Spam being sent via IMAP AUTHRELAY

Suddenly spam started going out through our server as authenticated relay (lfd's AUTHRELAY alert, 30,000+ messages in the queue), and our IP ended up on all of the major spam blocklists. I could not get it under control straight away.

1) Email alert message

The alert below was sent by lfd (the ConfigServer Security & Firewall daemon) when it saw a single authenticated account relaying a large number of messages through Exim.

Subject: lfd on server.2daygeek.com: AUTHRELAY Alert for 173.9.238.226 (US/United States/173-9-238-226-Illinois.hfc.comcastbusiness.net)

Time: Fri Oct 25 10:19:15 2013 +0100
Type: AUTHRELAY, Remote IP - 173.9.238.226 (US/United States/173-9-238-226-Illinois.hfc.comcastbusiness.net)
Count: 150 emails relayed
Blocked: No

Sample of the first 10 emails:

2013-10-25 10:19:11 1VZdXz-0001Bg-8K <= [email protected] H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64000 P=esmtpa A=dovecot_login:[email protected] S=761 T="Account Information" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

2013-10-25 10:19:12 1VZdY0-0001CK-HN <= [email protected] H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64001 P=esmtpa A=dovecot_login:[email protected] S=761 T="Account Information" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]gmail.com [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

2013-10-25 10:19:13 1VZdY0-0001CR-Ph <= [email protected] H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64002 P=esmtpa A=dovecot_login:[email protected] S=761 T="Account Information" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

2) How to identify the cause

I started with the log. /var/log/exim_mainlog on our server records every recent message the server received or delivered (older logs are kept alongside it as compressed exim_mainlog files). Every entry carries the Exim message ID, so the ID quoted in the alert (1VZdXz-0001Bg-8K) was enough to locate the entry in an older log and follow it from there. The P=esmtpa and A=dovecot_login:[email protected] fields in that entry show that the message came in over authenticated SMTP and which mailbox account supplied the credentials. That is the field to trust: the From header inside the message can be forged, but the server log always shows which account actually authenticated to send it. We then checked the current mail queue to confirm and found over 30,000 messages from the same account.
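As an added example (not part of the original post), the same checks run over a few constructed exim_mainlog lines modelled on the alert above: follow a message ID to the account that authenticated for it, count received messages per authenticated account, and list the remote IPs that logged in as that account. The sample log, the example.com/example.net addresses and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage an Exim main log for authenticated relay abuse.
# The log below is CONSTRUCTED to mimic the alert; a real server reads
# /var/log/exim_mainlog (rotated copies are gzipped alongside it).
EXIM_MAINLOG_SAMPLE='2013-10-25 10:19:11 1VZdXz-0001Bg-8K <= user@example.com H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64000 P=esmtpa A=dovecot_login:user@example.com S=761 T="Account Information" for a@example.net b@example.net
2013-10-25 10:19:12 1VZdY0-0001CK-HN <= user@example.com H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64001 P=esmtpa A=dovecot_login:user@example.com S=761 T="Account Information" for c@example.net
2013-10-25 10:19:13 1VZdY0-0001CR-Ph <= user@example.com H=173-9-238-226-illinois.hfc.comcastbusiness.net (User) [173.9.238.226]:64002 P=esmtpa A=dovecot_login:user@example.com S=761 T="Account Information" for d@example.net
2013-10-25 10:20:02 1VZdYq-0001D1-Aa <= boss@example.com H=mail.partner.example (mail.partner.example) [198.51.100.7]:41022 P=esmtpa A=dovecot_login:boss@example.com S=2048 T="Invoice" for e@example.org
2013-10-25 10:20:10 1VZdYz-0001D9-Bb <= noreply@example.org H=mx.example.org [203.0.113.5] P=esmtps X=TLSv1:AES256-SHA:256 S=1200 T="Newsletter" for user@example.com
2013-10-25 10:20:15 1VZdZ1-0001DC-Cc => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]'

# Given the queue ID quoted in an alert, print the account that actually
# authenticated for that message. Field 3 is the ID, field 4 "<=" marks
# arrival, and A=<authenticator>:<account> is set by the SMTP AUTH
# exchange itself, so it cannot be forged in the message headers.
account_for_id() {
  printf '%s\n' "$1" | awk -v id="$2" '$3 == id && $4 == "<=" {
    for (i = 5; i <= NF; i++) if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); print $i; exit }
  }'
}

# Count arrived messages per authenticated account, busiest first.
# Unauthenticated inbound mail (no A= field) and deliveries ("=>") are skipped.
auth_senders() {
  printf '%s\n' "$1" \
    | awk '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); print $i } }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Remote IPs (the [ip] after H=) that authenticated as one account, so a
# compromised desktop on a consumer line is distinguishable from the server.
sender_ips() {
  printf '%s\n' "$1" | awk -v acct="$2" '$4 == "<=" {
    hit = 0
    for (i = 5; i <= NF; i++) { f = $i; if (sub(/^A=[^:]*:/, "", f) && f == acct) hit = 1 }
    if (hit && match($0, /\[[0-9.]+\]/)) print substr($0, RSTART + 1, RLENGTH - 2)
  }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run: reproduce the investigation on the constructed log.
echo "Account behind alert ID 1VZdXz-0001Bg-8K: $(account_for_id "$EXIM_MAINLOG_SAMPLE" 1VZdXz-0001Bg-8K)"
echo "Messages per authenticated account:"
auth_senders "$EXIM_MAINLOG_SAMPLE"
echo "Remote IPs that authenticated as user@example.com:"
sender_ips "$EXIM_MAINLOG_SAMPLE" user@example.com
```

On the live server the first check is simply `grep 1VZdXz-0001Bg-8K /var/log/exim_mainlog` (or `zgrep` against the compressed copies), and the queue side of the investigation is `exiqgrep -i -f 'account@domain'`, which lists the queue IDs still held for that sender; piping that into `xargs -r exim -Mrm` removes only the abusive messages instead of the whole queue.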

3) How to resolve it

All of the messages were sent with the credentials of the [email protected] account. The connecting host (the H= field above) is a desktop PC on a business cable connection, not the server itself, so the account owner's PC, or the credentials stored on it, had been compromised. I changed the account password immediately, then contacted the person using the account and had them scan the PC with antivirus and anti-malware tools, and only handed over the new password once that was done.

To delete the mail queue, click here.

Note :

Change the password first; clearing the queue alone does not stop the abuse, because the attacker can keep authenticating with the old credentials. Then don't forget to clear the mail queue and restart the exim, apache, imap and dovecot services. Once the queue is clean and nothing new is leaving, request delisting from the blocklists the IP landed on.

Magesh Maruthamuthu

Love to play with all Linux distribution
