Exim log questions

Frosty555
I'm trying to figure out some spam issues we are having with our server (emails we send out are getting rejected as spam). I have a few questions regarding what I'm seeing in the logs.

For argument's sake, our server's IP is "123.123.123.123".


Example 1

2012-05-22 02:33:21 H=(123.123.123.123) [117.194.210.132] rejected MAIL <somebody@asdfasdf.be>: Access denied - Invalid HELO name (See RFC2821 4.1.3)



Does this mean that my server rejected INCOMING mail from 117.194.210.132 because THEY had an invalid HELO name? Or does it mean that 117.194.210.132 rejected OUTGOING mail from my server because MY server has an invalid HELO name?

Example 2

2012-05-22 08:45:20 H=(smtp.lanxxxxxxuys.com) [50.xxx.127.244] Warning: "Increment Connection Ratelimit - (smtp.laxxxxxxxuys.com) [50.xxx.127.244] because of RBL match"
2012-05-22 08:45:20 H=(smtp.lanxxxxxxxs.com) [50.xxx.127.244] F=<wizstar@laxxxxxxxuys.com> rejected RCPT <xxx@torxxxxxxa.com>: "JunkMail rejected - (smtp.landbxxxxuys.com) [50.xxx.127.244] is in an RBL, see http://www.spamhaus.org/sbl/query/SBLCSS"



Does this mean that my server saw incoming mail from 50.123.127.244 and then ratelimited it, and then rejected it due to THEM being on a blacklist? Or does this mean that my server tried to SEND mail to 50.123.127.244 and WE were ratelimited and then rejected for being on a blacklist?


Additionally...

Is there any straightforward way to search the logs for errors related to outbound emails that are bouncing back due to spam? Is there something I can GREP for?

I'm looking at /var/log/exim_mainlog. Is there somewhere else I should be looking too? Or something in cPanel WHM I can use to help make this process easier?
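The direction question in both examples comes down to the shape of the log line, so here is a small classifier, added as an example and not part of the original question or answers. It uses the Exim main-log conventions documented in the Exim spec: a line with no message id that reads "H=(helo) [ip] ... rejected MAIL/RCPT" is written when *this* server refuses an incoming SMTP command, while lines carrying a message id and a flag ("<=" arrived, "=>" delivered, "**" delivery failed/bounced, "==" deferred) describe messages this server accepted or is trying to deliver. The two entries from the question are copied in; the remaining sample lines (message ids, addresses, the 198.51.100.5 / 203.0.113.9 / 192.0.2.25 hosts, the 550/451 replies) are constructed for illustration.

```python
"""Classify Exim main-log lines by direction: did we reject them, or did they reject us?

Added example; the sample log below mixes the two entries from the question with
constructed lines (message ids, addresses and remote hosts are made up).
"""
import re

# Our own server refusing an incoming SMTP command (no message id on the line).
# Covers both "rejected MAIL <sender>: reason" and "rejected RCPT <rcpt>: reason",
# with or without the F=<sender> field, plus the ACL "Warning:" lines.
INBOUND_REJECT = re.compile(
    r'^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] '
    r'(?:F=<[^>]*> )?(?P<kind>rejected (?:MAIL|RCPT)|Warning)\b[^:]*: ?(?P<reason>.*)$'
)

# A message event: "<ts> <message-id> <flag> <rest>". Exim message ids are
# three base-62 groups joined by dashes (e.g. 1SWxyz-0001AB-Cd).
MESSAGE_EVENT = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\w{6}-\w{6}-\w{2}) (?P<flag>\*\*|==|=>|<=|->) (?P<rest>.*)$'
)
FLAG_EVENT = {"<=": "arrived", "=>": "delivered", "->": "delivered",
              "**": "bounce", "==": "deferred"}

# "host mx.example [ip]: 550 5.7.1 text" as written in remote_smtp failure messages.
REMOTE_HOST = re.compile(
    r'host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>\d{3})(?: (?P<ext>\d\.\d+\.\d+))? (?P<text>.*)$'
)


def classify(line: str) -> dict:
    """Return a dict describing one log line: direction, event, peer IP, reason."""
    m = INBOUND_REJECT.match(line)
    if m:
        # Our ACL acted on a remote client: always an INBOUND event.
        return {
            "direction": "inbound",
            "event": "reject" if m["kind"].startswith("rejected") else "warning",
            "peer_ip": m["ip"], "helo": m["helo"], "reason": m["reason"],
        }
    m = MESSAGE_EVENT.match(line)
    if m:
        flag, rest = m["flag"], m["rest"]
        info = {"direction": "inbound" if flag == "<=" else "outbound",
                "event": FLAG_EVENT[flag], "message_id": m["id"]}
        if flag == "<=":
            info["sender"] = rest.split()[0]
        else:
            info["recipient"] = rest.split()[0]
        h = REMOTE_HOST.search(rest)
        if h:  # the remote MX answered with an SMTP error: THEY rejected/deferred US
            info.update(remote_host=h["host"], peer_ip=h["ip"],
                        smtp_code=h["code"], reason=h["text"])
        return info
    return {"direction": "unknown", "event": "other"}


def outbound_failures(lines) -> list:
    """Outbound deliveries a remote server refused (**) or deferred (==) with an SMTP error."""
    return [c for c in map(classify, lines)
            if c["direction"] == "outbound" and c["event"] in ("bounce", "deferred")
            and "smtp_code" in c]


SAMPLE_LOG = """\
2012-05-22 02:33:21 H=(123.123.123.123) [117.194.210.132] rejected MAIL <somebody@asdfasdf.be>: Access denied - Invalid HELO name (See RFC2821 4.1.3)
2012-05-22 08:45:20 H=(smtp.lanxxxxxxuys.com) [50.xxx.127.244] Warning: "Increment Connection Ratelimit - (smtp.laxxxxxxxuys.com) [50.xxx.127.244] because of RBL match"
2012-05-22 08:45:20 H=(smtp.lanxxxxxxxs.com) [50.xxx.127.244] F=<wizstar@laxxxxxxxuys.com> rejected RCPT <xxx@torxxxxxxa.com>: "JunkMail rejected - (smtp.landbxxxxuys.com) [50.xxx.127.244] is in an RBL, see http://www.spamhaus.org/sbl/query/SBLCSS"
2012-05-22 09:10:02 1SWxyz-0001AB-Cd <= alice@example.com H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:alice S=2311 id=4FBB1234@example.com
2012-05-22 09:10:03 1SWxyz-0001AB-Cd ** bob@example.net R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<bob@example.net>: host mx.example.net [198.51.100.5]: 550 5.7.1 Message rejected as spam (listed in RBL)
2012-05-22 09:10:03 1SWxyz-0001AB-Cd Completed
2012-05-22 09:12:44 1SWxzz-0001AC-Ef => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.9]
2012-05-22 09:15:00 1SWy00-0001AD-Gh == dave@example.edu R=dnslookup T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<dave@example.edu>: host mx.example.edu [192.0.2.25]: 451 4.7.1 Greylisted, try again later
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        c = classify(entry)
        print(f'{c["direction"]:8} {c["event"]:9} {c.get("peer_ip", "-"):16} {c.get("reason", "")[:60]}')
    print("\nOutbound deliveries refused or deferred by a remote MX:")
    for f in outbound_failures(SAMPLE_LOG.splitlines()):
        print(f'  {f["recipient"]} -> {f["remote_host"]} [{f["peer_ip"]}]: {f["smtp_code"]} {f["reason"]}')
```

Run against the real file with `python3 classify.py < /dev/null` after pointing SAMPLE_LOG at `/var/log/exim_mainlog`, or skip the script and use the same distinction at the shell: `grep -E ' (\*\*|==) ' /var/log/exim_mainlog` lists only the lines where your server's outbound delivery failed or was deferred, and the `host ... [ip]: 5xx` fragment in each tells you which remote server refused you and why. Exim also ships `exigrep`, which pulls every log line for a message id matching a pattern, which is handy for following one bounced message from `<=` to `**`.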
Distinguished Expert 2017

Commented:
123.123.123.123 is seen as an IP on the remote side that does not match the IP from which the request is coming.

The second part suggests that a mail server IP is blacklisted by spamhaus for spamming.


There are log analyzers/crunchers:
http://forums.cpanel.net/f43/exim-log-viewer-analyzer-97425.html
http://www.sawmill.net/formats/exim.html

http://www.exim.org/exim-html-3.20/doc/html/spec_51.html

Author

Commented:
Arnold - can you be more specific? For the two log entries above, is the problem with my server sending outgoing mail, or with an outside mailserver sending incoming mail?
Distinguished Expert 2017
Commented:
The first one seems to be your server rejecting an incoming connection.

The second is unclear given that you masqueraded the hostname and the IP in the HELO message. If these are servers that are under your control, that would suggest that the Exim where you are looking at the log is a gateway/smart host for your internal mail server.
With that in mind, the first error is a rejection from an external source that tries to send spam using your server's IP address in the greeting.

The second points to the fact that, at the time of processing, that IP was blacklisted by Spamhaus and your RBL setting rejected that exchange.

Author

Commented:
Okay, I think I understand now.

In the above example, I own "123.123.123.123"; no other IP addresses or hostnames are under my control (they are all external sources). We don't use a smarthost or gateway; mail is delivered and received directly.

So the first error is an incoming mailserver that specified an invalid HELO (in this case they tried to use my own server's IP as the HELO, clearly spam).

The second error is the incoming mailserver being on a blacklist, and my mailserver rejected it.

So neither of these things is a failure on my part.
Distinguished Expert 2017

Commented:
Correct.
