Strange entries in exim_mainlog?

Harryhood

Well-Known Member
Jun 3, 2003
57
0
156
Gamehenge
I have started seeing entries such as the one below in exim_mainlog recently. Servernames, email addrs. and IP addresses have been changed.

2005-01-12 05:02:58 H=servername.domainname.com (localhost.localhost) [xxx.xxx.xxx.xxx]:51605 I=[127.0.0.100]:25 F=<[email protected]> rejected RCPT <[email protected]***********>: servername.domainname.com (localhost.localhost) [xxx.xxx.xxx.xxx]:51605 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.



Can someone explain what this could mean? Of course I am afraid it is a spammer on the server, and if so I need to figure out how it is being sent.
 

haze

Well-Known Member
Dec 21, 2001
1,540
3
318
The message itself could be a client trying to check their mail without the option in their email client selected: "Server requires authentication". If it was a spammer (could have been), it was stopped.
 

Harryhood

Thanks Haze. A couple of questions..

The

H=servername.domainname.com (localhost.localhost) [xxx.xxx.xxx.xxx]:
portion of the log entry is the actual servername and ip address of the server, so it would seem the email originated (or tried to originate on the server). Is that true?

One thing in particular that I am not clear on is whether the error message:

is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.

was generated by the local server or was a response from the mail server where the message was sent to (or attempted to be sent to).

Are you able to confirm one or either of those?

Thanks
 

haze

That does sound like it might be originating from your server, then again it could be spoofed. I see a heck of a lot of spammers connecting to our servers using our hostname and/or our IP to try and fool the mail server, this may be the case.

The error message essentially says.. "Hey, you're trying to relay on this server, and relaying (unless you're authenticated), is NOT allowed! BUGGER OFF!!" and the error message is coming from your server.
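
An added example, not part of the original thread: a small parser for "rejected RCPT" relay entries in the format quoted above, which separates connections whose peer IP is one of the server's own addresses from remote peers that only use the server's name in HELO. In Exim's log format the unparenthesised name after H= is the name Exim looked up for the connecting IP, the name in parentheses is what the client sent in HELO/EHLO, and the bracketed address is the TCP peer; the sample lines, addresses and the `classify`/`summarize` names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the exim_mainlog format from the thread
# (documentation-range IPs, example.* names). Line 3 is not a rejection.
SAMPLE_LOG = """\
2005-01-12 05:02:58 H=host.example.com (localhost.localhost) [192.0.2.10]:51605 I=[127.0.0.100]:25 F=<a@example.com> rejected RCPT <b@example.net>: host.example.com (localhost.localhost) [192.0.2.10]:51605 is currently not permitted to relay through this server.
2005-01-12 05:03:10 H=(host.example.com) [198.51.100.7]:40222 I=[192.0.2.10]:25 F=<c@example.org> rejected RCPT <d@example.net>: (host.example.com) [198.51.100.7]:40222 is currently not permitted to relay through this server.
2005-01-12 05:04:00 1CoXyz-0001Ab-2C <= e@example.com H=localhost (host.example.com) [127.0.0.1]:40000 I=[127.0.0.1]:25 P=esmtp S=1200
"""

# H=<looked-up name, optional> (<HELO name>, optional) [<peer IP>]:<port>
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<rdns>[^\s(]+) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))? "
    r"(?:I=\[(?P<iface>[^\]]+)\]:\d+ )?"
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>"
)

def classify(line, local_ips, local_names):
    """Parse one log line; return its fields plus a verdict, or None."""
    m = REJECT_RE.match(line)
    if m is None:
        return None  # not a relay rejection in this format
    rec = m.groupdict()
    try:
        loopback = ipaddress.ip_address(rec["ip"]).is_loopback
    except ValueError:  # e.g. an address masked as xxx.xxx.xxx.xxx
        loopback = False
    if loopback or rec["ip"] in local_ips:
        # The TCP peer is this machine: look for a local script or account.
        rec["verdict"] = "local-origin"
    elif (rec["helo"] or "").lower() in local_names:
        # A remote peer that merely announces our name in HELO.
        rec["verdict"] = "remote-using-our-name"
    else:
        rec["verdict"] = "remote"
    return rec

def summarize(log_text, local_ips, local_names):
    """Count verdicts over every relay rejection in a log excerpt."""
    recs = (classify(l, local_ips, local_names) for l in log_text.splitlines())
    return Counter(r["verdict"] for r in recs if r)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"192.0.2.10"}, {"host.example.com"}))
```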