Thread: false warning?

  1. #1 (Join Date: Nov 2004, Posts: 236)

    false warning?

    In the exim mainlog, we have this:

    2012-11-12 17:15:08 1TXr2p-000OiG-Qf H=([172.16.15.37]) [123.30.181.238] F=<email1@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
    2012-11-12 17:15:26 1TXr37-000P3d-2J H=([172.16.15.37]) [123.30.181.238] F=<email2@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
    2012-11-13 17:03:20 1TYDKx-000HC3-MY H=([172.16.15.37]) [123.30.181.238] F=<email1@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
    2012-11-13 17:03:37 1TYDLE-000HIm-Uh H=([172.16.15.37]) [123.30.181.238] F=<email2@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
    I contacted the customer; the IP 123.30.181.238 is not their IP. I also already asked them to change the passwords of those two accounts, but the log entries keep coming back. I'm wondering if anyone else sees this on their servers?

    This log is from a CloudLinux 5 - 64bits machine with ClamAV 0.97.6/15574.
    Thanks.

  2. #2 (Join Date: Jun 2003, Location: California, Posts: 26,123)

    Someone is attempting to send email to someone on your server, using a from address of email1@domain.com (and email2@domain.com); that person is using a HELO of 172.16.15.37, but their real address is 123.30.181.238. Nothing in the logs shows this is an authenticated login; you'd need to post more of the log lines relating to this email in order for any of us to tell you more. When you do, leave the real information in if you want real help.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103
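As an added example (not code from the thread or from either poster), a small Python parser for the exim mainlog lines quoted above that applies Jeff's reasoning: it pulls out the HELO name, the connecting address, the envelope sender and exim's A= authentication tag, and flags a private-range HELO that differs from the public peer address as a forged, unauthenticated message rather than a compromised account. The third sample line and its A=login: tag are constructed by me to show what a genuinely authenticated submission would look like.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

# Constructed sample: two reject lines quoted in the thread plus a made-up third line carrying
# exim's "A=authenticator:id" tag, which is how an authenticated (really compromised) account shows up.
SAMPLE_LOG = """\
2012-11-12 17:15:08 1TXr2p-000OiG-Qf H=([172.16.15.37]) [123.30.181.238] F=<email1@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-12 17:15:26 1TXr37-000P3d-2J H=([172.16.15.37]) [123.30.181.238] F=<email2@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
2012-11-13 09:00:00 1TXzzz-000000-AA H=(mail.example.net) [198.51.100.7] A=login:email1@domain.com F=<email1@domain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Bagle)
"""

# Fields of an exim "rejected after DATA" line: H=[rdns ](helo) [peer-ip], optional A=auth, F=<sender>.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) H=(?:\S+ )?\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\]"
    r"(?: A=(?P<auth>\S+))? F=<(?P<sender>[^>]*)> rejected after DATA: (?P<reason>.*)$"
)

def parse_reject(line: str) -> Optional[dict]:
    """Return the named fields of one reject line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def helo_is_private_literal(helo: str) -> bool:
    """True when the HELO is an address literal in private (RFC 1918) space, e.g. [172.16.15.37]."""
    try:
        return ipaddress.ip_address(helo.strip("[]")).is_private
    except ValueError:
        return False

def classify(rec: dict) -> str:
    """Verdict for the F= account, following the reasoning in the reply above."""
    if rec["auth"]:
        return "authenticated"          # sender logged in as this account: password is compromised
    if helo_is_private_literal(rec["helo"]) and rec["helo"].strip("[]") != rec["peer"]:
        return "forged-unauthenticated"  # private HELO vs public peer: forged From, account untouched
    return "unauthenticated"

def summarize(log: str) -> Dict[str, Counter]:
    """Per-sender tally of verdicts, so the admin sees which accounts actually need action."""
    tally: Dict[str, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        rec = parse_reject(line)
        if rec:
            tally[rec["sender"]][classify(rec)] += 1
    return dict(tally)
```

Run it over the real mainlog (rather than SAMPLE_LOG) and any sender whose tally shows "authenticated" is the account whose password actually needs changing; "forged-unauthenticated" entries only mean the address is being spoofed from outside.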
