false warning?

gate2vn

In the Exim mainlog, we have this:

2012-11-12 17:15:08 1TXr2p-000OiG-Qf H=([172.16.15.37]) [123.30.181.238] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-12 17:15:26 1TXr37-000P3d-2J H=([172.16.15.37]) [123.30.181.238] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-13 17:03:20 1TYDKx-000HC3-MY H=([172.16.15.37]) [123.30.181.238] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-13 17:03:37 1TYDLE-000HIm-Uh H=([172.16.15.37]) [123.30.181.238] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)

Contacted the customer; the IP 123.30.181.238 is not their IP. Also asked him to change the passwords of those 2 accounts already, but the log entries keep coming back. Wondering if someone else sees this on their servers?

This log is from a CloudLinux 5 64-bit machine with ClamAV 0.97.6/15574.
Thanks.
 
Someone is attempting to send email to someone on your server, using a from address of [email protected] (and [email protected]); that person is using a HELO of 172.16.15.37, but their real address is 123.30.181.238. Nothing in the logs shows this is an authenticated login; you'd need to post more of the log lines relating to this email for any of us to tell you more. When you do, leave the real information in if you want real help.

Jeff
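
As an added example (not from the thread), a small Python script that pulls the HELO, real peer address, envelope sender and reason out of Exim "rejected after DATA" lines like the ones above and applies Jeff's check: an Exim session that was authenticated carries an A=authenticator:login field, and without it the local sender address was simply claimed by a remote host. The sample lines, the example.com mailboxes and the third (authenticated) line are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the shape of the thread's mainlog excerpt.
# Sender addresses are placeholders; the third line is invented to show
# what an authenticated (A=) submission looks like by contrast.
SAMPLE_LOG = """\
2012-11-12 17:15:08 1TXr2p-000OiG-Qf H=([172.16.15.37]) [123.30.181.238] F=<user1@example.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-12 17:15:26 1TXr37-000P3d-2J H=([172.16.15.37]) [123.30.181.238] F=<user2@example.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-13 18:00:00 1TYDMM-000HJ0-Aa H=(mail.example.net) [203.0.113.10] A=dovecot_login:user1@example.com F=<user1@example.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
"""

# H= is the peer's HELO/EHLO name, [..] the real peer address, A= the
# authenticator and login (present only on authenticated sessions),
# F= the envelope sender claimed in MAIL FROM.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) H=(?P<helo>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?:A=(?P<auth>\S+) )?F=<(?P<sender>[^>]*)> rejected after DATA: (?P<reason>.*)$"
)


def parse_reject(line: str):
    """Return the fields of one 'rejected after DATA' line, or None."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # A HELO given as a bare address literal like ([172.16.15.37]) is often
    # a private address that cannot be the public peer IP in brackets.
    helo_addr = rec["helo"].strip("()[]")
    try:
        rec["helo_private"] = ip_address(helo_addr).is_private
    except ValueError:
        rec["helo_private"] = False
    return rec


def classify(rec: dict) -> str:
    """Distinguish an inbound forgery from a customer's own submission."""
    if rec["auth"]:
        # Logged in with a mailbox password: that account may be compromised.
        return "authenticated"
    # No A= field: a remote host merely claimed the local address as sender,
    # so changing the mailbox password will not stop these entries.
    return "unauthenticated"


def parse_log(text: str):
    return [r for r in (parse_reject(line) for line in text.splitlines()) if r]
```

Run parse_log(SAMPLE_LOG) and classify() each record; only entries classified "authenticated" point at a customer account that needs a password change.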