Relay Alerts

enginaar

Hello,

I'm having a problem with csf's relay alerts. I've checked my server many times with some open relay checkers, including http://www.abuse.net/relay.html, and it's absolutely not open to relay. I've also checked all files starting with whitelist in /etc/virtual; they are all empty.

Is there anyone here who can tell why I'm getting these Relay Alerts from csf?

Time: Thu Sep 22 04:44:33 2011 +0300
Type: RELAY, Remote IP - 201.68.133.221 (BR/Brazil/201-68-133-221.dsl.telesp.net.br)
Count: 15 emails relayed
Blocked: Permanent Block

Sample of the first 10 emails:

2011-09-22 04:44:32 1R6YL1-0001Qt-Tm <= [email protected] H=201-68-133-221.dsl.telesp.net.br [201.68.133.221] P=smtp S=3645 [email protected] T="Error: Your FDIC Certificate canceled" from <[email protected]> for info@********* ayseacar@********* mustafaozmaden@********* muhipbaykal@********* ahmetgozen@********* denizyagdogan@********* dagca@********* sales@********* canzadur@********* yasarz@********* marketing@********* aliagca@********* ismetteper@********* iyavuz@********* kartallioglu@*********
 
I know it's old but I couldn't find the time to check/edit the new file. I guess this is the time now. Thanks, but I'll keep posting if the problem still exists :)
 
It looks like the problem still continues, but the recipients of that log below are all my domains, so I think you can't count on it as an open relay. Someone sends e-mails to accounts on my server and it doesn't need an SMTP authentication because it's a local delivery. Is that it? How can I get protected from that?

Time: Fri Sep 23 15:03:10 2011 +0300
Type: RELAY, Remote IP - 195.232.224.72 (DE/Germany/mailout03.vodafone.com)
Count: 11 emails relayed
Blocked: Permanent Block

Sample of the first 10 emails:

2011-09-23 15:03:03 1R74T9-0004BS-Dr <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14612 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for ahmetonkol@***
2011-09-23 15:03:03 1R74T9-0004BT-EG <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14614 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for semihdoylan@***
2011-09-23 15:03:03 1R74T9-0004BU-FZ <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14606 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for ncguner@***
2011-09-23 15:03:03 1R74T9-0004BV-E7 <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14628 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for muhammetdegirmanci@***
2011-09-23 15:03:03 1R74T9-0004BW-Gg <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14608 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for alpersen@***
2011-09-23 15:03:04 1R74TA-0004Bd-3N <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14616 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for nuriyebilgen@***
2011-09-23 15:03:04 1R74TA-0004Be-56 <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14614 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for aysahhaldiz@***
2011-09-23 15:03:04 1R74TA-0004Bh-8y <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14606 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for msozden@***
2011-09-23 15:03:04 1R74TA-0004Bi-Ba <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14610 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for boradagli@***
2011-09-23 15:03:09 1R74TE-0004CG-Ra <= [email protected] H=mailout03.vodafone.com [195.232.224.72] P=esmtps X=TLSv1:AES256-SHA:256 S=14614 id=OFE4A68EEC.9DD07B3D-ONC2257914.004144FF-C2257914.0042318C@LocalDomain T="ÇOK ÖNEMLÝ/ :25 EYLÜL PAZAR GÜNÜ\r\n MAÐAZALARIMIZIN AÇILMASI GEREKLÝLÝÐÝ\r\n HAKKINDA !!!" from <[email protected]> for sevilkaplan@***
 
No, they're all empty.

-rw-r--r-- 1 mail mail 0 Feb 25 2009 /etc/virtual/whitelist_domains
-rw-r--r-- 1 mail mail 0 Feb 25 2009 /etc/virtual/whitelist_from
-rw-r--r-- 1 mail mail 0 Feb 25 2009 /etc/virtual/whitelist_hosts
-rw-r--r-- 1 mail mail 0 Oct 28 2009 /etc/virtual/whitelist_hosts_ip
-rw-r--r-- 1 mail mail 0 Feb 25 2009 /etc/virtual/whitelist_senders
 
I think this is not an open relay problem.

There are options in the csf config file (and the csf DirectAdmin plugin) called RT_RELAY_LIMIT and RT_AUTHRELAY_LIMIT.

You should increase this value. (For example, the default config files have 100.)
 
One more point ...

You've been warned because a user ([email protected]) sent your server's users more than RT_RELAY_LIMIT or RT_AUTHRELAY_LIMIT emails at the same time.
 
Thank you muarifer,

I thought the same way when I saw all recipients are on my server. I increased the limit to 100 so I can track it when it really matters.

thanks again.
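
An added example (not part of the thread and not csf/lfd code): a triage pass over Exim `<=` arrival lines that counts messages per remote IP and separates sources that only delivered to hosted domains from sources that relayed to outside domains. The domain set, the threshold and the log lines are constructed for illustration; the threshold only stands in for RT_RELAY_LIMIT and does not reproduce lfd's own counting.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com", "example.net"}  # assumption: domains hosted here
LIMIT = 3  # stand-in for RT_RELAY_LIMIT, set low so the sample trips it

def make_line(n, ip, proto, rcpt):
    """Build one constructed Exim arrival line (not taken from a real log)."""
    return (f"2011-09-23 15:03:{n:02d} 1R74T9-0000{n:02d}-AA <= sender@example.org "
            f"H=mx.example.org [{ip}] {proto} S=1400 "
            f'T="Notice for all" from <sender@example.org> for {rcpt}')

SAMPLE_LOG = "\n".join(
    [make_line(i, "192.0.2.10", "P=esmtps", f"user{i}@example.com") for i in range(4)]
    + [make_line(i, "198.51.100.7", "P=esmtpa A=login:bob@example.net",
                 f"rcpt{i}@example.edu") for i in range(4, 8)]
    + [make_line(i, "203.0.113.5", "P=smtp", "info@example.net") for i in range(8, 10)]
)

HOST_IP = re.compile(r"H=.*?\[([^\]]+)\]")

def parse_arrival(line):
    """Return ip, auth flag and recipients for a remote '<=' line, else None."""
    if " <= " not in line or " for " not in line:
        return None
    head = line.split(' T="', 1)[0]      # ignore the sender-controlled subject
    m = HOST_IP.search(head)
    if m is None:                        # no H=[ip]: locally generated message
        return None
    rcpts = line.rsplit(" for ", 1)[1].split()
    return {"ip": m.group(1), "auth": " A=" in head, "rcpts": rcpts}

def triage(log, local_domains, limit):
    """Classify every remote IP whose message count exceeds the limit."""
    stats = defaultdict(lambda: {"msgs": 0, "auth": 0, "external": 0})
    for line in log.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["msgs"] += 1
        s["auth"] += rec["auth"]
        s["external"] += sum(r.rsplit("@", 1)[-1].lower() not in local_domains
                             for r in rec["rcpts"])
    verdicts = {}
    for ip, s in stats.items():
        if s["msgs"] <= limit:
            continue
        if s["external"] == 0:
            verdicts[ip] = "inbound-only"    # mail for hosted mailboxes only
        else:
            verdicts[ip] = "authenticated-relay" if s["auth"] else "unauthenticated-relay"
    return verdicts
```

An "inbound-only" verdict matches the situation in this thread: the source exceeded the count, but every recipient was on a hosted domain, so nothing was relayed onward.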
 