Hi all,
I have been wrestling with my servers trying to cut down on the amount of spam we are sending.
Can someone translate these log lines:
2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull P=local S=1185
...
2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll ** binod@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<binod@???>: host borland-mxa.mail.eds.net [192.85.154.83]: 550 5.1.2 <binod@???>... Rejected: 69.90.69.141 Backscatter
2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll binod@???: error ignored
2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll Completed
It looks to me as if the original message was rejected because the remote mail host saw my server as a spammer.
What I need to know is how did the original message (log line 1) get into my server at all? How can I beef up the logging to tell me if it was a locally generated message, or if I have a hacked account (password 'guessed')?
-Grant

From graeme@??? Mon Mar 17 13:48:34 2008
From: Graeme Fowler <graeme@???>
To: exim-users@???
Date: Mon, 17 Mar 2008 13:48:22 +0000
Subject: Re: [exim] Better Tracking
List-Id: A user list for the exim MTA <exim-users.exim.org>
On Mon, 2008-03-17 at 09:42 -0400, Grant Peel wrote:
> What I need to know is how did the original message (log line 1) get into my server at all? How can I beef up the logging to tell me if it was a locally generated message, or if I have a hacked account (password 'guessed')?
The original message was generated systematically - it's a bounce.
> 2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull P=local S=1185
The "R=" part shows the Exim message ID which caused the bounce. Grep
that out of your logs to see what caused it.
I'll punt one probable cause: you're not doing SMTP time rejection, but
are accepting and bouncing for invalid recipients.
Graeme
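
Added example, not part of the original thread: a Python sketch of the lookup described above. It follows each bounce's R= field back to the parent message's arrival line and reports whether the parent came in locally (U=, P=local), over authenticated SMTP (A=) or over unauthenticated SMTP. The log sample is constructed; its IDs, hosts, addresses and authenticator name are placeholders.

```python
import re

# Constructed Exim main-log sample; every ID, host and address is a placeholder.
SAMPLE_LOG = """\
2008-03-16 18:36:05 1Jb1SV-000Etp-55 <= someone@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=2301
2008-03-16 18:36:06 1Jb1SV-000Etp-55 ** nosuchuser@example.org: Unrouteable address
2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull P=local S=1185
2008-03-16 19:00:01 1Jb1pp-000F01-Bb <= www@host.example.org U=www P=local S=700
2008-03-16 19:00:03 1Jb1pr-000F03-Cc <= <> R=1Jb1pp-000F01-Bb U=mailnull P=local S=1500
2008-03-16 19:30:00 1Jb2Ia-000F11-Dd <= user@example.org H=(pc) [198.51.100.7] P=esmtpa A=login:user S=900
2008-03-16 19:30:02 1Jb2Ic-000F13-Ee <= <> R=1Jb2Ia-000F11-Dd U=mailnull P=local S=1600
"""

ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)(.*)$")  # date time id <= sender ...
FIELD = re.compile(r"\b([A-Z])=(\S+)")                 # one-letter fields: R= U= P= A= H= S=
HOST_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")          # [remote address]

def parse_arrivals(log_text):
    """Return {message_id: {"sender", "ip", plus one-letter log fields}}."""
    arrivals = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery, failure and "Completed" lines are not arrivals
        msg_id, sender, rest = m.groups()
        info = dict(FIELD.findall(rest))
        ip = HOST_IP.search(rest)
        info.update(sender=sender, ip=ip.group(1) if ip else None)
        arrivals[msg_id] = info
    return arrivals

def origin(info):
    """Describe how a message entered the server, from its arrival line."""
    if info.get("P") == "local":
        return "local submission by user %s" % info.get("U", "?")
    if "A" in info:
        return "authenticated SMTP (%s) from %s" % (info["A"], info["ip"])
    return "unauthenticated SMTP from %s" % info["ip"]

def trace_bounces(log_text):
    """For each bounce (sender <> with R=parent), report the parent's origin."""
    arrivals = parse_arrivals(log_text)
    report = []
    for msg_id, info in arrivals.items():
        if info["sender"] == "<>" and "R" in info:
            parent = arrivals.get(info["R"])
            how = origin(parent) if parent else "parent not in this log"
            report.append((msg_id, info["R"], how))
    return report
```

A parent reported as unauthenticated SMTP matches the accept-then-bounce case suggested in the reply; a local user or an authenticated ID points at a script or an account on the server itself.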