lfd on host.yourdomain.com: RELAY Alert for 111.69.139.68 (US/United States)

#1
I am getting hundreds of these errors in my inbox everyday.

Time: Thu Feb 19 23:09:28 2015 -0500
Type: RELAY, Remote IP - 111.69.139.68 (US/United States/mx55.h.outbound.createsend.com)
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2015-02-19 23:02:56 1YOenn-0002bF-RJ <= JustCarInsurance-ihhtydl1jizlkhtp1y@cmail1.com H=mx55.h.outbound.createsend.com [204.75.142.55]:35593 P=esmtp S=50023 id=cm.150013.ihhtydl.jizlkhtp.y@cmail1.com T="Just Car News: Reel Deal Winners, Latest from Mighty Car Mods, ADGP and more" for houlding86@domain.com

Does anyone know what it is?
 

Dan

Moderator
#3
@KH-FreddieA It would be helpful not only to @juliereader but to the rest of us as well to actually say what happened here.

To my knowledge a cPanel installation does not allow relaying and yet, obviously, someone was using her VPS to do exactly that.

If I were to guess I would say that the spammers hacked an email address password and then used it to maximum effect at her cost. But that's just a guess.
 

KH-AmosH

Quality Assurance Manager
Staff member
#4
To my knowledge a cPanel installation does not allow relaying and yet, obviously, someone was using her VPS to do exactly that.
This is not outgoing spam being relayed through the VPS. This is incoming spam being received by the VPS which caused LFD to trigger a RELAY alert due to the remote IP address '111.69.139.68' sending to over 100 recipients within an hour's time.

If anyone receives this type of alert, please open a ticket so we can take a closer look at the logs.
 

KH-FreddieA

Technical Support Operator
Staff member
#5
Sorry for my brevity folks. I was worried about how much I could say in public.

Note the 'RELAY, Remote IP' in the type. This is different from an AUTHRELAY or a LOCALRELAY, both of which indicate a spamming issue.
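To make the distinction in posts #4 and #5 concrete, here is an added illustration (not lfd's or csf's own code) of the counting rule they describe: parse Exim '<=' arrival lines in the format quoted in post #1, key each message by relay type and source, and raise an alert once one source exceeds a per-hour limit (the role RT_RELAY_LIMIT plays in csf.conf). The RELAY/AUTHRELAY/LOCALRELAY split based on the A=, H= and U= log fields is a simplification assumed here, and the log lines are constructed, not taken from the poster's server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim '<=' (message arrival) line, as in the sample quoted in the thread.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
HOST_RE = re.compile(r"\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")  # connecting host and IP
AUTH_RE = re.compile(r"\bA=(?P<auth>\S+)")                      # SMTP AUTH credential used
USER_RE = re.compile(r"\bU=(?P<user>\S+)")                      # local submitting user


def classify(rest):
    """Map the tail of an arrival line to an lfd-style relay type and a source key.

    Simplification assumed here (not lfd's own logic): A= means the sender
    authenticated (AUTHRELAY); otherwise a connecting H=host [ip] means an
    unauthenticated remote sender (RELAY, the incoming case from the thread);
    a message with no connecting host came from a local process (LOCALRELAY).
    """
    auth = AUTH_RE.search(rest)
    if auth:
        return "AUTHRELAY", auth.group("auth")
    host = HOST_RE.search(rest)
    if host:
        return "RELAY", host.group("ip")
    user = USER_RE.search(rest)
    return "LOCALRELAY", (user.group("user") if user else "unknown")


def find_relay_alerts(lines, limit=100, window_minutes=60):
    """Return {(kind, source): (alert_time, count)} for every source that sent
    more than `limit` messages inside a sliding window of `window_minutes`.
    Lines are expected in chronological order, as in a mainlog."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (kind, source) -> arrival times still inside the window
    alerts = {}
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # deliveries, rejects and other non-arrival lines are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        key = classify(m.group("rest"))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop arrivals that fell out of the window
            q.popleft()
        if len(q) > limit and key not in alerts:
            alerts[key] = (ts, len(q))  # first moment the source crosses the limit
    return alerts


def make_sample_log():
    """Constructed sample lines (not real log data) modelled on the thread's quoted
    line: 101 messages from one remote mail host in 34 minutes, three authenticated
    submissions from a local mailbox, and one message from a local process."""
    fmt = "%Y-%m-%d %H:%M:%S"
    base = datetime(2015, 2, 19, 23, 2, 56)
    lines = []
    for i in range(101):
        t = (base + timedelta(seconds=20 * i)).strftime(fmt)
        lines.append(
            f"{t} 1YOenn-0002bF-{i:03d} <= list-{i}@example.com "
            f"H=mx55.h.outbound.createsend.com [204.75.142.55]:35593 P=esmtp S=50023 "
            f'T="Newsletter {i}" for user{i}@domain.com'
        )
    for i in range(3):
        t = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(
            f"{t} 1YOenn-0002bG-{i:03d} <= alice@domain.com H=(laptop) [198.51.100.7]:50001 "
            f"P=esmtpsa A=dovecot_login:alice@domain.com S=1024 for bob@example.net"
        )
    lines.append(
        f"{base.strftime(fmt)} 1YOenn-0002bH-000 <= root@host.yourdomain.com "
        f"U=root P=local S=512 for admin@domain.com"
    )
    return sorted(lines)  # timestamps lead each line, so sorting is chronological


if __name__ == "__main__":
    for (kind, source), (when, count) in find_relay_alerts(make_sample_log()).items():
        print(f"{when} {kind} alert: {source} sent {count} messages within an hour")
```

Run against the constructed log, only the remote host trips the RELAY rule (101 messages inside the hour), while the authenticated and local senders stay far below the limit. The alert carries the connecting IP from the H= field, which is the value a defender then checks against the sending domain's published mail hosts before deciding whether the traffic is a legitimate bulk mailer or something to rate-limit.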
 