On 6/8/2012 2:23 PM, Heiko Schlittermann wrote:
> Chip <jeffsch...@gmail.com> (Fr 08 Jun 2012 19:11:39 CEST):
>> Below is a snippet of a log file which has raised my suspicion. The
>> names and identities of the innocent (and not so innocent) have been
>> obscured. I am trying to understand the *flow* of the traffic and what
>> actually happened.
>>
>> Any help on the flow and what messages were delivered, where, would be
>> greatly appreciated.
>
> Obscuring logs is mostly a bad idea, since it prevents helpful people
> from checking e.g. MX records of related domains, or from doing some
> tests against the mentioned servers.
>
> And not linebreaking the logs is helpful too. (I re-unbroke the lines).
>
> 2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
> 2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <lakenxxx...@xxxxxxxx.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
> 2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL
>
> So far the connection was rejected by the logging host. Should an invalid
> HELO lead to such drastic action? How do you accept mails for
> postmaster@…?
>
> 2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= dawn...@jamesxxx.com H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for bl...@blablabla.com
> 2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]
>
> check_mail_permissions … I have never seen it. Probably cpanel? But it
> doesn't seem like a reason for rejecting the mail, because the exim
> spool id appears on the next lines again, until exim logs the
> "Completed" line. This ("Completed") is a strong indication that the
> "transaction" is done. The => lines are a strong indication of a
> successful delivery to the local mailbox and of the remote delivery.
>
> 2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery
> 2012-06-08 12:51:49 1Sd2Pb-0007mS-He => jeff...@gmail.com <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
> 2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
> 2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT
>
> After all, this second connection led to two mail deliveries, one local
> and one remote. It does not look unusual, except for the fact that the
> rejection already happened at the MAIL command.
>
>
>
Additionally, I'm confounded by the use of P=, which according to the
exim manual indicates the protocol. How can a protocol be someone's
email address, as in the snippet right below this line:

2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery



-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
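The thread asks two things: what the flow of these log entries was, and why P= carries a protocol on one line and an address on another. The following script is an added example, written for this page and not code from the Exim project or from anyone in the thread. It re-joins the obscured entries quoted above into a constructed sample, groups them by Exim message id and by client connection, and reports which connection was dropped, which message arrived, where each copy was delivered and whether the transaction completed. The `p_field_meaning` table records the reading the Exim specification's "Log files" chapter gives for P=: on an arrival (`<=`) line it is the protocol, on delivery (`=>`, `->`) lines it is the return path, which Exim logs when the `return_path_on_delivery` log selector is enabled. The regexes, the field names and the report format are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: the obscured entries quoted in the thread, re-joined so
# that each Exim main-log entry is exactly one line (the mail had wrapped them).
SAMPLE_LOG = """\
2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <lakenxxx...@xxxxxxxx.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL
2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= dawn...@jamesxxx.com H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for bl...@blablabla.com
2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]
2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=virtual_user T=virtual_userdelivery
2012-06-08 12:51:49 1Sd2Pb-0007mS-He => jeff...@gmail.com <bl...@blablabla.com> P=<dawn...@jamesxxx.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT
"""

TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$')
# An Exim message id such as 1Sd2Pb-0007mS-He: three base-62 groups of 6, 6 and 2 chars.
MSGID_RE = re.compile(r'^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$')
# key=value log items: <bracketed>, "quoted" or a bare token; the key must start a token.
ITEM_RE = re.compile(r'(?<!\S)([A-Za-z]+)=(<[^>]*>|"[^"]*"|\S+)')
CONN_RE = re.compile(r'\[([^\]]+)\]:(\d+)')   # [ip]:port identifies the client connection

# Meaning of P= by line kind, as documented in the Exim spec ("Log files" chapter):
# protocol on arrival lines, return path (return_path_on_delivery selector) on deliveries.
P_MEANING = {'<=': 'protocol', '=>': 'return path', '->': 'return path'}

def p_field_meaning(flag):
    return P_MEANING.get(flag, 'not a P= line')

def analyse(log_text):
    """Group log entries by message id and by client connection (assumed layout)."""
    messages, connections = OrderedDict(), OrderedDict()
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, rest = m.groups()
        tokens = rest.split(' ', 2)
        conn = CONN_RE.search(rest)
        conn_key = f'{conn.group(1)}:{conn.group(2)}' if conn else None
        if MSGID_RE.match(tokens[0]):
            entry = messages.setdefault(tokens[0], {'arrival': None, 'deliveries': [],
                                                    'completed': False, 'notes': []})
            flag = tokens[1] if len(tokens) > 1 else ''
            tail = tokens[2] if len(tokens) > 2 else ''
            items = dict(ITEM_RE.findall(tail))
            if flag == '<=':
                entry['arrival'] = {'time': ts, 'sender': tail.split(' ', 1)[0],
                                    'protocol': items.get('P'), 'host': items.get('H'),
                                    'size': items.get('S'), 'connection': conn_key}
            elif flag in ('=>', '->'):
                first = ITEM_RE.search(tail)   # recipient text precedes the first key=value
                entry['deliveries'].append({
                    'time': ts, 'recipient': tail[:first.start()].strip() if first else tail,
                    'return_path': items.get('P'), 'router': items.get('R'),
                    'transport': items.get('T'), 'host': items.get('H'), 'tls': items.get('X')})
            elif flag == 'Completed':
                entry['completed'] = True
            else:
                entry['notes'].append(rest)   # e.g. the check_mail_permissions line
        elif conn_key:
            c = connections.setdefault(conn_key, {'opened': None, 'rejections': [], 'closed_by': None})
            if 'closed by' in rest:
                c['closed_by'] = rest.split('closed by', 1)[1].strip()
            elif rest.startswith('SMTP connection from'):
                c['opened'] = ts
            elif ' rejected ' in rest:
                c['rejections'].append(rest.split(' rejected ', 1)[1])
    return messages, connections

def flow_report(messages, connections):
    """One line per connection, rejection, arrival, delivery and completion status."""
    lines = []
    for key, c in connections.items():
        status = 'closed by ' + c['closed_by'] if c['closed_by'] else 'still open'
        lines.append(f'connection {key}: opened {c["opened"]}, {len(c["rejections"])} rejection(s), {status}')
        for r in c['rejections']:
            lines.append(f'    rejected {r}')
    for msgid, e in messages.items():
        a = e['arrival']
        if a:
            lines.append(f'message {msgid}: from {a["sender"]} via {a["connection"]}, '
                         f'P={a["protocol"]} ({p_field_meaning("<=")})')
        for d in e['deliveries']:
            where = f' to {d["host"]}' if d['host'] else ' (local)'
            lines.append(f'    => {d["recipient"]}{where}, transport {d["transport"]}, '
                         f'P={d["return_path"]} ({p_field_meaning("=>")})')
        lines.append(f'    completed: {e["completed"]}, other entries: {len(e["notes"])}')
    return lines

if __name__ == '__main__':
    print('\n'.join(flow_report(*analyse(SAMPLE_LOG))))
```

Run against the sample, the report shows the first connection rejected at MAIL and dropped in the ACL with no message ever created, and the second connection producing one message that was delivered twice (locally via `virtual_userdelivery` and to the remote host over `remote_smtp` with TLS) before `Completed`. The `check_mail_permissions` entry ends up under "other entries", which is consistent with the observation in the thread that it did not stop delivery. Note that `H=` values containing spaces are captured only up to the first space, which is enough to tell local from remote deliveries here.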
