Mysterious login maillog message

epanagio

Well-Known Member
May 26, 2012
50
1
58
cPanel Access Level
Website Owner
I have been alerted of spam being sent from one of my servers and I looked in the /var/log/maillog and saw the following strange messages:

dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

also

dovecot: imap-login: Disconnected (no auth attempts): rip=198.20.99.130, lip=68.233.34.83, TLS: Disconnected

I also saw many, many messages like:

dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86

The following message scares me the most because looks like someone logged in:

dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

HELP!
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
I'm sure someone will correct me if I'm wrong, but iirc the cpanel__service__auth__imap entry is cPanel monitoring the imap service to ensure it is working.

The pop3-login example is an attempt to find accounts to login to / brute force, unrelated to the above.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Yes, those are simply access attempts by Chkservd to ensure the service is running. If you want to determine the source of SPAM, I recommend checking the following log file:

Code:
/var/log/exim_mainlog
You can search this log file using the "exigrep" utility in order to search for specific email addresses or message subjects. It should help you to determine which account the SPAM is originating form.

Thank you.
 

epanagio

Well-Known Member
May 26, 2012
50
1
58
cPanel Access Level
Website Owner
I looked in
/var/log/exim_manlog
and I saw some random email messages that were received from a variety of senders.

I also saw a lot, and I mean a lot of:
2013-09-03 01:55:52 SMTP connection from [202.107.225.31]:56748 lost
2013-09-03 01:55:54 SMTP connection from [202.107.225.31]:57017 (TCP/IP connection count = 1)
2013-09-03 01:55:54 no host name found for IP address 202.107.225.31
2013-09-03 01:55:55 SMTP connection from [202.107.225.31]:57017 lost
2013-09-03 01:55:57 SMTP connection from [202.107.225.31]:57296 (TCP/IP connection count = 1)
I also saw a few
2013-09-03 13:21:45 H=(<my domain name> [198.24.175.151]:1775 F=<[email protected]> rejected RCPT <[email protected]>: Please turn on SMTP Authentication in your mail client. (<my domain name>) [198.24.175.151]:1775 is not permitted to relay through this server without authentication.
2013-09-03 13:21:45 H=(<my domain name>) [198.24.175.151]:1775 Warning: "Detected session with all messages failed"
2013-09-03 13:21:45 H=(<my domain name>) [198.24.175.151]:1775 Warning: "Increment slow_fail_block Ratelimit - (<my domain name>) [198.24.175.151]:1775 because of all messages failed"
2013-09-03 13:21:45 SMTP connection from (<my domain name>) [198.24.175.151]:1775 closed by QUIT
The last message worried me but I am not sure it it is real or not.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
You should search this log for the email address that reported your server as sending out SPAM. Simply viewing the full log is going to output a large amount of data.

Thank you.