Logs and how to read them

Rick Stevens rstevens at vitalstream.com
Wed Apr 21 20:56:36 UTC 2004 

Mike Rambour wrote:
>    I am a very newbie here and my ISP is saying they received a 
> complaint about SPAM being sent from my machine, they claim its my IP 
> that sent it (fixed IP, not DHCP).
> 
>   I have checked and I have relaying turned off and only 6 valid users 
> on the machine, I forced a password change for all accounts.  I also 
> used Abuse.Nets relay test to make sure I was not allowing relays. I 
> have no idea how that SPAM got out.  Since this machine is a firewall 
> for our office,  I tested all internal machines for virus/worms/etc with 
> the latest tools.

Are these Windows machines, by any chance?  Are you sure they don't have
a Bagel or Klez virus?

>  So, in the process I looked at all my logs in /var/log  I specifically 
> grep'd for the email address that the spam was sent as and to and found 
> no references to it in my logs implying it was not my machine.  But I 
> found other things that I dont know how to read.

Such as?  The logs you are interested in are (predominately)
/var/log/messages
/var/log/maillog
/var/log/dmesg (well, you really don't need that one)

>   I googled and found no place for a "how-to read logs and what they 
> mean".  In /var/log/messages, I googled for "lame servers" and found 
> that is ok along with a few other items.
> 
>  in maillog however, I see very few "Relaying denied" messages (I 
> expected more of them) and a lot of "lost input" messages that from 
> googling appears to be a spammer that got blocked and ok (is that 
> true?).  In every case where a "lost input" was I could find 2 lines, 
> one for the "from" and one for lost input with the matching 
> "sendmail[xxxx]" number.

That sounds right.
> 
>   But lines like these 2 below did NOT have matching lines, does this 
> mean they got sent ? relayed thru my machine somehow ?  I could not find 
> a fail or sent line for many lines like the ones below.
> 
> Apr 21 12:25:00 mail sendmail[1067]: MAA01067: 
> from=<postmaster at hoteiscontinental.com.br>, size=1657, class=0, pri=0
> , nrcpts=0, proto=ESMTP, relay=[200.213.72.130]

That looks like a relay attempt.  The sending system's IP was
200.213.72.130.  Look for another entry with that same "sendmail[1067]"
bit, and you'll see the delivery attempt.

> Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, 
> pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]

That's also a relay attempt.  Look for another entry with
"sendmail[1214]" in it to see the delivery attempt.  BTW, that's one of
the classic spammer ploys...using "<>" as the sending address.  Your
sendmail.cf should catch that and not relay it.

You should go to sendmail.org's site and read up on anti-spam and anti-
relay setups.  Also make sure you have current sendmail binaries
installed.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-        Artificial Intelligence usually beats real stupidity.       -
----------------------------------------------------------------------

More information about the fedora-list mailing list