  #1  
9th September 2009, 21:49
gwiz
Mail Log Question - Is This Normal

Is this a normal log file?

Wondering why pop3d/imapd/postfix keep connecting and disconnecting when I am not initiating the activity, and wondering why I am getting this warning from Google:

smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

Does this mean someone has tapped into my system and is bouncing spam mail off my server? This is just a part of my log file; every 5 minutes or so there is activity, and the entire log is way too long to post here.

Is there a setting I need to change, or is this normal activity?



Sep 9 12:40:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: disconnect from localhost[127.0.0.1]
Sep 9 12:41:27 www postfix/smtpd[2775]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
Sep 9 12:41:27 www postfix/smtpd[2775]: disconnect from localhost[127.0.0.1]
Sep 9 12:43:34 www postfix/qmgr[2534]: 5AF5E2C2F2: from=<web2@www.damutt.com>, size=1283, nrcpt=1 (queue active)
Sep 9 12:44:05 www postfix/smtp[2876]: 5AF5E2C2F2: host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. 13si2998532pxi.23 (in reply to end of DATA command)
Sep 9 12:44:36 www postfix/smtp[2876]: 5AF5E2C2F2: to=<magicg@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.211.100]:25, delay=489, delays=427/0.09/31/31, dsn=2.0.0, status=sent (250 2.0.0 OK 1252521876 40si15158245ywh.73)
Sep 9 12:44:36 www postfix/qmgr[2534]: 5AF5E2C2F2: removed
Sep 9 12:45:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:45:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:45:01 www postfix/smtpd[2903]: connect from localhost[127.0.0.1]
Sep 9 12:45:01 www postfix/smtpd[2903]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:45:01 www postfix/smtpd[2903]: disconnect from localhost[127.0.0.1]
Sep 9 12:50:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:50:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:50:01 www postfix/smtpd[2967]: connect from localhost[127.0.0.1]
Sep 9 12:50:01 www postfix/smtpd[2967]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:50:01 www postfix/smtpd[2967]: disconnect from localhost[127.0.0.1]
Sep 9 12:55:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:55:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 12:55:01 www postfix/smtpd[3031]: connect from localhost[127.0.0.1]
Sep 9 12:55:01 www postfix/smtpd[3031]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:55:01 www postfix/smtpd[3031]: disconnect from localhost[127.0.0.1]
Sep 9 13:00:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:00:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:00:01 www postfix/smtpd[3095]: connect from localhost[127.0.0.1]
Sep 9 13:00:01 www postfix/smtpd[3095]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:00:01 www postfix/smtpd[3095]: disconnect from localhost[127.0.0.1]
Sep 9 13:05:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:05:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:05:01 www postfix/smtpd[3172]: connect from localhost[127.0.0.1]
Sep 9 13:05:01 www postfix/smtpd[3172]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:05:01 www postfix/smtpd[3172]: disconnect from localhost[127.0.0.1]
Sep 9 13:10:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:10:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:10:02 www postfix/smtpd[3248]: connect from localhost[127.0.0.1]
Sep 9 13:10:02 www postfix/smtpd[3248]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:10:02 www postfix/smtpd[3248]: disconnect from localhost[127.0.0.1]
Sep 9 13:15:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:15:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:15:02 www postfix/smtpd[3312]: connect from localhost[127.0.0.1]
Sep 9 13:15:02 www postfix/smtpd[3312]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:15:02 www postfix/smtpd[3312]: disconnect from localhost[127.0.0.1]
Sep 9 13:20:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:20:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:20:01 www postfix/smtpd[3379]: connect from localhost[127.0.0.1]
Sep 9 13:20:01 www postfix/smtpd[3379]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:20:01 www postfix/smtpd[3379]: disconnect from localhost[127.0.0.1]
Sep 9 13:25:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 9 13:25:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 9 13:25:01 www postfix/smtpd[3443]: connect from localhost[127.0.0.1]
Sep 9 13:25:01 www postfix/smtpd[3443]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 13:25:01 www postfix/smtpd[3443]: disconnect from localhost[127.0.0.1]
  #2  
9th September 2009, 22:12
dclardy

The connections every 5 minutes are the ISPConfig installation checking to make sure that necessary modules are running.

It sounds like someone else is using your server to relay mail for them. Not sure though. I am sure that someone else will be able to help more with that.
  #3  
9th September 2009, 23:02
primal23

It does read, to me at least, as a sign of a possible open relay.
  #4  
9th September 2009, 23:15
gwiz
2 Votes Saying Not Normal?

Quote (originally posted by dclardy):

It sounds like someone else is using your server to relay mail for them. Not sure though. I am sure that someone else will be able to help more with that.
If I was to post the whole log -- there are at least 30 of these warnings:

host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

Funny thing is I just got this ISPConfig running 2 days ago, and have only sent out a couple testers to see if my contact forms are working.

Sad if someone hacked in already, before I have had a chance to figure ISPConfig out.

Either get rid of it --Or -- I just wait for the SPAM Police to come and take me away ... lol
  #5  
9th September 2009, 23:33
primal23

My server had ping open for maybe an hour, and it was enough for us to get hit at least 30 times a day by spambots.
  #6  
9th September 2009, 23:46
gwiz
Re:

Quote (originally posted by primal23):
My server had ping open for maybe an hour, and it was enough for us to get hit at least 30 times a day by spambots.
Well, none of my configuration files have been changed from fresh install -- not that I would know how to change anything without breaking the system -- so unless it comes pre-set with open ports, I don't know.

My main goal was for my Father-In-Law to be able to access and control his own websites which I host, and to be able to run contact forms - Rather than posting an e-mail address on my sites.

Not so sure all the aggravation over the last week is worth opening my server up to the world to use at their own free will. I will watch the mail logs for a few days, and see if it mellows out - If not, I will have to try another way I guess.
  #7  
10th September 2009, 18:26
falko

This is normal activity from ISPConfig's monitoring module which tries to check if Postfix and Courier are still up and running.
  #8  
12th September 2009, 03:09
dclardy

Just so you know, I am pretty sure that error is due to the fact that you have a blacklisted IP address. I got the same thing on mine when my IP address changed yesterday. The other IP that I had was removed from some of the blacklists out there, and it got through. I am guessing that you are on a dynamic IP from a supplier who has supplied that information to the databases. You could try getting a static IP, but I am not lucky enough to have a supplier who will give me one.
Reply With Quote
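
Added example, not part of the thread: a short Python triage of a Postfix mail log that separates the two things discussed above, the localhost health probes (connections with no queue ID) and actual messages, and flags any message accepted over SMTP from a remote, unauthenticated client for an outside recipient, which is how an open relay shows up in the log. The log lines, addresses and the local domain example.com are constructed, and loopback is assumed to be the only trusted network.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog format as the log posted in the thread.
SAMPLE = """\
Sep 9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:43:30 www postfix/pickup[2530]: AAAA111111: uid=33 from=<web2@www.example.com>
Sep 9 12:43:34 www postfix/qmgr[2534]: AAAA111111: from=<web2@www.example.com>, size=1283, nrcpt=1 (queue active)
Sep 9 12:44:05 www postfix/smtp[2876]: AAAA111111: host mx.example.net[192.0.2.25] said: 421-4.7.0 temporarily blocked (in reply to end of DATA command)
Sep 9 12:44:36 www postfix/smtp[2876]: AAAA111111: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=489, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 9 12:46:10 www postfix/smtpd[2910]: BBBB222222: client=unknown[203.0.113.7]
Sep 9 12:46:11 www postfix/qmgr[2534]: BBBB222222: from=<x@example.org>, size=900, nrcpt=1 (queue active)
Sep 9 12:46:12 www postfix/smtp[2911]: BBBB222222: to=<y@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""
LINE = re.compile(r"postfix/(\w+)\[\d+\]: (?:([0-9A-F]{6,}): )?(.*)")

def triage(text):
    """Return (number of localhost probes, {queue_id: message record})."""
    probes, msgs = 0, defaultdict(lambda: {"origin": None, "from": None, "to": [], "deferred_421": 0})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if qid is None:  # no queue ID: the connection never submitted a message
            probes += "lost connection after CONNECT from localhost" in rest
            continue
        msg = msgs[qid]
        if daemon == "pickup":  # handed in on the server itself (sendmail command)
            msg["origin"] = "local " + rest.split()[0]
        elif daemon == "smtpd" and rest.startswith("client="):
            msg["origin"] = rest  # carries sasl_username=... when the client authenticated
        elif daemon == "qmgr" and rest.startswith("from=<"):
            msg["from"] = rest[6:rest.index(">")]
        elif daemon == "smtp" and rest.startswith("to=<"):
            msg["to"].append(rest[4:rest.index(">")])
        elif daemon == "smtp" and "said: 421" in rest:
            msg["deferred_421"] += 1
    return probes, dict(msgs)

def relay_suspects(msgs, local_domains=("example.com",)):
    """Queue IDs taken over SMTP from a remote, unauthenticated client for an outside recipient."""
    def outside(addr):
        dom = addr.rsplit("@", 1)[-1].lower()
        return not any(dom == d or dom.endswith("." + d) for d in local_domains)
    return [q for q, m in msgs.items()
            if (m["origin"] or "").startswith("client=") and "[127.0.0.1]" not in m["origin"]
            and "sasl_username=" not in m["origin"] and any(outside(t) for t in m["to"])]
```

A message whose origin is `local uid=N` was submitted on the server itself rather than relayed, so the uid points at the local account or script to look at next.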