LOCALRELAY Alert for mail

sky

Verified User
Joined
Nov 12, 2004
Messages
338
Hello

EDIT: exim version is 4.86.
I also have easy spam block and CSF installed and working.

I am having a problem finding out how to stop this local mail spam relay.

I tested the server IP, and it is not an open relay.

The domain that is sending emails / or using it as a relay does not even have email (MX) on this server. They use an Exchange server.
So it's an external email configuration.

The server is receiving all these emails that are being relayed to incorrect email accounts from accounts that do not exist.
The aco**** in question does not seem to be sending emails according to DA... perhaps a relay is not counted?

Here is a sample of a header:
Code:
1a21v4-0000cV-L6-H
mail 8 12
<arzwe@acr-regulation.com>
1448564966 0
-helo_name www.acr-regulation.com
-host_address 204.45.30.196.55355
-interface_address 37.187.136.150.25
-active_hostname server.goeticweb.com
-received_protocol esmtp
-aclm _is_whitelisted 1
1
-body_linecount 78
-max_received_linelength 303
-host_lookup_failed
XX
1
dumper@itae.com.br

231P Received: from [204.45.30.196] (helo=www.acr-regulation.com)
	by server.goeticweb.com with esmtp (Exim 4.86)
	(envelope-from <arzwe@acr-regulation.com>)
	id 1a21v4-0000cV-L6
	for dumper@itae.com.br; Thu, 26 Nov 2015 20:09:27 +0100
049F From: "Vivo Empresas" <arzwe@acr-regulation.com>
065  Subject: 100 Minutos + 1 GB Internet + Aparelho Celular por ....
023T To: dumper@itae.com.br
024  Content-Type: text/html
038  Date: Thu, 26 Nov 2015 17:03:03 -0300
I suppose the email's content is not important.

Then, here is the log for that same email:
Code:
2015-11-26 20:09:27 Received from arzwe@acr-regulation.com H=(www.acr-regulation.com) [204.45.30.196] P=esmtp S=3663 T="100 Minutos + 1 GB Internet + Aparelho Celular por ...."
2015-11-26 20:09:27 root@server.goeticweb.com <dumper@itae.com.br> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
Then, I am also receiving tons of emails with this subject: Mail delivery failed: returning message to sender
Here is the header for that error return email:
Code:
1a22hI-000170-QT-H
mail 8 12
<>
1448567956 0
-active_hostname server.goeticweb.com
-ident mail
-received_protocol local
-aclm _user 0

-aclm _uid 2
-1
-aclm _username 7
unknown
-body_linecount 115
-max_received_linelength 303
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-localerror
XX
1
rukfmexf@acr-regulation.com

154P Received: from mail by server.goeticweb.com with local (Exim 4.86)
	id 1a22hI-000170-QT
	for rukfmexf@acr-regulation.com; Thu, 26 Nov 2015 20:59:17 +0100
043  X-Failed-Recipients: ebousada@afadv.com.br
029  Auto-Submitted: auto-replied
064F From: Mail Delivery System <Mailer-Daemon@server.goeticweb.com>
032T To: rukfmexf@acr-regulation.com
100  Content-Type: multipart/report; report-type=delivery-status; boundary=1448567956-eximdsn-1363980706
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
053I Message-Id: <E1a22hI-000170-QT@server.goeticweb.com>
038  Date: Thu, 26 Nov 2015 20:59:16 +0100
and the content:
Code:
1a22hI-000170-QT-D
--1448567956-eximdsn-1363980706
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  ebousada@afadv.com.br
    Unrouteable address

--1448567956-eximdsn-1363980706
Content-type: message/delivery-status

Reporting-MTA: dns; server.goeticweb.com

Action: failed
Final-Recipient: rfc822;ebousada@afadv.com.br
Status: 5.0.0

--1448567956-eximdsn-1363980706
Content-type: message/rfc822

Return-path: <rukfmexf@acr-regulation.com>
Received: from [204.45.30.196] (helo=www.acr-regulation.com)
	by server.goeticweb.com with esmtp (Exim 4.86)
	(envelope-from <rukfmexf@acr-regulation.com>)
	id 1a22hI-00016o-2B
	for ebousada@afadv.com.br; Thu, 26 Nov 2015 20:59:16 +0100
From: "Vivo Empresas" <rukfmexf@acr-regulation.com>
Subject: 100 Minutos + 1 GB Internet + Aparelho Celular por ....
To: ebousada@afadv.com.br
Content-Type: text/html
Date: Thu, 26 Nov 2015 17:52:52 -0300

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body bgcolor="#ffffff" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" style="TEXT-ALIGN: center"></TABLE>
<table id="Tabela_01" width="748" height="956" border="0" cellpadding="0" cellspacing="0" align="center" >
<tr>
<td align="middle" style="PADDING-BOTTOM: 10px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; COLOR: #777; FONT-SIZE: 9px; PADDING-TOP: 10px" 
   >
<div align="center">
<table border="0" width="690" cellspacing="0" cellpadding="0" bgcolor="#00a4ec">
<tr>
<td>
<p align="center"><font size="2"><br>
</font> <font style="FONT-SIZE: 10pt" face="Arial">Caso tenha problemas em visualizar essa mensagem, copie e<br>
cole esse link 
direto no seu navegador: </font> <font color="#0000ff">
<b>
<font size="2" style="FONT-SIZE: 10pt" face="Arial">
<u>
<a href="http://contato.ms/6YN"><font color="#000000">ofertas-selecionadas.com/vivoempresas</font></a></u></font></b></font><br> </p>
</td>
</tr>
</table>
</div>
</td>
</tr>    
<tr>
<td>
<a href="http://contato.ms/6YN">
<img src="http://staticsimagem.com/vivolb/01.jpg" alt="" border="0"></a></td>
</tr>
<tr>
<td>
<a href="http://contato.ms/6YN">
<img src="http://staticsimagem.com/vivolb/02.jpg"  alt="" border="0"> </a></td><img src="http://8.26.21.109/visitante/?visitante=ebousada@afadv.com.br&visita=49&v=9" height="1" width="1" border="0" 
   >
</tr>
</table>
<table width="748"  align="center" border="0" cellpadding="0" cellspacing="0">
<tr>
<td style="MARGIN: 11px">  
<p style="MARGIN: 10px 5px 10px 10px; FONT-FAMILY: Verdana, Geneva, sans-serif; COLOR: #666; FONT-SIZE: 10px" 
     >*Funcionalidade disponivel para aparelhos compativeis, consulte disponibilidade.
Preencha o formulario atraves do site e receba o atendimento de um consultor autorizado Vivo Empresa em no maximo 24 horas. Consulte as condicoes dessa oferta junto ao consultor de vendas. Oferta valida para cliente pessoa jurídica. Verifique a disponibilidade da oferta e aparelhos para a sua regiao. 
<br ></p>
</td>
</tr>
</table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="748">
<tr>
<td align="middle" style="PADDING-BOTTOM: 10px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; COLOR: #777; FONT-SIZE: 9px; PADDING-TOP: 10px" 
   >
<div align="center">
<table border="0" width="694" cellspacing="0" cellpadding="0" bgcolor="#00a4ec">
<tr>
<td>
<p align="center"><font size="2"><br>
</font> <font style="FONT-SIZE: 10pt" face="Arial">Caso tenha problemas em visualizar essa mensagem, copie e<br>
cole esse link 
direto no seu navegador: </font> <font color="#0000ff">
<b>
<font size="2" style="FONT-SIZE: 10pt" face="Arial">
<u>
<a href="http://contato.ms/6YN"><font color="#000000">ofertas-selecionadas.com/vivoempresas</font></a></u></font></b></font><br> </p>
</td>
</tr>
</table>
</div>
 <p> </p>
<p>Nos respeitamos sua privacidade, segue 
<a target="_blank" href="http://contato.ms/6YL">link</a> de 
      remocao automatica.</p>   </td>
</tr>
</table>
<font size=1><p align=left>be9kz</p></font>
</body>
</html>

--1448567956-eximdsn-1363980706--

The emails I am receiving from CSF have this subject: lfd on server.goeticweb.com: RELAY Alert for 204.45.30.196 (US/United States/is.not.okay.to.strangled.net)


The question is: could someone help me understand where the email originates from and why it's getting onto my server?

Could it be "malware" on someone's computer that has, say, Outlook configured with that domain (acr-regulation.com)?
But because my server does not "serve" email for that domain... I don't understand.

Any help would be appreciated.
 
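The two spool dumps in the post above contain everything needed to answer the "where does it come from and why is it on my server" question mechanically: the first is a message accepted over SMTP from 204.45.30.196 for a recipient in a domain this box does not host (a relay), the second is a bounce this box generated itself (empty sender, -localerror) and addressed to an acr-regulation.com address that was forged as the envelope sender (backscatter). The script below, added here as an example and not code from the post, from Exim or from DirectAdmin, parses the -H spool layout exactly as those dumps show it and labels each message accordingly. The LOCAL_DOMAINS set, the "XX" tree marker and IPv4-only host addresses are assumptions; the two samples are constructed from the dumps, trimmed to the fields used.

```python
"""Triage Exim -H spool files for third-party relay and backscatter.
Added example for this thread, not code from the post, Exim or DirectAdmin.
Layout as in the two dumps above: id, "user uid gid", sender in <>, timestamp,
"-" options (an -aclm line carries its value on the next line), "XX" tree,
recipient count, recipients, blank line, "<len><flag> Header: value" lines.
Assumptions: LOCAL_DOMAINS, the "XX" marker, IPv4 "ip.port" host addresses;
the two samples are constructed from the dumps, trimmed to the fields used.
"""
import re

# Assumption: the only domains this server should accept mail for.
LOCAL_DOMAINS = {"goeticweb.com", "server.goeticweb.com"}

RELAY_SAMPLE = """\
1a21v4-0000cV-L6-H
mail 8 12
<arzwe@acr-regulation.com>
1448564966 0
-helo_name www.acr-regulation.com
-host_address 204.45.30.196.55355
-received_protocol esmtp
-aclm _is_whitelisted 1
1
XX
1
dumper@itae.com.br

231P Received: from [204.45.30.196] (helo=www.acr-regulation.com)
\tfor dumper@itae.com.br; Thu, 26 Nov 2015 20:09:27 +0100
023T To: dumper@itae.com.br
"""

BOUNCE_SAMPLE = """\
1a22hI-000170-QT-H
mail 8 12
<>
1448567956 0
-received_protocol local
-aclm _user 0

-aclm _uid 2
-1
-localerror
XX
1
rukfmexf@acr-regulation.com

154P Received: from mail by server.goeticweb.com with local (Exim 4.86)
043  X-Failed-Recipients: ebousada@afadv.com.br
032T To: rukfmexf@acr-regulation.com
"""

HEADER_RE = re.compile(r"^(\d+)(.) (.*)$")  # "<length><flag> Header: value"


def parse_spool_header(text):
    """Parse one -H file into the fields the triage needs."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2],  # strip the "-H" suffix
           "sender": lines[2].strip()[1:-1],  # "<>" becomes "" for bounces
           "options": {}, "acl_vars": {}, "recipients": [], "headers": []}
    i = 4
    while lines[i] != "XX":  # option lines up to the non-recipient tree
        name, _, value = lines[i][1:].partition(" ")
        if name in ("aclm", "aclc"):  # "-aclm <var> <len>", value on next line
            msg["acl_vars"][value.partition(" ")[0]] = lines[i + 1]
            i += 2
        else:
            msg["options"][name] = value
            i += 1
    count = int(lines[i + 1])
    msg["recipients"] = lines[i + 2:i + 2 + count]
    for line in lines[i + 3 + count:]:  # headers follow the blank separator
        m = HEADER_RE.match(line)
        if m:
            msg["headers"].append(m.group(3))
        elif line[:1] in (" ", "\t") and msg["headers"]:  # folded continuation
            msg["headers"][-1] += " " + line.strip()
    host = msg["options"].get("host_address")  # e.g. "204.45.30.196.55355"
    msg["host_ip"] = host.rsplit(".", 1)[0] if host else None
    return msg


def triage(msg, local_domains=LOCAL_DOMAINS):
    """Return (verdict, detail) pairs describing how this box is being used."""
    findings = []
    is_bounce = msg["sender"] == "" and "localerror" in msg["options"]
    failed = [h.split(":", 1)[1].strip() for h in msg["headers"]
              if h.startswith("X-Failed-Recipients:")]
    for rcpt in msg["recipients"]:
        if rcpt.rpartition("@")[2].lower() in local_domains:
            continue  # mail for a hosted domain is not a relay
        if is_bounce:  # our own DSN leaving for a forged, non-local sender
            findings.append(("backscatter", f"{rcpt} for {', '.join(failed)}"))
        elif msg["host_ip"]:  # accepted over SMTP from outside for a foreign domain
            findings.append(("relay", f"{msg['host_ip']} -> {rcpt}"))
    if msg["acl_vars"].get("_is_whitelisted") == "1":
        findings.append(("acl-whitelisted", "acl_m_is_whitelisted=1 was set by an ACL"))
    return findings
```

Run it over the files in /var/spool/exim/input (the *-H files) and group the "relay" findings by host_ip to get the list of sources worth blocking; the "acl-whitelisted" finding on the first message is the detail to chase in the ACLs, since a message the ACL marked as whitelisted will not be scored by the spam checks that run after it.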

Arieh

Verified User
Joined
May 27, 2008
Messages
1,208
Location
The Netherlands
I'm guessing it's just incoming spam which isn't being recognized as such by the filters. I tested the IP the spam comes from; it's listed on the Barracuda list, which isn't an included RBL on DA by default.

So you could add the Barracuda RBL, but since it's just one case (I assume) I'd just block that IP address in CSF and see if that's the end of it.
 
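Arieh's first suggestion expressed as an Exim ACL statement, added here as an illustration and not taken from the thread or from DirectAdmin's stock exim.conf. The ACL name acl_check_recipient and the exemption for authenticated clients are assumptions; adjust them to whatever acl_smtp_rcpt names in your exim.conf. b.barracudacentral.org is the Barracuda Reputation Block List zone, which only answers for resolver IPs you have registered with Barracuda.

```exim
# RCPT ACL (assumed name). Put the deny after the statements that accept
# mail from authenticated clients and from your own relay hosts, so that
# only unauthenticated inbound connections are checked against the list.
acl_check_recipient:
  ...
  deny    message        = $sender_host_address is listed at $dnslist_domain ($dnslist_text)
          !authenticated = *
          dnslists       = b.barracudacentral.org
  ...
```

Check the file with exim -bV before restarting Exim. Arieh's second suggestion, blocking the source in CSF, is csf -d 204.45.30.196 with an optional comment after the address.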

sky

There is not only one IP; that's just an example.
That's what I am doing at the moment, blocking the IPs as they show up.
Thx :)
 