
I can not figure out this EXIM log entry. Need help with this one.

Discussion in 'E-mail Discussions' started by jols, Aug 11, 2013.

  1. jols

    jols Well-Known Member

    I'm trying to figure out if the email account has been compromised or not.

    I found several lines like the following, from several IPs (from suspicious locations), and all have "Sender verify failed" at the end, but wait... I don't think this is related to received email because a courier_login: command is also in each line:


    2013-08-11 05:26:18 H=(cyericlh) [59.99.227.57]:1413 F=<signup@user-domain.com> A=courier_login:online.purchases@user-domain.com rejected RCPT <my_storie@windowslive.com>: Sender verify failed

    All the email addresses near the end of the log entry are different. So did they break into the email account, try to send a bunch of spam through, get all "Sender verify" failures and then give up, or???
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, that indicates there was an attempt to send an email to a remote mail server from an authenticated sender. The message was rejected because the remote email address could not pass verification. I recommend changing the password of the account to see if the issue continues. The following document may be useful:

    How to: Prevent Email Abuse

    Thank you.
     
  3. jols

    jols Well-Known Member

    Thanks very much for the response.

    Yes, I see that there was a verification issue, but where? On our server, or on the target servers (to where the spam messages were sent, or attempted to be sent)?
     
  4. mtindor

    mtindor Well-Known Member

    WHM --> Exim Configuration Manager --> Basic Editor --> Mail

    Check to see if you have this enabled:

    Sender Verification Callouts

    If you DO have this enabled, you might want to disable it. I think it is disabled by default.

    Do not confuse this with Sender Verification farther down. They are two separate things. I suggest:

    Sender Verification Callouts : Disabled
    Sender Verification : Enabled

    Sender Verification Callouts actually makes a call out to the sender domain's mail exchanger to attempt to see if the sending email address is valid. For various reasons this can fail even if you are sending legitimate mail. For instance, if somebody connects to your mailserver and attempts to send a mail with a FROM address of signup@user-domain.com and you have Sender Verification Callouts enabled, your server will attempt to connect to the mail exchanger for user-domain.com to verify that signup@user-domain.com exists. If it can't connect to the mail exchanger for user-domain.com or the mail exchanger for user-domain.com will not report whether signup@user-domain.com is a valid address, the callout fails and the message will not go through.


    M

    PS: DO check to make sure the entries you are seeing are legitimate senders authenticating. If you do have a hijacked email account and you have Sender Verification Callouts enabled, it actually did help you somewhat to prevent some spam going out. But, that entry could be completely legitimate [i.e. legitimate user sending legitimate mail], and Sender Verification Callouts may be enabled and may be blocking the mail from going through.
     
    #4 mtindor, Aug 13, 2013
    Last edited: Aug 13, 2013
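
Added example, not part of any post in this thread: a Python sketch that parses authenticated RCPT rejections in the format quoted above and groups them by the login in the A= field, showing which accounts were used from many source addresses. Every sample line except the first, the function names and the three-address threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 follows the entry quoted in the thread; the rest
# are made up for illustration and use documentation IP ranges.
SAMPLE_LOG = """\
2013-08-11 05:26:18 H=(cyericlh) [59.99.227.57]:1413 F=<signup@user-domain.com> A=courier_login:online.purchases@user-domain.com rejected RCPT <my_storie@windowslive.com>: Sender verify failed
2013-08-11 05:27:02 H=(abc) [203.0.113.9]:2201 F=<info@user-domain.com> A=courier_login:online.purchases@user-domain.com rejected RCPT <a@example.net>: Sender verify failed
2013-08-11 05:29:40 H=(xyz) [198.51.100.23]:4410 F=<sales@user-domain.com> A=courier_login:online.purchases@user-domain.com rejected RCPT <b@example.org>: Sender verify failed
2013-08-11 06:01:12 H=(laptop) [192.0.2.50]:50123 F=<bob@user-domain.com> A=courier_login:bob@user-domain.com rejected RCPT <c@example.com>: Sender verify failed
2013-08-11 06:05:00 H=mail.example.com [192.0.2.77]:25 F=<x@example.com> rejected RCPT <nobody@user-domain.com>: No such user
"""

# A=<authenticator>:<login> is present only when the SMTP client authenticated.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ "
    r"F=<(?P<sender>[^>]*)> A=(?P<auth>[^:\s]+):(?P<login>\S+) "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

def parse_line(line):
    """Return the fields of an authenticated RCPT rejection, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Group authenticated rejections by login: source IPs, senders, count."""
    accounts = defaultdict(lambda: {"ips": set(), "senders": set(), "rejects": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # unauthenticated inbound traffic or another log type
            continue
        entry = accounts[rec["login"]]
        entry["ips"].add(rec["ip"])
        entry["senders"].add(rec["sender"])
        entry["rejects"] += 1
    return dict(accounts)

def flag_accounts(log_text, min_ips=3):
    """Logins used from at least min_ips distinct addresses (assumed threshold)."""
    return sorted(login for login, e in summarize(log_text).items()
                  if len(e["ips"]) >= min_ips)

if __name__ == "__main__":
    for login, e in summarize(SAMPLE_LOG).items():
        print(login, sorted(e["ips"]), sorted(e["senders"]), e["rejects"])
    print("review:", flag_accounts(SAMPLE_LOG))
```

A login that appears from several unrelated addresses with envelope senders that differ from the login is a candidate for a password change; a single address with a matching sender looks more like an ordinary user hitting the callout failure described in post #4.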