The Community Forums


Reading exim_mainlog

Discussion in 'E-mail Discussions' started by AndyB78, Aug 28, 2009.

  1. AndyB78 (Active Member, joined Oct 7, 2003, Romania)

    Hello,

    I have a problem with a hosting account possibly sending spam, and upon investigating, this was found in exim_mainlog:

    2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= (user)@(host) U=(user) P=local S=1308
    2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** (recipient)@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account (user)@yahoo.com [-5] - mta454.mail.re4.yahoo.com
    2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329

    Where did this mail come from? PHP script or direct SMTP connection from an infected PC or what?

    Is there a guide for all the notations from exim_mainlog?

    Thanks!!
     
  2. santrix (Well-Known Member, joined Nov 30, 2008)

    Hi Andy, I can't help, but I too have been looking for a while for a friendly guide to exim_mainlog and what all of the shorthand letters mean. Like many things Unix/Linux, the answers are usually found buried and obfuscated in long texts written by people who just love to write more than is necessary.

    My take on Msg 1Mgpr3-0005ir-Pd is that one of your users tried to email a yahoo.com account that didn't exist.

    <= means message incoming to server (in this case from a local user)
    T=remote_smtp: = Transport method

    I'm still not sure what the P= and S= are!
     
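    As an added example (not part of the original thread, and not cPanel's or Exim's own code): a small Python parser for exim_mainlog lines that splits each line into the message id, the flag (<=, **, => and so on) and the key=value fields santrix is asking about, then classifies how each message entered the queue, which is the question in the first post. It goes beyond the three posted lines: it also handles authenticated SMTP submissions (P=esmtpa with A=) and unauthenticated remote ones (P=esmtp with H=), and it pairs a P=local arrival with the `cwd=... N args: ...` line that Exim writes just before it when log_selector includes +arguments (cPanel enables that, so the directory the script ran from is in the same log). The log lines, usernames, hosts and IP addresses are constructed placeholders, not taken from the poster's server.

```python
"""Parse exim_mainlog lines and classify how each message entered Exim.

Added example for this thread; not code from the original post, cPanel or Exim.
Log lines, users, hosts and addresses below are constructed placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the shape of the three posted lines, plus an args line
# (Exim writes it when log_selector has +arguments), an authenticated SMTP
# submission and an unauthenticated inbound message.
SAMPLE_LOG = """\
2009-08-28 03:02:13 cwd=/home/webuser/public_html/contact 4 args: /usr/sbin/sendmail -t -i -f
2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= webuser@server.example U=webuser P=local S=1308
2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** nobody@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account nobody@yahoo.com [-5]
2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329
2009-08-28 03:05:40 1Mgpu9-0005kc-Qa <= bob@example.net H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:bob@example.net S=2210 id=abc@pc
2009-08-28 03:05:41 1Mgpu9-0005kc-Qa => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2009-08-28 03:07:02 1Mgpva-0005lf-Tz <= sender@example.com H=mail.example.com [203.0.113.9] P=esmtp S=4410 id=xyz@example.com
2009-08-28 03:07:03 1Mgpva-0005lf-Tz => webuser <webuser@server.example> R=localuser T=local_delivery
"""

MSGID = r'[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'
# date time msgid flag rest   (flags: <= arrival, => delivered, -> extra
# recipient, >> cutthrough, *> suppressed, ** failed, == deferred)
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>' + MSGID + r') '
    r'(?P<flag><=|=>|->|>>|\*>|\*\*|==) (?P<rest>.*)$')
# Argument line (no message id); it precedes the matching <= line.
ARGS_RE = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
# Single-token key=value fields found on <= and ** lines.
FIELD_RE = re.compile(r'(?<!\S)(?P<key>U|P|S|A|R|T|id|F|X|CV|C)=(?P<val>\S+)')
# H=<hostname> [(helo name)] [ip]
HOST_RE = re.compile(r'(?<!\S)H=(?P<host>\S+(?: \([^)]*\))?) \[(?P<ip>[0-9A-Fa-f.:]+)\]')


def parse_arrival(rest):
    """Split the text after '<=' into envelope sender, fields and remote host."""
    sender, _, tail = rest.partition(' ')
    fields = {m['key']: m['val'].rstrip(':') for m in FIELD_RE.finditer(tail)}
    host = HOST_RE.search(tail)
    return {'sender': sender, 'fields': fields,
            'host': host['host'] if host else None,
            'ip': host['ip'] if host else None}


def classify(entry):
    """Return (origin, key): who or what handed this message to Exim."""
    f = entry['fields']
    if entry['sender'] == '<>' and 'R' in f:
        return 'bounce', f['R']                 # Exim-generated bounce for msg R=
    proto = f.get('P', '')
    if proto == 'local':
        return 'local', f.get('U', '?')         # sendmail/pipe run by this Unix user
    if 'A' in f or proto in ('esmtpa', 'esmtpsa'):
        return 'authenticated', f.get('A', '?') # SMTP AUTH credential that was used
    return 'remote', entry['ip'] or '?'         # unauthenticated SMTP from this host


def summarize(log_text):
    """Count arrivals per origin, failed deliveries per origin, cwd per local user."""
    origin_of = {}                  # message id -> (origin, key)
    arrivals = defaultdict(Counter) # origin -> Counter of keys
    failures = Counter()            # (origin, key) -> number of ** lines
    cwds = defaultdict(set)         # local user -> directories from args lines
    pending_cwd = None
    for line in log_text.splitlines():
        a = ARGS_RE.match(line)
        if a:                       # remember cwd until the next <= line
            pending_cwd = a['cwd']
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m['flag'] == '<=':
            origin, key = classify(parse_arrival(m['rest']))
            origin_of[m['id']] = (origin, key)
            arrivals[origin][key] += 1
            if origin == 'local' and pending_cwd:
                cwds[key].add(pending_cwd)
            pending_cwd = None
        elif m['flag'] == '**' and m['id'] in origin_of:
            failures[origin_of[m['id']]] += 1
    return {'arrivals': {o: dict(c) for o, c in arrivals.items()},
            'failures': {f'{o}:{k}': n for (o, k), n in failures.items()},
            'cwd': {u: sorted(d) for u, d in cwds.items()}}


if __name__ == '__main__':
    for section, data in summarize(SAMPLE_LOG).items():
        print(section, data)
```

    Reading the result for the posted lines: `P=local` with `U=<user>` means the message was handed to Exim locally by that Unix user (the sendmail binary or a pipe, typically a PHP script or a cron job), not by an SMTP connection from a remote PC; an abused mailbox password would instead show `P=esmtpa` with `A=<authenticator>:<login>` and the client's `H=` host. `S=` is the message size in bytes, and the `<= <> R=<id> U=mailnull` line is the bounce Exim itself generated for message `<id>`, so it is a consequence of the first message rather than a second spam run. Running the same classification over the whole log and sorting `arrivals` by count points at the user, credential or host behind the bulk of the traffic.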
  3. AndyB78 (Active Member, joined Oct 7, 2003, Romania)

    Hello,

    Yes... I know that this particular Yahoo recipient doesn't exist, but this message was extracted from a much larger bulk of 1000s of mails sent from my shared server, and I was trying to understand if the mail comes from an abused script or an abused user account etc...

    Thanks Santrix!
     