Reading exim_mainlog

exim

I have a question about exim_mainlog.

I am currently investigating a server that was used to send out spam. The log is full of messages (about 12 per min) that read;

2012-04-04 11:42:55 1SFNfz-0005Nv-EN => user R=localuser T=local_delivery

I have omitted the domain and user.

Does this log indicate that this server is not sending mail, but receiving mail from some other source?

Best Answer

That log means that the message ID 1SFNfz-0005Nv-EN was routed through the localuser router and ultimately delivered via the local_delivery transport.

Without looking at your config in detail, it's impossible to know what exactly happened, but unless you've changed a lot, it's fairly safe to say that the mail was sent to user@example.com where user is an actual user on your mailserver, and example.com is a local domain for exim to deliver to.

Related Solutions

Make Exim send bounces to postmaster instead of the sender, for non-local sender

Some rules are dumb because they cause more harm than good! And people advocating and creating them know that. I would care more about postmaster ethics than the dumb rules. And I hate dumb rules and obviously the people setting those rules. If you are like me, aware of consequences (see above) and want to screw the rules then sure,

1) Establish sender and recipient verification to secure yourself OR

2) Fail or freeze all null postmaster bounces. Do it with an exim system filter

system_filter = /etc/exim/screwtherules.exim
vi /etc/exim/screwtherules.exim
if $sender_address is ""
then
if ${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains}{yes}{no}} is "no"
then
fail text "Delayed bounce message ignored"
seen finish
endif
endif

3) OR create an ACL at acl_smtp_data check time to forward, fail or freeze the null bounce emails being sent to or not to specific hosts. You can extract received header info as described in https://grepular.com/Exim_Trick_to_Extract_Received_Header_IP_Addresses

Limitation of sent messages in exim

If you want to do this as is, you are going to need to write a custom exim ACL that extracts the sending domain.

Alternatively you can run php via su_php or use mod_ruid2 to run each vhost as a unique user. Or block direct sendmail injection and require all scripts to send email via authenticated SMTP accounts. Then you can use all of the existing available ACLs.

Best Answer

Related Solutions

Make Exim send bounces to postmaster instead of the sender, for non-local sender

Limitation of sent messages in exim

Related Topic