Koozali.org: home of the SME Server

Repeated Messages and SME Server Internet Flood

bradone1

Repeated Messages and SME Server Internet Flood
« on: October 29, 2005, 04:35:54 PM »
Hey everyone, I am a Windows network admin and I have a new customer that I have acquired from another support group. I have found that the mail server is acting up; it's an SME Server 6.0.1-01.
When I yank the network cable off of the network, things speed up and are back to normal (ping to yahoo at 49ms, and when online it's 1500 - 2100ms to yahoo). I have run the messages log and found this:

Oct 29 02:25:01 mailserver last message repeated 8 times
Oct 29 02:30:01 mailserver last message repeated 8 times
Oct 29 02:35:01 mailserver last message repeated 8 times
Oct 29 02:37:22 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=82.255.100.162 DST=70.155.21.27 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=49535 DF PROTO=TCP SPT=1038 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 02:40:00 mailserver last message repeated 8 times
Oct 29 02:41:48 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=65502 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 02:45:00 mailserver last message repeated 8 times
Oct 29 02:50:00 mailserver last message repeated 8 times
Oct 29 02:50:01 mailserver last message repeated 7 times
Oct 29 02:50:51 mailserver ntpd[1934]: time reset 0.283485 s
Oct 29 02:50:51 mailserver ntpd[1934]: synchronisation lost
Oct 29 02:55:01 mailserver ucd-snmp[2581]: Connection from 127.0.0.1
Oct 29 03:00:00 mailserver last message repeated 8 times
Oct 29 03:05:01 mailserver last message repeated 8 times
Oct 29 03:08:23 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=152.202.166.45 DST=70.155.21.27 LEN=523 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=31262 DPT=1028 LEN=503
Oct 29 03:08:23 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=118.214.222.32 DST=70.155.21.27 LEN=523 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=31260 DPT=1026 LEN=503
Oct 29 03:10:00 mailserver last message repeated 8 times
Oct 29 03:11:43 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=211 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 03:15:01 mailserver last message repeated 8 times
Oct 29 03:20:00 mailserver last message repeated 8 times
Oct 29 03:25:00 mailserver last message repeated 8 times
Oct 29 03:30:01 mailserver last message repeated 8 times
Oct 29 03:31:34 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=221.12.161.99 DST=70.155.21.27 LEN=497 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=33244 DPT=4081 LEN=477
Oct 29 03:35:01 mailserver last message repeated 8 times
Oct 29 03:40:01 mailserver last message repeated 8 times
Oct 29 03:41:39 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=459 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 03:45:00 mailserver last message repeated 8 times
Oct 29 03:50:01 mailserver last message repeated 8 times
Oct 29 03:55:01 mailserver last message repeated 8 times
Oct 29 04:00:01 mailserver last message repeated 8 times
Oct 29 04:05:01 mailserver last message repeated 8 times
Oct 29 04:10:01 mailserver last message repeated 8 times
Oct 29 04:11:35 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=708 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 04:15:00 mailserver last message repeated 8 times
Oct 29 04:20:00 mailserver last message repeated 8 times
Oct 29 04:25:01 mailserver last message repeated 8 times
Oct 29 04:25:01 mailserver last message repeated 7 times
Oct 29 04:25:21 mailserver ntpd[1934]: synchronisation lost
Oct 29 04:30:00 mailserver ucd-snmp[2581]: Connection from 127.0.0.1
Oct 29 04:35:00 mailserver last message repeated 8 times
Oct 29 04:35:01 mailserver last message repeated 7 times
Oct 29 04:38:18 mailserver ntpd[1934]: time reset 0.788536 s
Oct 29 04:38:18 mailserver ntpd[1934]: synchronisation lost
Oct 29 04:40:00 mailserver ucd-snmp[2581]: Connection from 127.0.0.1
Oct 29 04:41:31 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=959 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 04:41:51 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=68.164.18.68 DST=70.155.21.27 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=47417 DF PROTO=TCP SPT=3464 DPT=2100 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 04:41:53 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=68.164.18.68 DST=70.155.21.27 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=48289 DF PROTO=TCP SPT=3464 DPT=2100 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 04:45:00 mailserver last message repeated 8 times
Oct 29 04:50:01 mailserver last message repeated 8 times
Oct 29 04:55:01 mailserver last message repeated 8 times
Oct 29 05:00:00 mailserver last message repeated 8 times
Oct 29 05:05:01 mailserver last message repeated 8 times
Oct 29 05:10:01 mailserver last message repeated 8 times
Oct 29 05:11:26 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=1203 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 05:15:01 mailserver last message repeated 8 times
Oct 29 05:20:01 mailserver last message repeated 8 times
Oct 29 05:22:06 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=66.28.202.153 DST=70.155.21.27 LEN=518 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=33108 DPT=1026 LEN=498
Oct 29 05:22:06 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=66.28.202.153 DST=70.155.21.27 LEN=518 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=33108 DPT=1027 LEN=498
Oct 29 05:25:01 mailserver last message repeated 8 times
Oct 29 05:30:01 mailserver last message repeated 8 times
Oct 29 05:35:00 mailserver last message repeated 8 times
Oct 29 05:40:00 mailserver last message repeated 8 times
Oct 29 05:41:22 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=1457 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 05:44:38 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=61.235.154.108 DST=70.155.21.27 LEN=500 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=36848 DPT=1028 LEN=480
Oct 29 05:44:38 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=61.235.154.108 DST=70.155.21.27 LEN=500 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=36848 DPT=1030 LEN=480
Oct 29 05:40:01 mailserver last message repeated 7 times
Oct 29 05:44:54 mailserver ntpd[1934]: synchronisation lost
Oct 29 05:45:01 mailserver ucd-snmp[2581]: Connection from 127.0.0.1
Oct 29 05:50:01 mailserver last message repeated 8 times
Oct 29 05:52:16 mailserver kernel: denylog:IN=eth1 OUT= MAC=00


I have seen one Google post about disk space, but I don't know if it's relevant. I do see the deny on the ethernet connection, but I am not experienced enough to know what may be the problem. I would appreciate any help; I really want to keep this new customer, and I have a feeling that if I can't fix this, they have no reason to stay with me.

Thanks in advance, you can also email me, just remove the (nospam) in the email address.

thanks
Brad

brad@(nospam)bradsmail.com
(remove (nospam) from the email address.)

CharlieBrady
Re: Repeated Messages and SME Server Internet Flood
« Reply #1 on: October 30, 2005, 01:05:33 AM »
Quote from: "bradone1"
Hey everyone, I am a Windows network admin and I have a new customer that I have acquired from another support group. I have found that the mail server is acting up; it's an SME Server 6.0.1-01.
When I yank the network cable off of the network things speed up and are back to normal (ping to yahoo at 49ms and when online its 1500 - 2100ms to yahoo),


You will need to find out where all your bandwidth is going. The messages you have quoted don't provide any clues.

Quote

Oct 29 02:35:01 mailserver last message repeated 8 times
Oct 29 02:37:22 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=82.255.100.162 DST=70.155.21.27 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=49535 DF PROTO=TCP SPT=1038 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0


http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.b@mm.html
http://www.linklogger.com/TCP10000.htm

Probably a probe looking for a vulnerable Veritas Backup Exec, or the W32.Dumaru.B@mm worm.

Oct 29 02:40:00 mailserver last message repeated 8 times
Oct 29 02:41:48 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=70.155.21.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=65502 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 02:45:00 mailserver last message repeated 8 times

That probably means that there is a DHCP client attached to the same network as your eth1 interface.

Quote

Oct 29 02:50:00 mailserver last message repeated 8 times


I guess there is no DHCP server on that network, since the client keeps broadcasting.

Quote

Oct 29 02:55:01 mailserver ucd-snmp[2581]: Connection from 127.0.0.1


You have some non-standard software running, perhaps a system monitoring add-on.

Quote

Oct 29 03:08:23 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=152.202.166.45 DST=70.155.21.27 LEN=523 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=31262 DPT=1028 LEN=503
...
Oct 29 03:08:23 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=118.214.222.32 DST=70.155.21.27 LEN=523 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=31260 DPT=1026 LEN=503


Probably Windows messenger popup spam.

http://www.mynetwatchman.com/kb/security/articles/popupspam/

We know it didn't do your system any harm - it was dropped by the firewall.

You can research each of these issues yourself - just put "UDP" or "TCP" and the number following "DPT=" into google.

But these are just packets your firewall dropped, and they did your system no harm. Your problem lies elsewhere. Probably it's a large outgoing mail stream - possibly due to a virus on one of the systems on the LAN. Check the mail logs.
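As an added example (not code from the thread, from CharlieBrady, or from SME Server), a small Python script that parses denylog lines of the form shown above, folds syslog's "last message repeated N times" counts into the line they repeat, and tallies dropped packets by protocol and destination port so each port can be looked up as the reply suggests. The sample log lines, the RFC 5737 addresses in them and the triage labels are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the denylog format the thread shows (documentation
# addresses, not the addresses from the thread).
SAMPLE_LOG = """\
Oct 29 02:37:22 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=203.0.113.7 DST=192.0.2.27 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=49535 DF PROTO=TCP SPT=1038 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 02:41:48 mailserver kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:c5:fe:60:2c:08:00 SRC=192.0.2.25 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=65502 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 29 03:08:23 mailserver kernel: denylog:IN=eth1 OUT= MAC=00:d0:b7:6b:78:51:00:00:c5:fe:60:2c:08:00 SRC=198.51.100.9 DST=192.0.2.27 LEN=523 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=31262 DPT=1026 LEN=503
Oct 29 03:10:00 mailserver last message repeated 8 times
"""

DENYLOG_RE = re.compile(r"denylog:(.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def parse_fields(rest):
    """Split 'IN=eth1 OUT= ... DF PROTO=UDP ... SYN' into a dict; bare tokens
    (DF, SYN) become flags and the second LEN= (the L4 length) is kept as L4LEN."""
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" not in tok:
            flags.add(tok)
            continue
        k, v = tok.split("=", 1)
        fields["L4LEN" if k == "LEN" and "LEN" in fields else k] = v
    fields["FLAGS"] = flags
    return fields

def classify(f):
    """Coarse triage label; look the rest up by PROTO and DPT as the reply suggests."""
    if f.get("DST") == "255.255.255.255" and (f.get("SPT"), f.get("DPT")) == ("67", "68"):
        return "dhcp-broadcast"        # DHCP traffic from a host on the eth1 segment
    if f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"]:
        return "inbound-tcp-syn"       # connection attempt to a closed or filtered port
    if f.get("PROTO") == "UDP" and 1026 <= int(f.get("DPT", 0)) <= 1030:
        return "udp-messenger-popup"   # the Windows Messenger popup-spam ports
    return "inbound-other"

def summarize(log_text):
    """Count dropped packets per (label, PROTO, DPT). syslog collapses identical
    consecutive lines into 'last message repeated N times', so N is added to the
    denylog line just before it; repeats of any other kind of line are skipped."""
    counts, last_key = Counter(), None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last_key is not None:
                counts[last_key] += int(rep.group(1))
            continue
        deny = DENYLOG_RE.search(line)
        if not deny:
            last_key = None            # a non-denylog line breaks the repeat chain
            continue
        f = parse_fields(deny.group(1))
        last_key = (classify(f), f.get("PROTO"), f.get("DPT"))
        counts[last_key] += 1
    return counts
```

Run it over /var/log/messages instead of SAMPLE_LOG to get a per-port table; as the reply notes, high counts here are noise the firewall already dropped, not the cause of the slowdown.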

bradone1

Repeated Messages and SME Server Internet Flood
« Reply #2 on: October 30, 2005, 03:45:05 AM »
Thanks so much for getting back to me. I have got some mail logs and it looks like it's sending spam, but just like the other ones I am not sure how to read them. Here are a few, but they go on forever; maybe a machine (workstation) is infected or has spyware:

Oct 29 01:25:56 mailserver spamd[2615]: spamd: connection from localhost [127.0.0.1] at port 52722
Oct 29 01:25:56 mailserver spamd[2615]: spamd: setuid to qmailq succeeded
Oct 29 01:25:56 mailserver spamd[2615]: spamd: processing message <60bd01c5dbf6$1299bc30$e62c4fca@shanika> for qmailq:404
Oct 29 01:25:56 mailserver spamd[2615]: spamd: clean message (2.9/7.0) for qmailq:404 in 0.2 seconds, 2336 bytes.
Oct 29 01:25:56 mailserver spamd[2615]: spamd: result: .  2 - FUZZY_PRESCRIPT,UNPARSEABLE_RELAY scantime=0.2,size=2336,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52722,mid=<60bd01c5dbf6$1299bc30$e62c4fca@shanika>,autolearn=no
Oct 29 01:25:56 mailserver spamd[2111]: prefork: child states: II
Oct 29 01:30:00 mailserver spamd[2615]: spamd: connection from localhost [127.0.0.1] at port 52724
Oct 29 01:30:00 mailserver spamd[2615]: spamd: setuid to qmailq succeeded
Oct 29 01:30:00 mailserver spamd[2615]: spamd: processing message <Pine.LNX.4.30.6204061749510.15353-100000@dialsprint.net> for qmailq:404
Oct 29 01:30:00 mailserver spamd[2615]: spamd: identified spam (7.0/7.0) for qmailq:404 in 0.3 seconds, 1334 bytes.
Oct 29 01:30:00 mailserver spamd[2615]: spamd: result: Y  7 - FUZZY_OBLIGATION,RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,UNPARSEABLE_RELAY scantime=0.3,size=1334,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52724,mid=<Pine.LNX.4.30.6204061749510.15353-100000@dialsprint.net>,autolearn=no
Oct 29 01:30:01 mailserver spamd[2111]: prefork: child states: BI
Oct 29 01:30:02 mailserver spamd[2111]: spamd: handled cleanup of child pid 2615 due to SIGCHLD
Oct 29 01:30:03 mailserver spamd[2111]: prefork: select returned error on server filehandle: Interrupted system call
Oct 29 01:30:03 mailserver spamd[2111]: spamd: server successfully spawned child process, pid 1665
Oct 29 01:30:03 mailserver spamd[2111]: prefork: child states: II
Oct 29 01:51:54 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52732
Oct 29 01:51:54 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 01:51:54 mailserver spamd[1665]: spamd: processing message <25758579.1130565180798.JavaMail.root@customer.ediets.com> for qmailq:404
Oct 29 01:51:55 mailserver spamd[1665]: spamd: clean message (1.3/7.0) for qmailq:404 in 1.4 seconds, 57590 bytes.
Oct 29 01:51:55 mailserver spamd[1665]: spamd: result: .  1 - AWL,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RUDE_HTML scantime=1.4,size=57590,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52732,mid=<25758579.1130565180798.JavaMail.root@customer.ediets.com>,autolearn=no
Oct 29 01:51:55 mailserver spamd[2111]: prefork: child states: II
Oct 29 01:55:25 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52734
Oct 29 01:55:25 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 01:55:25 mailserver spamd[1665]: spamd: processing message <w1381y9VU3V090V30UX92KBL89923501R736090@63.80.50.55> for qmailq:404
Oct 29 01:55:25 mailserver spamd[1665]: spamd: identified spam (23.8/7.0) for qmailq:404 in 0.5 seconds, 1249 bytes.
Oct 29 01:55:25 mailserver spamd[1665]: spamd: result: Y 23 - FROM_LOCAL_NOVOWEL,HEADER_SPAM,INFO_TLD,MIME_BAD_ISO_CHARSET,MIME_BOUND_DD_DIGITS,RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,SUBJECT_FUZZY_MEDS,UNPARSEABLE_RELAY,URI_NO_WWW_INFO_CGI scantime=0.5,size=1249,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52734,mid=<w1381y9VU3V090V30UX92KBL89923501R736090@63.80.50.55>,autolearn=spam
Oct 29 01:55:25 mailserver spamd[2111]: prefork: child states: II
Oct 29 02:22:08 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52743
Oct 29 02:22:08 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 02:22:08 mailserver spamd[1665]: spamd: processing message <31020369953326.LA12473@contrast.eu.org> for qmailq:404
Oct 29 02:22:08 mailserver spamd[1665]: spamd: clean message (4.5/7.0) for qmailq:404 in 0.2 seconds, 1134 bytes.
Oct 29 02:22:08 mailserver spamd[1665]: spamd: result: .  4 - RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,UNPARSEABLE_RELAY scantime=0.2,size=1134,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52743,mid=<31020369953326.LA12473@contrast.eu.org>,autolearn=no
Oct 29 02:22:08 mailserver spamd[2111]: prefork: child states: II
Oct 29 02:25:22 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52746
Oct 29 02:25:22 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 02:25:22 mailserver spamd[1665]: spamd: processing message <0105811087540.01145@jfuertes.maz.es> for qmailq:404
Oct 29 02:25:23 mailserver spamd[1665]: spamd: clean message (0.0/7.0) for qmailq:404 in 0.8 seconds, 1716 bytes.
Oct 29 02:25:23 mailserver spamd[1665]: spamd: result: .  0 - UNPARSEABLE_RELAY scantime=0.8,size=1716,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52746,mid=<0105811087540.01145@jfuertes.maz.es>,autolearn=ham
Oct 29 02:25:23 mailserver spamd[2111]: prefork: child states: II
Oct 29 02:42:19 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52749
Oct 29 02:42:19 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 02:42:19 mailserver spamd[1665]: spamd: processing message <YlhOcGJXOXVRR2h6YkdGM1ptbHliUzVqYjIwPQo=@onlogixx.com> for qmailq:404
Oct 29 02:42:19 mailserver spamd[1665]: spamd: clean message (4.1/7.0) for qmailq:404 in 0.4 seconds, 8780 bytes.
Oct 29 02:42:19 mailserver spamd[1665]: spamd: result: .  4 - DATE_IN_PAST_24_48,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,HTML_TINY_FONT,INVALID_DATE,MIME_HTML_ONLY,UNPARSEABLE_RELAY scantime=0.4,size=8780,user=qmailq,uid=404,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=52749,mid=<YlhOcGJXOXVRR2h6YkdGM1ptbHliUzVqYjIwPQo=@onlogixx.com>,autolearn=no
Oct 29 02:42:20 mailserver spamd[2111]: prefork: child states: II
Oct 29 04:08:35 mailserver spamd[1665]: spamd: connection from localhost [127.0.0.1] at port 52908
Oct 29 04:08:35 mailserver spamd[1665]: spamd: setuid to qmailq succeeded
Oct 29 04:08:35 mailserver spamd[1665]: spamd: processing message <YlhOcGJXOXVRR2h6YkdGM1ptbHliUzVqYjIwPQo=@onlogixx.com> for qmailq:404
Oct 29 04:08:36 mailserver spamd[1665]: spamd: clean message (4.0/7.0) for qmailq:404 in 0.3 seconds, 6525 bytes.

mapangojoe

Things to try
« Reply #3 on: October 30, 2005, 04:06:21 AM »
I do not claim to know anything about SME, but that never stopped me from opening my mouth!

At the console of the server hit ctrl+F2 to take you to the second terminal login prompt. Log on as root with your admin password. Type top, and press enter. Top will tell you what program(s) are eating the most time and memory.

Also, from your logs, it looks like you're running a spam filter for your inbound email. I had an SME server that had just a small amount of RAM. It also had spam filtering and AV scanning set up. If more than one email came in at a time the thing was swamped, and slowed way down. It seems it could AV scan and spam evaluate one mail at a time, but not much more. I bumped the machine from 256 to 512MB of RAM and it has been fine since.

I could be completely wrong, caveat emptor!!!!

CC