Large number of Rejected relay attempts on server

domeneas

cPanel Access Level: Root Administrator
I get a self-made report about a very high sender count on one of my servers:

2019-01-15 16:39:40 H=myserver.com [xxx.xxx.xxx.xxx]:34752 Warning: Sender rate 50099.3 / 1h

I investigate and see that I have a 6-figure amount of "Rejected relay attempts" on the server. In "Mail Delivery Reports" they look like this, all from unknown addresses to unknown addresses.

xxx.xxx.xxx.xxx is my server's IP.

Code:
Event:    rejected rejected
Sender User:    -remote-
Sender Domain:   
From Address:    [email protected]_not_on_my_server.com
Sender:   
Sent Time:    Jan 15, 2019, 5:00:17 PM
Sender Host:    myserver.com
Sender IP:    xxx.xxx.xxx.xxx
Authentication:    unauthorized
Recipient:    [email protected]
Delivered To:   
Delivery User:   
Delivery Domain:    address.com
Router:    reject
Transport:    **rejected**
Out Time:    Jan 15, 2019, 5:00:17 PM
ID:    1gjR8C-000A2e-Am
Delivery Host:    myserver.com
Delivery IP:    xxx.xxx.xxx.xxx
Size:    0 bytes
Result:    Rejected relay attempt: 'xxx.xxx.xxx.xxx' From: '[email protected]_not_on_my_server.com' To: '[email protected]'

I have never seen such a large number of these and am wondering how I can trace it. It seems all the connections are local, so is it a local script I just cannot find through normal means?

I monitor PHP scripts but that report does not show anything close to these numbers.

I can find all the attempts in exim_mainlog but no identifying pieces other than that it's local.

Anyone able to point me in a new direction? Thanks.
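
One way to summarize the "Rejected relay attempt" lines described in the post above, added here as an example and not part of the original post: it groups them by source IP, by connection (IP plus source port), by minute and by envelope domain. The full line layout matched by `LINE_RE`, the function names `summarize` and `domain`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed mainlog layout for a rejected RCPT line. Only the trailing
# "Rejected relay attempt: '<ip>' From: '<a>' To: '<b>'" text and the
# "H=<host> [<ip>]:<port>" prefix appear in the post; the rest is assumed.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) .*?"
    r"Rejected relay attempt: '[^']*' From: '(?P<sender>[^']*)' To: '(?P<rcpt>[^']*)'"
)

def domain(addr):
    """Domain part of an address, lower-cased; '(empty)' for a null sender."""
    return addr.rpartition("@")[2].lower() or "(empty)"

def summarize(lines, top=5):
    """Aggregate rejected relay attempts by source, connection, minute and domain."""
    by_ip, by_minute, senders, rcpts = Counter(), Counter(), Counter(), Counter()
    connections = set()  # (ip, source port) approximates one TCP connection
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # other log lines, e.g. the "Sender rate" warning
        by_ip[m["ip"]] += 1
        by_minute[m["minute"]] += 1
        senders[domain(m["sender"])] += 1
        rcpts[domain(m["rcpt"])] += 1
        connections.add((m["ip"], m["port"]))
    return {
        "total": sum(by_ip.values()),
        "by_ip": by_ip.most_common(top),
        "connections": len(connections),
        "peak_minute": by_minute.most_common(1),
        "sender_domains": senders.most_common(top),
        "rcpt_domains": rcpts.most_common(top),
    }

# Constructed sample lines (documentation IPs and .example domains).
SAMPLE = """\
2019-01-15 17:00:17 H=myserver.example [192.0.2.10]:34752 F=<a@sender.example> rejected RCPT <x@rcpt.example>: Rejected relay attempt: '192.0.2.10' From: 'a@sender.example' To: 'x@rcpt.example'
2019-01-15 17:00:17 H=myserver.example [192.0.2.10]:34752 F=<a@sender.example> rejected RCPT <y@rcpt.example>: Rejected relay attempt: '192.0.2.10' From: 'a@sender.example' To: 'y@rcpt.example'
2019-01-15 17:00:41 H=myserver.example [192.0.2.10]:34760 F=<b@sender.example> rejected RCPT <z@other.example>: Rejected relay attempt: '192.0.2.10' From: 'b@sender.example' To: 'z@other.example'
2019-01-15 17:01:02 H=(mail) [198.51.100.7]:51000 F=<c@third.example> rejected RCPT <x@rcpt.example>: Rejected relay attempt: '198.51.100.7' From: 'c@third.example' To: 'x@rcpt.example'
2019-01-15 17:01:05 H=myserver.example [192.0.2.10]:34752 Warning: Sender rate 50099.3 / 1h
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A low connection count against a high total points to a few long-lived SMTP sessions issuing many RCPT commands, while a count close to the total points to many short connections.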