Thousands of emails being sent via remote
My server has been blocked for sending spam emails. Further investigation revealed these are being sent "remote" - the sent summary shows that the domains that are on my server are sending what you would expect, low amounts, but remote at the top is in the thousands.
Clicking on remote shows that emails from addresses not on my server are being sent but only to domains on my server!
I am totally confused. Any help would be gratefully appreciated.
Thanks in advance, Phil.
Hey there! Can you paste one of the mail transactions here so we can see that? You can get that with the following command:
grep ######-##########-#### /var/log/exim_mainlog
where that string of numbers and letters is the mail ID. Just be sure to remove any personal info like IP addresses and domains before sharing the data.
Hi and thank you for taking the time to reply. This is the info you asked for:
root [/]# grep 1sHPx1-0000000EdoP-4Ag9 /var/log/exim_mainlog
2024-06-12 15:31:59 1sHPx1-0000000EdoP-4Ag9 H=mail4.update.cineworld.com [35.157.55.212]:36447 Warning: "SpamAssassin as personal detected message as NOT spam (-2.0)"
2024-06-12 15:31:59 1sHPx1-0000000EdoP-4Ag9 <= cineworld@update.cineworld.com H=mail4.update.cineworld.com [35.157.55.212]:36447 P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=157347 id=a476dbc628cd11efb44476375321aa80@update.cineworld.com T="This week at Cineworld \342\234\250\360\237\247\231\342\200\215\342\231\202\357\270\217" for personal@personal.co.uk
2024-06-12 15:31:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1sHPx1-0000000EdoP-4Ag9
2024-06-12 15:32:00 1sHPx1-0000000EdoP-4Ag9 ** personal <personal> R=send_to_smart_host T=remote_smtp H=n1smtpout.europe.secureserver.net [92.204.64.1] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 552 5.2.0 HPx9sWSnO9u7l :DED: Access to this mail system has been blocked for 92.205.27.25 due to spam activity. Spam was seen coming from this IP, and possibly other scripts running on it. Once the compromise has been cleaned, please contact customer support to remove the block.
2024-06-12 15:32:00 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1sHPx1-0000000EdoP-4Ag9
2024-06-12 15:32:00 1sHPxA-0000000Edrb-1eme <= <> R=1sHPx1-0000000EdoP-4Ag9 U=mailnull P=local S=5726 T="Mail delivery failed: returning message to sender" for cineworld@update.cineworld.com
2024-06-12 15:32:00 1sHPx1-0000000EdoP-4Ag9 Completed
root [/]#
cineworld.com is not a domain on the server. The one it is sending to is.
Thanks again.
Thanks for that. As a test, does this command show a large number of messages being sent from somewhere that isn't /var/spool/exim on the server?
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
Thank you for your help. That command returned this:
root [/]# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
11694 cwd=/var/spool/exim
104 cwd=/home/mccombie/public_html
76 cwd=/home/aggelikistyliano/public_html
49 cwd=/home/bestadmin/public_html
44 cwd=/home/iconembroideryco/public_html/opencart
37 cwd=/home/roserock/public_html
36 cwd=/home/backstreetmechan/public_html
32 cwd=/home/andyseconomycarh/public_html
15 cwd=/home/hairdesignairdri/public_html
14 cwd=/home/newdadmin/public_html
11 cwd=/home/dennathornedesig/public_html
10 cwd=/home/shrewdmovenet/public_html/wp-admin
7 cwd=/home/dwgwalkingco
7 cwd=/home/bestadmin/public_html/wp-includes/ID3
4 cwd=/home/vivavocehypnothe/public_html
4 cwd=/home/juliavandenbosch/public_html
4 cwd=/home/dunoonopenbowls
3 cwd=/var/installatron/cache
3 cwd=/home/theukghostbuster/public_html/forum
2 cwd=/home/redhousefarmfish/public_html/wp-admin
2 cwd=/home/lemonaris/public_html
2 cwd=/home/davidlavelleco/public_html/wordpress/wp-admin
1 cwd=/home/warpedplasticco/public_html
1 cwd=/home/shrewdmovenet/public_html
1 cwd=/home/furnitureoutletc/public_html
1 cwd=/home/davidlavelleco/public_html
1 cwd=/home/blingerbell/public_html
1 cwd=/home/aggelikistyliano/public_html/administrator
root [/]#
Those are all accounts on the server.
It might be best to create a ticket so the server can be examined directly, as none of that looks particularly interesting or helpful.
Ok. Thanks for your time anyway.
Cheers.
Sure thing - sorry I can't offer more at this time.
The results of the awk stuff really don't look odd to me. Looks fairly normal.
11694 cwd=/var/spool/exim
- pretty normal. That is always going to be a high value because that is all the mail (including inbound / outbound legitimate) running through Exim.
Everything else looks pretty normal. If one of the others was in the 1000s I'd be worried that an email account was hijacked.
You might want to run your 92.x.x.x address through https://multirbl.valli.org/ and see what blacklists it is on. Some of the blacklists it is on are either bogus or ones that want you to pay for removal and you shouldn't do that. But there may be one or two (such as Abusix) where you do want to get your server IP off of that list.
Looks like in this particular scenario where you posted logs, a message came in from Cineworld to personal@personal.co.uk and then was possibly forwarded back out to some external address -- and that email got sent through your Smarthost. Is that right?
At any rate, try to get off of any blacklists that you could reasonably expect to be removed from. Some blacklists you will never get off of, and those are usually inconsequential blacklists that no company handling email [and who is in their right mind] should ever be using as an RBL.
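As an added illustration (not code from the thread), the following Python script checks for the forwarding pattern described above: it correlates Exim `<=` arrival lines with the matching `=>`/`**` delivery lines and counts which local mailbox is re-sending mail that arrived from a remote host out again via `remote_smtp`. The log excerpt, hostnames and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed Exim main-log excerpt (placeholder hosts/addresses, not from the post).
# Message 1aaaa/1cccc: arrive from a remote host for alice@local.example, then go back
# out through the smarthost (a forwarder). 1bbbb: locally submitted mail. 1dddd: remote
# mail delivered into a local mailbox (normal inbound).
SAMPLE_LOG = """\
2024-06-12 15:31:59 1aaaa-000001-AA <= news@sender.example H=mx.sender.example [198.51.100.5]:4000 P=esmtps S=1000 T="Offer for you" for alice@local.example
2024-06-12 15:32:00 1aaaa-000001-AA => alice@webmail.example <alice@local.example> R=send_to_smart_host T=remote_smtp H=smtp.smarthost.example [203.0.113.9]
2024-06-12 15:32:00 1aaaa-000001-AA Completed
2024-06-12 15:33:10 1bbbb-000002-BB <= bob@local.example U=bob P=local S=800 for carol@other.example
2024-06-12 15:33:11 1bbbb-000002-BB => carol@other.example R=send_to_smart_host T=remote_smtp H=smtp.smarthost.example [203.0.113.9]
2024-06-12 15:34:00 1cccc-000003-CC <= promo@spammy.example H=mail.spammy.example [198.51.100.7]:5000 P=esmtps S=2000 for alice@local.example
2024-06-12 15:34:01 1cccc-000003-CC ** alice@webmail.example <alice@local.example> R=send_to_smart_host T=remote_smtp H=smtp.smarthost.example [203.0.113.9]: SMTP error from remote mail server after end of data: 552 5.2.0 blocked
2024-06-12 15:35:00 1dddd-000004-DD <= news@sender.example H=mx.sender.example [198.51.100.5]:4001 P=esmtps S=900 for dave@local.example
2024-06-12 15:35:01 1dddd-000004-DD => dave@local.example <dave@local.example> R=virtual_user T=dovecot_virtual_delivery
"""

# "<=" arrival line: id, envelope sender, the H=/U=/P=... fields, and the recipients after "for".
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*) for (?P<rcpts>.+)$")
# "=>" (delivered) or "**" (failed) line: final address, optional <original recipient>, then R=/T=/H=.
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|\*\*) (?P<dest>\S+)(?: <(?P<orig>[^>]+)>)? (?P<rest>.*)$")


def find_forwards(log_text):
    """Count, per local mailbox, messages that arrived from a remote host (H=) and were
    then handed to the remote_smtp transport, i.e. forwarded back out through the smarthost."""
    remote_arrivals = set()  # message ids whose "<=" line carries an H= (remote origin)
    forwards = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)  # an arrival line always precedes its delivery lines
        if m:
            if re.search(r"(?:^|\s)H=", m.group("rest")):
                remote_arrivals.add(m.group("id"))
            continue
        d = DELIVERY.match(line)
        if d and d.group("id") in remote_arrivals and "T=remote_smtp" in d.group("rest"):
            # The <original> address is the local mailbox whose forwarder produced the
            # outbound copy; fall back to the destination when Exim does not print one.
            forwards[d.group("orig") or d.group("dest")] += 1
    return forwards


if __name__ == "__main__":
    for mailbox, count in find_forwards(SAMPLE_LOG).most_common():
        print(f"{count:6d}  {mailbox}")
```

Run against the real `/var/log/exim_mainlog` (read the file instead of `SAMPLE_LOG`), a mailbox with a large count is a forwarder re-emitting inbound spam, not necessarily a compromised account.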
Hi and thanks for the advice, I will do as you suggest.
"and that email got sent through your Smarthost. Is that right?" - yes.
Thanks again,
Phil.