postmaster



Alejandro
10-07-2003, 12:48 AM
Hello,

Since I upgraded to wh2 I receive a LOT of "postmaster notifications". In most of them I see in the "to" field an unknown address, so I didn't send that email... is it normal? Is someone trying to send emails from my server??? I hope someone knows... thank you!

wildjokerdesign
10-07-2003, 09:16 AM
No, I do not believe that is normal. You might want to try looking at your maillog located in /var/log to see if you can see who is using your sendmail. Not real familiar with reading the log, but have been able to figure that:

First the date is listed
Then your.com sendmail
Then a "reference number"
Then what happened

Look for "reference numbers" that are the same and see if you can follow what happened. Here is one example from my log.

Sep 23 00:41:26 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: <wedesign@wildjokerdesign.com>... User unknown

Sep 23 00:41:27 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: lost input channel from ool-44c217b0.dyn.optonline.net [68.194.23.176] to stdin after rcpt

Sep 23 00:41:27 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: from=<7tynvq@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, relay=ool-44c217b0.dyn.optonline.net [68.194.23.176]

In this example notice that they tried to send to wedesign and the result was User unknown. Then they lost the input channel. The last entry shows the address they were trying to send from.

Hope that helps Alejandro.

P.S. Anyone out there know of a script that can read the maillog?

Alejandro
10-07-2003, 01:59 PM
Thank you wjd, right now I'm out of town but I'll check that when I arrive THANK YOU

Alejandro
10-08-2003, 11:15 AM
Thanks wjd...

I checked the log... strange... in the last 11 days I found 12 records like this one:

Sep 25 01:14:06 [mydomain].com sendmail[30432]: h8L5E1G07218: to=<mortgage@kl56.com>, delay=4+01:59:04, xdelay=00:00:00, mailer=esmtp, pri=4440100, relay=mail.kl56.com., dsn=4.0.0, stat=Deferred: Connection reset by mail.kl56.com.

I don't know mortgage@kl56.com!!! and I'm pretty sure that I didn't send anything to that email...

Also I found ABOUT 200 records like this one:

Oct 3 21:03:15 [mydomain].com /bin/popd[12376]: alejandro@[mydomain] at dup-148-221-19-74.prodigy.net.mx (148.221.19.74): -ERR [AUTH] Password supplied for "alejandro@[mydomain]" is incorrect.

Oct 6 11:53:05 [mydomain].com /bin/popd[32380]: alejandro at dsl-201-128-131-90.prodigy.net.mx (201.128.131.90): -ERR POP EOF or I/O Error

???

Anyone know what it all means???
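Following the way wildjokerdesign describes reading the log (date, host, sendmail, reference number, what happened) and the two kinds of entries Alejandro found, here is an added example parser; it is not a script posted in this thread. It groups sendmail entries by reference number, lists deferred deliveries (mail the server is still trying to send out), and counts failed POP logins per source IP, using the log lines quoted above as constructed sample input; the regexes assume the sendmail and popd message layouts shown there.

```python
import re
from collections import defaultdict
# Constructed sample: the maillog lines quoted in this thread, not a live log
SAMPLE_LOG = [
    "Sep 23 00:41:26 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: <wedesign@wildjokerdesign.com>... User unknown",
    "Sep 23 00:41:27 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: lost input channel from ool-44c217b0.dyn.optonline.net [68.194.23.176] to stdin after rcpt",
    "Sep 23 00:41:27 wildjokerdesign.com sendmail[4228]: h8N6f4F04300: from=<7tynvq@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, relay=ool-44c217b0.dyn.optonline.net [68.194.23.176]",
    "Sep 25 01:14:06 [mydomain].com sendmail[30432]: h8L5E1G07218: to=<mortgage@kl56.com>, delay=4+01:59:04, xdelay=00:00:00, mailer=esmtp, pri=4440100, relay=mail.kl56.com., dsn=4.0.0, stat=Deferred: Connection reset by mail.kl56.com.",
    'Oct 3 21:03:15 [mydomain].com /bin/popd[12376]: alejandro@[mydomain] at dup-148-221-19-74.prodigy.net.mx (148.221.19.74): -ERR [AUTH] Password supplied for "alejandro@[mydomain]" is incorrect.',
    "Oct 6 11:53:05 [mydomain].com /bin/popd[32380]: alejandro at dsl-201-128-131-90.prodigy.net.mx (201.128.131.90): -ERR POP EOF or I/O Error",
]

# Layout from the thread: date, host, program[pid]: message
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[(\d+)\]: (.*)$")
QUEUE_RE = re.compile(r"^(\w+): (.*)$")  # sendmail: reference number, then what happened
POP_RE = re.compile(r"^(\S+) at (\S+) \(([\d.]+)\): -ERR (.*)$")  # popd: user at host (ip): -ERR ...

def parse_line(line):
    """Split one maillog line into its fields; None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, host, prog, pid, msg = m.groups()
    return {"date": date, "host": host, "prog": prog, "pid": int(pid), "msg": msg}

def summarize(lines):
    """Group sendmail entries by reference number, collect deferred deliveries, count failed POP logins."""
    queues = defaultdict(list)       # reference number -> [(date, what happened)]
    deferred = []                    # (reference number, recipient, stat=...)
    pop_failures = defaultdict(int)  # source ip -> failed [AUTH] attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"].endswith("sendmail"):
            q = QUEUE_RE.match(rec["msg"])
            if q is None:
                continue
            qid, what = q.groups()
            queues[qid].append((rec["date"], what))
            # delivery-attempt lines are comma-separated key=value pairs
            fields = dict(kv.split("=", 1) for kv in what.split(", ") if "=" in kv)
            if "to" in fields and fields.get("stat", "").startswith("Deferred"):
                deferred.append((qid, fields["to"].strip("<>"), fields["stat"]))
        elif rec["prog"].endswith("popd"):
            p = POP_RE.match(rec["msg"])
            if p is not None and "[AUTH]" in p.group(4):
                pop_failures[p.group(3)] += 1
    return {"queues": dict(queues), "deferred": deferred, "pop_failures": dict(pop_failures)}
```

Run it over a real /var/log/maillog with `summarize(open(path))`; a reference number whose lines show an outside relay, a `from=` address you never use and a `to=` recipient you don't know is the pattern to look for.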

wildjokerdesign
10-08-2003, 12:25 PM
Hmm, well I did a lookup on kl56.com and it is owned by
Active Services '86
1280 West Boca Blvd
Boca Raton, FL 33433
US
With Domain Servers listed as
Domain servers in listed order:
NS1.KL56.COM 66.239.205.201
NS2.KL56.COM 66.239.205.202

If you go to the kl56.com url you get the Apache Test Page. Sorry I can't be of more help since I am not sure if this entry was able to do something or not.

The other one looks like it did return an error so if someone was trying to use your address it seems to have failed.

I think I might submit a support ticket on the first one and ask tech if you should be concerned. Most likely it will take a while for them to respond unless it gets flagged as something that is a security risk when they scan the tickets. I have a feeling that with the amount of tickets they have been receiving they scan them quickly and try to categorize them on importance, so make sure you make it short and sweet with the error very clear.

jalal
10-08-2003, 04:21 PM
Hmm, I thought it was just me... so interesting that someone else also suffers from the same thing.
I checked through the logs and one thing I noticed is that on or about the 25th Sept, the amount of logging dropped dramatically; in fact since then, only the occasional error gets logged. Anyone else noticed the same thing? So that means I can't check the logs from that time on.

Interesting, I just checked half a dozen of my sites, and they all stop logging the mails on Sept. 25th. One site has no maillog at all.

Further investigation needed here, methinks...

FZ
10-08-2003, 04:28 PM
jalal,

WestHost made some global sendmail.cf changes. Refer to this post for more info (and the solution): http://forums.westhost.com/phpBB2/viewtopic.php?t=1063

jalal
10-08-2003, 04:34 PM
Well, to answer one part of the above, logging level got reduced from 0 to 9 on all my domains on Sept. 25th, which is why there's nothing there from then on.