Topic: Spam-problem - Help in understand qpsmtpd logs

[holck]

Looking through the qpsmtpd logs I have noticed the following pattern:

Code: [Select]


...
@4000000046b0c0a81d7d185c 27492 dispatching EHLO 18925178019.user.veloxzone.com.br
@4000000046b0c0a81daeceec 27492 running plugin (ehlo): check_spamhelo
@4000000046b0c0a81dcc78ac 27492 trying to get config for badhelo
@4000000046b0c0a81df97c1c 27492 Plugin check_spamhelo, hook ehlo returned DECLINED,
@4000000046b0c0a81e1e904c 27492 trying to get config for tls_before_auth
@4000000046b0c0a81e3dd04c 27492 trying to get config for me
@4000000046b0c0a81e65269c 27492 trying to get config for databytes
@4000000046b0c0a81e8b34cc 27492 trying to get config for databytes
@4000000046b0c0a81ea5eca4 27492 250-di-vers.dyndns.org Hi 18925178019.user.veloxzone.com.br [189.25.178.19]
@4000000046b0c0a81ebe23dc 27492 250-PIPELINING
@4000000046b0c0a81ed614c4 27492 250-8BITMIME
@4000000046b0c0a81eedf60c 27492 250 SIZE 15000000
@4000000046b0c0a913bd8cfc 27492 dispatching MAIL FROM:<linkotymetxx@kotyxx.de>
@4000000046b0c0a913bdb024 27492 full from_parameter: FROM:<linkotymetxx@kotyxx.de>
@4000000046b0c0ab083cb22c 11379 cleaning up after 27492

What happens here? What puzzles (and maybe also worries me) is that qpsmptp-logterse doesn't log anything. So is this (spam) mail just silently rejected?

[mmccarn]

What SME version are you running?  logterse should be active with version 7.2.

In any SME 7.x the amount of detail you get otherwise is affected by config qpsmtpd LogLevel x

Replace x with a number as follows:

• You need to set LogLevel to 8 to get the spamassassin & DENY information in your qpsmtpd logs if logterse is not working.
• the default in a new SME 7.2 install is 6
• set at 4 I am still getting full logging detail from logterse.

[holck]

Thank you for your answer - I do indeed have version 7.2 and logterse running.

What puzzled me is that in the example I showed, logterse doesn't produce a summary to the qpsmtpd/current log file. And the log file says nothing about what happened to this particular email.

My guess at the moment is that the mail was just silently ignored, probably because another spam mail from the same IP-address was rejected (due to Spamhaus black listing) just 10 seconds earlier.

Recently my server has been really bombarded with spam mail. One botnet PC from France tried 1590 times during something like 10 hours ...

[compdoc]

That actually looks like a normal transaction, though it seems to be missing some entries. I think you might need to look at the logs further.

200+ numbers means sender or recipient OK as well as other things happening OK:

250-domain.com
250-PIPELINING
220 servername.domain.com ESMTP

and 354 means spooling to disk.

500+ numbers mean the mail is rejected. For example these are rejections for 3 seperate emails:

552 spam score exceeded threshold
550 http://www.spamhaus.org/query/bl?ip=203.197.248.161
550 relaying denied

Also check the spamd logs.