Atomic Secure Linux


All times are UTC - 5 hours [ DST ]




 Post subject: Help to identify source of outgoing email
Posted: Fri Feb 21, 2014 10:09 am
Forum Regular

Can anyone help? There is some mail (I do not THINK it is Spam) going from our server but the domain is not hosted on our server. They must have put on one of our accounts as the authentication.

I would like to try and identify which email address is being used to authenticate it. Can anyone help, please?

Code:
Feb 21 12:59:11 plesk3 qmail: 1392987551.169718 starting delivery 745: msg 5367103 to remote ser@remote-domain.com
Feb 21 12:59:11 plesk3 qmail: 1392987551.169754 status: local 0/10 remote 1/20
Feb 21 12:59:11 plesk3 qmail-remote-handlers[21297]: Handlers Filter before-remote for qmail started ...
Feb 21 12:59:11 plesk3 qmail-remote-handlers[21297]: from=charlie@domain1.com
Feb 21 12:59:11 plesk3 qmail-remote-handlers[21297]: to=user@remote-domain.com
Feb 21 12:59:11 plesk3 spamd[5944]: spamd: connection from localhost [127.0.0.1] at port 35391
Feb 21 12:59:11 plesk3 spamd[5944]: spamd: setuid to qscand succeeded
Feb 21 12:59:11 plesk3 spamd[5944]: spamd: checking message <4e076713cb694887ab888aff46ecea69@AM3PR03MB483.eurprd03.prod.outlook.com> for qscand:10002
Feb 21 12:59:13 plesk3 spamd[5944]: spamd: clean message (0.0/5.0) for qscand:10002 in 1.9 seconds, 28359 bytes.
Feb 21 12:59:13 plesk3 spamd[5944]: spamd: result: . 0 - HTML_MESSAGE,T_FILL_THIS_FORM_SHORT scantime=1.9,size=28359,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=35391,mid=<4e076713cb694887ab888aff46ecea69@AM3PR03MB483.eurprd03.prod.outlook.com>,autolearn=disabled


We do not host domain1.com. I'm thinking it MIGHT be an online form because of the 127.0.0.1. I looked up the uid but that did not tell me anything:

Code:
[root@plesk3 ~]# grep 10002 /etc/passwd
qscand:x:10002:492:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@plesk3 ~]#


I have tried emailing charlie@domain1.com to see what he has to say - no response as yet.

Can the combined expert knowledge help me in any way? Many thanks in advance for assistance and advice.


Last edited by coolemail on Fri Feb 21, 2014 1:53 pm, edited 2 times in total.

 Post subject: Re: Help to identify source of outgoing email
Posted: Fri Feb 21, 2014 11:46 am
Atomicorp Staff - Site Admin

Look for a qmail-scanner log event on these messages, in that it will indicate what the Relay Client (RC:) is. If it's coming from the local system, that will indicate localhost.


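Editor's added example, not part of either post and not Atomicorp's code: a way to tally relayed mail whose sender domain is not hosted on the server, grouped by the relay client from the qmail-scanner RC: field. The event layout, the meaning of the RC flag (1 = allowed to relay), the hosted-domain list and all function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical list of domains this server hosts; substitute your own.
HOSTED = {"hosted-example.co.uk"}

# ASSUMED event layout (not shown in the thread), tab-separated after the event:
#   <verdict>:RC:<flag>(<client>):...  secs  bytes  sender  recipient  ...
# Assumption: flag 1 = client was allowed to relay, 0 = ordinary inbound mail.
EVENT = re.compile(
    r"RC:(?P<flag>[01])\((?P<client>[^)]+)\)[^\t]*\t[^\t]*\t[^\t]*\t(?P<sender>[^\t]*)\t"
)

def _line(flag, client, sender, rcpt):
    """Build one constructed log line in the assumed layout."""
    return (f"Fri, 21 Feb 2014 12:59:13 GMT:21290: Clear:RC:{flag}({client}):"
            f"SA:0(0.0/5.0):\t1.9\t28359\t{sender}\t{rcpt}\tHello")

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = "\n".join(_line(*row) for row in [
    ("1", "127.0.0.1", "charlie@domain1.com", "user@remote-domain.com"),
    ("1", "203.0.113.45", "charlie@domain1.com", "user@remote-domain.com"),
    ("1", "203.0.113.45", "Charlie@domain1.com", "other@remote-domain.com"),
    ("0", "198.51.100.7", "someone@elsewhere.example", "info@hosted-example.co.uk"),
    ("1", "127.0.0.1", "", "user@remote-domain.com"),            # bounce, empty sender
    ("1", "203.0.113.9", "info@hosted-example.co.uk", "user@remote-domain.com"),
])

def is_local(client):
    """True when the relay client is this machine (web form, cron job, script)."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return client.lower() == "localhost"

def foreign_relayed(log_text, hosted=HOSTED):
    """Return (sender, client, is_local, count) for relayed mail from non-hosted domains."""
    hits = Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["flag"] != "1":
            continue                      # unparsable line or inbound delivery
        sender = m["sender"].lower()
        if not sender or sender.rpartition("@")[2] in hosted:
            continue                      # bounce, or one of our own domains
        hits[(sender, m["client"])] += 1
    return [(s, c, is_local(c), n) for (s, c), n in hits.most_common()]

if __name__ == "__main__":
    for row in foreign_relayed(SAMPLE_LOG):
        print(row)
```

A loopback client points at something running on the server itself; a remote client address points at an SMTP session that was permitted to relay, which can then be matched against the SMTP authentication log for the same time.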
 Post subject: Re: Help to identify source of outgoing email
Posted: Fri Feb 21, 2014 1:50 pm
Forum Regular

Thanks for your help, Scott. We got to the root of it!

