Below is a snippet of a log file which has raised my suspicion. The names and identities of the innocent (and not so innocent) have been obscured. I am trying to understand the *flow* of the traffic and what actually happened.
Any help on the flow and what messages were delivered, where, would be greatly appreciated. Thank you.

2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL
2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= [email protected] H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for [email protected]
2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]
2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <[email protected]> P=<[email protected]> R=virtual_user T=virtual_userdelivery
2012-06-08 12:51:49 1Sd2Pb-0007mS-He => [email protected] <[email protected]> P=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
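The flow in an Exim main log can be reconstructed mechanically from the line shapes in the post: a connection without a message ID that is rejected at MAIL time and dropped by the ACL, then a second connection whose message gets an ID, a `<=` reception line, one `=>` line per delivery (local router/transport versus remote_smtp with an H= host), and a `Completed` line. The following parser is an added example written for this page, not code from the original post or from the Exim project. The sample log lines are constructed in the same shape as the post's, with placeholder addresses and RFC 5737 test addresses instead of the obscured values; the parser also recognises the `->`, `**` and `==` delivery markers, which the post's excerpt does not contain.

```python
"""Reconstruct per-message flow from Exim main-log lines (added example)."""
import re
from collections import OrderedDict

# Exim message IDs look like 1Sd2Pb-0007mS-He (6-6-2 base-62 characters).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?"
    r"(?P<rest>.*)$"
)
# ACL-time rejections carry no message ID because no message was accepted.
REJECT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:\d+ rejected MAIL <(?P<sender>[^>]*)>: (?P<reason>.*)$")
ADDR_RE = re.compile(r"<([^>]+)>")

# Delivery markers: => delivered, -> additional address on the same delivery,
# ** delivery failed (bounce), == delivery deferred.
DELIVERY_MARKERS = {"=> ": "delivered", "-> ": "delivered", "** ": "failed", "== ": "deferred"}


def _new_message(ts):
    return {"received": ts, "sender": None, "from_host": None, "subject": None,
            "rcpt": None, "deliveries": [], "notes": [], "completed": False}


def parse_exim_log(lines):
    """Return (messages keyed by Exim ID, list of ACL rejections)."""
    messages, rejections = OrderedDict(), []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msgid, rest = m.group("ts"), m.group("msgid"), m.group("rest")
        if msgid is None:
            r = REJECT_RE.search(rest)
            if r:
                rejections.append({"time": ts, "ip": r.group("ip"),
                                   "sender": r.group("sender"), "reason": r.group("reason")})
            continue  # connection open/close lines carry no message state
        msg = messages.setdefault(msgid, _new_message(ts))
        if rest.startswith("<= "):
            # Reception: "<= sender H=host (helo) [ip]:port P=smtp S=bytes ... T="subject" for rcpt"
            sender = rest[3:].split(" ", 1)[0]
            msg["sender"] = "" if sender == "<>" else sender
            host = re.search(r" H=(\S+)", rest)
            subj = re.search(r' T="([^"]*)"', rest)
            rcpt = re.search(r" for (.+)$", rest)
            msg["from_host"] = host.group(1) if host else None
            msg["subject"] = subj.group(1) if subj else None
            msg["rcpt"] = rcpt.group(1) if rcpt else None
        elif rest[:3] in DELIVERY_MARKERS:
            # Delivery: "=> localpart <addr> P=<return-path> R=router T=transport [H=host [ip]]"
            body = rest[3:]
            addr = ADDR_RE.search(body)
            router = re.search(r" R=(\S+)", body)
            transport = re.search(r" T=(\S+)", body)
            host = re.search(r" H=(\S+) \[([^\]]+)\]", body)
            msg["deliveries"].append({
                "time": ts, "status": DELIVERY_MARKERS[rest[:3]],
                "address": addr.group(1) if addr else body.split(" ", 1)[0],
                "router": router.group(1) if router else None,
                "transport": transport.group(1) if transport else None,
                "kind": "remote" if host else "local",
                "host": host.group(1) if host else None,
                "ip": host.group(2) if host else None,
            })
        elif rest == "Completed":
            msg["completed"] = True
        else:
            msg["notes"].append(rest)  # e.g. ACL/system-filter messages
    return messages, rejections


def describe(messages, rejections):
    """Render the flow as one line per event, in arrival order."""
    out = [f"{r['time']} REJECTED at MAIL from [{r['ip']}] sender=<{r['sender']}>: {r['reason']}"
           for r in rejections]
    for msgid, m in messages.items():
        out.append(f"{m['received']} {msgid} accepted from <{m['sender']}> via {m['from_host']} "
                   f"for {m['rcpt']} subject={m['subject']!r}")
        for d in m["deliveries"]:
            where = f"{d['host']} [{d['ip']}]" if d["kind"] == "remote" else "local mailbox"
            out.append(f"{d['time']} {msgid} {d['status']} -> {d['address']} "
                       f"({d['router']}/{d['transport']}) to {where}")
        out.append(f"{msgid} {'Completed' if m['completed'] else 'still in queue'}")
    return out


# Constructed sample in the shape of the post's excerpt (placeholder hosts/addresses).
SAMPLE_LOG = """\
2012-06-08 12:51:36 SMTP connection from [203.0.113.5]:63305 (TCP/IP connection count = 1)
2012-06-08 12:51:37 H=(wzhfmiaqb) [203.0.113.5]:63305 rejected MAIL <spam@example.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [203.0.113.5]:63305 closed by DROP in ACL
2012-06-08 12:51:42 SMTP connection from [198.51.100.7]:60909 (TCP/IP connection count = 1)
2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= sender@example.net H=host.example.net (helo.example) [198.51.100.7]:60909 P=smtp S=982 id=abc123@lkcttldr T="This is It & " for bluey@example.org
2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=198.51.100.7 recipients_count=1]
2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bluey@example.org> P=<sender@example.net> R=virtual_user T=virtual_userdelivery
2012-06-08 12:51:49 1Sd2Pb-0007mS-He => forward@mail.example <forward@mail.example> P=<sender@example.net> R=lookuphost T=remote_smtp H=mx.mail.example [192.0.2.27] X=TLSv1:RC4-SHA:128
2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
2012-06-08 12:51:50 SMTP connection from host.example.net (helo.example) [198.51.100.7]:60909 closed by QUIT
"""

if __name__ == "__main__":
    for line in describe(*parse_exim_log(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against the post's own log, the output shows two separate events: the first client was refused at the MAIL command because its HELO name failed the ACL check, and the connection was dropped before any message existed, so nothing from it was stored or delivered. The second client's message was accepted (the `<=` line), then produced two `=>` deliveries for a single envelope recipient: one through the `virtual_user` router into a local mailbox, and one through `lookuphost`/`remote_smtp` to the remote host in the `H=` field over TLS, which is the pattern of a local mailbox that also forwards. The `Completed` line means the queue entry was removed after both deliveries succeeded. When triaging, the fields to pivot on are the `H=` host and bracketed IP on the `<=` line (who sent it) and on the `=>` lines (where it went).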
