Re: Suspicious Email Logs...
From: mouss (usebsd@free.fr)
Date: Sat Apr 01 2006 - 17:55:40 CST
Conall O'Brien wrote:
> Hello,
>
>
> I've just noticed that my 2 backup MX postfix servers appear to have
> sent more emails than I expect in a day, especially since my primary MX
> is running fine.
>
>
> Investigating my mail.logs has produced some interesting logs which
> look like:
>
> Apr 1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@castor.asclepian.ie>
> Apr 1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
> Apr 1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@fullermotion.com>, relay=mail13.webcontrolcenter.com[216.119.106.129], delay=3, status=sent (250 OK)
> Apr 1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
>
>
> The complete collection of suspicious logs for both servers is available
> at http://icarus.asclepian.ie/~conall/suspicious.logs
>
>
> I've considered the possibility of scatterback, which is an issue I
> haven't specifically addressed previously, but grepping mail.log files
> on my other MX servers for mentioned domain names reveals that in most
> cases, this isn't scatterback (I did find 1 case). I'm also a little
> suspicious because the message ID looks a little bit too deterministic
> for my liking, looking at the least significant digits.
>
> Hence I'd like to know if anyone else has seen this before. Any help is
> appreciated...
>
>
> Both servers are almost identically configured; diffing the output of
> postconf -n shows only different values for $myhostname,
> $smtpd_tls_cert_file and $smtpd_tls_key_file. Hence, below is the
> postconf -n output for one server.
>
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = all
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> myhostname = castor.asclepian.ie
> mynetworks = 127.0.0.0/8
> myorigin = $myhostname
> recipient_delimiter = +
> relay_domains = $mydestinations, $mx_backups
I see no relay_recipient_maps, so you're not validating relay recipients.
PS. You have mydestinations with an 's' above.
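As an added example (not code from the thread or from Postfix), the script below correlates Postfix qmgr and smtp log lines to find messages with a null sender (from=<>) that the host delivered outbound, which is the pattern a backup MX produces when it accepts mail for unvalidated recipients and then bounces it. The log lines, queue IDs, hosts and addresses are constructed to match the quoted log format.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the postfix/qmgr and postfix/smtp lines
# quoted in the thread; every host, queue ID and address here is made up.
SAMPLE_LOG = """\
Apr  1 04:33:19 mx2 postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr  1 04:33:22 mx2 postfix/smtp[21586]: B9CE3775: to=<qvqls@example.com>, relay=mail.example.com[192.0.2.10], delay=3, status=sent (250 OK)
Apr  1 04:33:22 mx2 postfix/qmgr[21148]: B9CE3775: removed
Apr  1 04:35:01 mx2 postfix/qmgr[21148]: C1D2E3F4: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Apr  1 04:35:03 mx2 postfix/smtp[21590]: C1D2E3F4: to=<bob@example.net>, relay=mx.example.net[192.0.2.20], delay=2, status=sent (250 OK)
Apr  1 04:36:10 mx2 postfix/qmgr[21148]: D5E6F7A8: from=<>, size=48000, nrcpt=1 (queue active)
Apr  1 04:36:12 mx2 postfix/smtp[21591]: D5E6F7A8: to=<zzqrt@example.com>, relay=mail.example.com[192.0.2.10], delay=2, status=sent (250 OK)
"""

# qmgr announces the envelope sender once per message; an empty <> is a bounce/DSN.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# smtp records each successful outbound delivery for the same queue ID.
SMTP_SENT = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=sent")


def find_outbound_bounces(log_text):
    """Return {queue_id: recipient} for every null-sender message that was
    actually delivered to a remote host, i.e. a bounce this server generated."""
    null_sender = set()
    delivered = {}
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            if m.group("sender") == "":
                null_sender.add(m.group("qid"))
            continue
        m = SMTP_SENT.search(line)
        if m:
            delivered[m.group("qid")] = m.group("rcpt")
    return {qid: rcpt for qid, rcpt in delivered.items() if qid in null_sender}


def bounces_per_domain(log_text):
    """Count outbound bounces by recipient domain; a backup MX that hosts no
    local users should show close to zero here, so any spike is worth a look."""
    counts = Counter()
    for rcpt in find_outbound_bounces(log_text).values():
        counts[rcpt.rsplit("@", 1)[-1].lower()] += 1
    return counts


if __name__ == "__main__":
    for domain, n in bounces_per_domain(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {domain}")
```

Run it against a real mail.log in place of SAMPLE_LOG; a large count of null-sender deliveries from a backup MX is the signature of accepting mail for recipients the primary will later reject.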