
AUTHRELAY emails

Discussion in 'E-mail Discussion' started by daveboulter42, Jan 11, 2018.

  1. daveboulter42

    daveboulter42 Member

    Joined:
    Oct 20, 2014
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Hi,

    I am getting a lot of these emails. Should there be a user called smtp@?

    Thanks

    /daveb
    Code:
    Time:  Fri Jan 12 06:56:07 2018 +1100
    
    Type:  AUTHRELAY, Remote IP - 61.177.248.202 (CN/China/-)
    
    Count: 150 emails relayed
    
    Blocked: No
    
    
    Sample of the first 10 emails:
    
    
    2018-01-12 06:55:41 1eZiwu-0003wr-VW <= smtp@example.com.au H=(User) [61.177.248.202]:59943 P=esmtpa A=dovecot_login:smtp@example.com.au S=1319 T="DRINGEND" for - Removed - - Removed -
    
    - Removed -
    
     
    #1 daveboulter42, Jan 11, 2018
    Last edited by a moderator: Jan 11, 2018
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    981
    Likes Received:
    384
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    The alerts you are getting appear to be generated by CSF/LFD

    I would not have expected to see a mail account that was smtp@ but addresses are easily spoofed by scripts.

    You may like to review this thread and see if it has anything that might help you.

    SOLVED - Difference between alerts?

    Personally, I would be doing a lot of investigation into the account (domain) that is sending the mails, to try and establish if it has been compromised in any way, or if any deployed software (eg CMS) is being leveraged as a mass mailer.

    Let's have a closer look at the parts of the log:
    <=  Indicates the arrival of a message for incoming mail.
    H=  Represents the host. Examples: H=localhost (10.5.40.204) [127.0.0.1]:39753 and H=mail.fictional.example [192.168.123.123] U=exim, or I=[127.0.0.1]:25
    P=  This is the return_path_on_delivery: the return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example if routing fails, or if delivery is to /dev/null or to :blackhole:.
    A=  If A= is present, then SMTP AUTH was used for the delivery.
    S=  The delivery size of the message.
    T=  The relay used to transmit the message. Examples: T=remote_smtp, T=local_delivery

    You may need to enlist the help of the server administrator if your reseller privileges don't give you enough access to the various log files you will probably need to check to pin this down.

    Hope this helps
     
    cPanelMichael likes this.
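As an added example (not code from the thread or from cPanel/CSF), the small parser below shows how the tagged fields in an Exim arrival line like the one quoted in the alert (the `<=` sender, the `H=` host and IP, and the `P=`, `A=`, `S=` and `T=` tags) can be pulled apart and counted per authenticated account and remote IP, which is the same grouping the AUTHRELAY alert reports. The log lines are constructed to match the shape of the redacted sample above; the addresses, message IDs and the threshold of three messages are assumptions chosen for the demonstration, not values from the original post.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the redacted Exim "<=" line in the
# CSF/LFD AUTHRELAY alert quoted above. Addresses and message IDs are made up.
SAMPLE_LOG = """\
2018-01-12 06:55:41 1eZiwu-0003wr-VW <= smtp@example.com.au H=(User) [61.177.248.202]:59943 P=esmtpa A=dovecot_login:smtp@example.com.au S=1319 T="DRINGEND" for victim1@example.net
2018-01-12 06:55:42 1eZiwv-0003wt-Ab <= smtp@example.com.au H=(User) [61.177.248.202]:59944 P=esmtpa A=dovecot_login:smtp@example.com.au S=1320 T="DRINGEND" for victim2@example.net
2018-01-12 06:55:43 1eZiww-0003wv-Cd <= smtp@example.com.au H=(User) [61.177.248.202]:59945 P=esmtpa A=dovecot_login:smtp@example.com.au S=1318 T="DRINGEND" for victim3@example.net
2018-01-12 06:57:10 1eZiyF-0003x1-Ef <= alice@example.com.au H=(laptop) [192.0.2.10]:51234 P=esmtpsa A=dovecot_login:alice@example.com.au S=2410 T="Invoice" for bob@example.org
2018-01-12 06:58:02 1eZizA-0003x9-Gh <= bounce@example.org H=mail.example.org [198.51.100.5]:25 P=esmtps S=880 T="Re: hello" for alice@example.com.au
"""

# Fixed prefix of an arrival line: timestamp, message id, "<=", sender,
# then H=<host> [<ip>] with an optional :port.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? "
    r"(?P<rest>.*)$"
)
# Remaining single-letter tags (P=, A=, S=, T=, ...); a value is either a
# double-quoted string or a run of non-whitespace.
TAG_RE = re.compile(r'(?<!\S)(?P<tag>[A-Z])=(?P<val>"[^"]*"|\S+)')
RCPT_RE = re.compile(r"\bfor (?P<rcpt>\S+)$")


def parse_arrival(line):
    """Return a dict of fields for one Exim '<=' line, or None if it is not one."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    rest = m.group("rest")
    for t in TAG_RE.finditer(rest):
        rec[t.group("tag")] = t.group("val").strip('"')
    # A= carries "<authenticator>:<login name>", e.g. dovecot_login:smtp@...
    if "A" in rec:
        method, _, user = rec["A"].partition(":")
        rec["auth_method"] = method
        rec["auth_user"] = user
    r = RCPT_RE.search(rest)
    if r:
        rec["recipient"] = r.group("rcpt")
    return rec


def count_auth_relays(log_text):
    """Count authenticated submissions per (login name, remote IP)."""
    per_key = Counter()
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec.get("auth_user"):
            per_key[(rec["auth_user"], rec["ip"])] += 1
    return per_key


def flag_relays(log_text, threshold=3):
    """Return (login, ip, count) entries at or above the threshold,
    largest count first. Unauthenticated arrivals are never flagged."""
    flagged = [
        {"user": user, "ip": ip, "count": n}
        for (user, ip), n in count_auth_relays(log_text).items()
        if n >= threshold
    ]
    return sorted(flagged, key=lambda e: -e["count"])


if __name__ == "__main__":
    for entry in flag_relays(SAMPLE_LOG):
        print(f"{entry['user']} relayed {entry['count']} messages from {entry['ip']}")
```

Running the block on the constructed sample reports the smtp@ login submitting three messages from the one Chinese IP, while the genuine user's single submission and the unauthenticated inbound message from another server are left alone. On a real server the same function can be pointed at /var/log/exim_mainlog to see which login name the alert is about, which is the account rpvw suggests investigating.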
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,961
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The previous post should help. Let us know if you have any additional questions.

    Thank you.
     