Discussion in 'E-mail Discussion' started by daveboulter42, Jan 11, 2018.

  1. daveboulter42

    daveboulter42 Member

    Oct 20, 2014
    cPanel Access Level: Reseller Owner

    I am getting a lot of these emails. Should there be a user called smtp@?


    Time:  Fri Jan 12 06:56:07 2018 +1100
    Type:  AUTHRELAY, Remote IP - (CN/China/-)
    Count: 150 emails relayed
    Blocked: No
    Sample of the first 10 emails:
    2018-01-12 06:55:41 1eZiwu-0003wr-VW <= [EMAIL][/EMAIL] H=(User) []:59943 P=esmtpa S=1319 T="DRINGEND" for [EMAIL]-- Removed -[/EMAIL] [EMAIL]- Removed -[/EMAIL]
    - Removed -
    #1 daveboulter42, Jan 11, 2018
    Last edited by a moderator: Jan 11, 2018
  2. rpvw

    rpvw Well-Known Member

    Jul 18, 2013
    cPanel Access Level: Root Administrator
    The alerts you are getting appear to be generated by CSF/LFD.

    I would not have expected to see a mail account that was smtp@ but addresses are easily spoofed by scripts.

    You may like to review this thread and see if it has anything that might help you.

    SOLVED - Difference between alerts?

    Personally, I would be doing a lot of investigation into the account (domain) that is sending the mails, to try and establish if it has been compromised in any way, or if any deployed software (eg CMS) is being leveraged as a mass mailer.

    Let's have a closer look at the parts of the log:
    <= Indicates the arrival of a message for incoming mail
    H= Represents the host: H=localhost ( []:39753 5.1) H=mail.fictional.example [] U=exim 6) I=[]:25
    P= This is the return_path_on_delivery: The return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.
    A= If A= is present, then SMTP AUTH was used for the delivery.
    S= Is the delivery size of the message
    T= The relay used to transmit the message. Example: T=remote_smtp T=local_delivery

    You may need to enlist the help of the server administrator if your reseller privileges don't give you enough access to the various log files you will probably need to check to pin this down.

    Hope this helps
    cPanelMichael likes this.
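The following is an added example, not code from any poster in this thread or from cPanel or CSF: it tallies authenticated arrival (`<=`) lines per login, which is one way to start the investigation into the sending account that the post above recommends. It assumes lines in Exim's main-log format carrying an `A=authenticator:login` field; the sample lines, addresses, IPs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Exim main-log format; addresses and IPs are made up.
SAMPLE_LOG = """\
2018-01-12 06:55:41 1eZiwu-0003wr-VW <= smtp@example.com H=(User) [203.0.113.7]:59943 P=esmtpa A=dovecot_login:smtp@example.com S=1319 T="DRINGEND" for a@example.net b@example.net
2018-01-12 06:55:43 1eZiww-0003wt-1A <= smtp@example.com H=(User) [203.0.113.7]:59950 P=esmtpa A=dovecot_login:smtp@example.com S=1322 T="Waiting for you" for c@example.net
2018-01-12 06:55:44 1eZiwx-0003wu-2B <= smtp@example.com H=(User) [198.51.100.9]:41022 P=esmtpa A=dovecot_login:smtp@example.com S=1320 T="DRINGEND" for d@example.net
2018-01-12 06:56:02 1eZixF-0003x0-3C <= bob@example.org H=mail.example.org [192.0.2.25]:52110 P=esmtps S=2048 T="Invoice" for dave@example.com
2018-01-12 06:56:03 1eZiwu-0003wr-VW => a@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.80]
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
SUBJECT = re.compile(r'T="(?:[^"\\]|\\.)*"')  # quoted subject; may itself contain " for "
AUTH = re.compile(r"\bA=(?P<mech>[^:\s]+):(?P<login>\S+)")
REMOTE_IP = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?")
RCPTS = re.compile(r" for (?P<rcpts>.+)$")

def summarize_auth_relay(log_text):
    """Per authenticated login: message count, recipient count, source IPs, envelope senders."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set(), "senders": set()})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # not an arrival ("<=") line
        rest = SUBJECT.sub("", m["rest"])  # drop the subject so its text cannot be misparsed
        auth = AUTH.search(rest)
        if not auth:
            continue  # received without SMTP AUTH
        entry = stats[auth["login"]]
        entry["messages"] += 1
        entry["senders"].add(m["sender"])
        ip = REMOTE_IP.search(rest)
        if ip:
            entry["ips"].add(ip["ip"])
        rcpts = RCPTS.search(rest)
        if rcpts:
            entry["recipients"] += len(rcpts["rcpts"].split())
    return dict(stats)

def logins_over_threshold(stats, min_messages):
    """Logins that relayed at least min_messages messages, busiest first."""
    hits = [(s["messages"], login) for login, s in stats.items() if s["messages"] >= min_messages]
    return [login for _, login in sorted(hits, reverse=True)]

if __name__ == "__main__":
    for login, s in summarize_auth_relay(SAMPLE_LOG).items():
        print(login, s["messages"], s["recipients"], sorted(s["ips"]))
```

A single login authenticating from several unrelated remote IPs in a short window points to a stolen mailbox password rather than a spoofed address, and the usual first response is to reset that mailbox's password.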
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    cPanel Access Level: Root Administrator

    The previous post should help. Let us know if you have any additional questions.

    Thank you.