Need help understanding this exim_mainlog entry

Tina

Well-Known Member
Jan 27, 2003
Hi

I have a new joomla website (5 days old) and I use my gmail account as the contact email for the website.

A couple of days ago I received a joomla update email which looks exactly how it's supposed to except for the update website. I think it is spam and I'm trying to figure out if the email was generated from my website or if it came from an outside source.

If it came from an outside source then I want to figure out what the security issue is.

Below is the exim entry but I'm a little confused by the T-value. I think it says that it's incoming but is there a way to know for sure if it was generated by the website?

Code:
[email protected] [/var/log]#  grep "1bVWmn-00006f-I7" exim_mainlog.1

2016-08-05 00:31:05 1bVWmn-00006f-I7 <= [email protected] U=myuserid P=local S=3023 [email protected] T="Joomla! Update available for my site name  \342\200\223 http://www.example.com/" for [email protected]

2016-08-05 00:31:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bVWmn-00006f-I7

2016-08-05 00:31:05 1bVWmn-00006f-I7 SMTP connection outbound 1470371465 1bVWmn-00006f-I7 mydomainname.com [email protected]

2016-08-05 00:31:06 1bVWmn-00006f-I7 => [email protected] R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.28.26] X=TLSv1:AES128-SHA:128 CV=yes C="250 2.0.0 OK 1470371467 kv2si18258208pab.145 - gsmtp"

2016-08-05 00:31:06 1bVWmn-00006f-I7 Completed


Thank you for your insight.
Tina

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
Hi Tina,

There were actually 2 Joomla updates in quick succession on Thursday to 3.8.1 and then again on Friday to 3.8.2.

Official notification may have come to you by a number of sources - Joomla Security center that uses noreply+feedproxy @ google.com as their from address - or you may have notifications from a provisioning platform like Softaculous if you configured your account to receive them.

It is highly unlikely that any official notification would include a reference to (warning do not browse to this address) http : // www dot example dot com / which actually takes you to an Asian porn site, so I would definitely delete the email, but you should look at upgrading your Joomla installations from official sources :cool:

Sorry, realized I hadn't answered about the T value - subject: The subject of the message is added to the arrival log line, preceded by “T=”

And the \342\200\223 is an octal character sequence representing the UTF-8 "en dash" character: octal 342 200 223 is the same as hex e2 80 93

See the exim manual for a full list of codes.

Thank you

Tina

Well-Known Member
Jan 27, 2003
Thank you rpvw,

I did do the upgrade from 3.6.1 to 3.6.2.

Is it possible to know by these log entries if the email was generated by my website or sent from outside the server?
:)

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
It rather looks like the mail was generated on your server, and sent OUT to your Gmail account (<= [email protected]) by your user (U=myuserid)

I can't tell from the data you posted if this was actually generated by the Joomla application, or via some other source. You really need an exim guru to jump onto this topic, they will be able to help you much better than I can :confused:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The following Exim document will help you to decipher /var/log/exim_mainlog when investigating these types of issues:

52. Log files

In particular, the following information will help you to determine if a message is incoming or outgoing:

5. Log line flags
One line is written to the main log for each message received, and for each successful, unsuccessful, and delayed delivery. These lines can readily be picked out by the distinctive two-character flags that immediately follow the timestamp. The flags are:

<= message arrival
=> normal message delivery
-> additional address in same delivery
>> cutthrough message delivery
*> delivery suppressed by -N
** delivery failed; address bounced
== delivery deferred; temporary problem

You should also view the message headers for the message to see if additional information about the source of the message is available.

Thank you.
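To put the two answers above to work (the `<=`/`=>` flags and `U=`/`P=local` versus `H=` on the arrival line, and the `\342\200\223` octal escape in `T=`), here is a small Exim mainlog parser. It is an added example, not code from the thread or from Exim itself; the log lines are constructed to resemble the ones posted, with placeholder addresses and hosts, and the field names come from the Exim log format quoted above.

```python
import re

# Constructed sample lines modelled on the thread's log (placeholder addresses/hosts, not real data).
SAMPLE_LOG = r"""2016-08-05 00:31:05 1bVWmn-00006f-I7 <= webuser@example.com U=webuser P=local S=3023 id=abc@example.com T="Joomla! Update available for my site name  \342\200\223 http://www.example.com/" for owner@gmail.example
2016-08-05 00:31:06 1bVWmn-00006f-I7 => owner@gmail.example R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10] X=TLSv1:AES128-SHA:128 CV=yes C="250 2.0.0 OK"
2016-08-05 00:40:00 1bVWvR-0000A1-Qz <= bounce@example.org H=mail.example.org [198.51.100.7] P=esmtp S=4410 T="Invoice" for webuser@example.com
2016-08-05 00:31:06 1bVWmn-00006f-I7 Completed
"""

# Two-character flags that follow the timestamp and message id (from the Exim manual section quoted above).
FLAGS = {"<=": "arrival", "=>": "delivery", "->": "additional address in same delivery",
         ">>": "cutthrough delivery", "*>": "delivery suppressed by -N",
         "**": "delivery failed; address bounced", "==": "delivery deferred"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) (?P<flag><=|=>|->|>>|\*>|\*\*|==) (?P<addr>\S+) (?P<rest>.*)$")
# KEY=value items; quoted values may contain backslash escapes such as \342.
FIELD_RE = re.compile(r'(?P<key>[A-Z]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))')

def decode_exim_escapes(s):
    """Turn Exim's \\NNN octal byte escapes back into text: \\342\\200\\223 is UTF-8 for an en dash."""
    as_bytes = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)
    return as_bytes.encode("latin-1").decode("utf-8", errors="replace")  # log text itself is ASCII

def parse_line(line):
    """Return a dict for a flagged log line, or None for lines like 'Completed'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"id": m.group("id"), "flag": m.group("flag"), "kind": FLAGS[m.group("flag")], "address": m.group("addr")}
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    if rec["flag"] == "<=" and "T" in rec:      # on arrival lines T= is the subject; on => it is the transport
        rec["subject"] = decode_exim_escapes(rec["T"])
    return rec

def origin(rec):
    """Classify where an arriving message came from: local submission (U=/P=local) or a remote host (H=)."""
    if rec["flag"] != "<=":
        return None
    if rec.get("P") == "local" and "U" in rec:
        return "local submission by user %s" % rec["U"]
    if "H" in rec:
        return "received over network from %s" % rec["H"]
    return "unknown"

def summarize(log_text):
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return [(r["id"], r["flag"], origin(r), r.get("subject")) for r in recs]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run it against a real `exim_mainlog` by passing the file contents to `summarize()`; a `<=` line classified as a local submission, like the one in the first post, means the message was injected on the server by that Unix user rather than accepted from the network.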