On 6/8/2012 2:23 PM, Heiko Schlittermann wrote:
> Chip <jeffsch...@gmail.com> (Fr 08 Jun 2012 19:11:39 CEST):
>> Below is a snippet of a log file which has raised my suspicion. The
>> names and identities of the innocent (and not so innocent) have been
>> obscured. I am trying to understand the *flow* of the traffic and what
>> actually happened.
>>
>> Any help on the flow and what messages were delivered, where, would be
>> greatly appreciated.
>
> Obscuring logs is mostly a bad idea, since it prevents helpful people
> from checking e.g. MX records of related domains, or prevents doing
> some tests against the mentioned servers.
>
> And not linebreaking the logs is helpful too. (I re-unbroke the lines).
>
> 2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
> 2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <lakenxxx...@xxxxxxxx.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
> 2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL
>
> So far the connection was rejected by the logging host. If an invalid
> HELO should lead to such drastic action?? How do you accept mails for
> postmaster@…?
>
> 2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= dawn...@jamesxxx.com H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for bl...@blablabla.com
> 2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]
>
> check_mail_permissions … never have seen it. Probably cpanel? But it
> doesn't seem like a reason for rejecting the mail, because the exim
> spool id appears on the next lines again, until exim logs the
> "Completed" line. This ("Completed") is a strong indication that the
> "transaction" is done. The => lines are a strong indication of a
> successful delivery to the local mailbox and of the remote delivery.
>
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery
> 2012-06-08 12:51:49 1Sd2Pb-0007mS-He => jeff...@gmail.com <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
> 2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
> 2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT
>
> After all, this second connection led to two mail deliveries, one local
> and one remote. It does not look unusual, except for the fact of the
> rejection at the MAIL command already.
>

Additionally, I'm confounded on the use of P= which according to the exim
manual indicates the protocol . . . how can a protocol be someone's email
address as indicated in the snippet right below this line:

2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
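The flow Heiko reads out of the log by eye (one connection dropped at MAIL, then one message accepted on a `<=` line, delivered twice on `=>` lines and closed with `Completed`) can be reconstructed mechanically from the main log. The Python below is an added example for this thread, not code from the exim-users list or from Exim itself; the regular expressions and field names are the editor's own, and the log it parses is a constructed sample copied from the obscured lines quoted above. It relies on two facts about Exim's main-log format: on a `<=` line `P=` is the receiving protocol (`smtp`, `esmtp`, `esmtps`, `local`, ...), while on a `=>` line `P=<address>` is the envelope return path, which Exim adds to delivery lines only when the `return_path_on_delivery` log selector is enabled. Lines the parser does not recognise (the `cwd=` process line, the `check_mail_permissions` line) are skipped and do not affect the reconstructed flow.

```python
"""Reconstruct the flow of an Exim main log: rejected connections,
messages accepted (<=), where each was delivered (=>) and whether the
transaction finished (Completed).  Added example, not Exim's own code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the obscured lines posted in the thread.
SAMPLE_LOG = """\
2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <lakenxxx...@xxxxxxxx.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL
2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= dawn...@jamesxxx.com H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for bl...@blablabla.com
2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]
2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery
2012-06-08 12:51:49 1Sd2Pb-0007mS-He => jeff...@gmail.com <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT
"""

# Exim message ids are three base-62 groups of 6, 6 and 2 characters.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
RE_ARRIVAL = re.compile(rf"^{TS} (?P<id>{MSGID}) <= (?P<sender>\S+) (?P<rest>.*)$")
RE_DELIVERY = re.compile(rf"^{TS} (?P<id>{MSGID}) => (?P<addr>\S+)(?: <(?P<orig>[^>]+)>)? (?P<rest>.*)$")
RE_COMPLETED = re.compile(rf"^{TS} (?P<id>{MSGID}) Completed$")
RE_REJECTED = re.compile(rf"^{TS} (?P<pre>.*?) rejected (?P<stage>.+?)(?: <(?P<addr>[^>]*)>)?: (?P<reason>.*)$")
RE_CLOSED = re.compile(rf"^{TS} SMTP connection from (?P<peer>.*?) closed by (?P<how>.*)$")


@dataclass
class Delivery:
    recipient: str              # address actually delivered to
    original: Optional[str]     # envelope recipient it was resolved from, if shown
    return_path: Optional[str]  # P=<...> on a => line (return_path_on_delivery)
    router: str                 # R=
    transport: str              # T=
    remote_host: Optional[str]  # H=... on remote deliveries, None for local


@dataclass
class Message:
    msgid: str
    sender: str = ""
    protocol: str = ""          # P= on the <= line: smtp, esmtp, esmtps, local ...
    source_ip: str = ""
    size: int = 0
    deliveries: list = field(default_factory=list)
    completed: bool = False


def _kv(rest: str, key: str, pattern: str = r"\S+") -> Optional[str]:
    """Pull a space-separated KEY=value token out of the tail of a log line."""
    m = re.search(rf"(?:^| ){key}=({pattern})", rest)
    return m.group(1) if m else None


def parse_log(text: str):
    """Return (messages keyed by id, rejections, closed connections)."""
    messages: dict[str, Message] = {}
    rejections, closed = [], []
    for line in text.splitlines():
        if (m := RE_ARRIVAL.match(line)):
            msg = messages.setdefault(m["id"], Message(m["id"]))
            msg.sender, msg.protocol = m["sender"], _kv(m["rest"], "P") or ""
            msg.size = int(_kv(m["rest"], "S", r"\d+") or 0)
            ip = re.search(r"\[([^\]]+)\]", m["rest"])
            msg.source_ip = ip.group(1) if ip else ""
        elif (m := RE_DELIVERY.match(line)):
            rest = m["rest"]
            rp = re.search(r"(?:^| )P=<([^>]*)>", rest)          # return path, not protocol
            host = re.search(r"(?:^| )H=(\S+) \[[^\]]+\]", rest)  # only on remote_smtp lines
            messages.setdefault(m["id"], Message(m["id"])).deliveries.append(Delivery(
                m["addr"], m["orig"], rp.group(1) if rp else None,
                _kv(rest, "R") or "", _kv(rest, "T") or "", host.group(1) if host else None))
        elif (m := RE_COMPLETED.match(line)):
            messages.setdefault(m["id"], Message(m["id"])).completed = True
        elif (m := RE_REJECTED.match(line)):
            ip = re.search(r"\[([^\]]+)\]", m["pre"])
            helo = re.search(r"\(([^)]*)\)", m["pre"])  # H=(name) when no verified hostname
            rejections.append({"ip": ip.group(1) if ip else "", "helo": helo.group(1) if helo else "",
                               "stage": m["stage"], "address": m["addr"], "reason": m["reason"]})
        elif (m := RE_CLOSED.match(line)):
            closed.append((m["peer"], m["how"]))
    return messages, rejections, closed


def describe(messages, rejections) -> list[str]:
    """One line per event, in the order an admin would read the flow."""
    out = [f"[{r['ip']}] HELO ({r['helo']}): {r['stage']} <{r['address']}> rejected - {r['reason']}"
           for r in rejections]
    for m in messages.values():
        out.append(f"{m.msgid}: accepted <{m.sender}> from [{m.source_ip}] via {m.protocol}, {m.size} bytes")
        for d in m.deliveries:
            where = f"remote to {d.remote_host}" if d.remote_host else "local mailbox"
            out.append(f"{m.msgid}:   => {d.recipient} ({where}, T={d.transport}, return path <{d.return_path}>)")
        out.append(f"{m.msgid}: " + ("Completed" if m.completed else "NOT completed (still queued, or log cut off)"))
    return out


if __name__ == "__main__":
    msgs, rej, _closed = parse_log(SAMPLE_LOG)
    print("\n".join(describe(msgs, rej)))
```

Run against the sample it reports the dropped connection from the host with the dotless HELO, then one accepted message with two `=>` deliveries (one local, one remote to the Google MX) and its `Completed` line; a message that never reaches `Completed` is flagged, which is the case worth chasing in a real log.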