Topic: Excessive outgoing e-mail

[Archer]

I'm running SME 5.6 as a Gateway Server with E-mail, and have increasingly found that the external network performance is degrading. I beleive it has something to do with the massive amounts of e-mail that the system is sending out.
Tracing through the mail logs and matching UID's between the logs and the accounts file indicates that "alais=system", "qmail=system" and "qmails=system" have sent large volumes of mail from the system. I find this hard to beleive especially since the system was rebuilt from scratch in mid feburary. Anyone have an idea as to what's going on here?
Any help will be much Appreciated.

Archer

[barryf]

Is your system set to bounce e-mail to unknown users?  there is a lot of virus activity at the moment with made up recipient names.  This could be the problem.

Barry

[Archer]

Hi Barry,
The server is set up to bounce recipients that are not listed in the rcpthosts file. So it won't essentially "Relay" messages.
What it is sending out seems to originate from the server itself and not a client on the local network (I could be wrong)... at least thats what I assume from the UID's that are getting listed in the logs.

Archer

[Archer]

Does anyone know if it is possible to determine where on the local network outgoing mail originated from? ie. which client system sent it?

I still suspect that the mail is originating on the server itself but need to rule out the client systems before I do something like rebuilding the server again.

Archer

[raem]

Possibly a virus infection on a workstation ??

Read the header information on the messages to see the source, it should show the IP of the workstation it's coimg from.

You may want to instal the latest pagefault.org implementation of Clamavis-ng which allows you to enable outgoing message virus scanning (as well as incoming).

Regs
Ray

[Archer]

Thanks Ray, I'll look into Clamavis-ng stuff, it sounds like a good idea to me.

Now, this might be dumb question but, how do I look at the header of the messages? The sympotms were seeing are simply network slowdowns and large volumes of outgoing mail in the log file. Is this outgoing mail stored somewhere on the server where I can go and look at it to check the headers?
I guess I should clarify that none of the outgoing messages are being delivered to our own mailboxes (that I have been told about... I think I'll investigate that and see if it's really true).

Archer

[raem]

> Now, this might be dumb question but, how do I look at the header of the messages?

The header is in the received message, in OE open message click on File/Properties/Details


I think if you look in /var/log/smtpfront-qmail/current
you will see the message source information
eg
2004-04-20 11:02:38.096939500 tcpserver: ok 5558 0:192.232.5.1:25 pc-00099.mydomain.com.au:192.232.5.99::1164
2004-04-20 11:02:57.213239500 smtpfront-qmail[5558]: MAIL FROM: <jacko@mydomain.com.au>
2004-04-20 11:02:57.214120500 smtpfront-qmail[5558]: RCPT TO: <freddo@wherever.com.au>

Find out which PC has the IP of 192.232.5.99 and you have your source (or culprit).


or, if you get & instal qmHandle rpm, it adds a panel to server manager & you can view all the queue'd messages. Look in the contribs.org contribs downloads section for e-smith-qmHandle-1.0.0-7.noarch.rpm.

You are bound to find some details in there
eg
Received: from station15 (pc-00099.mydomain.com.au [192.232.5.99])
  by server3.mydomain.com.au ([192.232.5.1])
  with SMTP via TCP; 15 Apr 2004 00:57:41 -0000


I would also be scanning your workstations immediately with an up to date scanner.
AVG has a free version and works good from www.grisoft.com

Regs
Ray

[Jakeo]

Also consider reading these posts

http://forums.contribs.org/index.php?topic=22005.0

[marty_]

Hello,

I have similar problems with a newly installed SME server, newest version. The problems appear similar to yours, and they appeared the very same day we replaced our old mail server with an SME server, so I don't think a rogue client is to blame, wish it was so simple. This is causing me some grief, so if anybody has found out why this is happening and what to do about it, I would sure like to know. I have smtp-front spamassassin and clam antivirus installed.

Thanks