775 closed by QUIT
    The last message worried me but I am not sure if it is real or not.
    0
  • cPanelMichael
    You should search this log for the email address that reported your server as sending out SPAM. Simply viewing the full log is going to output a large amount of data. Thank you.
    0
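
Added example, not part of any post in the thread: a small Python triage script that condenses the kind of exim_mainlog noise quoted above into per-IP counts of opened connections, lost connections and rejected recipients. The sample lines are constructed in the same formats (documentation-range IPs, placeholder host and addresses), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the exim_mainlog formats quoted in the thread.
# IPs are documentation ranges; host and addresses are placeholders.
SAMPLE_LOG = """\
2013-09-03 01:55:52 SMTP connection from [203.0.113.31]:56748 lost
2013-09-03 01:55:54 SMTP connection from [203.0.113.31]:57017 (TCP/IP connection count = 1)
2013-09-03 01:55:54 no host name found for IP address 203.0.113.31
2013-09-03 01:55:55 SMTP connection from [203.0.113.31]:57017 lost
2013-09-03 01:55:57 SMTP connection from [203.0.113.31]:57296 (TCP/IP connection count = 1)
2013-09-03 13:21:45 H=(mail.example) [198.51.100.151]:1775 F=<a@example.org> rejected RCPT <b@example.net>: is not permitted to relay through this server without authentication.
2013-09-03 13:21:45 SMTP connection from (mail.example) [198.51.100.151]:1775 closed by QUIT
"""

# Exim writes the remote end as [ip]:port on connection and rejection lines.
IP_PORT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+")


def summarize(log_text):
    """Count opened/lost connections and rejected RCPTs per source IP."""
    stats = defaultdict(lambda: {"opened": 0, "lost": 0, "rejected_rcpt": 0})
    for line in log_text.splitlines():
        match = IP_PORT.search(line)
        if not match:
            continue  # e.g. "no host name found" lines carry no [ip]:port
        ip = match.group(1)
        if "SMTP connection from" in line:
            if "connection count" in line:
                stats[ip]["opened"] += 1
            elif line.endswith(" lost"):
                stats[ip]["lost"] += 1
        elif " rejected RCPT " in line:
            # The server refused this recipient; nothing was relayed.
            stats[ip]["rejected_rcpt"] += 1
    return dict(stats)


def rank_sources(stats):
    """Order IPs by lost connections plus rejected recipients, noisiest first."""
    return sorted(stats, key=lambda ip: -(stats[ip]["lost"] + stats[ip]["rejected_rcpt"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in rank_sources(summary):
        print(ip, summary[ip])
```

To run it against a real log, pass the file's contents to `summarize()` instead of `SAMPLE_LOG`.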