Logs and how to read them

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Wed Apr 21 22:50:19 UTC 2004


On Thu, 22.04.2004 at 00:32, Mike Rambour wrote:

> I am not sure there were relay attempts, they were not incompletely 
> pasted they were complete and there are NO other lines in /var/log/maillog 
> to correspond to them.  Most items in maillog have 2 lines for each PID, 
> but I have maybe a dozen that only have one line, I posted only 2 examples 
> of those.  It is because those are different that I am concerned they are 
> relayed, they may not be.  As I mentioned, I am a newbie thrown into this

Ok, I did not mean that you pasted incompletely, but that the pasted
lines were not complete mail processing maillog entries. And as said
before, you better scan for the message queue ID and not a sendmail PID.

If you like you could send me by private mail a bigger part of maillog -
let's say from over 1 or 2 hours, dependent on how much mail is
transferred in that period - and I'll investigate suspicious entries.

>  
> by my boss due to a departing system manager. When I picked this 
> responsibility up (with protest), I found that we were running an un-updated 
> Fedora, it took 2 days to get updated.  I am now enjoying this process of 
> searching and looking for answers.  This is FUN a lot more than what I was 
> doing for this company.

2 days for updating? Then you certainly did not set up mirror usage :(

> >As advised by Peter you better ask your ISP for details of the SPAM
> >report.
> 
>    I have asked but not received these yet.

Ok, insist on a data based report.

> >Are you running Apache on the mailserver too? If yes you might have a
> >misusable formmail on it through which foreign people can send SPAM.
> 
>    There is Apache running but no formmail or the like, only one form sends 
> mail through a PERL program and it sends mail to me only and writes a log 
> file.

Sounds safe. I did say it only because formmails are a very common way
foreign mail and web servers are misused for SPAMming.

Also be sure the Apache is not misconfigured as an open proxy for
outside connects. Saying that, you should see that in maillog. If the
maillog entries you initially pasted were really just single line
entries then there must have been timeouts when the sending MTA
connected, at least the first one. The second maillog entry even tells
about a mail size of 0 bytes. So there was not any DATA transferred. You
can forget such entries. Those are harmless connects, sending no data.

> >http://spamlinks.openrbl.org/tools-relay.htm
> 
>   didn't know about the spamlinks one, ran the other 2
> 
>    Thanks for the help
>          mike 

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 00:37:30 up 3 days, 7:23, load average: 0.30, 0.23, 0.21 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
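The reading rules given in the reply above (join maillog lines on the message queue ID rather than the sendmail PID; treat single-line entries with size=0 as connects that never sent DATA; other single-line entries as timeouts), as an added example that is not part of the original thread. The log lines, the local network prefix 192.0.2. and the "relayed onward" heuristic are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail maillog format (not from the original post).
# The from= and to= lines of one message carry DIFFERENT sendmail PIDs (daemon
# vs. delivery process) but the SAME queue ID, so the queue ID is the join key.
SAMPLE_LOG = """\
Apr 22 00:30:12 mx sendmail[2101]: i3LMUCAB002101: from=<alice@example.net>, size=1482, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Apr 22 00:30:13 mx sendmail[2104]: i3LMUCAB002101: to=<bob@example.org>, delay=00:00:01, mailer=local, pri=31482, stat=Sent
Apr 22 00:31:40 mx sendmail[2110]: i3LMVeAB002110: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Apr 22 00:32:05 mx sendmail[2115]: i3LMW5AB002115: from=<x@example.com>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Apr 22 00:32:06 mx sendmail[2118]: i3LMW5AB002115: to=<victim@example.com>, delay=00:00:01, mailer=esmtp, pri=32048, relay=mx.example.com. [198.51.100.2], stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)")
IP_RE = re.compile(r"\[([\d.]+)\]")
LOCAL_NET = "192.0.2."  # assumption: clients allowed to relay through this MTA

def parse_maillog(text):
    """Group maillog lines by queue ID, keeping the from=/to= fields and PIDs."""
    msgs = defaultdict(lambda: {"from": None, "to": [], "pids": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split(", ") if "=" in kv)
        entry = msgs[m.group("qid")]
        entry["pids"].add(m.group("pid"))
        if "from" in fields:
            entry["from"] = fields
        elif "to" in fields:
            entry["to"].append(fields)
    return dict(msgs)

def classify(msgs):
    """Apply the reading rules from the thread: one verdict per queue ID."""
    verdicts = {}
    for qid, e in msgs.items():
        f = e["from"] or {}
        if not e["to"]:
            # Single-line entry: the client connected but no delivery was logged.
            verdicts[qid] = "harmless: size=0, no DATA" if f.get("size") == "0" else "incomplete: timeout"
            continue
        src = IP_RE.search(f.get("relay", ""))
        external_src = src is None or not src.group(1).startswith(LOCAL_NET)
        forwarded = any(t.get("mailer") == "esmtp" for t in e["to"])  # delivered onward, not locally
        if external_src and forwarded:
            verdicts[qid] = "inspect: external client, mail relayed onward"
        else:
            verdicts[qid] = "normal delivery"
    return verdicts
```

Run `classify(parse_maillog(open("/var/log/maillog").read()))` to get one verdict per queue ID; the "inspect" verdict only marks entries worth a closer look, not a confirmed relay.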