My logwatch report is growing every day with strange things for 1 domain. Does this look normal?
Replacing names with xxxxx for security:
--------------------- postfix Begin ------------------------
6082081 bytes transferred
2113 messages sent
2112 messages removed from queue
Top ten senders:
7 messages sent by:
xxx.xxxxx (uid=517):
4 messages sent by:
xxxx (uid=504):
2 messages sent by:
root (uid=0):
All of those messages sent?
more:
Relaying denied:
From unknown[218.16.119.142] to dvdr0503@yahoo.com.cn : 4 Time(s)
From unknown[58.125.124.152] to hudoleev@nvkz.net : 1 Time(s)
From unknown[58.125.124.152] to olgmail@nvkz.net : 1 Time(s)
From unknown[91.188.216.65] to sales@telephant.biz : 1 Time(s)
From unknown[91.188.216.65] to sam@telephant.biz : 1 Time(s)
What's all of this mean?
Messages rejected to recipient:
451fab43.7090603@xxx.org:
unknown[190.157.31.14] : User unknown in virtual alias table : 1 Time(s)
BARBARA@xxx.ORG:
unknown[222.170.54.198] : User unknown in virtual alias table : 1 Time(s)
MREWOPRETOVWD2@xxx.org:
mx5.netwood.net[63.214.156.45] : User unknown in virtual alias table : 1 Time(s)
barb@xxx.org:
unknown[210.125.162.189] : User unknown in virtual alias table : 1 Time(s)
barbara@xxx.org:
189-68-165-209.dsl.telesp.net.br[189.68.165.209] : User unknown in virtual alias table : 1 Time(s)
201-14-93-166.gnace701.dsl.brasiltelecom.net.br[201.14.93.166] : User unknown in virtual alias table : 1 Time(s)
217.64.255.58.mactelecom.net[217.64.255.58] : User unknown in virtual alias table : 1 Time(s)
5acf07dd.bb.sky.com[90.207.7.221] : User unknown in virtual alias table : 1 Time(s)
ass134.internetdsl.tpnet.pl[83.17.230.134] : User unknown in virtual alias table : 1 Time(s)
athedsl-99188.home.otenet.gr[87.202.188.194] : User unknown in virtual alias table : 1 Time(s)
c193-227.icpnet.pl[85.221.193.227] : User unknown in virtual alias table : 1 Time(s)
dsl-200-67-97-209.prod-empresarial.com.mx[200.67.97.209] : User unknown in virtual alias table : 1 Time(s)
host-89-229-193-212.gizycko.mm.pl[89.229.193.212] : User unknown in virtual alias table : 1 Time(s)
host81-151-208-100.range81-151.btcentralplus.com[81.151.208.100] : User unknown in virtual alias table : 1 Time(s)
ppp85-140-32-98.pppoe.mtu-net.ru[85.140.32.98] : User unknown in virtual alias table : 1 Time(s)
se2-as1590.alshamil.net.ae[92.97.198.66] : User unknown in virtual alias table : 1 Time(s)
spc1-port4-0-0-cust844.cosh.broadband.ntl.com[86.6.47.77] : User unknown in virtual alias table : 1 Time(s)
unknown[125.180.61.23] : User unknown in virtual alias table : 1 Time(s)
unknown[189.77.28.178] : User unknown in virtual alias table : 1 Time(s)
unknown[190.156.61.105] : User unknown in virtual alias table : 1 Time(s)
unknown[190.174.148.208] : User unknown in virtual alias table : 1 Time(s)
unknown[200.123.148.177] : User unknown in virtual alias table : 1 Time(s)
unknown[212.23.89.194] : User unknown in virtual alias table : 1 Time(s)
unknown[59.33.214.67] : User unknown in virtual alias table : 1 Time(s)
unknown[66.94.82.130] : User unknown in virtual alias table : 1 Time(s)
unknown[89.232.124.193] : User unknown in virtual alias table : 1 Time(s)
unknown[90.188.126.23] : User unknown in virtual alias table : 1 Time(s)
Obviously all of these email accounts don’t exist, and I only included about 10% of all of the entries that were in the report. This list is growing every day.
I have tested the mail server for open-relays at checkor.com, here is the result with the domain xxxx’d out.
It means someone is trying to send mail to/through your server, and your server is rejecting the messages. logwatch is letting you know about it. Everything is doing its job correctly.
Thanks Joe. That's what I thought, but what prompted me to post was that this has been going on for weeks and it seems to be the same people. It just seems strange, since it isn’t allowing the traffic through, that they keep at it.
It’s all automatic, and some tools are dumber than others. And, of course, they’re not using their own hardware or network, so it costs them almost nothing. It’s a zombie machine that’s trying to talk to your box, and the spammers have hundreds of thousands more working on the same two problems (1. finding more boxes to take over and 2. sending spam).
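The question of whether it is "the same people" is easy to answer from the report itself: tally the rejections per connecting IP across both the "Relaying denied" and "Messages rejected to recipient" sections. The script below is an added example, not code from the thread or from logwatch; it parses the two line shapes shown in the report above and lists the IPs that keep coming back, which is what you would feed into a fail2ban jail or a postscreen/RBL review. The sample report text is constructed (documentation-range addresses), and the section headers it keys on are the ones visible in the report.

```python
import re
from collections import Counter, defaultdict

# "From unknown[218.16.119.142] to dvdr0503@yahoo.com.cn : 4 Time(s)"
RELAY_RE = re.compile(
    r"^From (?P<host>\S+)\[(?P<ip>[0-9.]+)\] to (?P<rcpt>\S+) : (?P<n>\d+) Time\(s\)$"
)
# "unknown[190.157.31.14] : User unknown in virtual alias table : 1 Time(s)"
REJECT_RE = re.compile(
    r"^(?P<host>\S+)\[(?P<ip>[0-9.]+)\] : (?P<reason>.+?) : (?P<n>\d+) Time\(s\)$"
)
# "barbara@xxx.org:" (recipient header inside the rejected-to-recipient section)
RCPT_HEADER_RE = re.compile(r"^(?P<rcpt>[^\s:]+@[^\s:]+):$")

# Constructed sample in the logwatch postfix format shown in the thread.
SAMPLE_REPORT = """\
Relaying denied:
From unknown[198.51.100.7] to someone@example.net : 4 Time(s)
From unknown[203.0.113.9] to other@example.net : 1 Time(s)
Messages rejected to recipient:
barbara@xxx.org:
unknown[198.51.100.7] : User unknown in virtual alias table : 1 Time(s)
host.example[203.0.113.9] : User unknown in virtual alias table : 1 Time(s)
barb@xxx.org:
unknown[192.0.2.33] : User unknown in virtual alias table : 1 Time(s)
Top ten senders:
"""


def parse_report(text):
    """Walk the report and return (relay_hits, reject_hits, recipients_by_ip).

    relay_hits / reject_hits map client IP -> number of attempts;
    recipients_by_ip maps client IP -> set of addresses it targeted.
    """
    relay = Counter()
    reject = Counter()
    rcpts = defaultdict(set)
    section = None
    current_rcpt = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Relaying denied:"):
            section = "relay"
            continue
        if line.startswith("Messages rejected to recipient:"):
            section = "reject"
            current_rcpt = None
            continue
        if section == "relay":
            m = RELAY_RE.match(line)
            if m:
                relay[m["ip"]] += int(m["n"])
                rcpts[m["ip"]].add(m["rcpt"])
                continue
        elif section == "reject":
            h = RCPT_HEADER_RE.match(line)
            if h:
                current_rcpt = h["rcpt"]
                continue
            m = REJECT_RE.match(line)
            if m and current_rcpt:
                reject[m["ip"]] += int(m["n"])
                rcpts[m["ip"]].add(current_rcpt)
                continue
        # Any other "Something:" header starts a section we do not parse.
        if line.endswith(":"):
            section = None
    return relay, reject, rcpts


def repeat_offenders(relay, reject, min_hits=2):
    """IPs whose combined relay + reject attempts reach min_hits.

    Returns [(ip, total_attempts, distinct_recipients)] sorted by attempts.
    """
    totals = Counter(relay)
    totals.update(reject)
    rows = [(ip, n, len(set())) for ip, n in totals.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def summarize(text, min_hits=2):
    """Convenience wrapper: parse and rank in one call."""
    relay, reject, rcpts = parse_report(text)
    ranked = repeat_offenders(relay, reject, min_hits)
    # Fill in the distinct-recipient column from the parsed recipient sets.
    return [(ip, n, len(rcpts[ip])) for ip, n, _ in ranked]


if __name__ == "__main__":
    for ip, n, k in summarize(SAMPLE_REPORT):
        print(f"{ip:16} {n:4} attempts  {k} distinct recipients")
```

Run it over the concatenated "postfix" sections of several days of logwatch mail to see whether the top entries are stable; a zombie that returns daily with the same small recipient list is exactly the pattern the last reply describes, and a stable top-N list is a reasonable candidate set for a temporary firewall or postscreen block. Note that the report only records what Postfix already refused, so none of this changes the delivery outcome, it only shortens the logs and saves a few SMTP sessions.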