I get a self-made report about a very high sender count on one of my servers:
2019-01-15 16:39:40 H=myserver.com [xxx.xxx.xxx.xxx]:34752 Warning: Sender rate 50099.3 / 1h
I investigate and see that I have a 6-figure amount of "Rejected relay attempts" on the server. In "Mail Delivery Reports" they look like this, all from unknown addresses to unknown addresses.
xxx.xxx.xxx.xxx is my server's IP.
I have never seen such a large number of these and am wondering how I can trace it. It seems all the connections are local so is it a local script I just cannot find through normal means?
Code:
Event: rejected rejected
Sender User: -remote-
Sender Domain:
From Address: [email protected]_not_on_my_server.com
Sender:
Sent Time: Jan 15, 2019, 5:00:17 PM
Sender Host: myserver.com
Sender IP: xxx.xxx.xxx.xxx
Authentication: unauthorized
Recipient: [email protected]
Delivered To:
Delivery User:
Delivery Domain: address.com
Router: reject
Transport: **rejected**
Out Time: Jan 15, 2019, 5:00:17 PM
ID: 1gjR8C-000A2e-Am
Delivery Host: myserver.com
Delivery IP: xxx.xxx.xxx.xxx
Size: 0 bytes
Result: Rejected relay attempt: 'xxx.xxx.xxx.xxx' From: '[email protected]_not_on_my_server.com' To: '[email protected]'
I monitor PHP scripts but that report does not show anything close to these numbers.
I can find all the attempts in exim_mainlog but no identifying pieces other than it's local.
Anyone able to point me in a new direction? Thanks.