Koozali.org: home of the SME Server

Mail/Log file question

Ted (http://www.shadowsfall.org)
Mail/Log file question
« on: October 11, 2006, 04:45:53 AM »
Over the last couple of days my SME server had become slower and slower.  This afternoon it got to the point where it took a couple of minutes to log in via webmail and later when I was home I could not even log into the "server-manager".  So I went downstairs, logged in directly (also slow) and rebooted the server.

When it came up it was much faster, I logged into server-manager and looked at the log/mail log files, and found this

::::::::::::::
Mail Log File Analysis
Report generated: Tue 10 Oct 2006 07:01:15 PM PDT

Senders

One line per sender. Information on each line:
* mess is the number of messages sent by this sender.
* bytes is the number of bytes sent by this sender.
* sbytes is the number of bytes successfully received from this sender.
* rbytes is the number of bytes from this sender, weighted by recipient.
* recips is the number of recipients (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this sender.

mess     bytes    sbytes    rbytes  recips  tries       xdelay  sender
   1      4423      4423      4423       1      1     0.142793  0/<root@shadowsfall.org>
   2      1450      1450      1450       2      2     0.194147  0/<anonymous@shadowsfall.org>
   1     10992     10992     10992       1      1     0.017016  101/<mjyyynkhiue@xcurrent.com>
   1     11004     11004     11004       1      1     0.016049  101/<uodqazywszj@sunsetsound.com>
   1      1345      1345      1345       1      1     0.766783  101/<extramom@goldgrate.com>
   1      1353      1353      1353       1      1     0.249582  101/<sjwright@gilesdesign.com>
   1      1406      1406      1406       1      1     0.207618  101/<staikos@grist.org>
   1      1413      1413      1413       1      1     0.129886  101/<csnet@green-enterprizes.com>
   1      1434      1434      1434       1      1     0.115871  101/<macpherson@goldenfork.com>
   1      1435      1435      1435       1      1     0.315396  101/<bunk@gr.issworld.com>
   1      1440      1440      1440       1      1     0.381869  101/<fenner@gkfd.com>
   1      1443      1443      1443       1      1     0.563207  101/<publicworks@grapejamboree.com>
   1      1454      1454      1454       1      1     0.319413  101/<antman@golf-dynamics.com>
   1      1455      1455      1455       1      1     0.217710  101/<pfremy@grandmarais.com>
   1      1466      1466      1466       1      1     0.101189  101/<nandersl@gourmetcoffeehouse.com>
   1      1472      1472      1472       1      1     0.020979  101/<gellyfish@glij.com>
   1      1497      1497      1497       1      1     0.233790  101/<reichert@gl00on.net>
   1      1566      1566      1566       1      1     0.036083  101/<xalba@ggelectric.net>
   1     16403     16403     16403       1      1     0.016090  101/<aaejtdn@imfsm.com>
   1      1812      1812      1812       1      1     0.016000  101/<zeebear@kurogi.com>
   1     18366     18366     18366       1      1     0.014903  101/<ecrrg@activeworlds.com>
   1     18616     18616     18616       1      1     0.033267  101/<xksslrjkiec@theamconveyors.com>
   1     19628     19628     19628       1      1     0.040063  101/<clish@bryantravel.com>
   1      2376      2376      2376       1      1     0.014048  101/<fswzdvx@softwaredata.com>
   1     28848     28848     28848       1      1     0.015106  101/<annag@asiansonly.net>
   1      4665      4665      4665       1      1     0.014252  101/<root@shadowsfall.org>
   1      5386      5386      5386       1      1     0.258656  101/<aldebaron@aldebaron.com>
   2     10136     10136     10136       2      2     0.068192  101/<croftrob@msn.com>
   2     10328     10328     10328       2      2     0.053009  101/<coplaf@nethall.com.br>
   2     10548     10548     10548       2      2     0.050797  101/<decibelcu@decibelcu.com>
   2     10586     10586     10586       2      2     0.984403  101/<adamquest@adamquest.com>
   2     10616     10616     10616       2      2     0.043657  101/<kits@1-866-logkits.com>
   2     10658     10658     10658       2      2     0.869203  101/<agilolfia@agilolfia.com>
   2     10696     10696     10696       2      2     0.082820  101/<agapedata@agapedata.com>
   2     10698     10698     10698       2      2     0.591815  101/<gab@00tech.com>
   2     10704     10704     10704       2      2     0.616128  101/<zulutango@zulutango.com>
   2     10726     10726     10726       2      2     0.067566  101/<agwolfson@agwolfson.com>
   2     10736     10736     10736       2      2     0.906156  101/<obponline@obponline.com>
   2     10798     10798     10798       2      2     0.124419  101/<alliowens@alliowens.com>
   2     10854     10854     10854       2      2     0.086125  101/<ebmaster@10-75.com>
   2     10872     10872     10872       2      2     0.086491  101/<gckenvlaw@gckenvlaw.com>
   2     10878     10878     10878       2      2     0.597594  101/<jewellabs@jewellabs.com>
   2     10924     10924     10924       2      2     0.100689  101/<admin@007designs.com>
   2     10926     10926     10926       2      2     0.051853  101/<ffa@10-million-hits.com>
   2     10958     10958     10958       2      2     0.034891  101/<dozer@0010110.com>
   2     11044     11044     11044       2      2     0.059485  101/<amypearse@mac.com>
   2     11132     11132     11132       2      2     0.151553  101/<genovese@00map.com>
   2     11176     11176     11176       2      2     0.104793  101/<comments@1-stop-guide.com>
   2     11188     11188     11188       2      2     0.047473  101/<crouch@legoland.eng.sun.com>
   2     11222     11222     11222       2      2     0.077942  101/<bbresson@1000trails.com>
   2     11320     11320     11320       2      2     0.149806  101/<acmemiami@acmemiami.com>
   2     11332     11332     11332       2      2     0.680429  101/<globalcor@globalcor.com>
   2     11372     11372     11372       2      2     1.395418  101/<gopenshaw@gopenshaw.com>
   2     11390     11390     11390       2      2     0.039381  101/<cruther@goldenware.com>
   2     11466     11466     11466       2      2     0.523527  101/<pinchaser@pinchaser.com>
   2     11578     11578     11578       2      2     0.104643  101/<accentpwp@accentpwp.com>
   2     11664     11664     11664       2      2     0.117433  101/<guest@00agents.com>
   2     11736     11736     11736       2      2     0.040137  101/<agbeltinc@agbeltinc.com>
   2     11956     11956     11956       2      2     0.036038  101/<ahcihomes@ahcihomes.com>
   2     12000     12000     12000       2      2     0.036243  101/<bbaginski@0-0.com>
   2     12186     12186     12186       2      2     0.090029  101/<angelaford@mac.com>
   2     12314     12314     12314       2      2     0.111637  101/<conniefranklin@mindspring.com>
   2     12344     12344     12344       2      2     0.039180  101/<bobmor@earthlink.net>
   2     14462     14462     14462       2      2     0.055748  101/<bobcatdy@earthlink.net>
   2      6726      6726      6726       2      2     0.046240  101/<correct@1-800-cruise.com>
   2      7380      7380      7380       2      2     0.041734  101/<jvancecpa@1-stopnet.com>
   8      4906      4906      4906       8      8     0.170310  101/<anonymous@shadowsfall.org>

:::::::::::End Cut

Aside from shadowsfall.org (the last one) I don't recognize any of these.  If I read this right, all of these "people" sent e-mails from my server?

Help.  

Ted
...
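The table Ted pasted is the zsenders section of a qmailanalog report, and its sender column is `uid/<envelope-sender>`: uid 0 is root injecting mail locally, while a non-zero uid is the account the SMTP daemon queues messages under, so those rows came in over SMTP. The script below is an added example (not code from the post or from the SME Server project) that parses that table and splits the senders by injection path and by whether the envelope domain is the server's own. It assumes `shadowsfall.org` is the local domain and that uid 101 is the SMTP daemon's account on this box; the four sample rows are constructed from the post's layout.

```python
import re

# Assumption: the server's own mail domain, taken from the addresses in the post.
LOCAL_DOMAIN = "shadowsfall.org"

# Constructed excerpt in the zsenders layout shown in the post (four rows only).
SAMPLE_REPORT = """\
mess     bytes    sbytes    rbytes  recips  tries       xdelay  sender
   1      4423      4423      4423       1      1     0.142793  0/<root@shadowsfall.org>
   1     10992     10992     10992       1      1     0.017016  101/<mjyyynkhiue@xcurrent.com>
   2     10136     10136     10136       2      2     0.068192  101/<croftrob@msn.com>
   8      4906      4906      4906       8      8     0.170310  101/<anonymous@shadowsfall.org>
"""

# One data row: seven numeric columns, then uid/<sender>.
ROW_RE = re.compile(
    r"^\s*(?P<mess>\d+)\s+(?P<bytes>\d+)\s+(?P<sbytes>\d+)\s+(?P<rbytes>\d+)"
    r"\s+(?P<recips>\d+)\s+(?P<tries>\d+)\s+(?P<xdelay>\d+\.\d+)"
    r"\s+(?P<uid>\d+)/<(?P<sender>[^>]*)>\s*$"
)


def parse_zsenders(text):
    """Turn the fixed-column zsenders table into a list of dicts.
    The header line and anything that is not a data row are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("mess", "bytes", "sbytes", "rbytes", "recips", "tries", "uid"):
            row[key] = int(row[key])
        row["xdelay"] = float(row["xdelay"])
        # Envelope sender domain, lower-cased; empty string for a null sender <>.
        row["domain"] = row["sender"].rpartition("@")[2].lower()
        rows.append(row)
    return rows


def classify(rows, local_domain=LOCAL_DOMAIN):
    """Group senders by how the message entered the queue and by the domain
    the envelope sender claims.

    uid 0 is root injecting locally (cron, server-manager and so on).  A
    non-zero uid is the account the SMTP daemon queues under; assumption here:
    on this server uid 101 is that account, so those rows arrived over SMTP.
    A foreign envelope domain arriving over SMTP is the case to look at: it is
    either inbound mail for a local user (normal) or mail trying to relay
    through the box (the worry in the post)."""
    groups = {"local_injection": [], "smtp_local_domain": [], "smtp_foreign_domain": []}
    for row in rows:
        if row["uid"] == 0:
            groups["local_injection"].append(row)
        elif row["domain"] == local_domain.lower():
            groups["smtp_local_domain"].append(row)
        else:
            groups["smtp_foreign_domain"].append(row)
    return groups


def summary(text, local_domain=LOCAL_DOMAIN):
    """Sender, message and recipient totals per group, plus the foreign
    senders ordered by recipient count so the busiest show up first."""
    groups = classify(parse_zsenders(text), local_domain)
    out = {}
    for name, rows in groups.items():
        out[name] = {
            "senders": len(rows),
            "messages": sum(r["mess"] for r in rows),
            "recipients": sum(r["recips"] for r in rows),
        }
    foreign = sorted(groups["smtp_foreign_domain"], key=lambda r: r["recips"], reverse=True)
    out["foreign_senders"] = [r["sender"] for r in foreign]
    return out


if __name__ == "__main__":
    for name, value in summary(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```

On the full table from the post the `smtp_foreign_domain` group is the long list of addresses Ted does not recognise; the counts alone do not say whether those messages were inbound mail for local users or relay attempts, which is what the delivery log has to answer.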

jfarschman
Mail/Log file question
« Reply #1 on: October 11, 2006, 03:12:59 PM »
Ted,

  All of those addresses attempted to send email from your server.  Were they successful?  I don't think so.... not unless it's misconfigured.  Potentially, users outside the LAN can send messages, but they would need to use SMTP AUTH to do it.... meaning they need a username and password.

  Of course, it's possible that you have a machine inside your network running trojan software and sending email from its privileged location (the LAN).

  I would take a close look at the logs and see if the messages are actually getting out or if they are dying before they can get sent.

  If they are beating up your machine with just 'requests' to send and not actual successful sends, then you should see how many messages they are sending concurrently.  We could probably control this.  Also... are all of these coming from a handful of IP addresses?  You could likely block those addresses.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com
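Jay's suggestion to check whether the messages are actually getting out can be answered from the qmail-send log rather than the summary report: every queued message is logged as `info msg N: bytes B from <sender> qp P uid U`, each attempt as `starting delivery D: msg N to local|remote address`, and each outcome as `delivery D: success|failure|deferral: ...`. The script below is an added example (not code from the post or from SME Server) that joins those three line types and reports, per envelope sender, how many remote deliveries succeeded, bounced, or are still deferred in the queue. The log excerpt is constructed in that format with tai64n timestamps left off (the script strips them if present); the addresses and IPs in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed qmail-send log excerpt in the format qmail-send writes
# (tai64n timestamps omitted for brevity); not taken from the post.
SAMPLE_LOG = """\
new msg 131090
info msg 131090: bytes 10992 from <mjyyynkhiue@xcurrent.com> qp 4410 uid 101
starting delivery 7: msg 131090 to remote someone@example.net
delivery 7: failure: 192.0.2.10_does_not_like_recipient./Remote_host_said:_550_User_unknown/
end msg 131090
new msg 131091
info msg 131091: bytes 4423 from <root@shadowsfall.org> qp 4412 uid 0
starting delivery 8: msg 131091 to local admin@shadowsfall.org
delivery 8: success: did_0+0+1/
end msg 131091
new msg 131092
info msg 131092: bytes 10136 from <croftrob@msn.com> qp 4415 uid 101
starting delivery 9: msg 131092 to remote a@example.org
delivery 9: deferral: Connected_to_192.0.2.11_but_connection_died._(#4.4.2)/
starting delivery 10: msg 131092 to remote b@example.org
delivery 10: success: 192.0.2.12_accepted_message./Remote_host_said:_250_ok/
end msg 131092
"""

TAI64N_RE = re.compile(r"^@[0-9a-f]{24} ")
INFO_RE = re.compile(r"^info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START_RE = re.compile(r"^starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT_RE = re.compile(r"^delivery (\d+): (success|failure|deferral): ")


def summarize_deliveries(log_text):
    """Map each envelope sender to counts of delivery outcomes, keyed as
    'remote:success', 'remote:deferral', 'local:success' and so on.
    Lines are linked through the message id (info -> starting delivery)
    and the delivery id (starting delivery -> result)."""
    msg_sender = {}    # msg id -> (sender, uid)
    delivery_msg = {}  # delivery id -> (msg id, "local" | "remote")
    stats = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        line = TAI64N_RE.sub("", raw.strip())
        m = INFO_RE.match(line)
        if m:
            msg_sender[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = START_RE.match(line)
        if m:
            delivery_msg[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = RESULT_RE.match(line)
        if m and m.group(1) in delivery_msg:
            msg_id, where = delivery_msg[m.group(1)]
            sender = msg_sender.get(msg_id, ("<unknown>", -1))[0]
            stats[sender][f"{where}:{m.group(2)}"] += 1
    return {sender: dict(counts) for sender, counts in stats.items()}


def relayed_senders(stats):
    """Senders whose mail really left the box: at least one remote delivery
    succeeded.  These are the rows that would indicate an open relay or a
    compromised LAN host, as the reply warns."""
    return sorted(s for s, c in stats.items() if c.get("remote:success", 0) > 0)


def queued_senders(stats):
    """Senders with deferred remote deliveries, i.e. mail still sitting in
    the queue and being retried, which is load without any successful send."""
    return sorted(s for s, c in stats.items() if c.get("remote:deferral", 0) > 0)


if __name__ == "__main__":
    stats = summarize_deliveries(SAMPLE_LOG)
    for sender, counts in stats.items():
        print(sender, counts)
    print("got out:", relayed_senders(stats))
    print("still queued:", queued_senders(stats))
```

A failure line means the message bounced and is gone; a deferral means qmail-send will keep retrying it, so a long list of deferred remote deliveries from foreign senders is both the slowdown Ted saw and a sign that something is feeding mail into the queue that cannot be delivered.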