daveboulter42
Member, joined Oct 20, 2014
cPanel Access Level: Reseller Owner
Hi,

I am getting a lot of these emails. Should there be a user called [email protected]?

Thanks

/daveb
Code:
Time:  Fri Jan 12 06:56:07 2018 +1100
Type:  AUTHRELAY, Remote IP - 61.177.248.202 (CN/China/-)
Count: 150 emails relayed
Blocked: No

Sample of the first 10 emails:

2018-01-12 06:55:41 1eZiwu-0003wr-VW <= [email protected] H=(User) [61.177.248.202]:59943 P=esmtpa A=dovecot_login:[email protected] S=1319 T="DRINGEND" for - Removed - - Removed -

- Removed -

rpvw
Well-Known Member, joined Jul 18, 2013, UK
cPanel Access Level: Root Administrator
The alerts you are getting appear to be generated by CSF/LFD.

I would not have expected to see a mail account that was [email protected] but addresses are easily spoofed by scripts.

You may like to review this thread and see if it has anything that might help you.

SOLVED - Difference between alerts?

Personally, I would be doing a lot of investigation into the account (domain) that is sending the mails, to try and establish if it has been compromised in any way, or if any deployed software (eg CMS) is being leveraged as a mass mailer.

Let's have a closer look at the parts of the log:

<= Indicates the arrival of a message for incoming mail
H= Represents the host. Examples: H=localhost (10.5.40.204) [127.0.0.1]:39753; H=mail.fictional.example [192.168.123.123] U=exim; I=[127.0.0.1]:25
P= This is the return_path_on_delivery: the return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.
A= If A= is present, then SMTP AUTH was used for the delivery.
S= Is the delivery size of the message
T= The relay used to transmit the message. Examples: T=remote_smtp, T=local_delivery

You may need to enlist the help of the server administrator if your reseller privileges don't give you enough access to the various log files you will probably need to check to pin this down.

Hope this helps
 
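As an added example (not the OP's, rpvw's, cPanel's or CSF's code), here is a small triage script for the kind of Exim arrival lines quoted in the alert. It reads the tags the way they appear in the posted line, where P=esmtpa is the submission protocol (ESMTP with SMTP AUTH), A=dovecot_login:<account> names the mailbox whose credentials were used, S= is the size and T= the subject, and then counts authenticated submissions per account and remote IP, which is the pairing the LFD AUTHRELAY alert reports as Count. Assumptions: the log path /var/log/exim_mainlog and the csf.conf setting name RT_AUTHRELAY_LIMIT are mine, and every sample log line is constructed (addresses invented, the attacker IP copied from the alert, the other IPs from RFC 5737 documentation ranges).

```python
"""Triage of Exim '<=' (message arrival) lines behind a CSF/LFD AUTHRELAY alert.
Added example, not code from this thread, cPanel or CSF. Assumed: the log path
used below and the tag meanings of the posted arrival line (P= protocol, esmtpa
being authenticated ESMTP; A= authenticator:account; S= size; T= subject).
"""
import re
from collections import Counter, defaultdict

# Fixed prefix: timestamp, message id, '<=', sender, H=host [ip] and optional :port
_PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.+?) \[(?P<ip>[0-9A-Fa-f.:]+)\](?::(?P<port>\d+))?(?P<rest>.*)$"
)
# Remaining KEY=value tags; only T="..." is quoted and may contain spaces
_TAG_RE = re.compile(r'(?P<key>[A-Za-z]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample modelled on the posted line: addresses made up, attacker IP
# from the alert, the other IPs from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-01-12 06:55:41 1eZiwu-0003wr-VW <= hijacked@example.com H=(User) [61.177.248.202]:59943 P=esmtpa A=dovecot_login:hijacked@example.com S=1319 T="DRINGEND" for victim1@example.net
2018-01-12 06:55:42 1eZiwv-0003ws-AB <= hijacked@example.com H=(User) [61.177.248.202]:59944 P=esmtpa A=dovecot_login:hijacked@example.com S=1320 T="DRINGEND" for victim2@example.net victim3@example.net
2018-01-12 06:55:43 1eZiww-0003wt-CD <= hijacked@example.com H=(User) [61.177.248.202]:59945 P=esmtpa A=dovecot_login:hijacked@example.com S=1318 T="DRINGEND" for victim4@example.net
2018-01-12 06:57:10 1eZixx-0003wu-EF <= alice@example.com H=laptop.lan (alice-pc) [198.51.100.7]:52011 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:alice@example.com S=2048 id=<1@laptop.lan> T="Re: invoice" for bob@example.org
2018-01-12 06:58:00 1eZiyy-0003wv-GH <= <> H=mx.example.org [203.0.113.9]:25 P=esmtp S=4096 T="Delivery failure" for alice@example.com
2018-01-12 06:58:30 1eZizz-0003ww-IJ <= news@example.net H=mail.example.net [203.0.113.10] P=esmtps S=512 for alice@example.com
"""


def parse_arrival(line):
    """Parse one '<=' line into a dict; return None for any other log line."""
    m = _PREFIX_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    tags, end = {}, 0
    for t in _TAG_RE.finditer(m["rest"]):
        val = t["val"]
        tags[t["key"]] = val[1:-1] if val.startswith('"') else val
        end = t.end()
    tail = m["rest"][end:].split()          # what follows the last tag: 'for a@x b@y'
    method, _, account = tags.get("A", "").partition(":")
    return {
        "timestamp": m["ts"], "msgid": m["msgid"], "sender": m["sender"],
        "host": m["host"], "ip": m["ip"],
        "port": int(m["port"]) if m["port"] else None,
        "protocol": tags.get("P"),
        "size": int(tags["S"]) if "S" in tags else None,
        "subject": tags.get("T"),
        "auth_method": method or None,
        "auth_account": account or None,
        "recipients": tail[1:] if tail[:1] == ["for"] else [],
    }


def summarize(lines):
    """Per (authenticated account, remote IP): count, distinct recipients and
    a subject histogram. Unauthenticated arrivals (no A= tag) are skipped."""
    stats = defaultdict(lambda: {"count": 0, "recipients": set(), "subjects": Counter()})
    for line in lines:
        rec = parse_arrival(line)
        if rec is None or rec["auth_account"] is None:
            continue
        s = stats[(rec["auth_account"], rec["ip"])]
        s["count"] += 1
        s["recipients"].update(rec["recipients"])
        if rec["subject"] is not None:
            s["subjects"][rec["subject"]] += 1
    return dict(stats)


def flag_relays(lines, limit):
    """(account, ip) pairs with at least `limit` authenticated submissions, the
    pairing LFD reports as Count; the real threshold lives in csf.conf
    (RT_AUTHRELAY_LIMIT, setting name assumed)."""
    flagged = {}
    for key, s in summarize(lines).items():
        if s["count"] >= limit:
            top = s["subjects"].most_common(1)
            flagged[key] = {"count": s["count"],
                            "distinct_recipients": len(s["recipients"]),
                            "top_subject": top[0][0] if top else None}
    return flagged


if __name__ == "__main__":
    import sys
    # Usage: python3 authrelay_triage.py [/var/log/exim_mainlog]; no argument runs the sample.
    # Rough shell equivalent: grep -o 'A=dovecot_login:[^ ]*' /var/log/exim_mainlog | sort | uniq -c | sort -rn
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines, limit = fh.read().splitlines(), 100
    else:
        lines, limit = SAMPLE_LOG.splitlines(), 3   # low limit so the sample trips it
    for (account, ip), info in flag_relays(lines, limit).items():
        print(f"{account} via {ip}: {info['count']} msgs to {info['distinct_recipients']} "
              f"recipients, subject {info['top_subject']!r}")
```

On the constructed sample the script reports one pair: the invented mailbox authenticating 150-style bursts from 61.177.248.202 with a single repeated subject, while alice's one TLS submission from her own network and the two unauthenticated inbound messages are ignored. That is the shape of the posted alert: the A=dovecot_login value is the mailbox that presented valid credentials, so if that account is not one you deliberately created, or it is one but the sending IP is not somewhere its owner logs in from, treat the password as compromised and change it before looking for the script or CMS rpvw mentions.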

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
Hello,

The previous post should help. Let us know if you have any additional questions.

Thank you.