lfd on host.yourdomain.com: RELAY Alert for 111.69.139.68 (US/United States)

Discussion in 'Linux VPS/Dedicated - General' started by juliereader, Feb 20, 2015.

  1. juliereader

    juliereader New Member

    I am getting hundreds of these errors in my inbox every day.

    Time: Thu Feb 19 23:09:28 2015 -0500
    Type: RELAY, Remote IP - 111.69.139.68 (US/United States/mx55.h.outbound.createsend.com)
    Count: 101 emails relayed
    Blocked: No

    Sample of the first 10 emails:

    2015-02-19 23:02:56 1YOenn-0002bF-RJ <= JustCarInsurance-ihhtydl1jizlkhtp1y@cmail1.com H=mx55.h.outbound.createsend.com [204.75.142.55]:35593 P=esmtp S=50023 id=cm.150013.ihhtydl.jizlkhtp.y@cmail1.com T="Just Car News: Reel Deal Winners, Latest from Mighty Car Mods, ADGP and more" for houlding86@domain.com

    Does anyone know what it is?
     
  2. KH-FreddieA

    KH-FreddieA Technical Support Operator Staff Member

    We've addressed this in a ticket. Lots of email from that hostname.
     
  3. Dan

    Dan Moderator

    @KH-FreddieA It would be helpful not only to @juliereader but to the rest of us as well to actually say what happened here.

    To my knowledge a cPanel installation does not allow relaying and yet, obviously, someone was using her VPS to do exactly that.

    If I were to guess I would say that the spammers hacked an email address password and then used it to maximum effect at her cost. But that's just a guess.
     
  4. KH-AmosH

    KH-AmosH Quality Assurance Manager Staff Member

    This is not outgoing spam being relayed through the VPS. This is incoming spam being received by the VPS which caused LFD to trigger a RELAY alert due to the remote IP address '111.69.139.68' sending to over 100 recipients within an hour's time.

    If anyone receives this type of alert, please open a ticket so we can take a closer look at the logs.
     
  5. KH-FreddieA

    KH-FreddieA Technical Support Operator Staff Member

    Sorry for my brevity folks. I was worried about how much I could say in public.

    Note the 'RELAY, Remote IP' in the type. This is different than an AUTHRELAY or a LOCALRELAY, both of which indicate a spamming issue.
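
The distinction drawn in the replies above can be checked directly against the Exim main log. The following is an added example, not part of the thread and not LFD's own code: it tallies message arrivals (`<=` lines) per clock hour and labels each source with the thread's alert names. The mapping to Exim fields (`A=` for SMTP AUTH, `U=` with `P=local` for on-box submission, bare `H=` for an unauthenticated remote host), the clock-hour bucketing, the function names and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed Exim main-log lines (hosts, message IDs and addresses are made up).
SAMPLE_LOG = """\
2015-02-19 23:02:56 1YOenn-0002bF-RJ <= news@sender.example H=mx1.sender.example [192.0.2.55]:35593 P=esmtp S=50023 for a@domain.example
2015-02-19 23:03:10 1YOeno-0002bG-AA <= news@sender.example H=mx1.sender.example [192.0.2.55]:35594 P=esmtp S=50100 for b@domain.example
2015-02-19 23:04:01 1YOenp-0002bH-BB <= bob@domain.example H=(laptop) [198.51.100.7]:50211 P=esmtpa A=dovecot_login:bob@domain.example S=1200 for x@other.example
2015-02-19 23:05:30 1YOenq-0002bI-CC <= webuser@host.domain.example U=webuser P=local S=900 for y@other.example
2015-02-19 23:05:31 1YOenq-0002bI-CC => y@other.example R=lookuphost T=remote_smtp H=mx.other.example [203.0.113.9]
"""

# Arrival lines only: capture "date hour", sender, and the remaining fields.
ARRIVAL = re.compile(r"^(\d{4}-\d\d-\d\d \d\d):\d\d:\d\d \S+ <= (\S+) (.*)$")

def classify(fields):
    """Return (kind, source) for the fields that follow the sender address."""
    auth = re.search(r"\bA=\S+?:(\S+)", fields)
    if auth:                            # SMTP AUTH used: an account sent this
        return "AUTHRELAY", auth.group(1)
    local = re.search(r"\bU=(\S+)", fields)
    if local and "P=local" in fields:   # submitted on the box (script, cron)
        return "LOCALRELAY", local.group(1)
    host = re.search(r"\bH=.*?\[([0-9a-fA-F.:]+)\]", fields)
    if host:                            # unauthenticated remote host: inbound
        return "RELAY", host.group(1)
    return "OTHER", "-"

def tally(log_text):
    """Count arrivals per (clock hour, kind, source)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            kind, source = classify(m.group(3))
            counts[(m.group(1), kind, source)] += 1
    return counts

def over_limit(counts, limit):
    """Keys whose hourly count exceeds the limit, sorted for stable output."""
    return sorted(key for key, n in counts.items() if n > limit)

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE_LOG).items()):
        print(key, n)
```

A high count under RELAY with no `A=` or `U=` field points at inbound mail from one remote host, while the same volume under AUTHRELAY or LOCALRELAY names the account or local user to investigate.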
     
