Need help understanding this exim_mainlog entry

Discussion in 'E-mail Discussions' started by Tina, Aug 7, 2016.

  1. Tina

    Tina Well-Known Member

    Hi

    I have a new joomla website (5 days old) and I use my gmail account as the contact email for the website.

    A couple of days ago I received a joomla update email which looks exactly how it's supposed to except for the update website. I think it is spam and I'm trying to figure out if the email was generated from my website or if it came from an outside source.

    If it came from an outside source then I want to figure out what the security issue is.

    Below is the exim entry but I'm a little confused by the T-value. I think it says that it's incoming but is there a way to know for sure if it was generated by the website?

    Code:
    root@host [/var/log]#  grep "1bVWmn-00006f-I7" exim_mainlog.1
    
    2016-08-05 00:31:05 1bVWmn-00006f-I7 <= myaddress@gmail.com U=myuserid P=local S=3023 id=2be617e65a4ebac7d19c4df17e26354f@www.example.com T="Joomla! Update available for my site name  \342\200\223 http://www.example.com/" for myaddress@gmail.com
    
    2016-08-05 00:31:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bVWmn-00006f-I7
    
    2016-08-05 00:31:05 1bVWmn-00006f-I7 SMTP connection outbound 1470371465 1bVWmn-00006f-I7 mydomainname.com myaddress@gmail.com
    
    2016-08-05 00:31:06 1bVWmn-00006f-I7 => myaddress@gmail.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.28.26] X=TLSv1:AES128-SHA:128 CV=yes C="250 2.0.0 OK 1470371467 kv2si18258208pab.145 - gsmtp"
    
    2016-08-05 00:31:06 1bVWmn-00006f-I7 Completed
    


    Thank you for your insight.
    Tina
     
    #1 Tina, Aug 7, 2016
    Last edited by a moderator: Aug 7, 2016
  2. rpvw

    rpvw Well-Known Member

    Hi Tina,

    There were actually 2 Joomla updates in quick succession on Thursday to 3.8.1 and then again on Friday to 3.8.2.

    Official notification may have come to you by a number of sources - Joomla Security center that uses noreply+feedproxy @ google.com as their from address - or you may have notifications from a provisioning platform like Softaculous if you configured your account to receive them.

    It is highly unlikely that any official notification would include a reference to (warning do not browse to this address) http : // www dot example dot com / which actually takes you to an Asian porn site, so I would definitely delete the email, but you should look at upgrading your Joomla installations from official sources :cool:

    Sorry, realized I hadn't answered about the T value - subject: The subject of the message is added to the arrival log line, preceded by “T=”

    And the \342\200\223 is an octal character sequence representing the UTF-8 "en dash" character: octal 342 200 223 is the same as hex e2 80 93

    See the exim manual for a full list of codes.

    Thank you
     
    #2 rpvw, Aug 7, 2016
    Last edited by a moderator: Aug 7, 2016
  3. Tina

    Tina Well-Known Member


    Thank you rpvw,

    I did do the upgrade from 3.6.1 to 3.6.2.

    Is it possible to know by these log entries if the email was generated by my website or sent from outside the server?
    :)
     
    #3 Tina, Aug 7, 2016
    Last edited by a moderator: Aug 7, 2016
  4. rpvw

    rpvw Well-Known Member

    It rather looks like the mail was generated on your server, and sent OUT to your gMail account (<= myaddress@gmail.com) by your user (U=myuserid)

    I can't tell from the data you posted if this was actually generated by the Joomla application, or via some other source. You really need an exim guru to jump onto this topic, they will be able to help you much better than I can :confused:
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The following Exim document will help you to decipher /var/log/exim_mainlog when investigating these types of issues:

    52. Log files

    In particular, the following information will help you to determine if a message is incoming or outgoing:


    You should also view the message headers for the message to see if additional information about the source of the message is available.

    Thank you.
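
An added example, not part of the original thread and not Exim or cPanel code: a short Python parser for arrival (`<=`) lines like the one posted above. It reports whether the message was submitted locally (`P=local`, `U=`) or received over SMTP (`H=`), and decodes the `\ooo` octal escapes in `T=`. The second sample line and all function names are constructed for illustration.

```python
import re

# First sample mirrors the arrival line quoted in the thread; the second
# (an SMTP-received message) is constructed here for contrast.
SAMPLE_LOCAL = (
    '2016-08-05 00:31:05 1bVWmn-00006f-I7 <= myaddress@gmail.com U=myuserid '
    'P=local S=3023 id=2be617e65a4ebac7d19c4df17e26354f@www.example.com '
    'T="Joomla! Update available for my site name  \\342\\200\\223 '
    'http://www.example.com/" for myaddress@gmail.com'
)
SAMPLE_REMOTE = (
    '2016-08-05 00:40:00 1bVWxx-0000aa-Zz <= sender@example.net '
    'H=mail.example.net [192.0.2.10] P=esmtps S=2100 '
    'T="Hello" for user@example.com'
)

ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
# key=value pairs; a quoted value may contain spaces and backslash escapes
FIELD = re.compile(r'\b([A-Za-z]+)=("(?:[^"\\]|\\.)*"|\S+)')

def decode_exim_string(value):
    """Turn Exim's \\ooo octal byte escapes back into UTF-8 text."""
    raw = value.strip('"').encode('utf-8')
    raw = re.sub(rb'\\([0-3][0-7]{2})',
                 lambda m: bytes([int(m.group(1), 8)]), raw)
    return raw.decode('utf-8', errors='replace')

def classify_arrival(line):
    """Return origin details for a '<=' line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    _timestamp, msg_id, sender, rest = m.groups()
    fields = dict(FIELD.findall(rest))
    if fields.get('P', '').startswith('local'):
        origin = 'local'    # handed to Exim by a process on this host
    elif 'H' in fields:
        origin = 'remote'   # received over SMTP from the host in H=
    else:
        origin = 'unknown'
    return {
        'exim_id': msg_id, 'envelope_sender': sender, 'origin': origin,
        'user': fields.get('U'), 'host': fields.get('H'),
        'auth': fields.get('A'),
        'subject': decode_exim_string(fields.get('T', '')),
    }

if __name__ == '__main__':
    for sample in (SAMPLE_LOCAL, SAMPLE_REMOTE):
        print(classify_arrival(sample))
```

For the line in the thread this returns `origin='local'` and `user='myuserid'`: a process running as that account handed the message to Exim, and the address after `<=` is only the envelope sender, not proof of where the message came from.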
     