  1. #1
    Join Date
    May 2008
    Posts
    179

    * lfd: LOCAL RELAY

    hi

    any idea what this might be?

    Time: Tue Jun 17 18:45:49 2008
    Type: LOCALRELAY, Local Account - nobody
    Count: 101 emails relayed
    Blocked: No

    Sample of the first 10 emails:

    2008-06-17 18:45:31 1K8jve-0006PP-Am <= nobody@domain.cl U=nobody P=local S=3247 T="Noticias de 800flores.cl"
    2008-06-17 18:45:31 1K8jvf-0006QE-4U <= nobody@domain.cl U=nobody P=local S=3265 T="Noticias de 800flores.cl"
    I've received about 8000 warnings like this since yesterday. Can someone please tell me what this is? Thanks.

  2. #2
    Join Date
    Jun 2008
    Location
    Ukraine
    Posts
    141
    Look at where the mail is stored and look in the body; the answer will be there.

  3. #3
    Join Date
    Mar 2006
    Posts
    241
    It may not necessarily mean it's spam being relayed but could be normal mails.

    Relay Tracking is a feature of LFD, http://www.configservers.com/blog/index.php?itemid=221

    But since the alert shows nobody mails, some user in the server may be spamming. Dig deeper and try to find out which user/script is involved.

  4. #4
    Join Date
    Oct 2007
    Posts
    1,903
    Try enabling extended logging in exim and check the exim log /var/log/exim_mainlog to track the script.

    To enable extended logging:

    pico -w /etc/exim.conf

    Find this:

    hostlist auth_relay_hosts = *

    After hostlist auth_relay_hosts = *

    add

    # +arguments records the working directory (cwd=) of every locally
    # injected message, which is what ties a nobody-sent mail to a script.
    log_selector = \
      +address_rewrite \
      +all_parents \
      +arguments \
      +connection_reject \
      +received_sender \
      +received_recipients \
      +subject

    Save and restart exim.

  5. #5
    Join Date
    May 2008
    Posts
    179
    Thank you so much for the answers. Indeed, a user was sending spam.

  6. #6
    Join Date
    Jun 2008
    Posts
    205
    (I'm posting this here because this message comes up for a keyword search on this subject, it might help others)

    You can grep your exim log for the message ID number like "1MNzAM-0005F2-4" (the first one on your list) then you can see where it's going.

    What I have found so far on this is that LFD sees over 100 relays in an hour and reports, but the server "relays" internally all the time and I think it's counting that.

    I tracked down a bunch of messages for that alert and they all seem to be going into a legit e-mail account on the server, but they are "relayed" internally to do that.

    If you have a user that posts something on a blog that gets him a lot of e-mail all of a sudden this can happen (from what research I've done so far).

    I haven't had a big problem with this so I'm just leaving it alone for now and see how it goes but I may increase the number to over 100 if it starts to bother me.

    Oh, and if you haven't done this, make sure your server is set up to not allow relays, and test it from outside to make sure. I already did that a long time ago.
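    The log work that posts #4 and #6 describe (turn on +arguments logging, then grep /var/log/exim_mainlog for the message ID to see where each nobody-sent mail went), as an added example that is not code from the thread or from ConfigServer. It assumes the line formats exim writes with +arguments enabled: a "cwd=<dir> N args: ..." line immediately before the "<=" line of each locally injected message, and "=>" delivery lines carrying the transport in T=. The sample log it builds is constructed for the example, not real data; the function names and the paths under /home are assumptions.

```shell
#!/bin/sh
# Added example: triage an lfd LOCALRELAY alert from exim_mainlog.
# Requires log_selector +arguments so that exim writes a "cwd=<dir> N args: ..."
# line just before the "<=" line of each message injected via /usr/sbin/sendmail.

# Constructed sample log (not real data): two mails from a script in user1's
# blog directory going to remote hosts, one contact-form mail delivered to a
# local mailbox, and one message that arrived over SMTP (not local at all).
write_sample_log() {
  cat > "$1" <<'EOF'
2008-06-17 18:45:31 cwd=/home/user1/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2008-06-17 18:45:31 1K8jve-0006PP-Am <= nobody@domain.cl U=nobody P=local S=3247 T="Noticias de 800flores.cl"
2008-06-17 18:45:31 1K8jve-0006PP-Am => victim@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10]
2008-06-17 18:45:31 1K8jve-0006PP-Am Completed
2008-06-17 18:45:31 cwd=/home/user1/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2008-06-17 18:45:31 1K8jvf-0006QE-4U <= nobody@domain.cl U=nobody P=local S=3265 T="Noticias de 800flores.cl"
2008-06-17 18:45:32 1K8jvf-0006QE-4U => other@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.5]
2008-06-17 18:45:32 1K8jvf-0006QE-4U Completed
2008-06-17 18:46:00 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2008-06-17 18:46:00 1K8jwB-0006R1-9Q <= nobody@domain.cl U=nobody P=local S=1102 T="Contact form"
2008-06-17 18:46:00 1K8jwB-0006R1-9Q => user2 <user2@domain.cl> R=localuser T=local_delivery
2008-06-17 18:46:00 1K8jwB-0006R1-9Q Completed
2008-06-17 18:46:05 1K8jwG-0006R7-2c <= bob@example.net H=mail.example.net [203.0.113.7] P=esmtp S=2048 T="Hello"
EOF
}

# Which directory is injecting mail as nobody? Remember the most recent cwd=
# line, attribute the next local U=nobody "<=" line to it, and count per dir.
# Output: "<count> <dir>", busiest first. Under heavy concurrent submission the
# cwd= and "<=" lines of different messages can interleave, so treat this as
# a lead and confirm with trace_message before blaming a script.
nobody_cwd_report() {
  awk '
    /^[^ ]+ [^ ]+ cwd=/ { cwd = $3; sub(/^cwd=/, "", cwd); next }
    / <= / && / U=nobody / && / P=local / { n[cwd]++; cwd = "" }
    END { for (d in n) print n[d], d }
  ' "$1" | sort -rn
}

# Did the nobody mail actually leave the box? Count deliveries of U=nobody
# local messages by transport: remote_smtp is real outbound relay, while
# local_delivery/virtual_user is the internal "relay" post #6 describes.
nobody_transport_report() {
  awk '
    / <= / && / U=nobody / && / P=local / { ids[$3] = 1 }
    / => / && ($3 in ids) { match($0, /T=[^ ]+/); t[substr($0, RSTART + 2, RLENGTH - 2)]++ }
    END { for (k in t) print t[k], k }
  ' "$1" | sort -rn
}

# Follow a single message ID from the alert through the whole log:
# "<=" is arrival, "=>" lines are deliveries, "Completed" closes it.
trace_message() {
  grep -F -- "$2" "$1"
}

# Stand-alone run against the constructed sample.
if [ -z "$NO_DEMO" ]; then
  f=$(mktemp)
  write_sample_log "$f"
  echo "== nobody submissions per cwd =="; nobody_cwd_report "$f"
  echo "== deliveries of nobody mail by transport =="; nobody_transport_report "$f"
  echo "== trace 1K8jve-0006PP-Am =="; trace_message "$f" 1K8jve-0006PP-Am
  rm -f "$f"
fi
```

    On a live box point the functions at /var/log/exim_mainlog: a directory that tops nobody_cwd_report and a transport report dominated by remote_smtp is the spamming-script case from post #3, while a report that is all local_delivery is the benign internal relaying post #6 saw. Once you have the cwd, look for the script there that calls mail()/sendmail and check what feeds it. The outside-in open-relay test post #6 mentions is a separate exercise; a tool such as swaks (--to, --from, --server) from a host that is not in auth_relay_hosts does it without hand-typing SMTP.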

  7. #7
    Join Date
    Mar 2009
    Posts
    3,700
    Quote Originally Posted by ~ServerPoint~ View Post
    Try enabling extended logging in exim and check the exim log /var/log/exim_mainlog to track the script.

    To enable extended logging.

    pico -w /etc/exim.conf

    Find this;

    hostlist auth_relay_hosts = *

    After hostlist auth_relay_hosts = *

    add

    log_selector = \
    +address_rewrite \
    +all_parents \
    +arguments \
    +connection_reject \
    +received_sender \
    +received_recipients \
    +subject \

    Save and restart exim.
    Does it still work? Because when I try to add it and restart exim, it fails.

  8. #8
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    <<mis-posted>>
    Last edited by Johnny Cache; 10-30-2013 at 12:59 PM.

  9. #9
    It looks like you are running PHP processes as the Apache user (nobody). This is not recommended from a security point of view. Compile Apache and PHP with suPHP or mod_ruid2.

  10. #10
    Join Date
    Jan 2006
    Location
    India
    Posts
    637
    I think mod_ruid2 is not compatible with mod_security.

  11. #11
    Join Date
    Jul 2006
    Location
    Australia
    Posts
    3,809
    Quote Originally Posted by ttgt View Post
    Does it still work? Because when I try to add it and restart exim, it fails.
    Probably because there have been changes over the last 5 years.
