Michael Stauber wrote:
Hi Lewis,

According to Usage Information, Email, Senders localhost on one of my
5209R servers has sent 13,990 emails this month. Mostly during one week
and one other day.

Is there any reasonable explanation for this behavior?

What to do?

No, this sure isn't normal and warrants further investigation. First see
what else the GUI says. For that check "Server Management" / "Usage
Information" / "Email" and under "Email Traffic as reported by
Milter-GeoIP" click on the "All Users" tab.

Clicks on this tab sometimes are a bit unresponsive. Give it a bit,
click on it again and eventually it should show. Then sort that by
"Email out" and it should tell you how much each user account sent in
regards to outbound emails.

This might help to identify the account that causes it. If you're
unlucky, it says "root". Now under "root" it will also register delivery
failure notices to local or remote users.

The user with the highest message count only sent 79 messages in September. The table below this, "Messaging flows", reports "Total outgoing" as 12,684. Below that is a very frightening graph...


However, with the username it told you, you can take it to the logfiles.
If it was "root", you could use this for example:

cat /var/log/maillog|grep root|grep stat=Sent

For root the output looks normal and legit.

Dropping "grep root" returns a fckton that look questionable.

One such record:
sendmail[10392]: v8KIPviO025185: to=<craigbecking...@btinternet.com>, delay=4+13:23:55, xdelay=00:00:00, mailer=esmtp, pri=5340717, relay=mx.bt.lon5.cpcloud.co.uk. [65.20.0.49], dsn=4.0.0, stat=Deferred: 421 Too many messages (1.5.7.3) on 2017/09/25 08:51:00 BST from un-validated IP address: 6...to the volume of email being sent from this IP address. Guide for bulk senders www.bt.com/bulksender


You can then grep for the message ID, which is "v8RB4X6n003345" in this
example to get a better picture of that single transaction:

From the above:
# cat /var/log/maillog|grep v8P7oUsO000785
sendmail[785]: v8P7oUsO000785: from=<>, size=662, class=0, nrcpts=1, msgid=<134237383.20179257...@stadt.freiburg.de>, proto=ESMTP, daemon=MTA, relay=pD9F635BE.dip0.t-ipconnect.de [217.246.53.190]
sendmail[785]: v8P7oUsO000785: Milter add: header: X-Virus-Scanned: clamav-milter 0.99.2 at colo2.boxwrench.com
sendmail[785]: v8P7oUsO000785: Milter add: header: X-Virus-Status: Clean
sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Status: No, score=1.6 required=5.0 tests=ALL_TRUSTED,FROM_NO_USER,\n\tTVD_RCVD_IP,TVD_RCVD_IP4 autolearn=no autolearn_force=no version=3.4.0
sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Level: *
sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on colo2.boxwrench.com
sendmail[1373]: v8P7oUsO000785: to=<ob.salo...@stadt.freiburg.de>, delay=00:00:06, xdelay=00:00:02, mailer=esmtp, pri=120662, relay=erelay01.kivbf.de. [194.59.36.38], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salo...@stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
sendmail[1373]: v8P7oUsO000785: to=<ob.salo...@stadt.freiburg.de>, delay=00:00:08, xdelay=00:00:04, mailer=esmtp, pri=120662, relay=erelay02.kivbf.de. [194.59.36.39], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salo...@stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
sendmail[1373]: v8P7oUsO000785: to=<ob.salo...@stadt.freiburg.de>, delay=00:00:10, xdelay=00:00:06, mailer=esmtp, pri=120662, relay=erelay03.kivbf.de. [194.59.36.40], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salo...@stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
sendmail[19307]: v8P7oUsO000785: to=<ob.salo...@stadt.freiburg.de>, delay=00:28:51, xdelay=00:00:06, mailer=esmtp, pri=210662, relay=erelay02.kivbf.de. [194.59.36.39], dsn=2.0.0, stat=Sent (Ok, discarded, id=04066-10 - spam)

To me it looks like my server made 4 attempts to send mail from nobody "<>" to someone in a beautiful town in Germany. As a side note I'd prefer to not harass the citizenry there seeing as they have taken down the US flag from their translate and tourism click things...


See what you can dig up this way and if you need any help with this,
please file a support ticket via the GUI and tick the checkbox for
"allow access".

Filed! Any help is always very much appreciated!
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
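As an added example (not code from the thread or from BlueOnyx), a small Python parser that does in one pass what the grep commands above do by hand: it groups maillog lines by sendmail queue ID, records the envelope sender, the relay the message arrived from and every delivery attempt, then reports per-sender counts, messages a remote MX throttled with a 421, and null-sender (from=<>) messages that arrived from a relay other than localhost. The sample log is constructed; the queue IDs are the ones quoted in the thread but all hosts and addresses are made up, and the "localhost" test is a simple heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the maillog excerpts above (hosts/addresses invented).
# Real maillog lines carry a "Mon DD HH:MM:SS host " prefix; re.search() skips it.
SAMPLE_LOG = """\
sendmail[785]: v8P7oUsO000785: from=<>, size=662, class=0, nrcpts=1, msgid=<1@example.invalid>, proto=ESMTP, daemon=MTA, relay=host.dyn.example.net [203.0.113.7]
sendmail[1373]: v8P7oUsO000785: to=<user@example.org>, delay=00:00:06, xdelay=00:00:02, mailer=esmtp, pri=120662, relay=erelay01.example.org. [192.0.2.10], dsn=4.2.0, stat=Deferred: 450 4.2.0 Recipient address rejected
sendmail[19307]: v8P7oUsO000785: to=<user@example.org>, delay=00:28:51, xdelay=00:00:06, mailer=esmtp, pri=210662, relay=erelay02.example.org. [192.0.2.11], dsn=2.0.0, stat=Sent (Ok, discarded, id=04066-10 - spam)
sendmail[10392]: v8KIPviO025185: from=<alice@example.net>, size=900, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
sendmail[10392]: v8KIPviO025185: to=<bob@example.com>, delay=4+13:23:55, xdelay=00:00:00, mailer=esmtp, pri=5340717, relay=mx.example.com. [198.51.100.5], dsn=4.0.0, stat=Deferred: 421 Too many messages
"""

# "from=" line: envelope sender and the relay we accepted the message from.
FROM_RE = re.compile(r'sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)')
# "to=" line: one delivery attempt with the next-hop relay and its final stat=.
TO_RE = re.compile(r'sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>\S+).*?stat=(?P<stat>.*)$')


def parse_maillog(text):
    """Group sendmail log lines by queue ID into one transaction each."""
    txns = defaultdict(lambda: {"sender": None, "in_relay": None, "rcpts": []})
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            txns[m["qid"]]["sender"] = m["sender"]
            txns[m["qid"]]["in_relay"] = m["relay"]
            continue
        m = TO_RE.search(line)
        if m:
            txns[m["qid"]]["rcpts"].append((m["rcpt"], m["relay"], m["stat"]))
    return dict(txns)


def triage(txns):
    """Per-sender message counts plus two things worth a second look:
    remote MXs throttling this host (421) and null-sender mail accepted from outside."""
    by_sender = defaultdict(int)
    throttled, external_null_sender = [], []
    for qid, t in txns.items():
        label = "<>" if t["sender"] == "" else (t["sender"] or "<unknown>")
        by_sender[label] += 1
        if any("421" in stat for _, _, stat in t["rcpts"]):
            throttled.append(qid)
        # Heuristic: locally generated mail is logged with a localhost relay.
        if t["sender"] == "" and t["in_relay"] and "localhost" not in t["in_relay"]:
            external_null_sender.append(qid)
    return {"by_sender": dict(by_sender), "throttled": throttled,
            "external_null_sender": external_null_sender}


if __name__ == "__main__":
    print(triage(parse_maillog(SAMPLE_LOG)))
```

On a live server, feed it `open("/var/log/maillog").read()` instead of SAMPLE_LOG and sort `by_sender` by count to get the same picture the GUI's "Email out" column gives, but with the queue IDs attached.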