HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Mail Log Question - Is This Normal (http://www.howtoforge.com/forums/showthread.php?t=39006)

gwiz 9th September 2009 21:49

Mail Log Question - Is This Normal
 
Is this a normal log file?

Wondering why pop3d/imapd/postfix keep connecting and disconnecting when I am not initiating the activity, and wondering why I am getting this warning from Google:

smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

Does this mean someone has tapped into my system and is bouncing spam mail off my server? This is just a partial of my log file; every 5 minutes or so there is activity, and the entire log is way too long to post here.

Is there a setting I need to change, or is this normal activity?



Sep 9 12:40:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: disconnect from localhost[127.0.0.1]
Sep 9 12:41:27 www postfix/smtpd[2775]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
Sep 9 12:41:27 www postfix/smtpd[2775]: disconnect from localhost[127.0.0.1]
Sep 9 12:43:34 www postfix/qmgr[2534]: 5AF5E2C2F2: from=<web2@www.damutt.com>, size=1283, nrcpt=1 (queue active)
Sep 9 12:44:05 www postfix/smtp[2876]: 5AF5E2C2F2: host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. 13si2998532pxi.23 (in reply to end of DATA command)
Sep 9 12:44:36 www postfix/smtp[2876]: 5AF5E2C2F2: to=<magicg@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.211.100]:25, delay=489, delays=427/0.09/31/31, dsn=2.0.0, status=sent (250 2.0.0 OK 1252521876 40si15158245ywh.73)
Sep 9 12:44:36 www postfix/qmgr[2534]: 5AF5E2C2F2: removed
Sep 9 12:45:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:45:01 www postfix/smtpd[2903]: connect from localhost[127.0.0.1]
Sep 9 12:45:01 www postfix/smtpd[2903]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:45:01 www postfix/smtpd[2903]: disconnect from localhost[127.0.0.1]
Sep 9 12:50:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:50:01 www postfix/smtpd[2967]: connect from localhost[127.0.0.1]
Sep 9 12:50:01 www postfix/smtpd[2967]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:50:01 www postfix/smtpd[2967]: disconnect from localhost[127.0.0.1]
Sep 9 12:55:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:55:01 www postfix/smtpd[3031]: connect from localhost[127.0.0.1]
Sep 9 12:55:01 www postfix/smtpd[3031]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:55:01 www postfix/smtpd[3031]: disconnect from localhost[127.0.0.1]
Sep 9 13:00:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:00:01 www postfix/smtpd[3095]: connect from localhost[127.0.0.1]
Sep 9 13:00:01 www postfix/smtpd[3095]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:00:01 www postfix/smtpd[3095]: disconnect from localhost[127.0.0.1]
Sep 9 13:05:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:05:01 www postfix/smtpd[3172]: connect from localhost[127.0.0.1]
Sep 9 13:05:01 www postfix/smtpd[3172]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:05:01 www postfix/smtpd[3172]: disconnect from localhost[127.0.0.1]
Sep 9 13:10:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:10:02 www postfix/smtpd[3248]: connect from localhost[127.0.0.1]
Sep 9 13:10:02 www postfix/smtpd[3248]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:10:02 www postfix/smtpd[3248]: disconnect from localhost[127.0.0.1]
Sep 9 13:15:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:15:02 www postfix/smtpd[3312]: connect from localhost[127.0.0.1]
Sep 9 13:15:02 www postfix/smtpd[3312]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:15:02 www postfix/smtpd[3312]: disconnect from localhost[127.0.0.1]
Sep 9 13:20:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:20:01 www postfix/smtpd[3379]: connect from localhost[127.0.0.1]
Sep 9 13:20:01 www postfix/smtpd[3379]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:20:01 www postfix/smtpd[3379]: disconnect from localhost[127.0.0.1]
Sep 9 13:25:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:25:01 www postfix/smtpd[3443]: connect from localhost[127.0.0.1]
Sep 9 13:25:01 www postfix/smtpd[3443]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:25:01 www postfix/smtpd[3443]: disconnect from localhost[127.0.0.1]

dclardy 9th September 2009 22:12

The connections every 5 minutes are the ISPConfig installation checking to make sure that necessary modules are running.

It sounds like someone else is using your server to relay mail for them. Not sure though. I am sure that someone else will be able to help more with that.

primal23 9th September 2009 23:02

It does read, to me at least, as a sign of a possible open relay.

gwiz 9th September 2009 23:15

2 Votes Saying Not Normal?
 
Quote:

Originally Posted by dclardy (Post 203851)

It sounds like someone else is using your server to relay mail for them. Not sure though. I am sure that someone else will be able to help more with that.

If I were to post the whole log -- there are at least 30 of these warnings:

host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

Funny thing is I just got this ISPConfig running 2 days ago, and have only sent out a couple testers to see if my contact forms are working.

Sad if someone hacked in already, before I have had a chance to figure ISPConfig out.

Either get rid of it --Or -- I just wait for the SPAM Police to come and take me away ... lol

primal23 9th September 2009 23:33

My server had ping open for maybe an hour, and it was enough for us to get hit at least 30 times a day by spambots.

gwiz 9th September 2009 23:46

Re:
 
Quote:

Originally Posted by primal23 (Post 203856)
My server had ping open for maybe an hour, and it was enough for us to get hit at least 30 times a day by spambots.

Well, none of my configuration files have been changed from fresh install -- Not that I would know how to change anything without breaking the system -- So unless it comes pre-set with open ports, I don't know.

My main goal was for my Father-In-Law to be able to access and control his own websites which I host, and to be able to run contact forms - Rather than posting an e-mail address on my sites.

Not so sure all the aggravation over the last week is worth opening my server up to the world to use at their own free will. I will watch the mail logs for a few days, and see if it mellows out - If not, I will have to try another way I guess.

falko 10th September 2009 18:26

This is normal activity from ISPConfig's monitoring module which tries to check if Postfix and Courier are still up and running.

dclardy 12th September 2009 03:09

Just so you know, I am pretty sure that error is due to the fact that you have a blacklisted IP address. I got the same thing on mine when my IP address changed yesterday. The other IP that I had was removed from some of the blacklists out there, and it got through. I am guessing that you are on a dynamic IP from a supplier who has supplied that information to the databases. You could try getting a static IP, but I am not lucky enough to have a supplier who will give me one.
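The thread's answers boil down to three separate things being mixed together in one log: loopback connections that are opened and closed without an SMTP command (falko's point about ISPConfig's monitoring), real outbound messages with a sender and recipient, and a remote server's 421 reply (dclardy's point about the sending IP being blocked). The following triage script, added here as an example and not code from the thread, ISPConfig or Postfix, separates those cases and also counts relay attempts that Postfix refused, so a reader can see whether the box is an open relay or merely a blocked sender. It assumes the standard Postfix syslog formats shown above plus Postfix's "Relay access denied" rejection line; the sample log is constructed, and its addresses, the sender name and the external client 198.51.100.7 are made up.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the excerpt posted in this thread.
# The sender, recipient and the external client 198.51.100.7 are made up.
SAMPLE_LOG = """\
Sep  9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
Sep  9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
Sep  9 12:40:02 www postfix/smtpd[2837]: disconnect from localhost[127.0.0.1]
Sep  9 12:43:34 www postfix/qmgr[2534]: 5AF5E2C2F2: from=<web2@www.example.com>, size=1283, nrcpt=1 (queue active)
Sep  9 12:44:05 www postfix/smtp[2876]: 5AF5E2C2F2: host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [192.0.2.10] Our system has detected an unusual amount of unsolicited mail (in reply to end of DATA command)
Sep  9 12:44:36 www postfix/smtp[2876]: 5AF5E2C2F2: to=<someone@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.211.100]:25, delay=489, delays=427/0.09/31/31, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep  9 12:44:36 www postfix/qmgr[2534]: 5AF5E2C2F2: removed
Sep  9 12:45:01 www postfix/smtpd[2903]: connect from localhost[127.0.0.1]
Sep  9 12:45:01 www postfix/smtpd[2903]: lost connection after CONNECT from localhost[127.0.0.1]
Sep  9 12:45:01 www postfix/smtpd[2903]: disconnect from localhost[127.0.0.1]
Sep  9 12:46:10 www postfix/smtpd[2950]: connect from unknown[198.51.100.7]
Sep  9 12:46:11 www postfix/smtpd[2950]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spammer@example.org> to=<victim@example.net> proto=ESMTP helo=<x>
Sep  9 12:46:12 www postfix/smtpd[2950]: disconnect from unknown[198.51.100.7]
"""

LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}

# Patterns for the Postfix syslog lines seen in the thread (plus the relay rejection line).
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([^\]]+)\]")
PROBE_RE = re.compile(r"lost connection after CONNECT from \S+\[([^\]]+)\]")
RELAY_DENIED_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[([^\]]+)\]: 554 .*Relay access denied")
QMGR_FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
REMOTE_SAID_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): host (\S+) said: (\d{3})")
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<([^>]*)>, relay=([^,]+),.*status=(\w+)")


def triage(log_text):
    """Split a Postfix/Courier mail log into the categories that matter for the question
    'is my server relaying spam, or is it just being monitored and rate-limited?'."""
    summary = {
        "localhost_probes": 0,          # loopback connects closed before any SMTP command
        "external_clients": Counter(),  # connects from non-loopback IPs, by IP
        "relay_denied": Counter(),      # relay attempts Postfix refused, by client IP
        "senders": Counter(),           # envelope senders of messages actually queued
        "deliveries": [],               # (queue_id, sender, recipient, relay, status)
        "remote_4xx": [],               # (queue_id, remote host, code) temporary refusals
    }
    queue_sender = {}  # queue id -> envelope sender, filled from qmgr lines

    for line in log_text.splitlines():
        if (m := PROBE_RE.search(line)) and m.group(1) in LOOPBACK:
            summary["localhost_probes"] += 1
        elif (m := CONNECT_RE.search(line)) and m.group(1) not in LOOPBACK:
            summary["external_clients"][m.group(1)] += 1
        elif m := RELAY_DENIED_RE.search(line):
            summary["relay_denied"][m.group(1)] += 1
        elif m := QMGR_FROM_RE.search(line):
            qid, sender = m.groups()
            queue_sender[qid] = sender
            summary["senders"][sender] += 1
        elif m := REMOTE_SAID_RE.search(line):
            qid, host, code = m.groups()
            if code.startswith("4"):
                summary["remote_4xx"].append((qid, host, code))
        elif m := DELIVERY_RE.search(line):
            qid, rcpt, relay, status = m.groups()
            summary["deliveries"].append((qid, queue_sender.get(qid, "?"), rcpt, relay, status))
    return summary


def findings(summary):
    """Turn the counts into plain-language triage notes."""
    notes = []
    if summary["localhost_probes"]:
        notes.append(f"{summary['localhost_probes']} loopback connects closed before any SMTP "
                     "command: local health checks, not relayed mail")
    for ip, n in summary["relay_denied"].items():
        notes.append(f"{n} relay attempt(s) from {ip} refused by Postfix: relay restrictions are in force")
    for qid, host, code in summary["remote_4xx"]:
        notes.append(f"message {qid} got {code} from {host}: the remote side is temporarily blocking our IP")
    for sender, n in summary["senders"].items():
        notes.append(f"{n} message(s) queued from <{sender}>: unfamiliar senders here would point to local abuse")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print("-", note)
```

Run it against `/var/log/mail.log` by passing the file contents to `triage()`. A healthy but blocked server looks like the sample: probes every five minutes, a handful of known local senders, relay attempts refused, and 421 replies from the remote side. Queued messages from senders you do not recognise, or accepted messages whose client is an external IP, are the lines that would actually support the open-relay theory raised in the thread.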
