GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from

Home » GFI User Forums » Kerio Connect » Do I have a security breach? (Weird sender or possible relay)
Do I have a security breach? [message #129412] Thu, 05 May 2016 02:06 Go to next message
Gaby is currently offline  Gaby
Messages: 34
Registered: March 2010
Checking the queue in Kerio Connect I noticed a weird thing: the sender showed <>.

Checking the debug file I noticed something that i suspect it may be an intent of relay using my mail server. Check out the following, particularily the first line

[04/May/2016 20:12:54][4444] {smtpc} Sending email to SMTP server, delivering mail from <>
[04/May/2016 20:12:55][4444] {smtpc} Connecting to ( using local interface
[04/May/2016 20:12:55][4444] {smtpc} Connected to
[04/May/2016 20:12:55][4444] {smtpc} Received greeting: 220 ESMTP eXpurgate 4.0.10
[04/May/2016 20:12:55][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:56][4444] {smtpc} Switching connection to TLS
[04/May/2016 20:12:57][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:57][4444] {smtpc} Sent MAIL command
[04/May/2016 20:12:57][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:57][4444] {smtpc} Sent RCPT TO: <SkinnerRosalinda51596<_at_>>
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:58][4444] {smtpc} Sent DATA command
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 354 End data with <CR><LF>.<CR><LF>
[04/May/2016 20:12:58][4444] {smtpc} Sending message body...
[04/May/2016 20:12:58][4444] {smtpc} Data sent, got reply: 450 4.7.1 <SkinnerRosalinda51596<_at_>>: Relay access denied
[04/May/2016 20:12:58][4444] {smtpc} Data not accepted: 450 4.7.1 <SkinnerRosalinda51596<_at_>>: Relay access denied
[04/May/2016 20:12:59][4444] {smtpc} QUIT sent, got reply: 221 Bye
[04/May/2016 20:12:59][4444] {smtpc} Delivery to other mx servers was skipped.

I can't fully understand what is going on, but seems that someone called <> is trying to send a message through my server. Can it be?

Thanks in advance
Re: Do I have a security breach? [message #129418 is a reply to message #129412] Thu, 05 May 2016 18:14 Go to previous message
Bud Durland is currently offline  Bud Durland
Messages: 586
Registered: December 2013
Location: Plattsburgh, NY
Since the "from" is empty ("<>"), this is probably backscatter. Wiki link. The server will give up trying to deliver it after a certain period and will delete the message.

Had there been a real address in the from value, that might indicate a compromised user account.
Previous Topic: Whitelist IP no longer working
Next Topic: How to make sure that ALL local messages are on the server
Goto Forum:

Current Time: Sun May 28 23:57:27 CEST 2023

Total time taken to generate the page: 0.05405 seconds