Re: [exim] Lots of incomplete transactions

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MPatrick - South Valley Internet at <-
MPatrick - South Valley Internet at ->
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Lots of incomplete transactions
Patrick - South Valley Internet wrote:

> Hello all,
>
> We are running DirectAdmin on one of our machines here, and we're having
> issues with some mail not being delivered. I was just notified of this
> today, and decided to tail the logs for 'incomplete transaction', and
> came up with a bunch of them. I am mainly concerned with the following
> two errors:
>
> 2006-10-23 12:31:46 H=(ecsz5es46gil0q) [216.171.132.22] incomplete
> transaction (RSET) from <gary.roberts@???> for dvk@???
> 2006-10-23 16:15:59 H=(ecsz5es46gil0q) [216.171.132.22] incomplete
> transaction (RSET) from <gary.roberts@???> for dvk@???
>

Host for 216.171.132.22 resolves to transedge-132-22.transedge.com.

Incoming mail for royalcircuits.com is handled on a different host, not
necessarily involved in outboud.

No idea what HELO was used.

Presuming no obfuscation, that looks suspiciously like an acl checking for
forward/reverse lookup and/or HELO, not find what it wants, and the sending
server going away mad when it is so informed.

log_selector = +all - at least temporarily - might show you a good deal more.

>
> Here are some from the log that don't have anything inside the 'from <>':
>
> 2006-10-23 16:08:51 H=ns5.hostinghk.com [210.184.113.5] incomplete
> transaction (QUIT) from <>
> 2006-10-23 16:09:14 H=smtp.zie.pg.gda.pl [153.19.33.3] incomplete
> transaction (RSET) from <>
> 2006-10-23 16:09:20 H=elyria-ppp-32.eriecoast.com (friend)
> [67.129.203.51] incomplete transaction (connection lost) from
> <alexander@???>
> 2006-10-23 16:09:41 H=janus.mcg.co.jp [61.199.158.67] incomplete
> transaction (QUIT) from <>
> 2006-10-23 16:10:07 H=apac.rqa-inc.com (MAIL.RQA-INC.COM)
> [207.227.21.174] incomplete transaction (RSET) from <>
> 2006-10-23 16:10:28 H=mail.prettlus.com
> (CENTAUR.GREENVILLE.PRETTLUS.COM) [208.49.62.162] incomplete transaction
> (RSET) from <>
> 2006-10-23 16:10:36 H=mail.gptek.co.za (gateway.gptek.co.za)
> [196.38.234.234] incomplete transaction (RSET) from <>
>

Several of those are in (at least our) blacklists.

The empty-sender indicates these may be bogus 'bounce' messages attempting
splatter-distribution.

Exim is probably configured correctly to NOT play that game.

Check, for example the timestamps between the 'smtp connection from.' or TCP/IP
connection..' and time for these disconnects on the same callers.

There may be delays being imposed to encourage them to begone.

>
> Please forgive me, as my knowledge of Exim is little. I normally work
> with Postfix servers. If there is anything I need to provide you folks
> with in order to help fix the problem, please let me know and I will get
> you that information.
>
> Thanks to all in advance.
>
> Patrick
>

Enhancing your logging for a time should help. Aside from turning up verbosity,
as above, you can also add 'logwrite' and 'log_message' lines in speciifc acl's
that you wish to keep an eye on.

- Then turn it back down to a low-roar once you have a comfort level established.

HTH,

Bill




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] Lots of incomplete transactions[exim] Patch for eximstats->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)