

How to read emails within exim




Posted by WTP Admin, 08-25-2010, 06:19 PM
Every day on one of my servers I am finding the exim mail queue to increase by around 500 emails. I let it be for a while but then I became suspicious of it and so had a look at one of the emails. Here's the content with particular parts blanked out for confidentiality purposes... That's in the top shaded part. I want to know if the above email is being sent to my client or being sent from my client! Hope someone can help. Regards, Paul

Posted by activelobby4u, 08-25-2010, 09:52 PM
The remote server rejected your email (from one of your clients) because of an invalid HELO: ----------------- 550 Access denied - Invalid HELO name ----------------- The HELO should be a FQDN, otherwise some hosts may reject the emails.

Posted by WHR-Abner, 08-25-2010, 10:10 PM
The first email is a bounce back message. Second email is from an unknown user to a remote host. It seems like someone is sending spoofed emails via your client's domain. Try setting SPF and DKIM records for your domain to prevent such spoofed emails.

Posted by WTP Admin, 08-26-2010, 03:58 AM
So does that mean the client himself isn't actually sending out these emails?

Posted by madaboutlinux, 08-26-2010, 08:31 AM
Right, these are spoofed emails which are sent nowhere with a return address of your client's email ID, and they bounce back to his email ID once they are rejected. Make sure the un-routed emails setting is set to "fail", set an SPF record and filters if possible.
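An added example, not part of any post in this thread: a Python parser for `exim -bp` queue listings that answers Paul's question of whether a queued message is going to the client (a null-sender bounce, i.e. backscatter from a forged return address) or leaving the server from the client's domain. The `LOCAL_DOMAINS` set and the sample queue listing are constructed; the real client's domain is blanked out in the thread.

```python
import re
from collections import Counter

# Domains hosted on this server (constructed; the thread's client domain is blanked out).
LOCAL_DOMAINS = {"clientdomain.example"}

# Constructed sample of `exim -bp` output: age, size, message id, <envelope sender>,
# optional "*** frozen ***" marker, then one indented line per pending recipient.
SAMPLE_QUEUE = """\
 25m  1.2K 1OkAbC-0001aA-1a <> *** frozen ***
          paul@clientdomain.example

  3h  3.1K 1OkAbC-0001aB-2b <paul@clientdomain.example>
          victim@remote.example

 42m   900 1OkAbC-0001aC-3c <> *** frozen ***
          sales@clientdomain.example
"""
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+<([^>]*)>(.*)$")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def parse_queue(text):
    """Turn `exim -bp` output into a list of message dicts."""
    messages = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            age, size, msg_id, sender, rest = m.groups()
            messages.append({"id": msg_id, "age": age, "size": size, "sender": sender,
                             "frozen": "frozen" in rest, "recipients": []})
        elif line.strip() and messages:
            rcpt = line.strip()
            if not rcpt.startswith("D "):      # "D" marks recipients already delivered
                messages[-1]["recipients"].append(rcpt)
    return messages

def classify(msg):
    """Answer the thread's question: is this mail going TO the client or FROM him?"""
    rcpt_domains = {domain_of(r) for r in msg["recipients"]}
    if msg["sender"] == "" and rcpt_domains & LOCAL_DOMAINS:
        return "backscatter"   # null-sender bounce coming back to a hosted mailbox
    if domain_of(msg["sender"]) in LOCAL_DOMAINS and not rcpt_domains <= LOCAL_DOMAINS:
        return "outbound"      # mail leaving the server under a hosted domain
    return "other"

def summarize(text):
    """Count queued messages per category, e.g. Counter({'backscatter': 2, 'outbound': 1})."""
    return Counter(classify(m) for m in parse_queue(text))
```

On a live server, feed it the real listing with `summarize(subprocess.check_output(["exim", "-bp"], text=True))`; a queue dominated by "backscatter" is the situation described in this thread, while a growing "outbound" count is what would get the server's IP listed.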

Posted by WTP Admin, 08-26-2010, 04:53 PM
OK, how do you mean they are sent nowhere? You mean they aren't intended to be received by anyone? Why would people do that? I understand the return address thing, making it out to be the client who is guilty of sending them? To confirm, un-routed emails set to fail, that would be the setting that's in Tweak Settings - Mail Heading - Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks. If that's correct, I already had that set to Fail. I added an SPF record to the DNS zone last night but today I have just checked and the queue was at 400. The only other thing you mention is filters. I have found a global mail filter over at cpanel.net forums... http://forums.cpanel.net/f5/add-glob...tml#post261867 How do I use that filter though? Where do I put it? Thanks and much appreciation. Regards, Paul

Posted by madaboutlinux, 08-27-2010, 05:54 AM
This is one sort of attack/spamming to trouble others... that's the aim. Right, but it's not the actual client that is sending such emails. You stated "" in the logs you provided, so if your client is receiving these emails, he definitely has a catchall address set for his domain. You can either check it from cPanel >> CatchAll Address OR from the /etc/valiases/your_client's_domainname file. A catchall address attracts all the un-routed emails sent to the domain, thus increasing the chances of spamming and spoofing. The filtering rules mentioned in the URL are correct and you can modify/add your own rules in them to avoid such spoofing. It is good to set the rules server side to avoid large amounts of spam. http://www.webhostgear.com/338.html should explain to you properly how to set these server side filters.

Posted by WTP Admin, 08-27-2010, 04:50 PM
If the client had a catch all address, surely the emails wouldn't be in the queue, would they? I have figured out how to set the filters, although nothing was happening at first, but I didn't know the file wasn't even being used in the exim configuration! So I set the path to it, we'll see what happens now. The near 1,000 emails that are in the queue, what do you recommend I do with them? Just leave it and hope the filters kick in? Or are the filters supposed to work only before they end up in the queue? Thanks for your help. Regards, Paul

Posted by InstaCarma_Support, 08-28-2010, 02:58 AM
You can clear the mail queue. If the email spoofing is occurring to the same domain, there is a chance for the IP of the server to get marked as a source of spam. So, make sure you create filter rules in a way that emails won't get sent outside.

Posted by madaboutlinux, 08-28-2010, 03:47 AM
Right, the emails won't have stayed in the queue had the client set a catchall for his domain. By default the file isn't called by the exim configuration file. Make sure to add the path from the WHM >> Exim Configuration option, else the entry may get removed on the next exim update. Remove the emails, as the newly added filtering rules won't be applied to the emails already in the queue.

Posted by WTP Admin, 08-28-2010, 06:09 AM
I keep checking Spamhaus daily to make sure my IP isn't listed! It's very hard to keep on top of though, as I've noticed emails are being worded in such a way now that they can bypass the filters. I'm having to put whole sentences in sometimes to ensure the relevant mail is filtered. That's just as I thought, so it's probably a good idea not to set a catch all then. I think I will recommend that to my clients. I just checked the config file at /etc/exim.conf and it is set correctly there. I guess when I changed it in WHM it updated the config file anyway, so hopefully any exim updates won't overwrite it! Something else I will have to keep an eye on! Done! Thanks very much for all your help madaboutlinux. I feel I've learnt a lot in this thread alone about mail management! Regards, Paul

Posted by madaboutlinux, 08-28-2010, 06:56 AM
You don't have to worry about blacklisting of your IP, since you are receiving spam and spoofed emails and not sending them. No problems.


