
Reading exim_mainlog

Discussion in 'E-mail Discussion' started by AndyB78, Aug 28, 2009.

  1. AndyB78 (Well-Known Member, Romania)

    Hello,

    I have a problem with a hosting account possibly sending spam and upon investigating this was found in exim_mainlog:

    2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= (user)@(host) U=(user) P=local S=1308
    2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** (recipient)@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account (user)@yahoo.com [-5] - mta454.mail.re4.yahoo.com
    2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329

    Where did this mail come from? PHP script or direct SMTP connection from an infected PC or what?

    Is there a guide for all the notations from exim_mainlog?

    Thanks!!
     
  2. santrix (Well-Known Member)

    Hi Andy, I can't help, but I too have been looking for a while for a friendly guide to exim_mainlog and what all of the shorthand letters mean. Like many things Unix/Linux, the answers are usually found buried and obfuscated in long texts written by people who just love to write more than is necessary.

    My take on Msg 1Mgpr3-0005ir-Pd is that one of your users tried to email a yahoo.com account that didn't exist.

    <= means message incoming to server (in this case from a local user)
    T=remote_smtp: = Transport method

    I'm still not sure what the P= and S= are!
     
  3. AndyB78 (Well-Known Member, Romania)

    Hello,

    Yes... I know that this particular Yahoo recipient doesn't exist, but this message was extracted from a much larger bulk of 1000s of mails sent from my shared server and I was trying to understand if the mail comes from an abused script or an abused user account etc...

    Thanks Santrix!
     
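The two questions in this thread (what the shorthand in exim_mainlog means, and whether a run of outbound mail came from a script or from an abused account) can be answered from the log itself. Below is an added example, not code from any of the posters or from cPanel: a small Python parser that reads exim_mainlog lines and classifies each arrival by the fields Exim's log documentation defines. The notation used is: <= message arrived, => delivered, -> additional address in the same delivery, ** delivery failed, == delivery deferred, Completed finished; U= the local Unix user whose process injected the message; P= the protocol (local means injected by a local process such as PHP mail() or cron via the sendmail binary, esmtpa/esmtpsa/smtpa means an SMTP session that passed AUTH, esmtp/esmtps/smtp means unauthenticated SMTP from the H= host); S= size in bytes; A= the authenticator and authenticated identity; R= the router on delivery lines, but on a bounce arrival (sender <>) the id of the message that bounced; T= the transport. The first three sample lines are the ones quoted above (placeholders kept); the remaining lines and all host names, addresses and IPs are constructed for the example, and the parser assumes the default log layout without a PID field.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines. The first three are the lines
# quoted in the thread (with the poster's placeholders); the rest are made up
# to show an authenticated SMTP submission, a delivery and a Completed line.
SAMPLE_LOG = """\
2009-08-28 03:02:13 1Mgpr3-0005ir-Pd <= (user)@(host) U=(user) P=local S=1308
2009-08-28 03:02:14 1Mgpr3-0005ir-Pd ** (recipient)@yahoo.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [216.39.53.3]: 554 delivery error: dd This user doesn't have a yahoo.com account (user)@yahoo.com [-5] - mta454.mail.re4.yahoo.com
2009-08-28 03:02:15 1Mgpr4-0005jb-FJ <= <> R=1Mgpr3-0005ir-Pd U=mailnull P=local S=2329
2009-08-28 03:05:01 1Mgpu9-0005ka-Qz <= bob@example.net H=(localhost) [203.0.113.7] P=esmtpa A=dovecot_login:bob@example.net S=2210 id=abc@example.net
2009-08-28 03:05:02 1Mgpu9-0005ka-Qz => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.25]
2009-08-28 03:05:02 1Mgpu9-0005ka-Qz Completed
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"   # Exim message id, e.g. 1Mgpr3-0005ir-Pd
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<id>" + MSGID + r") "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$"
)
# key=value tokens; a quoted value (e.g. T="subject") may contain spaces.
# The lookbehind keeps us from matching '=' inside an address or error text.
KV_RE = re.compile(r'(?<!\S)(?P<k>[A-Za-z]{1,3})=(?:"(?P<q>[^"]*)"|(?P<v>\S+))')
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")          # first [ip] on the line


def parse_line(line):
    """Parse one exim_mainlog line into a dict, or None if it is not a message line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"date": m["date"], "time": m["time"], "id": m["id"], "flag": m["flag"],
             "address": None, "fields": {}, "ip": None, "error": None}
    rest = m["rest"] or ""
    if entry["flag"] != "Completed":
        # the first token after the flag is the sender (<=) or recipient (=>, ->, **, ==)
        entry["address"], _, rest = rest.partition(" ")
    for kv in KV_RE.finditer(rest):
        val = kv["q"] if kv["q"] is not None else kv["v"]
        entry["fields"][kv["k"]] = val.rstrip(":")     # "T=remote_smtp:" on failure lines
    ip = IP_RE.search(rest)
    if ip:
        entry["ip"] = ip.group(1)
    if entry["flag"] == "**":
        # failure lines carry the remote server's reply after "T=<transport>: "
        _, sep, err = rest.partition(": ")
        entry["error"] = err if sep else None
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify_origin(entry):
    """Where an arrival (<=) came from, judged from the P=, U= and A= fields."""
    if entry["flag"] != "<=":
        raise ValueError("only arrival lines have an origin")
    proto = entry["fields"].get("P", "")
    if entry["address"] == "<>":
        return "bounce"        # generated by Exim itself; R= names the message that bounced
    if proto.startswith("local"):
        return "local"         # injected by a local process running as U= (script, cron, sendmail -t)
    if proto.endswith("a"):    # smtpa, esmtpa, esmtpsa: SMTP session that passed AUTH
        return "smtp-auth"     # A= says which credential was used
    return "smtp"              # unauthenticated SMTP from H=/[ip]: inbound or relayed mail


def summarize(entries):
    """Count arrivals per (origin, responsible identity); link bounces and failures to their message."""
    arrivals, failures, bounces_for = Counter(), Counter(), {}
    for e in entries:
        if e["flag"] == "<=":
            origin = classify_origin(e)
            f = e["fields"]
            if origin == "bounce":
                bounces_for[e["id"]] = f.get("R")
                continue
            who = {"local": f.get("U"), "smtp-auth": f.get("A"), "smtp": e["ip"]}[origin]
            arrivals[(origin, who)] += 1
        elif e["flag"] == "**":
            failures[e["id"]] += 1
    return {"arrivals": arrivals, "failures": failures, "bounces_for": bounces_for}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for (origin, who), n in summary["arrivals"].most_common():
        print(f"{n:6d}  {origin:<9} {who}")
    for bounce_id, original in summary["bounces_for"].items():
        print(f"bounce {bounce_id} was generated for {original}")
```

Run over the real file (`/var/log/exim_mainlog` on a cPanel server) the `arrivals` counter is the triage answer: a large count under `local` for one U= points at a script or cron job running as that account, a large count under `smtp-auth` for one A= identity points at a stolen mailbox password being used from a mail client or bot, and the bounce links show which original message each `<>` arrival belongs to. For the lines quoted in the thread the classification is `local` with U=(user): the message was handed to Exim by a local process running as that account, not by an SMTP connection. If Exim's `arguments` log selector is enabled, each local injection is also preceded by a `cwd=... N args: ...` line giving the working directory of the process, which usually identifies the script.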