Thread: lfd: LOCAL RELAY
-
06-18-2008, 09:41 AM #1Junior Guru
- Join Date
- May 2008
- Posts
- 179
lfd: LOCAL RELAY
hi
any idea what this might be?
Time: Tue Jun 17 18:45:49 2008
Type: LOCALRELAY, Local Account - nobody
Count: 101 emails relayed
Blocked: No
Sample of the first 10 emails:
2008-06-17 18:45:31 1K8jve-0006PP-Am <= nobody@domain.cl U=nobody P=local S=3247 T="Noticias de 800flores.cl"
2008-06-17 18:45:31 1K8jvf-0006QE-4U <= nobody@domain.cl U=nobody P=local S=3265 T="Noticias de 800flores.cl"
-
06-18-2008, 09:45 AM #2WHT Addict
- Join Date
- Jun 2008
- Location
- Ukraine
- Posts
- 141
Look where the mail is stored and look in the body; the answer will be there.
-
06-19-2008, 12:34 AM #3Junior Guru
- Join Date
- Mar 2006
- Posts
- 241
It may not necessarily mean it's spam being relayed but could be normal mails.
Relay Tracking is a feature of LFD, http://www.configservers.com/blog/index.php?itemid=221
But since the alert shows nobody mails, some user in the server may be spamming. Dig deeper and try to find out which user/script is involved.
-
06-19-2008, 04:29 AM #4Web Hosting Master
- Join Date
- Oct 2007
- Posts
- 1,903
Try enabling extended logging in exim and check the exim log /var/log/exim_mainlog to track the script.
To enable extended logging:
pico -w /etc/exim.conf
Find this:
hostlist auth_relay_hosts = *
After hostlist auth_relay_hosts = *
add
log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+received_sender \
+received_recipients \
+subject
Save and restart exim.
-
06-19-2008, 09:52 AM #5Junior Guru
- Join Date
- May 2008
- Posts
- 179
Thank you so much for the answers; effectively a user was sending spam.
-
09-15-2009, 06:39 PM #6Junior Guru
- Join Date
- Jun 2008
- Posts
- 205
(I'm posting this here because this message comes up for a keyword search on this subject, it might help others)
You can grep your exim log for the message ID number like "1MNzAM-0005F2-4" (the first one on your list) then you can see where it's going.
What I have found so far on this is that LFD sees over 100 relays in an hour and reports, but the server "relays" internally all the time and I think it's counting that.
I tracked down a bunch of messages for that alert and they all seem to be going into a legit e-mail account on the server, but they are "relayed" internally to do that.
If you have a user that posts something on a blog that gets him a lot of e-mail all of a sudden this can happen (from what research I've done so far).
I haven't had a big problem with this so I'm just leaving it alone for now and seeing how it goes, but I may increase the number to over 100 if it starts to bother me.
Oh, and if you haven't done this, make sure your server is set up to not allow relays, and test it from outside to make sure. I already did that a long time ago.
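An added example, not code from this thread: the "grep the log for each message ID" check above, done in Python over a constructed exim_mainlog excerpt (sample lines, not real server data). It groups lines by message ID, reports whether each P=local message from `nobody` ended in a local mailbox or left for a remote host, and counts relays per hour against the 100-per-hour figure quoted above. The user, the limit and the transport name are assumptions (`T=remote_smtp` is exim's usual remote transport; local transport names vary per install).

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt (sample data, not from any real server): two
# messages injected locally by "nobody"; one stays local, one goes to a remote MX.
SAMPLE_LOG = """\
2008-06-17 18:45:31 1K8jve-0006PP-Am <= nobody@domain.cl U=nobody P=local S=3247 T="Noticias de 800flores.cl"
2008-06-17 18:45:31 1K8jve-0006PP-Am => user <user@domain.cl> R=virtual_user T=virtual_userdelivery
2008-06-17 18:45:31 1K8jve-0006PP-Am Completed
2008-06-17 18:45:31 1K8jvf-0006QE-4U <= nobody@domain.cl U=nobody P=local S=3265 T="Noticias de 800flores.cl"
2008-06-17 18:45:33 1K8jvf-0006QE-4U => someone@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2008-06-17 18:45:33 1K8jvf-0006QE-4U Completed
"""

# Exim line: "<date> <time> <message-id> <flag> <rest>"; "<=" arrival, "=>" delivery,
# "->" extra recipient, "**" failure, "==" deferral. Lines without a flag are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<id>\w{6}-\w{6}-\w{2}) (?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$")

def parse_log(text):
    """Group lines by message ID, like grepping the log for each ID by hand."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Completed" lines carry no flag we need
        e = msgs.setdefault(m["id"], {"hour": None, "arrival": None, "deliveries": []})
        if m["flag"] == "<=":
            e["arrival"] = m["rest"]
            e["hour"] = f'{m["date"]} {m["time"][:2]}'  # bucket for the hourly count
        elif m["flag"] in ("=>", "->"):
            e["deliveries"].append(m["rest"])
    return msgs

def local_relays(msgs, user="nobody"):
    """Messages injected locally (P=local) by `user`: 'remote' if any delivery left the box, else 'local'."""
    out = {}
    for mid, e in msgs.items():
        arr = e["arrival"] or ""
        if f"U={user} " not in arr or "P=local" not in arr:
            continue
        remote = any("T=remote_smtp" in d for d in e["deliveries"])  # assumed transport name
        out[mid] = (e["hour"], "remote" if remote else "local")
    return out

def over_threshold(relays, limit=100):
    """Hours in which local relays exceeded the LFD limit (RT_LOCALRELAY_LIMIT in csf.conf)."""
    counts = Counter(hour for hour, _ in relays.values())
    return {h: n for h, n in counts.items() if n > limit}
```

Call `local_relays(parse_log(open("/var/log/exim_mainlog").read()))` on a real log and look at the 'remote' entries first; messages that only ever hit a local transport are the internal "relays" described above.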
-
10-30-2013, 09:48 AM #7Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,700
-
10-30-2013, 12:53 PM #8Mostly Retired!
- Join Date
- Nov 2002
- Location
- Portland, Oregon
- Posts
- 2,992
<<mis-posted>>
Last edited by Johnny Cache; 10-30-2013 at 12:59 PM.
-
10-30-2013, 12:55 PM #9Web Hosting Master
- Join Date
- Jan 2008
- Posts
- 1,204
It looks like you are running PHP processes as the Apache user (nobody). This is not recommended from a security point of view. Compile Apache and PHP with suPHP or mod_ruid2.
-
10-31-2013, 01:10 AM #10Web Hosting Master
- Join Date
- Jan 2006
- Location
- India
- Posts
- 637
I think mod ruid2 is not compatible with mod security.
-
10-31-2013, 01:16 AM #11