

lfd: LOCAL RELAY




Posted by madpato, 06-18-2008, 09:41 AM
Hi, any idea what this might be? I've received like 8000 warnings like this since yesterday. Please, can someone tell me what this is? Thanks.

Posted by zuborg, 06-18-2008, 09:45 AM
Look where the mail is stored and look in the body; the answer will be there.

Posted by Lsupport, 06-19-2008, 12:34 AM
It may not necessarily mean it's spam being relayed but could be normal mails. Relay Tracking is a feature of LFD: http://www.configservers.com/blog/index.php?itemid=221

But since the alert shows nobody mails, some user in the server may be spamming. Dig deeper and try to find out which user/script is involved.

Posted by ~ServerPoint~, 06-19-2008, 04:29 AM
Try enabling extended logging in exim and check the exim log /var/log/exim_mainlog to track the script. To enable extended logging:

    pico -w /etc/exim.conf

Find this:

    hostlist auth_relay_hosts = *

After hostlist auth_relay_hosts = * add:

    log_selector = \
      +address_rewrite \
      +all_parents \
      +arguments \
      +connection_reject \
      +received_sender \
      +received_recipients \
      +subject

Save and restart exim.

Posted by madpato, 06-19-2008, 09:52 AM
Thank you so much for the answers; effectively, a user was sending spam.

Posted by web-1, 09-15-2009, 06:39 PM
(I'm posting this here because this message comes up for a keyword search on this subject; it might help others.) You can grep your exim log for the message ID number like "1MNzAM-0005F2-4" (the first one on your list), then you can see where it's going. What I have found so far on this is that LFD sees over 100 relays in an hour and reports, but the server "relays" internally all the time and I think it's counting that. I tracked down a bunch of messages for that alert and they all seem to be going into a legit e-mail account on the server, but they are "relayed" internally to do that. If you have a user that posts something on a blog that gets him a lot of e-mail all of a sudden, this can happen (from what research I've done so far). I haven't had a big problem with this so I'm just leaving it alone for now and will see how it goes, but I may increase the number to over 100 if it starts to bother me. Oh, and if you haven't done this, make sure your server is set up to not allow relays, and test it from outside to make sure. I already did that a long time ago.
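
The two tracking steps described in the posts above (extended logging to find the script, then following message IDs to see whether the mail stays on the server), as an added example that is not part of any post in this thread. The log lines, message IDs, paths and function names are constructed; it assumes `cwd=` lines written by `+arguments` and that remote deliveries carry an `H=host [ip]` field while local deliveries do not.

```shell
#!/bin/sh
# Added example: triage of "nobody" mail in an exim main log.
# Real use: senders_by_cwd < /var/log/exim_mainlog

# Constructed sample lines in exim_mainlog format (not taken from the thread).
sample_log() {
cat <<'EOF'
2008-06-18 09:40:01 cwd=/home/alice/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2008-06-18 09:40:01 1AAAAA-000001-AA <= nobody@host.example.com U=nobody P=local S=812 T="New comment" from <nobody@host.example.com> for alice@example.com
2008-06-18 09:40:02 1AAAAA-000001-AA => alice <alice@example.com> R=virtual_user T=virtual_userdelivery
2008-06-18 09:40:02 1AAAAA-000001-AA Completed
2008-06-18 09:41:10 cwd=/home/bob/public_html/form 3 args: /usr/sbin/sendmail -t -i
2008-06-18 09:41:10 1BBBBB-000002-BB <= nobody@host.example.com U=nobody P=local S=2048 T="Offer" from <nobody@host.example.com> for a@example.net
2008-06-18 09:41:12 1BBBBB-000002-BB => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2008-06-18 09:41:20 cwd=/home/bob/public_html/form 3 args: /usr/sbin/sendmail -t -i
2008-06-18 09:41:20 1CCCCC-000003-CC <= nobody@host.example.com U=nobody P=local S=2050 T="Offer" from <nobody@host.example.com> for b@example.org
2008-06-18 09:41:22 1CCCCC-000003-CC => b@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2008-06-18 09:41:30 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1CCCCC-000003-CC
EOF
}

# Count mail submissions per working directory (the script's location),
# ignoring exim's own queue runs under /var/spool. Busiest directory first.
senders_by_cwd() {
  grep -o 'cwd=[^ ]*' | grep -v '^cwd=/var/spool' |
    sort | uniq -c | sort -rn | awk '{ print $1, substr($2, 5) }'
}

# Show every log line for one message ID (arrival, deliveries, completion).
trace_msg() {
  grep -F -- "$1"
}

# For mail submitted locally by user "nobody", count deliveries that stayed
# on the server versus those handed to a remote host (H= present).
nobody_deliveries() {
  awk '
    $4 == "<=" && / U=nobody / && / P=local / { ids[$3] = 1 }
    ($4 == "=>" || $4 == "->") && ($3 in ids) {
      if ($0 ~ / H=[^ ]+ \[/) nremote++; else nlocal++
    }
    END { printf "local=%d remote=%d\n", nlocal, nremote }
  '
}

sample_log | senders_by_cwd
sample_log | nobody_deliveries
```

A high local count with few remote deliveries matches the internal "relay" pattern described above; a high remote count from one directory points at the script to inspect.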

Posted by ttgt, 10-30-2013, 09:48 AM
Does it still work? Because when I try to add it and restart exim, it will fail.

Posted by Johnny Cache, 10-30-2013, 12:53 PM
mis-posted
Last edited by Johnny Cache; 10-30-2013 at 12:59 PM.

Posted by Kailash12, 10-30-2013, 12:55 PM
It looks like you are running the PHP process as the Apache user (nobody). This is not recommended from a security point of view. Compile Apache and PHP with suPHP or Mod_ruid2.

Posted by starline, 10-31-2013, 01:10 AM
I think mod ruid2 is not compatible with mod security.

Posted by BeZazz, 10-31-2013, 01:16 AM
Probably because there have been changes over the last 5 years.


