Email concerns for one domain.

#1 Tue, 06/03/2008 - 10:14
SteveHeinsch


My logwatch report is growing every day with strange things for 1 domain. Does this look normal? Replacing names with xxxxx for security:

--------------------- postfix Begin ------------------------

6082081 bytes transferred
2113 messages sent
2112 messages removed from queue

Top ten senders:
    7 messages sent by: xxx.xxxxx (uid=517):
    4 messages sent by: xxxx (uid=504):
    2 messages sent by: root (uid=0):

All of those messages sent?

more:

Relaying denied:
    From unknown[218.16.119.142] to dvdr0503@yahoo.com.cn : 4 Time(s)
    From unknown[58.125.124.152] to hudoleev@nvkz.net : 1 Time(s)
    From unknown[58.125.124.152] to olgmail@nvkz.net : 1 Time(s)
    From unknown[91.188.216.65] to sales@telephant.biz : 1 Time(s)
    From unknown[91.188.216.65] to sam@telephant.biz : 1 Time(s)

What's all of this mean?

Messages rejected to recipient:
    451fab43.7090603@xxx.org:
        unknown[190.157.31.14] : User unknown in virtual alias table : 1 Time(s)
    BARBARA@xxx.ORG:
        unknown[222.170.54.198] : User unknown in virtual alias table : 1 Time(s)
    MREWOPRETOVWD2@xxx.org:
        mx5.netwood.net[63.214.156.45] : User unknown in virtual alias table : 1 Time(s)
    barb@xxx.org:
        unknown[210.125.162.189] : User unknown in virtual alias table : 1 Time(s)
    barbara@xxx.org:
        189-68-165-209.dsl.telesp.net.br[189.68.165.209] : User unknown in virtual alias table : 1 Time(s)
        201-14-93-166.gnace701.dsl.brasiltelecom.net.br[201.14.93.166] : User unknown in virtual alias table : 1 Time(s)
        217.64.255.58.mactelecom.net[217.64.255.58] : User unknown in virtual alias table : 1 Time(s)
        5acf07dd.bb.sky.com[90.207.7.221] : User unknown in virtual alias table : 1 Time(s)
        ass134.internetdsl.tpnet.pl[83.17.230.134] : User unknown in virtual alias table : 1 Time(s)
        athedsl-99188.home.otenet.gr[87.202.188.194] : User unknown in virtual alias table : 1 Time(s)
        c193-227.icpnet.pl[85.221.193.227] : User unknown in virtual alias table : 1 Time(s)
        dsl-200-67-97-209.prod-empresarial.com.mx[200.67.97.209] : User unknown in virtual alias table : 1 Time(s)
        host-89-229-193-212.gizycko.mm.pl[89.229.193.212] : User unknown in virtual alias table : 1 Time(s)
        host81-151-208-100.range81-151.btcentralplus.com[81.151.208.100] : User unknown in virtual alias table : 1 Time(s)
        ppp85-140-32-98.pppoe.mtu-net.ru[85.140.32.98] : User unknown in virtual alias table : 1 Time(s)
        se2-as1590.alshamil.net.ae[92.97.198.66] : User unknown in virtual alias table : 1 Time(s)
        spc1-port4-0-0-cust844.cosh.broadband.ntl.com[86.6.47.77] : User unknown in virtual alias table : 1 Time(s)
        unknown[125.180.61.23] : User unknown in virtual alias table : 1 Time(s)
        unknown[189.77.28.178] : User unknown in virtual alias table : 1 Time(s)
        unknown[190.156.61.105] : User unknown in virtual alias table : 1 Time(s)
        unknown[190.174.148.208] : User unknown in virtual alias table : 1 Time(s)
        unknown[200.123.148.177] : User unknown in virtual alias table : 1 Time(s)
        unknown[212.23.89.194] : User unknown in virtual alias table : 1 Time(s)
        unknown[59.33.214.67] : User unknown in virtual alias table : 1 Time(s)
        unknown[66.94.82.130] : User unknown in virtual alias table : 1 Time(s)
        unknown[89.232.124.193] : User unknown in virtual alias table : 1 Time(s)
        unknown[90.188.126.23] : User unknown in virtual alias table : 1 Time(s)

Obviously all of these email accounts don't exist, and I only included about 10% of all of the entries that were in the report. This list is growing every day. I have tested the mail server for open relays at checkor.com; here is the result with the domain xxxx'd out.

Checking mail.xxx.org:
220 xxx.com ESMTP Postfix
HELO ortest.checkor.com
250 xxx.com
RSET
250 Ok
MAIL FROM: test@checkor.com
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied
-------------------------
RSET
250 Ok
MAIL FROM:
501 Syntax: MAIL FROM:
RCPT TO: test1@checkor.com
503 Error: need MAIL command
-------------------------
RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied
---------------------------
RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied
---------------------------
RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@mail.xxx.org
554 : Relay access denied
-----------------------------
RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: "test1@test.com"@mail.xxx.org
554 : Relay access denied
------------------------------
RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: @mail.xxx.org:spamtest@checkor.com
554 : Relay access denied

xxx.org is the virtual server with the problem, xxx.com is the main server.

Running CentOS 4.6, current vm, webmin, etc.

Any guidance/explanation is appreciated.
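The logwatch sections quoted above are a summary of Postfix's own "reject:" lines in the mail log. The script below is an added example (not from the post or from Virtualmin) that reads raw Postfix smtpd log lines, splits rejections into the two buckets logwatch reports ("Relay access denied" and "User unknown in virtual alias table"), tallies them per client IP and lists the clients that keep coming back. The log lines it parses are constructed for the example; the client addresses and recipients are borrowed from the report above, the queue ids, sender addresses and HELO names are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape Postfix smtpd writes to /var/log/maillog.
# They are made up for this example; only the client IPs and recipients mirror the post.
SAMPLE_MAILLOG = """\
Jun  3 09:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[218.16.119.142]: 554 <dvdr0503@yahoo.com.cn>: Relay access denied; from=<x@example.net> to=<dvdr0503@yahoo.com.cn> proto=SMTP helo=<spammer>
Jun  3 09:12:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[218.16.119.142]: 554 <dvdr0503@yahoo.com.cn>: Relay access denied; from=<y@example.net> to=<dvdr0503@yahoo.com.cn> proto=SMTP helo=<spammer>
Jun  3 09:13:10 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[190.157.31.14]: 550 <451fab43.7090603@xxx.org>: Recipient address rejected: User unknown in virtual alias table; from=<a@example.org> to=<451fab43.7090603@xxx.org> proto=ESMTP helo=<pc>
Jun  3 09:14:22 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from 5acf07dd.bb.sky.com[90.207.7.221]: 550 <barbara@xxx.org>: Recipient address rejected: User unknown in virtual alias table; from=<b@example.org> to=<barbara@xxx.org> proto=ESMTP helo=<pc2>
Jun  3 09:15:00 mail postfix/smtpd[1237]: connect from unknown[218.16.119.142]
"""

# One rejection line: client host/IP, SMTP status code, recipient, reason text up to ';'.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)


def classify(reason):
    """Map Postfix's rejection text onto the two buckets logwatch reports."""
    if "Relay access denied" in reason:
        return "relay_denied"
    if "User unknown" in reason:
        return "unknown_user"
    return "other"


def summarize(log_text):
    """Count rejections per client IP, split by reason, with the recipients tried."""
    summary = defaultdict(lambda: {"relay_denied": 0, "unknown_user": 0,
                                   "other": 0, "recipients": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, disconnects, deliveries: not a rejection
        entry = summary[m.group("ip")]
        entry[classify(m.group("reason"))] += 1
        entry["recipients"].add(m.group("rcpt"))
    return dict(summary)


def repeat_offenders(summary, threshold):
    """IPs whose total rejections reach the threshold, busiest first."""
    def total(ip):
        e = summary[ip]
        return e["relay_denied"] + e["unknown_user"] + e["other"]
    return sorted((ip for ip in summary if total(ip) >= threshold),
                  key=lambda ip: (-total(ip), ip))


if __name__ == "__main__":
    s = summarize(SAMPLE_MAILLOG)
    for ip, e in sorted(s.items()):
        print(f"{ip:16} relay_denied={e['relay_denied']} "
              f"unknown_user={e['unknown_user']} recipients={sorted(e['recipients'])}")
    print("repeat offenders (>=2):", repeat_offenders(s, 2))
```

Both buckets are refusals: a "Relay access denied" entry is an outside client asking the server to deliver to a third party and being turned away, and a "User unknown in virtual alias table" entry is mail to a local address that does not exist, typically a dictionary attack on the domain. Neither line means anything got through. The thing worth alerting on is the opposite pattern, a message from an unauthenticated outside client that Postfix accepted and relayed onward, which is exactly what the checkor.com transcript above shows is not happening.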

Tue, 06/03/2008 - 11:13
Joe

It means someone is trying to send mail to/through your server, and your server is rejecting the messages. logwatch is letting you know about it. Everything is doing its job correctly. ;-)

--

Check out the forum guidelines!

Tue, 06/03/2008 - 11:20
SteveHeinsch

Thanks Joe. That's what I thought, but what prompted me to post was that this has been going on for weeks and it seems to be the same people. It just seems strange, since it isn't allowing the traffic through, that they keep at it.

Tue, 06/03/2008 - 12:12 (Reply to #3)
Joe

It's all automatic, and some tools are dumber than others. And, of course, they're not using their own hardware or network, so it costs them almost nothing. It's a zombie machine that's trying to talk to your box, and the spammers have hundreds of thousands more working on the same two problems (1. finding more boxes to take over and 2. sending spam).

--

Check out the forum guidelines!
