AndyB78 (Well-Known Member, Oct 7, 2003, Romania; cPanel Access Level: Root Administrator)
Hello,

I have a problem with a hosting account possibly sending spam and upon investigating this was found in exim_mainlog:

2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= (user)@(host) U=(user) P=local S=1308
2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** (recipient)@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account (user)@yahoo.com [-5] - mta454.mail.re4.yahoo.com
2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329

Where did this mail come from? PHP script or direct SMTP connection from an infected PC or what?

Is there a guide for all the notations from exim_mainlog?

Thanks!!
 

santrix (Well-Known Member, Nov 30, 2008)
Hi Andy, I can't help, but I too have been looking for a while for a friendly guide to exim_mainlog and what all of the shorthand letters mean. Like many things unix/linux, the answers are usually found buried and obfuscated in long texts written by people who just love to write more than is necessary.

My take on Msg 1Mgpr3-0005ir-Pd is that one of your users tried to email a yahoo.com account that didn't exist.

<= means message incoming to server (in this case from a local user)
T=remote_smtp: = Transport method

I'm still not sure what the P= and S= are!
 

AndyB78 (Well-Known Member)
Hello,

Yes...I know that this particular Yahoo recipient doesn't exist but this message was extracted from a much larger bulk of 1000s of mails sent from my shared server and I was trying to understand if the mail comes from an abused script or an abused user account etc...

Thanks Santrix!
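The following is an added example, not code from this thread or from cPanel/Exim; it answers the two questions above (what the shorthand items mean, and whether the message came from a script or an SMTP connection) by parsing exim_mainlog lines of the shape quoted in the first post. The field meanings come from the Exim specification's logging chapter: `<=` is an arrival, `**` a failed delivery, `P=` the protocol the message arrived by (`local` means a local process handed it to Exim, typically a script or cron job calling the sendmail binary, with `U=` naming the Unix user it ran as; `esmtpa`/`esmtpsa` plus an `A=` item means an authenticated SMTP login with account credentials; a network arrival also carries `H=` with the peer's address), `S=` the size in bytes, `T=` the transport, and `R=` the router on a delivery line or, on an arrival line whose sender is `<>`, the id of the message this bounce was generated for. So in the thread's excerpt the first `<=` line is a local submission as the account user, and the third line is Exim's own bounce (`U=mailnull`, `R=1Mgpr3-0005ir-Pd`) for the failed Yahoo delivery. The sample log lines, user names, hosts and the `dovecot_login` authenticator name are constructed placeholders; the counting in `summarize()` is the added part that goes beyond the thread, to show how to see which account or script is behind a burst of mail.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the thread's exim_mainlog excerpt (placeholders only).
SAMPLE_LOG = """\
2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= example@host.example U=example P=local S=1308
2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** someone@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account someone@yahoo.com [-5]
2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329
2009-08-28 03:05:00 1Mgpr9-0005zz-AA <= bob@host.example H=(pc) [203.0.113.5] P=esmtpa A=dovecot_login:bob S=2048
"""

# Log line flags, per the Exim spec ("Log line flags").
FLAGS = {
    "<=": "message arrival",
    "=>": "normal delivery",
    "->": "additional address in the same delivery",
    "*>": "delivery suppressed",
    "**": "delivery failed",
    "==": "delivery deferred (temporary problem)",
}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (<=|=>|->|\*>|\*\*|==) (\S+)(.*)$")
ITEM_RE = re.compile(r"(?<!\w)([A-Za-z]+)=(\S+)")   # key=value items such as P=local


@dataclass
class Entry:
    timestamp: str
    msgid: str
    flag: str
    address: str            # sender on "<=", recipient on delivery lines
    items: dict = field(default_factory=dict)
    rest: str = ""


def parse_line(line):
    """Split one main-log line into its fixed fields and key=value items."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msgid, flag, addr, rest = m.groups()
    # T=remote_smtp: carries a trailing colon before the error text; drop it.
    items = {k: v.rstrip(":") for k, v in ITEM_RE.findall(rest)}
    return Entry(ts, msgid, flag, addr, items, rest.strip())


def classify_origin(e):
    """Where an arriving message came from, as far as the arrival line can tell."""
    if e.flag != "<=":
        return None
    if e.address == "<>" and "R" in e.items:
        return "bounce"          # generated by Exim itself for the message named in R=
    proto = e.items.get("P", "")
    if proto == "local":
        return "local-process"   # handed in via sendmail by a process running as U=
    if proto in ("esmtpa", "esmtpsa") or "A" in e.items:
        return "smtp-auth"       # account credentials were used; A= names the login
    return "smtp-unauth"         # plain network delivery, peer in H=


def summarize(log_text):
    """Count arrivals by (origin class, responsible user/login/host)."""
    counts = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.flag != "<=":
            continue
        origin = classify_origin(e)
        if origin == "smtp-auth":
            who = e.items.get("A", "?")
        else:
            who = e.items.get("U", e.items.get("H", "?"))
        counts[(origin, who)] = counts.get((origin, who), 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(e.msgid, FLAGS[e.flag], e.address, e.items, classify_origin(e) or "")
    for (origin, who), n in summarize(SAMPLE_LOG).items():
        print(f"{n:5d}  {origin:14s} {who}")
```

Run it over a real exim_mainlog (for example `summarize(open("/var/log/exim_mainlog").read())`) and sort the result by count: a large `local-process` figure under one account user points at a script on that account, whereas a large `smtp-auth` figure under one login points at leaked account credentials, and only the latter would show a remote `H=` address to correlate with connection logs.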