The Community Forums


Weird error in exim_mainlog

Discussion in 'General Discussion' started by sivadc, Dec 13, 2004.

  1. sivadc

    sivadc Active Member

    Joined:
    Dec 10, 2003
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    While scanning through my exim_mainlog I noticed that I was getting the following error:

    unexpected disconnection while reading SMTP command from (oneofmydomains.com) [202.22.182.2]

    I know that it doesn't look too strange at first glance, but the thing is, that's not the I.P. for the domain in question. It's not even close. . . well, maybe the same /8. Anyone have an idea what's going on? Thanks in advance for the help.
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    It's just spammers sending mail to nonexistent users or being blocked by an RBL using an open proxy.
     
  3. sivadc

    sivadc Active Member

    Joined:
    Dec 10, 2003
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I guess my main concern is that the domain in question is actually hosted on the server that is displaying the error, so I don't understand how it can be displaying the wrong I.P. address. Mind you, it doesn't happen all the time, but it has occurred more than once, and each time it displayed the same incorrect address. I apologize if I'm not explaining the problem well and thanks again for the assistance.
     
  4. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    I *think*

    it's one of those smart clients that configured their own domain name on their office network.
    Check in the daily LogWatch: do you have entries with "Zone update refused"?
     
  5. sivadc

    sivadc Active Member

    Joined:
    Dec 10, 2003
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the input, I appreciate it. I think I may have figured out the problem though. I didn't mention it earlier, but the reason why I was monitoring the exim logs is that I just recently implemented rbls and wanted to be sure that legitimate emails weren't being blocked. The entire error message I was getting in the logs looked something like this:

    2004-12-14 22:54:57 no host name found for IP address 202.22.182.2
    2004-12-14 22:54:58 H=(mydomain1.com) [202.22.182.2] F=<d11qxbx3xmtrjpy@msn.com> rejected RCPT <validuser@mydomain1.com>: Message rejected because (mydomain1.com) [202.22.182.2] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=202.22.182.2
    2004-12-14 22:54:59 unexpected disconnection while reading SMTP command from (mydomain1.com) [202.22.182.2]


    mydomain1.com is hosted on the cpanel server that I was viewing the logs from. The I.P. address that should have been showing was 202.128.*.*. Instead it was showing 202.22.182.2. I decided to look at the previous week's logs (before I had implemented the rbls) and did a grep for "202.22.182.2" and this is what repeatedly came up:

    2004-12-11 05:20:27 1CcqJU-0005xc-E8 H=(mydomain1.com) [202.22.182.2] F=<cham_pride@hotmail.com> rejected after DATA: This message contains a virus or other harmful content (Worm.SomeFool.P)


    I guess it's a worm trying to spread? How is it using one of my domains though? Spoofing? I won't even pretend to be an expert at exim so I apologize if the answer is blatantly obvious.
     
    #5 sivadc, Dec 14, 2004
    Last edited: Dec 14, 2004
  6. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    You get that error because the SMTP connection was cut off in the middle of transmission... and it's cut off because the sending server is blacklisted.

    That sending server is using your domain as its own HELO when it talks to your mailserver. It's supposed to be the hostname of the IP/server that sent the mail... but it's untrusted (because it can be anything and anyone can change it). Spammers and viruses do this, hoping that it will trick your configuration into accepting their mail/giving them relay access/giving them increased access/whatever. I just block any mailserver using my domains or my IPs in their HELO. No legitimate mailserver does that.
     
    #6 dezignguy, Dec 15, 2004
    Last edited: Dec 15, 2004
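Added example (not part of the thread or of cPanel/Exim): a small Python scanner that applies the rule dezignguy describes to exim_mainlog lines, flagging any peer whose HELO names one of our own domains or IP literals while the connection itself comes from outside our address space. The sample log lines are constructed after the ones quoted above; the local network 202.128.0.0/16 is an assumption based on the "202.128.*.*" mentioned earlier.

```python
import re
from ipaddress import ip_address, ip_network

# Exim writes the peer's HELO/EHLO name in parentheses and its address in
# square brackets, e.g. "H=(mydomain1.com) [202.22.182.2]" or, on the
# disconnect line, "from (mydomain1.com) [202.22.182.2]".
PEER_RE = re.compile(r"(?:H=|from )\(([^)]+)\)\s+\[([0-9.]+)\]")

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    "2004-12-14 22:54:57 no host name found for IP address 202.22.182.2",
    "2004-12-14 22:54:58 H=(mydomain1.com) [202.22.182.2] F=<d11qxbx3xmtrjpy@msn.com> rejected RCPT <validuser@mydomain1.com>: blacklisted at sbl-xbl.spamhaus.org",
    "2004-12-14 22:54:59 unexpected disconnection while reading SMTP command from (mydomain1.com) [202.22.182.2]",
    "2004-12-14 23:01:10 H=(mydomain1.com) [202.128.10.5] F=<user@mydomain1.com> => ok",      # our own host
    "2004-12-14 23:05:42 H=(mail.example.org) [198.51.100.7] F=<alice@example.org> => ok",     # legitimate remote
    "2004-12-14 23:07:03 H=([202.128.10.5]) [203.0.113.9] F=<x@example.net> rejected RCPT",     # HELO is our IP literal
]
LOCAL_DOMAINS = {"mydomain1.com"}       # domains hosted on this server
LOCAL_NETWORKS = ["202.128.0.0/16"]     # assumed: the server's own address space

def _is_local_ip(text, nets):
    try:
        return any(ip_address(text) in net for net in nets)
    except ValueError:
        return False

def _helo_claims_us(helo, domains, nets):
    helo = helo.lower()
    if helo in domains or any(helo.endswith("." + d) for d in domains):
        return True
    return _is_local_ip(helo.strip("[]"), nets)  # HELO given as one of our IP literals

def spoofed_helo_entries(log_lines, domains, networks):
    """Return (line_no, helo, ip) for lines whose HELO claims one of our
    names or addresses while the peer itself sits outside our networks."""
    nets = [ip_network(n) for n in networks]
    domains = {d.lower() for d in domains}
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = PEER_RE.search(line)
        if not m:
            continue
        helo, ip = m.groups()
        if _is_local_ip(ip, nets):
            continue  # our own hosts may legitimately announce our name
        if _helo_claims_us(helo, domains, nets):
            hits.append((n, helo, ip))
    return hits

def scan_sample():
    return spoofed_helo_entries(SAMPLE_LOG, LOCAL_DOMAINS, LOCAL_NETWORKS)

if __name__ == "__main__":
    for n, helo, ip in scan_sample():
        print(f"line {n}: HELO {helo!r} from {ip} forges a local identity")
```

Feeding a real exim_mainlog through spoofed_helo_entries with your own domain list and netblocks gives a quick inventory of peers that would be caught by a HELO-based block before you enable one.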
  7. sivadc

    sivadc Active Member

    Joined:
    Dec 10, 2003
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Great explanation, it clears up a lot for me. Thanks!
     