Hi Lewis,

> According to Usage Information, Email, Senders localhost on one of my
> 5209R servers has sent 13,990 emails this month. Mostly during one week
> and one other day.
>
> Is there any reasonable explanation for this behavior?
>
> What to do?

No, this sure isn't normal and warrants further investigation.

First see what else the GUI says. For that check "Server Management" / "Usage Information" / "Email" and under "Email Traffic as reported by Milter-GeoIP" click on the "All Users" tab. Clicks on this tab sometimes are a bit unresponsive. Give it a bit, click on it again and eventually it should show.

Then sort that by "Email out" and it should tell you how much each user account sent in regards to outbound emails. This might help to identify the account that caused it.

If you're unlucky, it says "root". Now under "root" it will also register delivery failure notices to local or remote users.

However, with the username it told you, you can take it to the logfiles. If it was "root", you could use this for example:

    cat /var/log/maillog|grep root|grep stat=Sent

That will show you all messages in /var/log/maillog that user "root" sent.

One example from my logs:

    Sep 27 06:04:46 kosh sendmail[3353]: v8RB4X6n003345: to=x...@xxx.net, ctladdr=<r...@kosh.smd.net> (0/0), delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=61310, relay=mail.solarspeed.net. [208.77.221.199], dsn=2.0.0, stat=Sent (v8RB4YeE001888 Message accepted for delivery)

You can then grep for the message ID, which is "v8RB4X6n003345" in this example, to get a better picture of that single transaction:

Example:

    [root@kosh ~]# cat /var/log/maillog|grep v8RB4X6n003345
    Sep 27 06:04:33 kosh milter-greylist: v8RB4X6n003345: skipping greylist because address 127.0.0.1 is whitelisted, (from=<r...@kosh.smd.net>, rcpt=<r...@kosh.smd.net>, addr=localhost.localdomain[127.0.0.1]) ACL 100
    Sep 27 06:04:33 kosh sendmail[3345]: v8RB4X6n003345: from=<r...@kosh.smd.net>, size=822, class=0, nrcpts=1, msgid=<201709271100.v8rb0crr003...@kosh.smd.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
    Sep 27 06:04:34 kosh sendmail[3353]: v8RB4X6n003345: to=\\admin, ctladdr=<r...@kosh.smd.net> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=61310, dsn=2.0.0, stat=Sent
    Sep 27 06:04:46 kosh sendmail[3353]: v8RB4X6n003345: to=x...@xxx.net, ctladdr=<r...@kosh.smd.net> (0/0), delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=61310, relay=mail.solarspeed.net. [208.77.221.199], dsn=2.0.0, stat=Sent (v8RB4YeE001888 Message accepted for delivery)

That tells us: It was an 822 byte email from "root" to "admin", which also got forwarded to x...@xxx.net, because the "admin" on that box has forwarding enabled.

See what you can dig up this way and if you need any help with this, please file a support ticket via the GUI and tick the checkbox for "allow access".

--
With best regards

Michael Stauber
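
The log triage described in the message above, as an added example that is not part of the original message or of BlueOnyx: it tallies `stat=Sent` deliveries per `ctladdr`, split into remote and local, and pulls every line for one queue ID. The function names are hypothetical and the log lines are constructed (only the queue ID `v8RB4X6n003345` is reused from the message).

```shell
#!/bin/sh
# Constructed sample in sendmail maillog format; hosts and addresses are made up.
sample_maillog() {
cat <<'EOF'
Sep 27 06:04:33 host1 sendmail[3345]: v8RB4X6n003345: from=<root@host1.example>, size=822, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 27 06:04:34 host1 sendmail[3353]: v8RB4X6n003345: to=\\admin, ctladdr=<root@host1.example> (0/0), delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Sep 27 06:04:46 host1 sendmail[3353]: v8RB4X6n003345: to=<fwd@remote.example>, ctladdr=<root@host1.example> (0/0), delay=00:00:13, mailer=esmtp, relay=mx.remote.example. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Sep 27 07:10:01 host1 sendmail[4001]: v8RC1A2b004001: to=<a@remote.example>, ctladdr=<webuser@host1.example> (1001/1001), mailer=esmtp, relay=mx.remote.example. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Sep 27 07:10:02 host1 sendmail[4002]: v8RC1A2c004002: to=<b@remote.example>, ctladdr=<webuser@host1.example> (1001/1001), mailer=esmtp, relay=mx.remote.example. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Sep 27 07:10:03 host1 sendmail[4003]: v8RC1A2d004003: to=<c@remote.example>, ctladdr=<webuser@host1.example> (1001/1001), mailer=esmtp, relay=mx.remote.example. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Sep 27 07:10:04 host1 sendmail[4004]: v8RC1A2e004004: to=<d@remote.example>, ctladdr=<webuser@host1.example> (1001/1001), mailer=esmtp, relay=mx.remote.example. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out
EOF
}

# Read a maillog on stdin; print "remote local sender" per ctladdr,
# counting only completed deliveries (stat=Sent), busiest remote sender first.
sent_per_sender() {
    awk '/stat=Sent/ && match($0, /ctladdr=<[^>]*>/) {
        who = substr($0, RSTART + 9, RLENGTH - 10)   # strip "ctladdr=<" and ">"
        if ($0 ~ /mailer=local/) loc[who]++; else rem[who]++
        seen[who] = 1
    }
    END { for (w in seen) printf "%d %d %s\n", rem[w], loc[w], w }' | sort -rn
}

# Read a maillog on stdin; print every line belonging to queue ID $1.
# Matching " ID: " as a fixed string avoids hits inside msgid= fields.
trace_queue_id() {
    grep -F -- " $1: "
}

# Real use: sent_per_sender < /var/log/maillog
sample_maillog | sent_per_sender
sample_maillog | trace_queue_id v8RB4X6n003345
```

A high remote count for an ordinary site user, as with the constructed `webuser` here, is the account to trace first; a high count for root can also be bounce and notification traffic, as the message notes.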