Re: [exim] Doubts wrt maillog

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Doubts wrt maillog
Hi,

soumya tr <soumya.324@???> (Fr 12 Jul 2013 01:15:02 CEST):
> Hi,
>
> I see the below given messages in exim main_log:
>
> ---------------
> 2013-07-11 22:59:51 SMTP connection identification H=localhost A=127.0.0.1
> P=50967 U=root ID= S=root B=identify_local_connection
> 2013-07-11 22:59:51 H=localhost [127.0.0.1]:50967 Warning: Sender rate
> 8855.9 / 1h
> 2013-07-11 22:59:51 1UxPq3-000ho1-AX <= abc@???
> <capi@???>H=localhost [127.0.0.1]:51040 P=esmtp S=2488 T="YOU ARE
> NEEDED AS A
> REPRESENTATIVE!!!" for megan888@???
> ---------------
>
> The email address abc@??? <capi@???> isn't present in the server.
> I am unable to find how the mails are generated :( . Please assist.
>
> A large number of such mails are getting generated, and thus large number
> of connections to 127.0.0.1:25 from 127.0.0.1:XXXX, thereby increasing the
> load.


Are you running any other services on your server? If the log isn't
faked, it looks as if "root" is sending mails via SMTP from your own
host. Probably your box is hacked. Some application running with root
permissions seems to generate the messages. Could be anything.

First I'd stop outgoing connections, to avoid blacklisting of your
machine. (If the sender isn't an individual, it might be enough to
stop the Exim daemon and inhibit the start of any queue runner, if
you've mails in your queue still.)

--
Heiko
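
Added example, not part of the original message: one way to tie the loopback arrivals in main_log back to the local account that opened each connection, using the "SMTP connection identification" lines in the format quoted above. It assumes the P= field of that line is the source port shown after [127.0.0.1]: on the arrival line; the log sample, addresses and message IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the quoted main_log lines.
# Addresses, message IDs and the "webapp" user are made up for illustration.
SAMPLE_LOG = """\
2013-07-11 22:59:51 SMTP connection identification H=localhost A=127.0.0.1 P=50967 U=root ID= S=root B=identify_local_connection
2013-07-11 22:59:51 1AAAAA-000001-AA <= sender@example.invalid H=localhost [127.0.0.1]:50967 P=esmtp S=2488 T="test one" for rcpt1@example.invalid
2013-07-11 22:59:52 SMTP connection identification H=localhost A=127.0.0.1 P=50970 U=root ID= S=root B=identify_local_connection
2013-07-11 22:59:52 1AAAAA-000002-AA <= sender@example.invalid H=localhost [127.0.0.1]:50970 P=esmtp S=2490 T="test two" for rcpt2@example.invalid
2013-07-11 23:00:10 SMTP connection identification H=localhost A=127.0.0.1 P=50981 U=webapp ID= S=webapp B=identify_local_connection
2013-07-11 23:00:10 1AAAAA-000003-AA <= app@example.invalid H=localhost [127.0.0.1]:50981 P=esmtp S=900 T="report" for admin@example.invalid
2013-07-11 23:00:11 1AAAAA-000004-AA <= remote@example.invalid H=mx.example.invalid [192.0.2.10]:40000 P=esmtp S=1200 for user@example.invalid
2013-07-11 23:00:12 1AAAAA-000005-AA <= lost@example.invalid H=localhost [127.0.0.1]:51040 P=esmtp S=1200 for user@example.invalid
"""

IDENT = re.compile(r"SMTP connection identification .*?\bA=(\S+) P=(\d+) U=(\S+)")
ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+) .*?\[(127\.0\.0\.1|::1)\]:(\d+)")

def local_submitters(log_text):
    """Count loopback SMTP arrivals per (local user, envelope sender)."""
    port_user = {}        # (address, source port) -> user from the latest identification line
    per_user = Counter()  # (user, sender) -> number of messages accepted
    unattributed = []     # loopback arrivals with no matching identification line
    for line in log_text.splitlines():
        m = IDENT.search(line)
        if m:
            port_user[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = ARRIVAL.search(line)
        if not m:
            continue      # not an arrival, or not from the loopback interface
        msg_id, sender, addr, port = m.groups()
        user = port_user.get((addr, port))
        if user is None:
            unattributed.append(msg_id)
        else:
            per_user[(user, sender)] += 1
    return per_user, unattributed

if __name__ == "__main__":
    counts, unknown = local_submitters(SAMPLE_LOG)
    for (user, sender), n in counts.most_common():
        print(f"{n:6d}  U={user}  sender={sender}")
    print("loopback arrivals without an identified user:", unknown)
```

A user with an unexpectedly high count is the account to inspect for the process generating the mail; unattributed message IDs can be followed up by hand in the log.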