Assistanz

Different types of Relay Alerts

Relay Alerts come in various forms, which are explained in this blog.

  1. Relay Alerts
  2. Authrelay Alerts
  3. Poprelay Alerts
  4. Localrelay Alerts
  5. Localhostrelay Alerts

Relay Alert:

A “Relay Alert”, as opposed to the Authrelay, Poprelay, Localrelay, or Localhostrelay alerts, is triggered by “external mail”, that is, messages that are coming from another email server. Usually, these are incoming messages. Although they are not usually indicative of spam being generated within the server, if enough messages are coming from the same IP address quickly enough to trigger this alert type, it is worth looking into why that host is sending so much mail and determining whether anything needs to be adjusted.

 

Authrelay Alert:

An “Authrelay Alert” is triggered by an “email authenticated by SMTP AUTH”. This is one method of logging into the email server to send messages. Most modern mail clients log in by this method. If these messages should not be sent or should not be sent this quickly, then that email address is likely to need a new password, since whoever is sending the messages demonstrably has the current password.


Poprelay Alert:

A “Poprelay Alert” is triggered by an “email authenticated by POP before SMTP”. Some older mail clients authenticate using this method, but it is recommended to use SMTP AUTH instead, in part because it makes the logs clearer, which makes it easier to find the cause of spam issues or similar if they occur.

 

Localrelay Alert:

A “Localrelay Alert” is triggered by “email sent via /usr/sbin/sendmail or /usr/sbin/exim”. This is usually done by scripts. If a script is sending too much mail, it will need to be reconfigured accordingly. If a script is sending mail that it shouldn’t, it will need to be disabled or fixed so that it only sends the messages that it should.

 

Localhostrelay Alert:
 

A “Localhostrelay Alert” is triggered by an “email sent via a local IP address”. This means that the message is coming from within the server. If messages are being sent from within the server without authenticating, then changing email passwords will not prevent them from being sent. If the messages are not authorized, the source of the message will need to be found and stopped.


Steps to resolve:

1) Find out which mail ID is sending mail via a Dovecot login with the help of the command below (it counts messages per authenticated account, lowest count first):

# egrep -o 'A=dovecot_(login|plain):[a-zA-Z0-9.@_-]+' /var/log/exim_mainlog | sort | uniq -c | sort -n


2) Check the Exim mainlog (/var/log/exim_mainlog) for the email address:

Example: # grep jp@domain.in /var/log/exim_mainlog


1. dovecot_login:

2021-08-16 10:52:55 1mFV5M-0002oC-6s <= jp@domain.in H=(Jignesh) [103.238.107.113]:9639
P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
A=dovecot_login:jp@domain.in S=22568
id=010401d7925e$c59ada00$50d08e00$@atechnocrats.in T="FW: [SPAM]- Buyer Details
for \"Copper RO Dosing Pump\"" for abd@domain1.in chirag@domain2.in orders@domain3.in sales1@domain4.in sales2@domain5.in sales3@domain6.in


2. dovecot_plain:

2021-08-16 10:52:55 1mFV5M-0002oC-6s <= jp@domain.in H=(Jignesh) [103.238.107.113]:9639
P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
A=dovecot_plain:jp@domain.in S=22568
id=010401d7925e$c59ada00$50d08e00$@atechnocrats.in T="FW: [SPAM]- Buyer Details
for \"Copper RO Dosing Pump\"" for abd@domain1.in chirag@domain2.in orders@domain3.in sales1@domain4.in sales2@domain5.in sales3@domain6.in


3. Spoofing:

2021-08-16 10:52:55 1mFV5M-0002oC-6s <= jp@domain.in H=(Jignesh) [103.238.107.113]:9639
P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
A=dovecot_login:info@domain.in S=22568
id=010401d7925e$c59ada00$50d08e00$@atechnocrats.in T="FW: [SPAM]- Buyer Details
for \"Copper RO Dosing Pump\"" abd@domain1.in chirag@domain2.in orders@domain3.in sales1@domain4.in sales2@domain5.in sales3@domain6.in

Here the envelope sender after <= (jp@domain.in) differs from the account that actually authenticated (A=dovecot_login:info@domain.in), so it is the credentials of info@domain.in that are in use and need to be reset.


3) Analyze the Exim logs by grepping for the message ID to get the sending and receiving report:

Sample syntax: # grep 1mFV5M-0002oC-6s /var/log/exim_mainlog

Notes:
First, it is a good idea to get to know the following symbols:
<= (the email arrived in the server, from an outside email server or from a local/authenticated sender)
=> (the email was delivered to the outside email server)
-> (additional address in same delivery)
*> (delivery suppressed by -N)
** (delivery failed; address bounced)
== (delivery deferred; temporary problem)
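As an added example (not code from the original post), the Python script below performs steps 1 to 3 on a constructed excerpt of exim_mainlog: it counts arrivals per authenticated account (the egrep | sort | uniq -c step), flags arrivals whose envelope sender does not match the authenticated account (the spoofing pattern above), and traces one message ID through the event symbols listed in the notes. The log lines, addresses, IPs and the threshold are all constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed excerpt of /var/log/exim_mainlog (not real traffic; RFC 5737 test IPs).
# One event per line: "<=" arrival, "=>" delivery, "**" bounce, "==" deferral.
SAMPLE_LOG = """\
2021-08-16 10:52:55 1mFV5M-0002oC-6s <= jp@domain.in H=(Jignesh) [203.0.113.10]:9639 P=esmtpsa A=dovecot_login:jp@domain.in S=22568 T="FW: Buyer Details" for abd@domain1.in
2021-08-16 10:52:56 1mFV5M-0002oC-6s => abd@domain1.in R=lookuphost T=remote_smtp H=mx.domain1.in [203.0.113.20]
2021-08-16 10:53:01 1mFV5S-0002oD-7t <= jp@domain.in H=(Jignesh) [203.0.113.10]:9640 P=esmtpsa A=dovecot_login:info@domain.in S=22568 T="FW: Buyer Details" for sales1@domain4.in
2021-08-16 10:53:02 1mFV5S-0002oD-7t ** sales1@domain4.in R=lookuphost T=remote_smtp: SMTP error from remote mail server
2021-08-16 10:53:10 1mFV5X-0002oE-8u <= noreply@domain.in H=(Jignesh) [203.0.113.10]:9641 P=esmtpsa A=dovecot_plain:info@domain.in S=1200 T="Hello" for x@domain2.in
2021-08-16 10:53:11 1mFV5X-0002oE-8u == x@domain2.in R=lookuphost T=remote_smtp defer (-53): retry time not reached
"""

# Arrival line: timestamp, message ID, "<=", envelope sender, then the A= authenticator and account.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?A=(?P<auth>dovecot_(?:login|plain)):(?P<account>[\w.@-]+)"
)
# Any event line: the symbol after the message ID tells what happened (see the notes above).
FLAG_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<flag><=|=>|->|\*>|\*\*|==) ")


def count_auth_senders(log: str) -> Counter:
    """Step 1 equivalent: number of arrivals per authenticated (A=) account."""
    return Counter(m.group("account") for m in map(ARRIVAL_RE.match, log.splitlines()) if m)


def find_spoofed(log: str) -> list:
    """Arrivals where the envelope sender is not the account that logged in (step 2, case 3)."""
    out = []
    for m in filter(None, map(ARRIVAL_RE.match, log.splitlines())):
        if m.group("sender").lower() != m.group("account").lower():
            out.append((m.group("id"), m.group("sender"), m.group("account")))
    return out


def message_trace(log: str, msg_id: str) -> list:
    """Step 3 equivalent: the event symbols for one message ID, in log order."""
    return [m.group("flag") for m in map(FLAG_RE.match, log.splitlines()) if m and m.group("id") == msg_id]


def suspicious_accounts(log: str, threshold: int) -> list:
    """Accounts at or above the threshold: the mail IDs whose password the next step resets."""
    return sorted(a for a, n in count_auth_senders(log).items() if n >= threshold)
```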


4) The solution is to change the password of the given mail ID:

– Log in to WHM: Home » Account Information » List Accounts
– Search for the domain name in the find box and log in to the cPanel with the help of the cPanel icon.
– Locate “Email Accounts” and open “Manage an Email Account” for the given mail address.
– Change the mail ID password.


5) To remove all the frozen mails from the Exim queue:

# exim -bp | grep 'frozen' | awk '{print $3}' | xargs exim -Mrm

6) To remove all the undelivered/bounce-back emails (empty sender, shown as <>) from the Exim queue:

# exim -bp | grep '<>' | awk '{print $3}' | xargs exim -Mrm

7) To remove the queued messages related to the given mail ID, use the following commands (count the queue, list it, then remove that sender's messages):

# exim -bpc
# exim -bp
# exim -bp | grep '<info@domain.in>' | awk '{print $3}' | xargs exim -Mrm

8) Restart the Exim and Dovecot services to apply the changes:

# systemctl restart {exim,dovecot}

9) To check the status of the Exim and Dovecot services:

# systemctl status {exim,dovecot}

10) Advise the client to check and follow the steps below regularly to avoid these types of issues.

Steps to prevent spamming:

– Set a strong password for the email account and change it regularly.
– Don’t save the password in any mail client or in the browser.
– Scan the local machine (the system where the email is configured) for any malware or viruses.
– Keep the operating system and the antivirus program updated with the latest patches.


Please follow the steps below to avoid email hacking and spoofing.

1. Reset all email ID passwords, especially the ones which you suspect may have weak passwords.
2. Make sure to scan all computers used to access FTP, email or the control panel with any two leading antivirus programs.
3. Never use name123 or similar easy-to-crack passwords. Visit a website like https://randomkeygen.com/ to see some samples of a secure password.
If affordable for you, we highly recommend a website firewall like SecureDash.
4. Be sure to use a legitimate Windows or other operating system and software on the local PC from which you access the emails. Never use any pirated OS anywhere, as software piracy itself is done by cybercriminals.
