Thousands of emails being sent via remote

Comments

9 comments

  • cPRex Jurassic Moderator

    Hey there!  Can you paste one of the mail transactions here so we can see that?  You can get that with the following command:

    grep ######-##########-#### /var/log/exim_mainlog

    where that string of numbers and letters is the mail ID.  Just be sure to remove any personal info like IP addresses and domains before sharing the data.

  • phild

    Hi and thank you for taking the time to reply. This is the info you asked for:


    root [/]# grep 1sHPx1-0000000EdoP-4Ag9 /var/log/exim_mainlog
    2024-06-12 15:31:59 1sHPx1-0000000EdoP-4Ag9 H=mail4.update.cineworld.com [35.157.55.212]:36447 Warning: "SpamAssassin as personal detected message as NOT spam (-2.0)"
    2024-06-12 15:31:59 1sHPx1-0000000EdoP-4Ag9 <= cineworld@update.cineworld.com H=mail4.update.cineworld.com [35.157.55.212]:36447 P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=157347 id=a476dbc628cd11efb44476375321aa80@update.cineworld.com T="This week at Cineworld \342\234\250\360\237\247\231\342\200\215\342\231\202\357\270\217" for personal@personal.co.uk
    2024-06-12 15:31:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1sHPx1-0000000EdoP-4Ag9
    2024-06-12 15:32:00 1sHPx1-0000000EdoP-4Ag9 ** personal <personal> R=send_to_smart_host T=remote_smtp H=n1smtpout.europe.secureserver.net [92.204.64.1] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 552 5.2.0 HPx9sWSnO9u7l :DED: Access to this mail system has been blocked for 92.205.27.25 due to spam activity. Spam was seen coming from this IP, and possibly other scripts running on it.  Once the compromise has been cleaned, please contact customer support to remove the block.
    2024-06-12 15:32:00 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1sHPx1-0000000EdoP-4Ag9
    2024-06-12 15:32:00 1sHPxA-0000000Edrb-1eme <= <> R=1sHPx1-0000000EdoP-4Ag9 U=mailnull P=local S=5726 T="Mail delivery failed: returning message to sender" for cineworld@update.cineworld.com
    2024-06-12 15:32:00 1sHPx1-0000000EdoP-4Ag9 Completed
    root [/]#

    cineworld.com is not a domain on the server. The one it is sending to is.

    Thanks again.

  • cPRex Jurassic Moderator

    Thanks for that.  As a test, does this command show a large number of messages being sent from somewhere that isn't /var/spool/exim on the server?

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
  • phild

    Thank you for your help. That command returned this:

    root [/]# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    11694 cwd=/var/spool/exim
    104 cwd=/home/mccombie/public_html
    76 cwd=/home/aggelikistyliano/public_html
    49 cwd=/home/bestadmin/public_html
    44 cwd=/home/iconembroideryco/public_html/opencart
    37 cwd=/home/roserock/public_html
    36 cwd=/home/backstreetmechan/public_html
    32 cwd=/home/andyseconomycarh/public_html
    15 cwd=/home/hairdesignairdri/public_html
    14 cwd=/home/newdadmin/public_html
    11 cwd=/home/dennathornedesig/public_html
    10 cwd=/home/shrewdmovenet/public_html/wp-admin
    7 cwd=/home/dwgwalkingco
    7 cwd=/home/bestadmin/public_html/wp-includes/ID3
    4 cwd=/home/vivavocehypnothe/public_html
    4 cwd=/home/juliavandenbosch/public_html
    4 cwd=/home/dunoonopenbowls
    3 cwd=/var/installatron/cache
    3 cwd=/home/theukghostbuster/public_html/forum
    2 cwd=/home/redhousefarmfish/public_html/wp-admin
    2 cwd=/home/lemonaris/public_html
    2 cwd=/home/davidlavelleco/public_html/wordpress/wp-admin
    1 cwd=/home/warpedplasticco/public_html
    1 cwd=/home/shrewdmovenet/public_html
    1 cwd=/home/furnitureoutletc/public_html
    1 cwd=/home/davidlavelleco/public_html
    1 cwd=/home/blingerbell/public_html
    1 cwd=/home/aggelikistyliano/public_html/administrator
    root [/]#

    Those are all accounts on the server.
  • cPRex Jurassic Moderator

    It might be best to create a ticket so the server can be examined directly, as none of that looks particularly interesting or helpful.

  • phild

    Ok. Thanks for your time anyway.

    Cheers.

  • cPRex Jurassic Moderator

    Sure thing - sorry I can't offer more at this time.

  • mtindor

    The results of the awk stuff really don't look odd to me.   Looks fairly normal.

    11694 cwd=/var/spool/exim

     - pretty normal.   That is always going to be a high value because that is all the mail (including inbound / outbound legitimate) running through Exim.

    Everything else looks pretty normal.   If one of the others was in the 1000s I'd be worried that an email account was hijacked.

    You might want to run your 92.x.x.x address through https://multirbl.valli.org/ and see what blacklists it is on.   Some of the blacklists it is on are either bogus or ones that want you to pay for removal and you shouldn't do that.  But there may be one or two (such as Abusix) where you do want to get your server IP off of that list.

    Looks like in this particular scenario where you posted logs, a message came in from Cineworld to personal@personal.co.uk and then was possibly forwarded back out to some external address -- and that email got sent through your Smarthost.  Is that right?

    At any rate, try to get off of any blacklists that you could reasonably expect to be removed from.   Some blacklists you will never get off of, and those are usually inconsequential blacklists that no company handling email [and who is in their right mind] should ever be using as an RBL.

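The two checks made in this thread, the per-directory tally of `cwd=` lines from cPRex's awk pipeline and mtindor's reading of the log as an inbound message forwarded back out through the smarthost and rejected as spam, can be done in one pass over exim_mainlog. The following is an added example, not code from the thread or from cPanel; the regexes, the threshold, the local-vs-SMTP arrival assumption and the sample log (made-up IDs, hosts and addresses in the same shape as the output posted above) are all this example's own.

```python
import re
from collections import Counter
# Exim IDs look like 1sHPx1-0000000EdoP-4Ag9 (newer 6-11-4) or the older 6-6-2 form.
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}"
ARRIVAL = re.compile(rf"^\S+ \S+ (?P<id>{MSG_ID}) <= (?P<sender>\S+) (?P<rest>.*) for (?P<rcpt>\S+)$")
FAILURE = re.compile(rf"^\S+ \S+ (?P<id>{MSG_ID}) \*\* .*T=remote_smtp .*?(?P<code>5\d\d) (?P<text>.*)$")
CWD = re.compile(r"^\S+ \S+ (cwd=\S+) ")

def count_cwd(log):
    """Same tally as: awk '$3 ~ /^cwd/{print $3}' exim_mainlog | sort | uniq -c | sort -nr"""
    return Counter(m.group(1) for m in map(CWD.match, log.splitlines()) if m)

def non_spool_senders(counts, threshold=1000):
    """Directories other than the Exim spool that injected >= threshold messages.
    The thread's rule of thumb: a single account in the 1000s suggests a hijack."""
    return [(d, n) for d, n in counts.most_common()
            if d != "cwd=/var/spool/exim" and n >= threshold]

def blocked_forwards(log):
    """Messages that arrived over SMTP from an external host (H=...), were relayed
    onward via remote_smtp and got a 5xx from the smarthost, i.e. forwarded mail
    bounced as spam. Assumption: an arrival line without H= is a local submission."""
    arrivals, failures = {}, {}
    for line in log.splitlines():
        if (m := ARRIVAL.match(line)):
            arrivals[m["id"]] = m
        elif (m := FAILURE.match(line)):
            failures[m["id"]] = m
    findings = []
    for mid, f in failures.items():
        a = arrivals.get(mid)
        if a is None or "H=" not in a["rest"]:
            continue  # injected locally (web script or mail client), not a forward
        ip = re.search(r"blocked for (\d+\.\d+\.\d+\.\d+)", f["text"])
        findings.append({"id": mid, "sender": a["sender"], "recipient": a["rcpt"],
                         "code": f["code"], "blocked_ip": ip.group(1) if ip else None})
    return findings

# Constructed sample in the shape of the thread's log; IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
2024-06-12 15:31:59 1aAAAA-0000000Aaa1-0001 <= news@example.net H=mx.example.net [203.0.113.10]:4001 P=esmtps S=1200 for user@example.org
2024-06-12 15:31:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aAAAA-0000000Aaa1-0001
2024-06-12 15:32:00 1aAAAA-0000000Aaa1-0001 ** user <user> R=send_to_smart_host T=remote_smtp H=relay.example [198.51.100.5]: SMTP error from remote mail server after end of data: 552 5.2.0 Access to this mail system has been blocked for 192.0.2.7 due to spam activity.
2024-06-12 15:32:00 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1aAAAA-0000000Aaa1-0001
2024-06-12 15:40:00 cwd=/home/siteone/public_html 4 args: /usr/sbin/sendmail -t -i
2024-06-12 15:40:00 1aAAAA-0000000Aaa2-0002 <= www@web.example U=siteone P=local S=800 for a@example.com
2024-06-12 15:41:00 cwd=/home/siteone/public_html 4 args: /usr/sbin/sendmail -t -i
2024-06-12 15:42:00 cwd=/home/siteone/public_html 4 args: /usr/sbin/sendmail -t -i
"""
```

On a real server, read `/var/log/exim_mainlog` into `log` and look at `non_spool_senders` first; `blocked_forwards` then separates smarthost rejections caused by forwarded external mail from those caused by mail a local script injected.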
  • phild

    Hi and thanks for the advice, I will do as you suggest.

    "and that email got sent through your Smarthost.  Is that right?" - yes.

    Thanks again,

    Phil.
