Email sending as root - possible solutions.

crystalfat

Member
Mar 3, 2015
7
0
1
cPanel Access Level
Root Administrator
Hi there,

I wonder if anyone could point me in the right direction. Yes, I have read the prevent-abuse doc, but I fear a compromise may already have taken place.

Here is what I have so far:

On the mail delivery reports there are two emails trying to send from the root user every 8 mins.
At first I thought, because it was getting deferred, it was just retrying, but it seems as though it gets rejected first and then deferred. There is no sign of it in the Mail Queue Manager.

Any advice is appreciated.
Please find the log below:

Code:
Event: defer warning
Sender User: root
Sender Domain:
Sender: [email protected]
Sent Time: Mar 5, 2015 8:42:08 AM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 0
Recipient: [email protected]
Delivered To:
deliveryuser:
deliverydomain:
Router: lookuphost
Transport: remote_smtp
Out Time: Mar 5, 2015 8:42:08 AM
ID: 1YTRMI-00056c-2i
Delivery Host:
Delivery IP:
Size: 802 bytes
Result: remote host address is the local host
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

Are you able to determine the source of the message by reviewing /var/log/exim_mainlog for messages coming from "root"?

Thank you.
 

crystalfat
> Hello :)
>
> Are you able to determine the source of the message by reviewing /var/log/exim_mainlog for messages coming from "root"?
>
> Thank you.
Thank you for the response.
I am not well versed enough to search for a string in what I assume will be a huge file.
I did try to locate the message details using the ID; however, the message had been deleted. When the message is sent it is deferred for a retry, and then when retried it is deleted. It doesn't seem to log.
 

cPanelMichael
You can use the "exigrep" utility to search /var/log/exim_mainlog. EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Thank you.
 

crystalfat
This is what I got from the mainlog. It

Code:
2015-03-05 18:37:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YTaeT-0000Ho -O2

2015-03-05 18:37:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1YTaeT-0000Ho-O2

2015-03-05 18:37:42 1YTaeT-0000Ho-O2 <= [email protected] U=root P=local S=777 T="lfd on Vps.mydomain.com: SSH login alert for user root from 82.17.147.242 (GB/United" for root
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 remote host address is the local host: vps.mydomain.com
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 == [email protected] R=lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 ** [email protected]: retry timeout exceeded
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 Completed

2015-03-05 18:37:42 1YTaeU-0000I7-DI <= <> R=1YTaeT-0000Ho-O2 U=mailnull P=local S=1730 T="Mail delivery failed: returning message to sender" for [email protected] mydomain.com
2015-03-05 18:37:42 1YTaeU-0000I7-DI remote host address is the local host: vps.mydomain.com
2015-03-05 18:37:42 1YTaeU-0000I7-DI == [email protected] R=dkim_lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1YTaeU-0000I7-DI ** [email protected]: retry timeout exceeded
2015-03-05 18:37:42 1YTaeU-0000I7-DI [email protected]: error ignored
2015-03-05 18:37:42 1YTaeU-0000I7-DI Completed
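As an added example (not part of this thread or of cPanel's tooling), the script below does what cPanelMichael's exigrep suggestion does for the pattern shown above: it reads exim_mainlog lines, keeps only messages submitted with U=root, records their subject, routers and defer/failure reasons, and flags the ones stuck on "remote host address is the local host". The sample lines are constructed to mirror the excerpt above, with placeholder example.com hostnames.

```python
"""Summarise exim_mainlog entries for mail submitted by one local user."""
import re

# Constructed sample lines modelled on the excerpt in this thread; the
# hostnames and addresses are placeholders, not the poster's real values.
SAMPLE_LOG = """\
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 <= root@vps.example.com U=root P=local S=777 T="lfd on vps.example.com: SSH login alert for user root" for root
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 remote host address is the local host: vps.example.com
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 == root@vps.example.com R=lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 ** root@vps.example.com: retry timeout exceeded
2015-03-05 18:37:42 1YTaeT-0000Ho-O2 Completed
2015-03-05 18:37:42 1YTaeU-0000I7-DI <= <> R=1YTaeT-0000Ho-O2 U=mailnull P=local S=1730 T="Mail delivery failed: returning message to sender" for root@vps.example.com
2015-03-05 18:37:42 1YTaeU-0000I7-DI == root@vps.example.com R=dkim_lookuphost defer (-1): remote host address is the local host
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
# "<=" lines: message arrival; U= is the submitting local user, T= the subject.
ARRIVAL = re.compile(rf"^(?P<ts>\S+ \S+) (?P<id>{MSGID}) <= (?P<sender>\S+) .*?U=(?P<user>\S+) "
                     r'.*?T="(?P<subject>[^"]*)"')
# "==" lines: delivery deferred; "**" lines: delivery failed for good.
DEFER = re.compile(rf"^\S+ \S+ (?P<id>{MSGID}) == (?P<rcpt>\S+) R=(?P<router>\S+) "
                   r"defer \(-?\d+\): (?P<reason>.*)$")
FAIL = re.compile(rf"^\S+ \S+ (?P<id>{MSGID}) \*\* (?P<rcpt>\S+): (?P<reason>.*)$")
LOOP_REASON = "remote host address is the local host"

def summarise(log_text, user="root"):
    """Return {msgid: info} for every message the given local user submitted."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            if m["user"] == user:
                msgs[m["id"]] = {"time": m["ts"], "sender": m["sender"],
                                 "subject": m["subject"], "defers": [], "failures": []}
            continue
        m = DEFER.match(line)
        if m and m["id"] in msgs:
            msgs[m["id"]]["defers"].append((m["rcpt"], m["router"], m["reason"]))
            continue
        m = FAIL.match(line)
        if m and m["id"] in msgs:
            msgs[m["id"]]["failures"].append((m["rcpt"], m["reason"]))
    return msgs

def looping_locally(msgs):
    """IDs that deferred because the recipient host resolved to this very server."""
    return [mid for mid, info in msgs.items()
            if any(LOOP_REASON in reason for _, _, reason in info["defers"])]
```

Against a real server, feed it the log file instead of the sample, e.g. `looping_locally(summarise(open("/var/log/exim_mainlog").read()))`; a non-empty result means mail for root is being routed to the server's own hostname with nothing local accepting it, which is exactly the missing-forwarder condition this thread ends on.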
 

cPanelMichael
It looks like this message stems from your LFD application. Is a valid email address configured as the "root" contact address in "WHM Home » Server Contacts » Edit System Mail Preferences"?

Thank you.
 

crystalfat
> It looks like this message stems from your LFD application. Is a valid email address configured as the "root" contact address in "WHM Home » Server Contacts » Edit System Mail Preferences"?
>
> Thank you.
Having checked, I can see there are no forwarders set up for root, nobody or cpanel. I shall correct this now.

Thanks for your help.

Best,
Chris