
Thread: LOCALRELAY Alert for mail

  1. #1 (Join Date: Nov 2004, Posts: 338)

    LOCALRELAY Alert for mail

    Hello

    EDIT: exim version is 4.86.
    I also have easy spam block and CSF installed and working.

    I am having a problem finding out how to stop this local mail spam relay.

    I tested the server IP, and it is not an open relay.

    The domain that is sending emails / or using it as a relay, does not even have email (MX) on this server. They use an Exchange server.
    So external email configuration.

    The server is receiving all these emails that are being relayed to incorrect email accounts from accounts that do not exist.
    The aco**** in question does not seem to be sending emails according to DA... perhaps a relay is not counted?

    Here is a sample of a header:
    Code:
    1a21v4-0000cV-L6-H
    mail 8 12
    <arzwe@acr-regulation.com>
    1448564966 0
    -helo_name www.acr-regulation.com
    -host_address 204.45.30.196.55355
    -interface_address 37.187.136.150.25
    -active_hostname server.goeticweb.com
    -received_protocol esmtp
    -aclm _is_whitelisted 1
    1
    -body_linecount 78
    -max_received_linelength 303
    -host_lookup_failed
    XX
    1
    dumper@itae.com.br
    
    231P Received: from [204.45.30.196] (helo=www.acr-regulation.com)
    	by server.goeticweb.com with esmtp (Exim 4.86)
    	(envelope-from <arzwe@acr-regulation.com>)
    	id 1a21v4-0000cV-L6
    	for dumper@itae.com.br; Thu, 26 Nov 2015 20:09:27 +0100
    049F From: "Vivo Empresas" <arzwe@acr-regulation.com>
    065  Subject: 100 Minutos + 1 GB Internet + Aparelho Celular por ....
    023T To: dumper@itae.com.br
    024  Content-Type: text/html
    038  Date: Thu, 26 Nov 2015 17:03:03 -0300
    I suppose the email's content is not important.

    Then, here is the log for that same email:
    Code:
    2015-11-26 20:09:27 Received from arzwe@acr-regulation.com H=(www.acr-regulation.com) [204.45.30.196] P=esmtp S=3663 T="100 Minutos + 1 GB Internet + Aparelho Celular por ...."
    2015-11-26 20:09:27 root@server.goeticweb.com <dumper@itae.com.br> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
    Then, I am also receiving tons of emails with this subject: Mail delivery failed: returning message to sender
    Here is the header for that error return email:
    Code:
    1a22hI-000170-QT-H
    mail 8 12
    <>
    1448567956 0
    -active_hostname server.goeticweb.com
    -ident mail
    -received_protocol local
    -aclm _user 0
    
    -aclm _uid 2
    -1
    -aclm _username 7
    unknown
    -body_linecount 115
    -max_received_linelength 303
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -localerror
    XX
    1
    rukfmexf@acr-regulation.com
    
    154P Received: from mail by server.goeticweb.com with local (Exim 4.86)
    	id 1a22hI-000170-QT
    	for rukfmexf@acr-regulation.com; Thu, 26 Nov 2015 20:59:17 +0100
    043  X-Failed-Recipients: ebousada@afadv.com.br
    029  Auto-Submitted: auto-replied
    064F From: Mail Delivery System <Mailer-Daemon@server.goeticweb.com>
    032T To: rukfmexf@acr-regulation.com
    100  Content-Type: multipart/report; report-type=delivery-status; boundary=1448567956-eximdsn-1363980706
    018  MIME-Version: 1.0
    059  Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <E1a22hI-000170-QT@server.goeticweb.com>
    038  Date: Thu, 26 Nov 2015 20:59:16 +0100
    and the content :
    Code:
    1a22hI-000170-QT-D
    --1448567956-eximdsn-1363980706
    Content-type: text/plain; charset=us-ascii
    
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      ebousada@afadv.com.br
        Unrouteable address
    
    --1448567956-eximdsn-1363980706
    Content-type: message/delivery-status
    
    Reporting-MTA: dns; server.goeticweb.com
    
    Action: failed
    Final-Recipient: rfc822;ebousada@afadv.com.br
    Status: 5.0.0
    
    --1448567956-eximdsn-1363980706
    Content-type: message/rfc822
    
    Return-path: <rukfmexf@acr-regulation.com>
    Received: from [204.45.30.196] (helo=www.acr-regulation.com)
    	by server.goeticweb.com with esmtp (Exim 4.86)
    	(envelope-from <rukfmexf@acr-regulation.com>)
    	id 1a22hI-00016o-2B
    	for ebousada@afadv.com.br; Thu, 26 Nov 2015 20:59:16 +0100
    From: "Vivo Empresas" <rukfmexf@acr-regulation.com>
    Subject: 100 Minutos + 1 GB Internet + Aparelho Celular por ....
    To: ebousada@afadv.com.br
    Content-Type: text/html
    Date: Thu, 26 Nov 2015 17:52:52 -0300
    
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    </head>
    <body bgcolor="#ffffff" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" style="TEXT-ALIGN: center"></TABLE>
    <table id="Tabela_01" width="748" height="956" border="0" cellpadding="0" cellspacing="0" align="center" >
    <tr>
    <td align="middle" style="PADDING-BOTTOM: 10px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; COLOR: #777; FONT-SIZE: 9px; PADDING-TOP: 10px" 
       >
    <div align="center">
    <table border="0" width="690" cellspacing="0" cellpadding="0" bgcolor="#00a4ec">
    <tr>
    <td>
    <p align="center"><font size="2"><br>
    </font> <font style="FONT-SIZE: 10pt" face="Arial">Caso tenha problemas em visualizar essa mensagem,&nbsp;copie e<br>
    cole esse link 
    direto no seu navegador: </font> <font color="#0000ff">
    <b>
    <font size="2" style="FONT-SIZE: 10pt" face="Arial">
    <u>
    <a href="http://contato.ms/6YN"><font color="#000000">ofertas-selecionadas.com/vivoempresas</font></a></u></font></b></font><br>&nbsp;</p>
    </td>
    </tr>
    </table>
    </div>
    </td>
    </tr>    
    <tr>
    <td>
    <a href="http://contato.ms/6YN">
    <img src="http://staticsimagem.com/vivolb/01.jpg" alt="" border="0"></a></td>
    </tr>
    <tr>
    <td>
    <a href="http://contato.ms/6YN">
    <img src="http://staticsimagem.com/vivolb/02.jpg"  alt="" border="0"> </a></td><img src="http://8.26.21.109/visitante/?visitante=ebousada@afadv.com.br&amp;visita=49&amp;v=9" height="1" width="1" border="0" 
       >
    </tr>
    </table>
    <table width="748"  align="center" border="0" cellpadding="0" cellspacing="0">
    <tr>
    <td style="MARGIN: 11px">  
    <p style="MARGIN: 10px 5px 10px 10px; FONT-FAMILY: Verdana, Geneva, sans-serif; COLOR: #666; FONT-SIZE: 10px" 
         >*Funcionalidade disponivel para aparelhos compativeis, consulte disponibilidade.
    Preencha o formulario atraves do site e receba o atendimento de um consultor autorizado Vivo Empresa em no maximo 24 horas. Consulte as condicoes dessa oferta junto ao consultor de vendas. Oferta valida para cliente pessoa jurídica. Verifique a disponibilidade da oferta e aparelhos para a sua regiao. 
    <br ></p>
    </td>
    </tr>
    </table>
    <table align="center" border="0" cellpadding="0" cellspacing="0" width="748">
    <tr>
    <td align="middle" style="PADDING-BOTTOM: 10px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; COLOR: #777; FONT-SIZE: 9px; PADDING-TOP: 10px" 
       >
    <div align="center">
    <table border="0" width="694" cellspacing="0" cellpadding="0" bgcolor="#00a4ec">
    <tr>
    <td>
    <p align="center"><font size="2"><br>
    </font> <font style="FONT-SIZE: 10pt" face="Arial">Caso tenha problemas em visualizar essa mensagem,&nbsp;copie e<br>
    cole esse link 
    direto no seu navegador: </font> <font color="#0000ff">
    <b>
    <font size="2" style="FONT-SIZE: 10pt" face="Arial">
    <u>
    <a href="http://contato.ms/6YN"><font color="#000000">ofertas-selecionadas.com/vivoempresas</font></a></u></font></b></font><br>&nbsp;</p>
    </td>
    </tr>
    </table>
    </div>
    &nbsp;<p>&nbsp;</p>
    <p>Nos respeitamos sua privacidade, segue 
    <a target="_blank" href="http://contato.ms/6YL">link</a> de 
          remocao automatica.</p>   </td>
    </tr>
    </table>
    <font size=1><p align=left>be9kz</p></font>
    </body>
    </html>
    
    --1448567956-eximdsn-1363980706--

    The emails I am receiving from CSF have this subject: lfd on server.goeticweb.com: RELAY Alert for 204.45.30.196 (US/United States/is.not.okay.to.strangled.net)


    The question is: could someone help me out with understanding where the email originates from and why it's getting onto my server?

    Could it be "malware" on someone's computer that has, say, Outlook configured with that domain (acr-regulation.com)?
    But because my server does not "serve" email for that domain... I don't understand.

    Any help would be appreciated.
    Last edited by sky; 11-26-2015 at 12:10 PM.

  2. #2 (Join Date: May 2008, Location: The Netherlands, Posts: 1,189)
    I'm guessing it's just incoming spam which isn't being recognized as such by the filters. I tested the IP the spam comes from; it's listed on the Barracuda list, which isn't an included RBL on DA by default.

    So you could add the Barracuda RBL, but since it's just one case (I assume) I'd just block that IP address in CSF and see if that's the end of it.
    ~ Arieh

  3. #3 (Join Date: Nov 2004, Posts: 338)
    There is not only one IP, that's just an example.
    That's what I am doing at the moment, blocking the IPs as they show up.
    Thx
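Posts #2 and #3 come down to finding which remote hosts are injecting this mail and blocking them as they appear. The script below is an added example, not code from the thread, DirectAdmin or CSF. It parses Exim spool header files in the -H layout quoted in post #1 (envelope sender on the third line, the block of `-option` lines, the non-recipient tree, the recipient count and the recipient list), strips the port from `-host_address`, and sorts each message into a relay attempt (remote host, recipient in a domain this box does not host), a backscatter bounce (empty sender plus `-localerror`, i.e. our own MTA bouncing to a forged sender) or ordinary mail. `LOCAL_DOMAINS` is an assumption for the example; the two sample inputs are trimmed copies of the headers quoted above.

```python
"""Triage Exim -H spool files: remote hosts sending mail for domains we do not
host, and bounces our own MTA generated to unverified (forged) senders."""
from collections import Counter
from dataclasses import dataclass, field

# Assumption for the example: the domains this box really hosts mail for.
# None of itae.com.br, afadv.com.br or acr-regulation.com is among them.
LOCAL_DOMAINS = {"goeticweb.com", "server.goeticweb.com"}


@dataclass
class SpoolHeader:
    msg_id: str
    sender: str                 # envelope sender; "" when the spool has "<>"
    host_address: str = ""      # remote IP; empty for locally injected mail
    helo_name: str = ""
    local_error: bool = False   # -localerror: this MTA generated the message
    recipients: list = field(default_factory=list)


def parse_spool_header(text: str) -> SpoolHeader:
    """Layout: message id, 'login uid gid', <sender>, 'time warnings', then
    '-option [value]' lines (an -aclm value sits on the following line), the
    non-recipient tree ('XX' when empty), the recipient count, the recipients."""
    lines = text.splitlines()
    hdr = SpoolHeader(msg_id=lines[0].rsplit("-H", 1)[0],
                      sender=lines[2].strip().strip("<>"))
    i = 4
    while lines[i].startswith("-"):
        key, _, value = lines[i].partition(" ")
        if key == "-host_address":
            hdr.host_address = value.rsplit(".", 1)[0]   # "ip.port" -> ip
        elif key == "-helo_name":
            hdr.helo_name = value
        elif key == "-localerror":
            hdr.local_error = True
        elif key == "-aclm":
            i += 1      # skip the variable's value line (single-line assumed)
        i += 1
    while not lines[i].isdigit():   # step past the non-recipient tree
        i += 1
    count = int(lines[i])
    hdr.recipients = [l.split()[0] for l in lines[i + 1:i + 1 + count]]
    return hdr


def recipient_domains(hdr: SpoolHeader) -> set:
    return {r.rsplit("@", 1)[-1].lower() for r in hdr.recipients}


def classify(hdr: SpoolHeader, local_domains=LOCAL_DOMAINS) -> str:
    if hdr.sender == "" and hdr.local_error:
        return "backscatter-bounce"   # our bounce to an address we never verified
    if hdr.host_address and recipient_domains(hdr) - local_domains:
        return "relay-attempt"        # remote host, recipient we do not host
    return "ok"


def triage(spool_texts, local_domains=LOCAL_DOMAINS):
    """Count relay sources by IP and backscatter targets by recipient domain."""
    relay_sources, bounce_targets = Counter(), Counter()
    for text in spool_texts:
        hdr = parse_spool_header(text)
        verdict = classify(hdr, local_domains)
        if verdict == "relay-attempt":
            relay_sources[hdr.host_address] += 1
        elif verdict == "backscatter-bounce":
            bounce_targets.update(recipient_domains(hdr))
    return relay_sources, bounce_targets


# Trimmed copies of the two -H files quoted in post #1 (constructed test input).
SAMPLE_SPAM = """\
1a21v4-0000cV-L6-H
mail 8 12
<arzwe@acr-regulation.com>
1448564966 0
-helo_name www.acr-regulation.com
-host_address 204.45.30.196.55355
-received_protocol esmtp
-aclm _is_whitelisted 1
1
-host_lookup_failed
XX
1
dumper@itae.com.br
"""

SAMPLE_BOUNCE = """\
1a22hI-000170-QT-H
mail 8 12
<>
1448567956 0
-received_protocol local
-aclm _user 0

-aclm _uid 2
-1
-deliver_firsttime
-localerror
XX
1
rukfmexf@acr-regulation.com
"""

if __name__ == "__main__":
    sources, targets = triage([SAMPLE_SPAM, SAMPLE_BOUNCE])
    for ip, n in sources.most_common():
        print(f"relay source {ip}: {n} message(s)  (review, then csf -d {ip})")
    for dom, n in targets.most_common():
        print(f"backscatter to {dom}: {n} bounce(s)")
```

On a real server the inputs are the `*-H` files in Exim's input spool, read as root. The per-IP counter is the list post #2 suggests blocking (`csf -d <ip>` adds a permanent deny); each relay-attempt hit is also a recipient domain worth checking against the server's local and relay domain settings, because a message accepted for a domain the box does not host means the recipient ACL or routers treated that domain as local or relayable, and the backscatter bounces stop once those recipients are rejected at SMTP time instead of after acceptance.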
