Email concerns for one domain.

My logwatch report is growing every day with strange things for 1 domain. Does this look normal?
Replacing names with xxxxx for security:

--------------------- postfix Begin ------------------------

6082081 bytes transferred
2113 messages sent
2112 messages removed from queue

Top ten senders:
7 messages sent by:
xxx.xxxxx (uid=517):
4 messages sent by:
xxxx (uid=504):
2 messages sent by:
root (uid=0):

All of those messages sent?

more:

Relaying denied:
    From unknown[218.16.119.142] to dvdr0503@yahoo.com.cn : 4 Time(s)
    From unknown[58.125.124.152] to hudoleev@nvkz.net : 1 Time(s)
    From unknown[58.125.124.152] to olgmail@nvkz.net : 1 Time(s)
    From unknown[91.188.216.65] to sales@telephant.biz : 1 Time(s)
    From unknown[91.188.216.65] to sam@telephant.biz : 1 Time(s)

What's all of this mean?

Messages rejected to recipient:
    451fab43.7090603@xxx.org: unknown[190.157.31.14] : User unknown in virtual alias table : 1 Time(s)
    BARBARA@xxx.ORG: unknown[222.170.54.198] : User unknown in virtual alias table : 1 Time(s)
    MREWOPRETOVWD2@xxx.org: mx5.netwood.net[63.214.156.45] : User unknown in virtual alias table : 1 Time(s)
    barb@xxx.org: unknown[210.125.162.189] : User unknown in virtual alias table : 1 Time(s)
    barbara@xxx.org: 189-68-165-209.dsl.telesp.net.br[189.68.165.209] : User unknown in virtual alias table : 1 Time(s)
        201-14-93-166.gnace701.dsl.brasiltelecom.net.br[201.14.93.166] : User unknown in virtual alias table : 1 Time(s)
        217.64.255.58.mactelecom.net[217.64.255.58] : User unknown in virtual alias table : 1 Time(s)
        5acf07dd.bb.sky.com[90.207.7.221] : User unknown in virtual alias table : 1 Time(s)
        ass134.internetdsl.tpnet.pl[83.17.230.134] : User unknown in virtual alias table : 1 Time(s)
        athedsl-99188.home.otenet.gr[87.202.188.194] : User unknown in virtual alias table : 1 Time(s)
        c193-227.icpnet.pl[85.221.193.227] : User unknown in virtual alias table : 1 Time(s)
        dsl-200-67-97-209.prod-empresarial.com.mx[200.67.97.209] : User unknown in virtual alias table : 1 Time(s)
        host-89-229-193-212.gizycko.mm.pl[89.229.193.212] : User unknown in virtual alias table : 1 Time(s)
        host81-151-208-100.range81-151.btcentralplus.com[81.151.208.100] : User unknown in virtual alias table : 1 Time(s)
        ppp85-140-32-98.pppoe.mtu-net.ru[85.140.32.98] : User unknown in virtual alias table : 1 Time(s)
        se2-as1590.alshamil.net.ae[92.97.198.66] : User unknown in virtual alias table : 1 Time(s)
        spc1-port4-0-0-cust844.cosh.broadband.ntl.com[86.6.47.77] : User unknown in virtual alias table : 1 Time(s)
        unknown[125.180.61.23] : User unknown in virtual alias table : 1 Time(s)
        unknown[189.77.28.178] : User unknown in virtual alias table : 1 Time(s)
        unknown[190.156.61.105] : User unknown in virtual alias table : 1 Time(s)
        unknown[190.174.148.208] : User unknown in virtual alias table : 1 Time(s)
        unknown[200.123.148.177] : User unknown in virtual alias table : 1 Time(s)
        unknown[212.23.89.194] : User unknown in virtual alias table : 1 Time(s)
        unknown[59.33.214.67] : User unknown in virtual alias table : 1 Time(s)
        unknown[66.94.82.130] : User unknown in virtual alias table : 1 Time(s)
        unknown[89.232.124.193] : User unknown in virtual alias table : 1 Time(s)
        unknown[90.188.126.23] : User unknown in virtual alias table : 1 Time(s)

Obviously all of these email accounts don't exist, and I only included about 10% of all of the entries that were in the report. This list is growing every day.
I have tested the mail server for open relays at checkor.com; here is the result with the domain xxxx'd out.

Checking mail.xxx.org:

220 xxx.com ESMTP Postfix
HELO ortest.checkor.com
250 xxx.com
RSET
250 Ok
MAIL FROM: test@checkor.com
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied

RSET
250 Ok
MAIL FROM:
501 Syntax: MAIL FROM:

RCPT TO: test1@checkor.com
503 Error: need MAIL command

RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied

RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@checkor.com
554 : Relay access denied

RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: test1@mail.xxx.org
554 : Relay access denied

RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: "test1@test.com"@mail.xxx.org
554 : Relay access denied

RSET
250 Ok
MAIL FROM: spam@mail.xxx.org
250 Ok
RCPT TO: @mail.xxx.org:spamtest@checkor.com
554 : Relay access denied

xxx.org is the virtual server with the problem, xxx.com is the main server.

Running CentOS 4.6, current vm, webmin, etc.

Any guidance/explanation is appreciated.

It means someone is trying to send mail to/through your server, and your server is rejecting the messages. logwatch is letting you know about it. Everything is doing its job correctly. :wink:

Thanks Joe. That's what I thought, but what prompted me to post was that this has been going on for weeks and it seems to be the same people. It just seems strange, since it isn't allowing the traffic through, that they keep at it.

It’s all automatic, and some tools are dumber than others. And, of course, they’re not using their own hardware or network, so it costs them almost nothing. It’s a zombie machine that’s trying to talk to your box, and the spammers have hundreds of thousands more working on the same two problems (1. finding more boxes to take over and 2. sending spam).
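An added example, not from anyone in this thread, that does by hand what the logwatch summary above does: it parses the Postfix "NOQUEUE: reject" lines behind the "Relaying denied" and "User unknown in virtual alias table" counts, rolls them up per client IP, and lists the sources that keep coming back, which is how you would confirm it really is the same handful of machines retrying. The log lines are constructed samples using documentation addresses, not the poster's log.

```python
import re
from collections import Counter

# Postfix smtpd rejection line; these are the lines logwatch condenses into
# "Relaying denied" and "Messages rejected to recipient".
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) [\d.]+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

# Constructed sample maillog excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Apr  1 10:02:11 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user@example.net>: Relay access denied; from=<a@example.com> to=<user@example.net> proto=ESMTP helo=<x>
Apr  1 10:02:13 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user2@example.net>: Relay access denied; from=<a@example.com> to=<user2@example.net> proto=ESMTP helo=<x>
Apr  1 10:05:40 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 550 5.1.1 <nobody@xxx.org>: Recipient address rejected: User unknown in virtual alias table; from=<b@example.com> to=<nobody@xxx.org> proto=SMTP helo=<y>
Apr  1 10:09:02 mail postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <user3@example.net>: Relay access denied; from=<a@example.com> to=<user3@example.net> proto=ESMTP helo=<x>
"""

def parse_rejects(log_text):
    """Return one dict (host, ip, code, rcpt, reason) per rejected RCPT."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records

def classify(reason):
    """Collapse Postfix's reason text into the two buckets logwatch shows."""
    if "Relay access denied" in reason:
        return "Relaying denied"
    if "User unknown" in reason:
        return "User unknown"
    return "Other"

def summarize(records):
    """Map reason bucket -> Counter of client IPs (a logwatch-style rollup)."""
    out = {}
    for r in records:
        out.setdefault(classify(r["reason"]), Counter())[r["ip"]] += 1
    return out

def repeat_sources(records, min_hits=2):
    """Client IPs rejected at least min_hits times, most persistent first."""
    counts = Counter(r["ip"] for r in records)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]

if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG)
    for bucket, ips in summarize(recs).items():
        print(bucket, dict(ips))
    print("repeat sources:", repeat_sources(recs))
```

Point it at /var/log/maillog instead of SAMPLE_LOG to see the real picture; a source that shows up day after day while every attempt is rejected is exactly the automated behaviour Joe describes, not a sign the server is letting anything through.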