SOLVED Difference between alerts?

Discussion in 'E-mail Discussions' started by kabatak, Oct 15, 2017.

  1. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    95
    Likes Received:
    3
    Trophy Points:
    58
    1. What's the difference between:

    RELAY Alert
    LOCALHOSTRELAY Alert
    AUTHRELAY Alert
    LOCALRELAY Alert

    2. I am currently getting "RELAY Alert" presumably from a compromised account, however even after changing the email account's password the alert keeps on happening, any suggestions?
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Your Relay Alert is probably from an external account, so changing your receiving account password is unlikely to help.

    From the .knownhost.com/wiki/security/csf-lfd/notifications
    Common Notifications from CSF/LFD
     
    #2 rpvw, Oct 15, 2017
    Last edited by a moderator: Oct 15, 2017
  3. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    95
    Likes Received:
    3
    Trophy Points:
    58
    This is confusing, if Relay Alert is incoming emails from an external server then does that mean there's nothing we can do about it?

    BTW here's the alert I got:

    Code:
    Time:  Sun Oct 15 13:57:02 2017 +0800
    Type:  RELAY, Remote IP - 111.179.74.55 (CN/China/-)
    Count: 101 emails relayed
    Blocked: No
    
    Sample of the first 10 emails:
    
    
    2017-10-15 13:00:46 1e3b2b-003reZ-Rs <= 541275877@qq.com H=(jsgh.org) [111.179.74.55]:52973 P=smtp S=1085 id=be571a8de1a396fb496fb6e21f7044a1@qq.com T="" for info@example.com
    2017-10-15 13:01:18 1e3b38-003rfy-6j <= 413494655@qq.com H=(mail.10000hotel.cn) [111.179.74.55]:53129 P=smtp S=1257 id=16e7f38d8fef2b3bfcf37f242857b1fe@qq.com T="" for info@example.com
    2017-10-15 13:01:48 1e3b3b-003riz-Rj <= 58076895@qq.com H=(xinyiglass.com) [111.179.74.55]:53282 P=smtp S=1094 id=b4849d2f51548844625f5c2d313641a2@qq.com T="" for info@example.com
    2017-10-15 13:02:19 1e3b47-003rl5-6g <= 104172241@qq.com H=(seuic.com) [111.179.74.55]:53437 P=smtp S=1226 id=6b01c38dea002540d7ad63ca3a117a77@qq.com T="" for info@example.com
    2017-10-15 13:02:51 1e3b4d-003rn0-Ep <= 253655513@qq.com H=(huayechuchen.com) [111.179.74.55]:53592 P=smtp S=1254 id=30380ba90e46c810ca14425c04676d43@qq.com T="" for info@example.com
    2017-10-15 13:03:54 1e3b5e-003rqP-FF <= 316467386@qq.com H=(venice666.com) [111.179.74.55]:53900 P=smtp S=1243 id=0cecfa957a2df88f50835795162264f9@qq.com T="" for info@example.com
    ....
    
    Note: example.com is a Cpanel account in our server while qq.com and the other domains are not from our server. What do you make of it?
     
    #3 kabatak, Oct 15, 2017
    Last edited by a moderator: Oct 15, 2017
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Your alert is being triggered by over 100 emails (101) in the past hour from the qq.com domain (note that all the user-names before the @ are just random numbers) being received by your server for delivery to your email user info@example.com.

    In the sample you posted - the mails are being sent from the IP 111.179.74.55 which is reported to be in China, and which may not necessarily have anything to do with the qq.com domain, the sender domain is trivial to spoof.

    It is likely that a script is running on, or through, the server or device that is using the IP 111.179.74.55.

    This device may be a genuine mail-server that has been compromised by a script, or that has had an email account compromised, or it may be any device connected to the internet that is being levered for bulk mail, either knowingly, or because it has been exploited.

    There is little you can do other than to block all mails from qq.com and/or from the IP that you are seeing. However, the spammers usually rapidly change both their IPs and their spoofed domains, so you may be chasing them for some time!

    The recommended way to limit the impact of this type of spam (which is almost email ddos) is to enable greylisting to eliminate non genuine mail-servers from getting through, and by configuring your CSF to suit your hardware environment and your clients. You may want to adjust the CSF configuration Relay Tracking section to trigger on a lower setting and to block for longer periods. If you do change settings, monitor the results carefully to ensure you are not getting too many false positives that block genuine mail senders.

    Take note that the default setting for CSF 'Relay' is to NOT block incoming mails, but rather to just send you an alert that something unusual is happening.

    Remember that bulk spam you receive because some user somewhere had their email account, server, or device hacked or compromised (however they achieved it) is a constant reminder to you to ensure both you, and your clients, follow best practices and set passwords that are non-dictionary and not trivial to guess. o_O
     
    #4 rpvw, Oct 15, 2017
    Last edited: Oct 15, 2017
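    The counting rpvw describes (more than 100 messages from one remote IP in an hour, all handed to a local mailbox) can be reproduced directly against Exim's main log. The Python below is an added example, not code from this thread, from cPanel or from CSF. It assumes the Exim "<=" (message received) line layout shown in kabatak's sample in post #3, a threshold of 100 messages per sliding one-hour window (the figures quoted in the alert, not necessarily CSF's exact comparison), and a constructed log built from documentation IP ranges. It goes one step beyond the post by also listing the distinct HELO names each IP announces, which is the "sending host is not the domain it claims to be" pattern rpvw points out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim main-log "<=" line as it appears in the thread's sample:
#   2017-10-15 13:00:46 1e3b2b-003reZ-Rs <= user@dom H=(helo) [ip]:port P=smtp S=1085 id=... T="" for rcpt
# The optional host before "(helo)" covers the H=hostname (helo) [ip] variant.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<host>[^\s(]+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"P=(?P<proto>\S+) S=(?P<size>\d+) (?:id=(?P<id>\S+) )?(?:T=\"(?P<subject>[^\"]*)\" )?"
    r"for (?P<rcpts>.+)$"
)


def parse_received(line):
    """Return a dict of the fields of one '<=' log line, or None for any other line."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rcpts"] = rec["rcpts"].split()
    return rec


def relay_alerts(lines, threshold=100, window=timedelta(hours=1)):
    """Map each remote IP to the largest number of messages it delivered inside any
    `window`-long span, for IPs where that number exceeds `threshold` (sliding window)."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_received(line)
        if rec:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop timestamps older than the window
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            alerts[ip] = best
    return alerts


def helo_names(lines):
    """Distinct HELO names offered per remote IP; many unrelated names from one IP is
    the forgery pattern rpvw describes."""
    names = defaultdict(set)
    for line in lines:
        rec = parse_received(line)
        if rec:
            names[rec["ip"]].add(rec["helo"])
    return {ip: sorted(helos) for ip, helos in names.items()}


def build_sample_log():
    """Constructed log: 101 messages in 50 minutes from one IP with rotating HELO names
    and numeric sender local parts, plus three ordinary messages from a second IP.
    Addresses are documentation ranges (RFC 5737), not real hosts."""
    base = datetime(2017, 10, 15, 13, 0, 0)
    lines = []
    for i in range(101):
        ts = base + timedelta(seconds=30 * i)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} 1e3b2b-{i:06d}-Rs <= {100000000 + i}@example.net "
            f"H=(host{i % 7}.example) [192.0.2.10]:{50000 + i} P=smtp S=1085 "
            f"id=m{i}@example.net T=\"\" for info@example.com"
        )
    for minute in (5, 20, 40):
        ts = base + timedelta(minutes=minute)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} 1e3c00-00{minute:04d}-Aa <= alice@example.org "
            f"H=mx.example.org (mail.example.org) [198.51.100.7]:25 P=esmtp S=2048 "
            f"id=x{minute}@example.org T=\"hello\" for info@example.com"
        )
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, count in relay_alerts(SAMPLE_LOG).items():
        print(f"RELAY: {ip} delivered {count} messages within one hour; "
              f"HELO names: {', '.join(helo_names(SAMPLE_LOG)[ip])}")
```

Run against a real `/var/log/exim_mainlog` by feeding the file's lines to `relay_alerts`; lines that are not "<=" receipts (deliveries, rejects, authentication failures) are ignored by the parser, so the count reflects accepted inbound messages only, which is what the thread's alert reports.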
  5. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    95
    Likes Received:
    3
    Trophy Points:
    58
    @rpvw Thanks. Is it safe to say that no email account is compromised within our server? Because I've changed cPanel and email passwords already, and still emails keep coming. Also, the public_html folder of the cPanel account has no malicious scripts (just a basic HTML page).

    I have enabled Cpanel Greylisting, seems to catch it (the reports tab is flooded with that IP 111.179.74.55).

    How do I block the offending external IP 111.179.74.55 from ever sending email to us on a system level?
     
  6. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I think it is unlikely that your email account is currently compromised. (But keep checking, anything can happen in the future :-D )

    You can use the Exim Blacklist to refuse all SMTP traffic from an IP
    WHM >> Service Configuration >> Exim Configuration Manager
    Basic Editor
    Access Lists
    Blacklisted SMTP IP addresses (IP addresses from which SMTP connections are dropped unconditionally)
     
    kabatak likes this.
  7. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    I'm glad to see @rpvw was able to help. It's also worth noting these alerts are not from cPanel, but from the 3rd-party firewall CSF (ConfigServer Community Forum - Index page). You may find more detailed assistance directly in their forums.
     