
Need help looking at exim log file

Discussion in 'E-mail Discussions' started by n000b, Aug 19, 2007.

  1. n000b

    Hi,

    I've had a report of some spam being sent from my server; this is a line in exim_mainlog for one of the offending messages:

    2007-08-19 15:29:29 1IMdLs-0006cl-U4 <= service@postcards.com H=a62-251-26-148.adsl.xs4all.nl (User) [62.251.26.148] P=esmtpa A=fixed_login:brendan S=2835 T="Notification"


    Does this mean that someone sent the e-mail via SMTP (connecting to my server), using the username "brendan"? If this is true, is the only way to do that if you know the password of the user "brendan"? Is there any other way the person could have sent the spam?

    Thanks :)
     
  2. n000b

    I just noticed another e-mail that was being used to send spam, mail@ws.com. One of the entries looks like:

    2007-08-19 17:02:42 1IMeo6-0005Sg-O4 <= <> R=1IL9kN-0002wh-5B U=mailnull P=local S=31604 T="Mail delivery failed: returning message to sender"
    2007-08-19 17:02:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IMeo6-0005Sg-O4
    2007-08-19 17:02:59 1IMeo6-0005Sg-O4 ** mail@ws.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<mail@ws.com>: host mail.pc-doctor.com [66.224.119.10]: 553 5.3.0 <mail@ws.com>... >mail<@ws.com.
    2007-08-19 17:02:59 1IMeo6-0005Sg-O4 Frozen (delivery error message)
    2007-08-19 17:15:47 1IMeo6-0005Sg-O4 removed by root
    2007-08-19 17:15:47 1IMeo6-0005Sg-O4 Completed



    What does "U=mailnull" indicate? Is there any way that I can track how this was sent?

    Thanks.
     
  3. chirpy

    The latter one is just a bounce message.

    As for the former:
    Yes and Yes, or the PC that "brendan" uses is virus-infected.
     
  4. n000b

    Thanks chirpy, I have changed the user "brendan"'s password, hopefully it doesn't happen again :)

    Regarding the latter e-mail, what should a log entry look like for an e-mail that was sent from mail@ws.com? They sent about 10,000 so there are lots of entries in my log file, and I'm not sure what to look for :)
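The two questions in this thread (was the first message relayed with brendan's login, and which of the 10,000 entries belong to mail@ws.com) are answered by reading exim_mainlog mechanically, so here is an added example that is not from the thread, from cPanel or from Exim itself. In Exim's log format "<=" marks a message arriving, "=>" a delivery and "**" a failed delivery. On an arrival line P=esmtpa means the client authenticated over SMTP and A=authenticator:user names the login it used (fixed_login:brendan above), which is why that line points at a stolen or guessed password rather than an open relay. "<= <>" with U=mailnull is a bounce that Exim generated locally under its own user, and the R= item on that line is the id of the original message that could not be delivered. The script below parses arrival lines and counts them per authenticated login, per login plus client IP, and per envelope sender; the log excerpt is constructed for the example, with only the two lines quoted in this thread taken from it and every other id, host and address invented.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt: the first and sixth lines are the ones
# quoted in the thread, the rest are invented to give the counters something
# to work on. Only "<=" (arrival) lines are parsed; "=>" and "Completed"
# lines are skipped.
SAMPLE_LOG = """\
2007-08-19 15:29:29 1IMdLs-0006cl-U4 <= service@postcards.com H=a62-251-26-148.adsl.xs4all.nl (User) [62.251.26.148] P=esmtpa A=fixed_login:brendan S=2835 T="Notification"
2007-08-19 15:29:31 1IMdLs-0006cl-U4 => someone@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2007-08-19 15:29:31 1IMdLs-0006cl-U4 Completed
2007-08-19 15:30:02 1IMdMR-0006d0-Ab <= service@postcards.com H=a62-251-26-148.adsl.xs4all.nl (User) [62.251.26.148] P=esmtpa A=fixed_login:brendan S=2840 T="Notification"
2007-08-19 15:41:10 1IMdX2-0006fQ-2c <= alice@example.com H=localhost (localhost.localdomain) [127.0.0.1] P=esmtpa A=fixed_login:alice S=1201 T="Re: meeting"
2007-08-19 17:02:42 1IMeo6-0005Sg-O4 <= <> R=1IL9kN-0002wh-5B U=mailnull P=local S=31604 T="Mail delivery failed: returning message to sender"
2007-08-19 17:02:59 1IMeo6-0005Sg-O4 Frozen (delivery error message)
"""

# "<timestamp> <message id> <= <envelope sender> <key=value items...>"
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$'
)
# Single-letter log items; quoted values (T="...") may contain spaces.
TOKEN_RE = re.compile(r'(?P<key>[A-Za-z])=(?P<val>"[^"]*"|\S+)')
# Client address as Exim prints it inside the H= item: [a.b.c.d]
IPV4_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_arrival(line):
    """Parse one '<=' line into a dict; return None for any other line."""
    m = ARRIVAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    auth = fields.get("A")                      # e.g. fixed_login:brendan
    auth_user = auth.split(":", 1)[1] if auth and ":" in auth else None
    ip_match = IPV4_RE.search(rest)
    is_bounce = m.group("sender") == "<>"       # empty envelope sender
    return {
        "id": m.group("id"),
        "timestamp": m.group("ts"),
        "sender": m.group("sender"),
        "is_bounce": is_bounce,
        "bounce_of": fields.get("R") if is_bounce else None,  # original msg id
        "protocol": fields.get("P"),            # esmtpa = authenticated SMTP
        "auth_user": auth_user,
        "local_user": fields.get("U"),          # U=mailnull: locally generated
        "ip": ip_match.group(1) if ip_match else None,
        "size": int(fields["S"]) if fields.get("S", "").isdigit() else None,
        "subject": fields.get("T"),
    }


def summarize(log_text):
    """Count arrivals per authenticated login, per login+IP and per sender."""
    by_auth_user, by_sender, by_auth_ip = Counter(), Counter(), Counter()
    bounces = 0
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        if rec["is_bounce"]:
            bounces += 1            # bounces carry no login; count separately
            continue
        by_sender[rec["sender"]] += 1
        if rec["auth_user"]:
            by_auth_user[rec["auth_user"]] += 1
            if rec["ip"]:
                by_auth_ip[(rec["auth_user"], rec["ip"])] += 1
    return {"by_auth_user": by_auth_user, "by_sender": by_sender,
            "by_auth_ip": by_auth_ip, "bounces": bounces}


def suspicious_auth_users(summary, threshold):
    """Logins that submitted at least `threshold` messages, busiest first."""
    return [(u, n) for u, n in summary["by_auth_user"].most_common()
            if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("arrivals per authenticated login:", dict(s["by_auth_user"]))
    print("arrivals per login and client IP:", dict(s["by_auth_ip"]))
    print("arrivals per envelope sender:    ", dict(s["by_sender"]))
    print("locally generated bounces:       ", s["bounces"])
    print("logins over threshold 2:         ", suspicious_auth_users(s, 2))
```

Run it against the real file with `summarize(open("/var/log/exim_mainlog").read())`: a single login with a high count from a client address the user never connects from is the pattern chirpy's answer describes, and the by_sender counter gives the count for mail@ws.com directly. Keying on the A= login rather than the From address matters because the envelope sender on a spam run is whatever the spammer chose, while the login is the credential that actually has to be reset.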
     