Re: log reading help

From: Andreas Winkelmann (mlawinkelmann.de)
Date: Fri Jan 05 2007 - 18:35:37 CST


On Saturday 06 January 2007 00:51, Dhaval Patel wrote:

> I am seeing something weird in my logs.
>
> In my mail.log I generally expect to see
> .. from=<extuser@extdomain.com> ...
> .. to=<intuser@mydomain.com> ...
>
> OR
>
> .. from=<intuser@mydomain.com> ...
> .. to=<extuser@extdomain.com> ...
>
> The problem is that I am seeing lots of lines where I see only to, and the
> to address is obviously a bad address. For instance
>
> Jan 5 07:00:30 localhost postfix/smtp[1567]: warning: malformed domain
> name in resource data of MX record for hahoo.com:
> Jan 5 07:00:30 localhost postfix/smtp[1567]: B9F7C1A023:
> to=<hotpettit54@hahoo.com>, relay=none, delay=319736, status=deferred (Name
> service error for name=hahoo.com type=MX: Malformed name server reply)

The mail has already been in your queue for 319736 seconds. To find all lines
regarding this mail, grep for the queue ID B9F7C1A023 in the logs (including
the logs dated from 319736 seconds earlier).

> AND
>
> Jan 5 07:00:30 localhost postfix/smtp[1458]: C9CBA42137:
> to=<1166blackshadow@yhoo.com>, relay=none, delay=314987, status=deferred
> (Name service error for name=yhoo.com type=MX: Malformed name server reply)
>
>
> These messages are also stuck in the mail queue.
>
> I hope that this does mean that a spammer is using my server to send out
> spam somehow. Can somebody please help me make sense of this?

You should look at all lines regarding this mail. Most of the time these are
bounces (you will see an empty from=<> address); then they are backscatter mails.

http://www.postfix.org/BACKSCATTER_README.html

--
        Andreas
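
The two checks Andreas describes (follow the queue ID across log files, including the file that covers `delay` seconds earlier, and look for an empty envelope sender `from=<>`) can be automated. The script below is an added example, not code from the original thread or from Postfix itself. It parses the standard Postfix syslog format, joins all lines by queue ID, computes when each message entered the queue from the timestamp and `delay=` value, and classifies a message with `from=<>` that is stuck in `status=deferred` as backscatter. The log lines are constructed for the example (a bounce whose `from=<>` line sits in a rotated log from Jan 1, plus one normal delivery); the year 2007 is assumed from the date of the thread, since syslog timestamps carry no year.

```python
"""Correlate Postfix log lines by queue ID and flag bounces (from=<>) that are
stuck in the deferred queue, i.e. likely backscatter.  Added example; not from
the original thread.  Sample logs below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample: the rotated log that covers the day the two bounces were
# queued (their delay= values point back to Jan 1), and "today's" log.
OLD_LOG = """\
Jan  1 14:11:34 localhost postfix/qmgr[1201]: B9F7C1A023: from=<>, size=3021, nrcpt=1 (queue active)
Jan  1 15:30:43 localhost postfix/qmgr[1201]: C9CBA42137: from=<>, size=2877, nrcpt=1 (queue active)
"""
TODAY_LOG = """\
Jan  5 07:00:30 localhost postfix/smtp[1567]: warning: malformed domain name in resource data of MX record for hahoo.com:
Jan  5 07:00:30 localhost postfix/smtp[1567]: B9F7C1A023: to=<hotpettit54@hahoo.com>, relay=none, delay=319736, status=deferred (Name service error for name=hahoo.com type=MX: Malformed name server reply)
Jan  5 07:00:30 localhost postfix/smtp[1458]: C9CBA42137: to=<1166blackshadow@yhoo.com>, relay=none, delay=314987, status=deferred (Name service error for name=yhoo.com type=MX: Malformed name server reply)
Jan  5 07:02:11 localhost postfix/qmgr[1201]: 7A1B2C3D4E: from=<intuser@mydomain.com>, size=1200, nrcpt=1 (queue active)
Jan  5 07:02:12 localhost postfix/smtp[1470]: 7A1B2C3D4E: to=<extuser@extdomain.com>, relay=mx.extdomain.com[192.0.2.25]:25, delay=1.2, status=sent (250 OK)
"""

# "<syslog ts> <host> postfix/<daemon>[<pid>]: <QUEUEID>: <rest>"; lines without a
# queue ID (warning:, connect/disconnect) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
DELAY_RE = re.compile(r"delay=(?P<delay>[\d.]+)")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def syslog_time(ts, year):
    """Syslog timestamps have no year; the caller supplies it (2007 assumed here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def queue_entry_time(ts, delay_seconds, year):
    """When the message entered the queue: log timestamp minus delay=.
    That date tells you which rotated log file to grep for the from= line."""
    return syslog_time(ts, year) - timedelta(seconds=float(delay_seconds))


def parse_logs(*logs):
    """Join every queue-ID-bearing line across all given log texts."""
    records = {}
    for text in logs:
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            rec = records.setdefault(m["qid"], {"from": None, "deliveries": []})
            rest = m["rest"]
            fm = FROM_RE.search(rest)
            if fm:
                rec["from"] = fm["addr"]          # "" means the null sender <>
            tm = TO_RE.search(rest)
            if tm:
                dm, sm = DELAY_RE.search(rest), STATUS_RE.search(rest)
                rec["deliveries"].append({
                    "to": tm["addr"], "ts": m["ts"],
                    "delay": float(dm["delay"]) if dm else 0.0,
                    "status": sm["status"] if sm else "unknown"})
    return records


def classify(rec):
    """sender-unknown: no from= line seen yet (look in older logs);
    backscatter: null sender and undeliverable; bounce: null sender, delivered."""
    if rec["from"] is None:
        return "sender-unknown"
    deferred = any(d["status"] == "deferred" for d in rec["deliveries"])
    if rec["from"] == "":
        return "backscatter" if deferred else "bounce"
    return "deferred" if deferred else "normal"


def report(year, *logs):
    out = {}
    for qid, rec in parse_logs(*logs).items():
        entry = {"verdict": classify(rec), "from": rec["from"],
                 "to": [d["to"] for d in rec["deliveries"]]}
        if rec["deliveries"]:
            d = max(rec["deliveries"], key=lambda x: x["delay"])
            entry["queued_at"] = queue_entry_time(d["ts"], d["delay"], year)
        out[qid] = entry
    return out


if __name__ == "__main__":
    for qid, e in report(2007, OLD_LOG, TODAY_LOG).items():
        print(qid, e["verdict"], "from=<%s>" % (e["from"] or ""), e["to"],
              "queued", e.get("queued_at"))
```

Running `report(2007, TODAY_LOG)` alone yields `sender-unknown` for both deferred messages together with a `queued_at` of Jan 1, which is the file you grep next; adding the rotated log turns both verdicts into `backscatter` because the envelope sender is empty. A `from=<>` stuck for days with `relay=none` is your own server trying to bounce spam to a forged sender, not a spammer relaying through you; the BACKSCATTER_README linked above covers how to stop accepting such mail in the first place.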