Need help understanding this exim_mainlog entry

Tina

Well-Known Member
Jan 27, 2003
63
0
156
Hi

I have a new joomla website (5 days old) and I use my gmail account as the contact email for the website.

A couple of days ago I received a joomla update email which looks exactly how it's supposed to except for the update website. I think it is spam and I'm trying to figure out if the email was generated from my website or if it came from an outside source.

If it came from an outside source then I want to figure out what the security issue is.

Below is the exim entry but I'm a little confused by the T-value. I think it says that it's incoming but is there a way to know for sure if it was generated by the website?

Code:
[email protected] [/var/log]#  grep "1bVWmn-00006f-I7" exim_mainlog.1

2016-08-05 00:31:05 1bVWmn-00006f-I7 <= [email protected] U=myuserid P=local S=3023 [email protected] T="Joomla! Update available for my site name  \342\200\223 http://www.example.com/" for [email protected]

2016-08-05 00:31:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bVWmn-00006f-I7

2016-08-05 00:31:05 1bVWmn-00006f-I7 SMTP connection outbound 1470371465 1bVWmn-00006f-I7 mydomainname.com [email protected]

2016-08-05 00:31:06 1bVWmn-00006f-I7 => [email protected] R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.28.26] X=TLSv1:AES128-SHA:128 CV=yes C="250 2.0.0 OK 1470371467 kv2si18258208pab.145 - gsmtp"

2016-08-05 00:31:06 1bVWmn-00006f-I7 Completed


Thank you for your insight.
Tina
 
Last edited by a moderator:

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
Hi Tina,

There were actually 2 Joomla updates in quick succession on Thursday to 3.8.1 and then again on Friday to 3.8.2.

Official notification may have come to you by a number of sources - Joomla Security center that uses noreply+feedproxy @ google.com as their from address - or you may have notifications from a provisioning platform like Softaculous if you configured your account to receive them.

It is highly unlikely that any official notification would include a reference to (warning do not browse to this address) http : // www dot example dot com / which actually takes you to an Asian porn site, so I would defiantly delete the email, but you should look at upgrading your Joomla installations from official sources :cool:

Sorry, realized I hadn't answered about the T value - subject: The subject of the message is added to the arrival log line, preceded by “T=”

And the \342\200\223 is an octal character sequence representing the UTF-8 "en dash" character: octal 342 200 223 is the same as hex e2 80 93

See the exim manual for a full list of codes.

Thank you
 
Last edited by a moderator:

Tina

Well-Known Member
Jan 27, 2003
63
0
156
Hi Tina,

There were actually 2 Joomla updates in quick succession on Thursday to 3.8.1 and then again on Friday to 3.8.2.

Official notification may have come to you by a number of sources - Joomla Security center that uses noreply+feedproxy @ google.com as their from address - or you may have notifications from a provisioning platform like Softaculous if you configured your account to receive them.

It is highly unlikely that any official notification would include a reference to (warning do not browse to this address) http : // www dot example dot com / which actually takes you to an Asian porn site, so I would defiantly delete the email, but you should look at upgrading your Joomla installations from official sources :cool:

Sorry, realized I hadn't answered about the T value - subject: The subject of the message is added to the arrival log line, preceded by “T=”

And the \342\200\223 is an octal character sequence representing the UTF-8 "en dash" character: octal 342 200 223 is the same as hex e2 80 93

See the exim manual for a full list of codes.

Thank you

Thank you rpvw,

I did do the upgrade from 3.6.1 to 3.6.2.

Is it possible to know by these log entries if the email was generated by my website or sent from outside the server?
:)
 
Last edited by a moderator:

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator
It rather looks like the mail was generated on your server, and sent OUT to your gMail account (<= [email protected]) by your user (U=myuserid)

I can't tell from the data you posted if this was actually generated by the Joomla application, or via some other source. You really need an exim guru to jump onto this topic, they will be able to help you much better than I can :confused:
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,205
363
Hello,

The following Exim document will help you to decipher /var/log/exim_mainlog when investigating these types of issues:

52. Log files

In particular, the following information will help you to determine if a message is incoming or outgoing:

5. Log line flags
One line is written to the main log for each message received, and for each successful, unsuccessful, and delayed delivery. These lines can readily be picked out by the distinctive two-character flags that immediately follow the timestamp. The flags are:

<= message arrival
=> normal message delivery
-> additional address in same delivery
>> cutthrough message delivery
*> delivery suppressed by -N
** delivery failed; address bounced
== delivery deferred; temporary problem

You should also view the message headers for the message to see if additional information about the source of the message is available.

Thank you.