Hi

Can someone tell me what's going on here :)

Nov  8 16:09:37 mail postfix/smtpd[30205]: connect from unknown[94.20.38.50]
Nov  8 16:09:41 mail postfix/smtpd[30205]: C985FC8C005: 
client=unknown[94.20.38.50]
Nov  8 16:09:50 mail postfix/cleanup[30235]: C985FC8C005: 
message-id=<000e01cc51a0$5768b980$32261...@eftps.com>
Nov  8 16:10:07 mail postfix/qmgr[30195]: C985FC8C005: 
from=<message.dae...@eftps.com>, size=30170, nrcpt=1 (queue active)
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) ESMTP::10024 
/var/lib/amavis/tmp/amavis-20111108T130836-28776: <message.dae...@eftps.com> -> 
<joseph....@mydomain.net> SIZE=30170 Received: from mail.myserverdomain.net 
([127.0.0.1]) by amavisd.myserverdomain.net (mail.myserverdomain.net 
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
<joseph....@mydomain.net>; Tue,  8 Nov 2011 16:10:07 +0000 (UTC)
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Checking: QWIgMcifqXRS 
[94.20.38.50] <message.dae...@eftps.com> -> <joseph....@mydomain.net>
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p003 1 Content-Type: 
multipart/mixed
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p001 1/1 Content-Type: 
text/plain, size: 574 B, name:
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p002 1/2 Content-Type: 
text/plain, size: 20750 B, name: report.18653.pdf
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p.path BANNED:1 
joseph....@mydomain.net: "P=p003,L=1,M=multipart/mixed | 
P=p002,L=1/2,M=text/plain,T=zip,N=report.18653.pdf | 
P=p004,L=1/2/1,T=exe,T=exe-ms,N=report.18653.pdf.exe", 
matching_key="(?i-xsm:\\.[^./]*\\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\\.?$)"
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) local delivery: 
<message.dae...@eftps.com> -> banned-quarantine, 
mbx=/var/spool/mail/quarantine/banned-QWIgMcifqXRS
Nov  8 16:10:07 mail postfix/smtpd[30243]: connect from localhost[127.0.0.1]
Nov  8 16:10:07 mail postfix/smtpd[30243]: warning: Illegal address syntax from 
localhost[127.0.0.1] in RCPT command: 
<postmaster@!change-mydomain-variable!.example.com>
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) smtp resp to RCPT (pip) 
(<postmaster@!change-mydomain-variable!.example.com>): 501 5.1.3 Bad recipient 
address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Negative SMTP resp. to 
DATA: 554 5.5.1 Error: no valid recipients
Nov  8 16:10:07 mail postfix/smtpd[30243]: disconnect from localhost[127.0.0.1]
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)SEND via SMTP: 
<postmas...@mail.myserverdomain.net> -> 
<postmaster@!change-mydomain-variable!.example.com>,ENVID=am..20111108t1610...@mail.myserverdomain.net
 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad 
recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)FAILED to notify admin: 
501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad 
recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Blocked BANNED 
(.exe,.exe-ms,report.18653.pdf.exe), [94.20.38.50] [12.36.213.133] 
<message.dae...@eftps.com> -> <joseph....@mydomain.net>, quarantine: 
banned-QWIgMcifqXRS, Message-ID: <000e01cc51a0$5768b980$32261...@eftps.com>, 
mail_id: QWIgMcifqXRS, Hits: -, size: 30169, 232 ms
Nov  8 16:10:07 mail postfix/smtp[30237]: C985FC8C005: 
to=<joseph....@mydomain.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=27, 
delays=27/0/0/0.23, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, 
id=28776-15 - BANNED: .exe,.exe-ms,report.18653.pdf.exe)
Nov  8 16:10:07 mail postfix/qmgr[30195]: C985FC8C005: removed
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) TIMING [total 234 ms] - 
SMTP greeting: 1 (0%)0, SMTP EHLO: 0 (0%)1, SMTP pre-MAIL: 0 (0%)1, SMTP 
pre-DATA-flush: 1 (0%)1, SMTP DATA: 39 (17%)18, check_init: 0 (0%)18, 
digest_hdr: 1 (0%)18, digest_body_dkim: 0 (0%)18, gen_mail_id: 1 (0%)19, 
mime_decode: 7 (3%)22, get-file-type2: 12 (5%)27, decompose_part: 21 (9%)36, 
get-file-type1: 11 (5%)40, decompose_part: 30 (13%)53, parts_decode: 0 (0%)53, 
check_header: 1 (0%)53, AV-scan-1: 43 (18%)72, update_cache: 1 (0%)72, 
decide_mail_destiny: 1 (0%)73, notif-quar: 1 (0%)73, stat-mbx: 1 (1%)74, 
open-mbx: 0 (0%)74, write-header: 0 (0%)74, save-to-local-mailbox: 0 (0%)74, 
fwd-connect: 52 (22%)96, fwd-mail-pip: 1 (0%)97, fwd-rcpt-pip: 0 (0%)97, 
fwd-data-chkpnt: 0 (0%)97, fwd-end-chkpnt: 1 (0%)97, prepare-dsn: 1 (0%)97, 
main_log_entry: 4 (2%)99, update_snmp: 2 (1%)100, SMTP pre-response: 0 (0%)100, 
SMTP response: 0 (0%)100, unlink-2-files: 0 (0%)100, rundown: 0 (0%)100
Nov  8 16:10:08 mail postfix/smtpd[30205]: disconnect from unknown[94.20.38.50]


What I understand is:

- The sending host connected and postfix accepted the mail
- postfix passed the message to amavis
- who found a banned file
- and tried to notify someone.

But it's not clear to me who it tried to notify.  I don't want it trying to 
notify the sender because this (was in this case and almost always) is a virus.
I don't really want it notifying me (postmas...@myserverdomain.net) because 
that's where the mail was quarantined anyway.

Who is it trying to notify and why?  And how do I turn it off?

Thanks.

Simon
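
An added example, not part of the original post: a small Python triage script that re-joins the mail-wrapped log records and reports, per amavis session id, the verdict and the address of the notification that failed. The function names and regular expressions are assumptions written against the lines shown in the post, not a general amavisd-new log grammar.

```python
import re
from collections import defaultdict

# Constructed sample: three records taken from the post above, abridged and
# still mail-wrapped, with addresses elided exactly as the archive shows them.
SAMPLE = """\
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)SEND via SMTP:
<postmas...@mail.myserverdomain.net> ->
<postmaster@!change-mydomain-variable!.example.com>,ENVID=am..20111108t1610...@mail.myserverdomain.net
 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad
recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)FAILED to notify admin:
501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad
recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Blocked BANNED
(.exe,.exe-ms,report.18653.pdf.exe), [94.20.38.50] [12.36.213.133]
<message.dae...@eftps.com> -> <joseph....@mydomain.net>, quarantine:
banned-QWIgMcifqXRS, mail_id: QWIgMcifqXRS, Hits: -, size: 30169, 232 ms
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
ENTRY = re.compile(r"amavisd-new\[\d+\]: \((\d+-\d+)\) (.*)")   # session id, text

def unwrap(text):
    """Re-join continuation lines produced by mail wrapping, one record each."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Per amavis session: verdict, envelope, and the notification that failed."""
    fields = ("verdict", "sender", "rcpt", "notify_to", "notify_kind", "notify_error")
    out = defaultdict(lambda: dict.fromkeys(fields))
    for rec in unwrap(text):
        m = ENTRY.search(rec)
        if not m:
            continue
        s, msg = out[m.group(1)], m.group(2)
        if (b := re.match(r"Blocked (\S+) .*?<([^>]*)> -> <([^>]*)>", msg)):
            s["verdict"], s["sender"], s["rcpt"] = b.groups()
        elif (n := re.match(r"\(!\)SEND via SMTP: <[^>]*> -> <([^>]*)>.*?(\d{3} \d\.\d\.\d)", msg)):
            s["notify_to"], s["notify_error"] = n.groups()
        elif (f := re.match(r"\(!\)FAILED to notify (\w+):", msg)):
            s["notify_kind"] = f.group(1)
    return dict(out)
```

For session 28776-15 the summary pairs the "notify admin" failure with the recipient address in the SEND line, which is not the sender's address.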


