Outbound email using authentication: identify_local_connection
Hello,
I'm still curious how the spammer sends big emails (spam).
When a spammer shows up on my server, I take a note that almost every spammer uses something similar to this:
I have read this as well.
Event: failure error
Sender User: domain
Sender Domain: domain.com
From Address: noreplay@example.org
Sender: domain
Sent Time: Sep 5, 2017 9:06:21 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: identify_local_connection
Spam Score:
Recipient: 000000@xxxxxx.com
Delivered To:
Delivery User: -system-
Delivery Domain:
Router: fail_remote_domains
Transport: fail
Out Time: Sep 5, 2017 9:06:21 PM
ID: 1dpEUQ-00410G-VI
Delivery Host:
Delivery IP:
Size: 14.17 KB
Another example email that was sent using Authentication: identify_local_connection:
Event: success
Sender User: root
Sender Domain: -system-
From Address: cpanel@xx.xxxxxxxx.net
Sender: root
Sent Time: Sep 6, 2017 7:39:19 PM
Sender Host: localhost.localdomain
Sender IP: 127.0.0.1
Authentication: identify_local_connection
Spam Score: 2.6
Recipient: xxxx@gmail.com
Delivered To: xxxx@gmail.com
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: Sep 6, 2017 7:59:19 PM
ID: 1dpZbd-0037XA-RS
Delivery Host: gmail-smtp-in.l.google.com
Delivery IP: 74.125.68.26
Size: 37.31 KB
Result: Accepted
Yes, the above quote is a normal email which is sent by cPanel itself, but sometimes spammers use a similar method, I guess, since they use "Authentication: identify_local_connection".
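As an added example (not code from the thread, cPanel or CSF), the following script parses delivery records in the key: value layout quoted above and separates mail cPanel itself sends as root from identify_local_connection mail submitted by an ordinary account, which is what a local script or webmail session looks like when no SMTP authentication is involved. The sample input is constructed: the first two records are modelled on the ones quoted above, and the third record (ID CONSTRUCTED-0003) is invented so that per-user grouping has something to count. The heuristics (non-system sender user, delivery refused by the fail_remote_domains router, From: domain not matching the sending account's domain, which is what the "Rewrite From: header" option addresses) are the editor's, not a cPanel rule set.

```python
"""Triage Exim delivery records (WHM Mail Delivery Reports layout) to find
which local account is behind identify_local_connection mail.
Added example; not cPanel or CSF code."""
import re
from collections import Counter

# Constructed sample data: records 1 and 2 follow the two quoted in the
# thread, record 3 is invented (ID CONSTRUCTED-0003) to give grouping work.
SAMPLE = """\
Event: failure error
Sender User: domain
Sender Domain: domain.com
From Address: noreplay@example.org
Sender: domain
Sent Time: Sep 5, 2017 9:06:21 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: identify_local_connection
Spam Score:
Recipient: 000000@xxxxxx.com
Delivered To:
Delivery User: -system-
Delivery Domain:
Router: fail_remote_domains
Transport: fail
Out Time: Sep 5, 2017 9:06:21 PM
ID: 1dpEUQ-00410G-VI
Size: 14.17 KB

Event: success
Sender User: root
Sender Domain: -system-
From Address: cpanel@xx.xxxxxxxx.net
Sender: root
Sent Time: Sep 6, 2017 7:39:19 PM
Sender Host: localhost.localdomain
Sender IP: 127.0.0.1
Authentication: identify_local_connection
Spam Score: 2.6
Recipient: xxxx@gmail.com
Delivered To: xxxx@gmail.com
Delivery User: -remote-
Router: lookuphost
Transport: remote_smtp
Out Time: Sep 6, 2017 7:59:19 PM
ID: 1dpZbd-0037XA-RS
Delivery Host: gmail-smtp-in.l.google.com
Delivery IP: 74.125.68.26
Size: 37.31 KB
Result: Accepted

Event: failure error
Sender User: domain
Sender Domain: domain.com
From Address: noreplay@example.org
Sender: domain
Sent Time: Sep 5, 2017 9:06:22 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: identify_local_connection
Spam Score:
Recipient: 000001@xxxxxx.com
Router: fail_remote_domains
Transport: fail
ID: CONSTRUCTED-0003
Size: 14.17 KB
"""

SYSTEM_USERS = {"root", "-system-"}  # mail cPanel itself submits locally


def parse_records(text):
    """Split a report into blank-line separated records of key: value pairs.
    Empty values (e.g. 'Spam Score:') are kept as ''."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; times keep theirs
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def flag(rec):
    """Return the reasons (editor's heuristics) a record looks like abuse."""
    reasons = []
    if rec.get("Authentication") != "identify_local_connection":
        return reasons
    user = rec.get("Sender User", "")
    if user not in SYSTEM_USERS:
        reasons.append(f"local connection by account {user!r} (no SMTP auth)")
    if rec.get("Router") == "fail_remote_domains" or rec.get("Transport") == "fail":
        reasons.append("outbound delivery refused by Exim (fail_remote_domains)")
    sender_dom = rec.get("Sender Domain", "")
    from_dom = domain_of(rec.get("From Address", ""))
    if sender_dom not in SYSTEM_USERS and from_dom and from_dom != sender_dom.lower():
        reasons.append(f"From: domain {from_dom} differs from account domain {sender_dom}")
    return reasons


def triage(text):
    """Map message ID -> reasons, plus a Counter of flagged sender users."""
    flagged, by_user = {}, Counter()
    for rec in parse_records(text):
        reasons = flag(rec)
        if reasons:
            flagged[rec.get("ID", "?")] = reasons
            by_user[rec.get("Sender User", "?")] += 1
    return flagged, by_user


if __name__ == "__main__":
    flagged, by_user = triage(SAMPLE)
    for msg_id, reasons in flagged.items():
        print(msg_id, "->", "; ".join(reasons))
    print("flagged messages per sender user:", dict(by_user))
```

Run it over a report exported from WHM (or the same fields pulled from Exim's mainlog) and the per-user counter points at the cPanel account whose scripts or webmail are submitting the mail; the root/-system- record from the thread is left alone.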
Hello,
You can configure Exim to put the actual sender in the header by enabling the "Experimental: Rewrite From: header to match actual sender" option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager). This is documented at: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation
Additionally, if you can't enable "SMTP Restrictions", I suggest using a third-party firewall management utility such as CSF instead: ConfigServer Security & Firewall
There are options that allow you to restrict SMTP similar to the SMTP Restrictions option in WHM, while also excluding certain users from that protection.
Note that you may also want to review some of the threads listed at the below URL to see how other users are combating this type of SPAM: outgoingspam | cPanel Forums
Thank you.
CSF is installed already. I thought that enabling SMTP Restrictions from WHM is similar to SMTP_BLOCK = 1 in CSF. Hmm, will try later to make sure.
I thought that enabling SMTP Restrictions from WHM is similar to SMTP_BLOCK = 1 in CSF.
Yes, that's true; however, CSF allows you to exclude users, so you can enable it globally and allow specific accounts the ability to send via a remote server with the "SMTP_ALLOWUSER" rule. Thank you.
Yes, CSF is very helpful. I enabled SMTP_BLOCK = 1 and SMTP_REDIRECT = 1, and it seems nobody can relay through my mail server without SMTP authentication first.
Rejected relay attempt: '76.164.xxx.xx' From: 'someusr@example.com' To: 'someusr@domain.co.uk'
But I don't know who did that, since the sender is "System". I have checked the Exim logs; there is no clue. However, here is an interesting area: if I restart Exim (without changing any settings, just a restart), then the spammer can likely relay through the mail server again. I guess it is because the firewall settings from CSF have been overwritten by Exim. The solution: after restarting Exim, I next need to restart CSF again. But I am not sure if, when we restart CSF, some settings in Exim might be overwritten by CSF. Any idea?
Hello,
That question is better asked to CSF directly. You can find their support forums at: General Discussion (csf) - ConfigServer Community Forum
Thank you.