Exim
K. A., 2018-03-05 10:32:01

Is it possible to find out which file opened an SMTP connection on an Exim server?

The hoster often blocks mail traffic on the server. After the last check, no malicious scripts could be detected; from the headers it was possible to get a list of the files that sent the messages, and they were also checked and do not carry any threats. There was a suspicion that, in addition to spam sent via the mail() function on the server, the server had picked up something that sends spam through a third-party server.
lsof | grep smtp output:

[[email protected] ~]# lsof | grep smtp
exim      12669                exim    3u     IPv6         1617849445         0t0        TCP *:smtp (LISTEN)
exim      12669                exim    4u     IPv4         1617849446         0t0        TCP *:smtp (LISTEN)
exim      21248                exim    10u    IPv4         1791358785         0t0        TCP domain.ru:52790->ol-in-f27.1e100.net:smtp (SYN_SENT)
exim      21957                exim    9u     IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)
exim      21957                exim    10u    IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)

After restarting Exim:
[[email protected]~]# lsof | grep smtp
exim      12669                exim    3u     IPv6         1617849445         0t0        TCP *:smtp (LISTEN)
exim      12669                exim    4u     IPv4         1617849446         0t0        TCP *:smtp (LISTEN)
exim      25222                exim    9u     IPv4         1792563905         0t0        TCP domain.ru:smtp->52.175.23.137:54652 (CLOSE_WAIT)
exim      25222                exim   10u     IPv4         1792563905         0t0        TCP domain.ru:smtp->52.175.23.137:54652 (CLOSE_WAIT)
exim      25227                exim    9u     IPv4         1792575077         0t0        TCP domain.ru:smtp->52.175.23.137:54046 (ESTABLISHED)
exim      25227                exim   10u     IPv4         1792575077         0t0        TCP domain.ru:smtp->52.175.23.137:54046 (ESTABLISHED)

I'm not strong in administration, but as I understand it, before the restart a connection was opened to the ol-in-f27.1e100.net server, obviously some kind of evil spirits. UPD: I found out that this is Google, but nothing should be sent from the server through its SMTP. Of third-party servers there are only Yandex and a dedicated mail server.
Actually, the question arose: is it possible to find out which file on the server opened a connection to a particular server from the output of this command? Thank you.
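What the lsof output can and cannot tell you comes down to the direction of each socket. As an added example (not from the question or its answer), the script below parses the lsof lines pasted above: a socket whose local port is smtp is an inbound client talking to the listener, while a socket whose remote port is smtp is an outbound delivery made by that PID. The ol-in-f27.1e100.net line is therefore Exim's own delivery process connecting to a remote MX, and lsof can only name the process (exim), never the script that queued the message; the sample input is a constructed copy of the lines from the question.

```python
import re
from collections import defaultdict

# Constructed sample: the lsof lines from the question (before the restart).
SAMPLE_LSOF = """\
exim      12669                exim    3u     IPv6         1617849445         0t0        TCP *:smtp (LISTEN)
exim      12669                exim    4u     IPv4         1617849446         0t0        TCP *:smtp (LISTEN)
exim      21248                exim    10u    IPv4         1791358785         0t0        TCP domain.ru:52790->ol-in-f27.1e100.net:smtp (SYN_SENT)
exim      21957                exim    9u     IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)
exim      21957                exim    10u    IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)
"""

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; for a TCP
# socket NAME is "local->remote (STATE)" or just "local (LISTEN)".
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+?)(?:->(?P<remote>\S+))?\s+\((?P<state>\w+)\)\s*$"
)

def classify(line):
    """Return (pid, direction, peer, state), or None for a line that is not a TCP socket."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, local, remote, state = int(m["pid"]), m["local"], m["remote"], m["state"]
    if remote is None:
        return pid, "listen", local, state
    # The side whose port is the service port (smtp) is the one that was connected to.
    lport = local.rsplit(":", 1)[1]
    rport = remote.rsplit(":", 1)[1]
    if lport == "smtp" and rport != "smtp":
        return pid, "inbound", remote, state    # a remote client reached our listener
    if rport == "smtp":
        return pid, "outbound", remote, state   # this PID connected to a remote MX
    return pid, "other", remote, state

def summarize(text):
    """Group sockets by PID; lsof lists the same socket once per open FD, so use a set."""
    by_pid = defaultdict(set)
    for line in text.splitlines():
        parsed = classify(line)
        if parsed:
            pid, direction, peer, state = parsed
            by_pid[pid].add((direction, peer, state))
    return dict(by_pid)

if __name__ == "__main__":
    for pid, socks in sorted(summarize(SAMPLE_LSOF).items()):
        for direction, peer, state in sorted(socks):
            print(f"pid {pid}: {direction:8} {peer} ({state})")
```

To go from an outbound PID to the message it was delivering, Exim's mainlog with `log_selector = +pid` tags each line with the delivering PID and its message ID, and `exim -Mvh <id>` then shows that message's headers (including whatever the submitting script left in them).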

Kir aka Dober, 2018-03-05
@dobergroup

netstat -tap | grep smtp won't work?
