1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Exim mainlog meaning of the auth_relay log line

Discussion in 'Site & Server Administration' started by postcd, Nov 9, 2019.

  1. #1
    In /var/log/exim/mainlog was two lines related to my hosting account with username "user" and account domain "domain.net".
    it is claimed to be related to SPAM and i want to ask if you can please explain in detail how to read these log lines so i can find exactly how the site is exploited by the spammer so i can fix this. Thank You
    SEMrush
    
    messageid1 ** me@gmail.com F=<user@domain.net> R=smart_route T=auth_relay H=smtp.mailchannels.net [52.35.171.68] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 5.7.1 [SS] Blocked. See https://console.mailchannels.net/insights/bounce?auid=*&sender=user%40domain.net&txid=*
    
    messageid2 ** me@gmail.com <mymailbox@domain.net> F=<dureotaraletnokoem@cox.net> R=smart_route T=auth_relay H=smtp.mailchannels.net [34.223.74.227] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 5.7.1 [STFWRBL] Blocked. See https://console.mailchannels.net/insights/bounce?auid=*&sender=srs0%3Dnaob51%3Dyx%3Dcox.net%3Ddureotaraletnokoem%40domain.net&txid=*
    
    Code (markup):
     
    postcd, Nov 9, 2019 IP
    SEMrush
  2. FaveHosting

    FaveHosting Member

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    33
    #2
    Are you using cPanel? If yes you can learn how to read it and understanding it here: https://forums.cpanel.net/resources/reading-and-understanding-the-exim-main_log.383/
     
    FaveHosting, Nov 17, 2019 IP
  3. tuxandrew

    tuxandrew Active Member

    Messages:
    35
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    68
    #3
    >> SMTP error from remote mail server after end of data: 550 5.7.1 [SS] Blocked

    From the above bounced error it appears the remote email server has detected an abuse originating from your email account.
    The " 550 5.7.1 [SS]" error indicates that the subject line in this/these message(s) contained one or multiple spam-like keywords commonly used on abusive or unsolicited email which caused the remote email filter to block the email.
     
    tuxandrew, Nov 18, 2019 IP
  4. postcd

    postcd Well-Known Member

    Messages:
    1,005
    Likes Received:
    8
    Best Answers:
    1
    Trophy Points:
    190
    #4
    Thanks, another explanation of the:

    messageid1 ** me@gmail.com F=<user@domain.net> R=smart_route T=auth_relay H=smtp.mailchannels.net [52.35.171.68] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 5.7.1 [SS] Blocked. See https://console.mailchannels.net/insights/bounce?auid=*&sender=user@domain.net&txid=*
    Code (markup):
    here:

    
    messageid1 : message id
    ** : delivery failed; address bounced
    me@gmail.com : the destination email
    F=<user@domain.net> : sender address
    R=smart_route : the router name, here dynamic
    T=auth_relay : not documented
    H=smtp.mailchannels.net [52.35.171.68] : host name and IP (of the relay)
    X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 : TLS cipher suite (the way it was encrypted)
    CV=yes : certificate verification status
    SMTP error from remote mail server after end of data : error message
    550 : SMTP error code
    5.7.1 : Detailed error code
    [SS] Blocked. See https://console.mailchannels.net/insights/bounce?auid=*&sender=user@domain.net&txid=* : the message provided by the server
    
    
    So what's happening ? You Exim server tries to send a message to me@gmail.com from user@domain.net using an SMTP relay "mailchannels.net" but "mailchannels.net" didn't accept to forward the message because "Blocked".
    Code (markup):
     
    postcd, Nov 18, 2019 IP
  5. tuxandrew

    tuxandrew Active Member

    Messages:
    35
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    68
    #5
    Since the bounced logs you have provided contains only limited information, for that reason it is not possible to provide a detailed explanation for that log.

    As mentioned earlier the relay server, smtp.mailchannels.net has blocked the message with an error " 550 5.7.1 [SS]", you may need to check this with mailchannels.net and collect the exact logs from their filter system and it will explain a bit more.
     
    tuxandrew, Nov 18, 2019 IP