I cannot figure out this Exim log entry. Need help with this one.

jols
I'm trying to figure out if the email account has been compromised or not.

I found several lines like the following, from several IPs (from suspicious locations), and all have "Sender verify failed" at the end, but wait... I don't think this is related to received email because a courier_login: command is also in each line:

2013-08-11 05:26:18 H=(cyericlh) [59.99.227.57]:1413 F=<[email protected]> A=courier_login:eek:[email protected] rejected RCPT <[email protected]>: Sender verify failed

All the email addresses near the end of the log entry are different. So did they break into the email account, try to send a bunch of spam through, get all "Sender verify" failures and then give up, or???

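One way to triage lines like the one above, as an added example that is not part of the original post or of cPanel/Exim: parse the Exim reject-log fields (timestamp, HELO name, connecting IP and port, envelope sender, authenticator and login, recipient, reason) and group the rejections by authenticated login. A single mailbox login seen sending from many unrelated IPs in a short window is the pattern that suggests a stolen password rather than one user on one machine. The log lines, addresses and IPs below are constructed for the example (TEST-NET ranges), and the "more than two IPs is suspicious" threshold is an assumed heuristic, not an Exim or cPanel setting.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the format shown in the thread.
# Addresses and IPs are made up (example.* domains, TEST-NET IP ranges).
SAMPLE_LOG = """\
2013-08-11 05:26:18 H=(cyericlh) [203.0.113.57]:1413 F=<owner@example.net> A=courier_login:owner@example.net rejected RCPT <a@example.org>: Sender verify failed
2013-08-11 05:26:25 H=(cyericlh) [203.0.113.57]:1420 F=<owner@example.net> A=courier_login:owner@example.net rejected RCPT <b@example.org>: Sender verify failed
2013-08-11 05:31:02 H=(pc-home) [198.51.100.9]:4012 F=<owner@example.net> A=courier_login:owner@example.net rejected RCPT <c@example.com>: Sender verify failed
2013-08-11 05:40:11 H=(mx) [192.0.2.77]:2210 F=<owner@example.net> A=courier_login:owner@example.net rejected RCPT <d@example.com>: Sender verify failed
2013-08-11 06:00:00 H=(laptop) [198.51.100.9]:5001 F=<sales@example.net> A=courier_login:sales@example.net rejected RCPT <e@example.com>: Sender verify failed
"""

# Exim "rejected RCPT" line with an authenticated sender.
# H= may carry an optional reverse-DNS host name before the (HELO) part.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"F=<(?P<sender>[^>]*)> "
    r"A=(?P<auth>[^:]+):(?P<login>\S+) "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not an
    authenticated 'rejected RCPT' entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, ip_threshold=2):
    """Group rejections by authenticated login and flag logins that were
    used from more than `ip_threshold` distinct IPs (assumed heuristic)."""
    by_login = defaultdict(lambda: {"ips": set(), "rcpts": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["auth"] != "courier_login":
            continue  # only SMTP-AUTH sessions interest us here
        entry = by_login[rec["login"]]
        entry["ips"].add(rec["ip"])
        entry["rcpts"].add(rec["rcpt"])
        entry["count"] += 1

    report = {}
    for login, e in by_login.items():
        report[login] = {
            "rejections": e["count"],
            "distinct_recipients": len(e["rcpts"]),
            "ips": sorted(e["ips"]),
            "suspicious": len(e["ips"]) > ip_threshold,
        }
    return report


if __name__ == "__main__":
    for login, info in summarize(SAMPLE_LOG).items():
        flag = "CHECK PASSWORD" if info["suspicious"] else "ok"
        print(f"{login}: {info['rejections']} rejections to "
              f"{info['distinct_recipients']} recipients from {info['ips']} -> {flag}")
```

Run it against `/var/log/exim_mainlog` on a cPanel box (for example `grep 'rejected RCPT' /var/log/exim_mainlog | python3 triage.py`, adapting the script to read stdin) and look at the logins flagged as suspicious. The first post's second question is answered by the `ip` field: those are the client addresses that authenticated to your server, so the rejection is happening on your side of the conversation.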

cPanelMichael

Administrator
Hello :)

Yes, that indicates there was an attempt to send an email to a remote mail server from an authenticated sender. The message was rejected because the remote email address could not pass verification. I recommend changing the password of the account to see if the issue continues. The following document may be useful:

How to: Prevent Email Abuse

Thank you.

jols
Thanks very much for the response.

Yes, I see that there was a verification issue, but where? On our server, or on the target servers (to where the spam messages were sent, or attempted to be sent)?


mtindor
WHM --> Exim Configuration Manager --> Basic Editor --> Mail

Check to see if you have this enabled:

Sender Verification Callouts

If you DO have this enabled, you might want to disable it. I think it is disabled by default.

Do not confuse this with Sender Verification farther down. They are two separate things. I suggest:

Sender Verification Callouts : Disabled
Sender Verification : Enabled

Sender Verification Callouts actually makes a call out to the sender domain's mail exchanger to attempt to see if the sending email address is valid. For various reasons this can fail even if you are sending legitimate mail. For instance, if somebody connects to your mail server and attempts to send a mail with a FROM address of [email protected] and you have Sender Verification Callouts enabled, your server will attempt to connect to the mail exchanger for user-domain.com to verify that [email protected] exists. If it can't connect to the mail exchanger for user-domain.com, or the mail exchanger for user-domain.com will not report whether [email protected] is a valid address, the callout fails and the message will not go through.


M

PS: DO check to make sure the entries you are seeing are legitimate senders authenticating. If you do have a hijacked email account and you have Sender Verification Callouts enabled, it actually did help you somewhat to prevent some spam going out. But, that entry could be completely legitimate [i.e. legitimate user sending legitimate mail], and Sender Verification Callouts may be enabled and may be blocking the mail from going through.