Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: Ted on October 11, 2006, 04:45:53 AM
-
Over the last couple of days my SME server had become slower and slower. This afternoon it got to the point where it took a couple of minutes to log in via webmail, and later when I was home I could not even log into the "server-manager". So I went downstairs, logged in directly (also slow) and rebooted the server.
When it came up it was much faster, I logged into server-manager and looked at the log/mail log files, and found this
::::::::::::::
Mail Log File Analysis
Report generated: Tue 10 Oct 2006 07:01:15 PM PDT
Senders
One line per sender. Information on each line:
* mess is the number of messages sent by this sender.
* bytes is the number of bytes sent by this sender.
* sbytes is the number of bytes successfully received from this sender.
* rbytes is the number of bytes from this sender, weighted by recipient.
* recips is the number of recipients (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this sender.
mess bytes sbytes rbytes recips tries xdelay sender
1 4423 4423 4423 1 1 0.142793 0/<root@shadowsfall.org>
2 1450 1450 1450 2 2 0.194147 0/<anonymous@shadowsfall.org>
1 10992 10992 10992 1 1 0.017016 101/<mjyyynkhiue@xcurrent.com>
1 11004 11004 11004 1 1 0.016049 101/<uodqazywszj@sunsetsound.com>
1 1345 1345 1345 1 1 0.766783 101/<extramom@goldgrate.com>
1 1353 1353 1353 1 1 0.249582 101/<sjwright@gilesdesign.com>
1 1406 1406 1406 1 1 0.207618 101/<staikos@grist.org>
1 1413 1413 1413 1 1 0.129886 101/<csnet@green-enterprizes.com>
1 1434 1434 1434 1 1 0.115871 101/<macpherson@goldenfork.com>
1 1435 1435 1435 1 1 0.315396 101/<bunk@gr.issworld.com>
1 1440 1440 1440 1 1 0.381869 101/<fenner@gkfd.com>
1 1443 1443 1443 1 1 0.563207 101/<publicworks@grapejamboree.com>
1 1454 1454 1454 1 1 0.319413 101/<antman@golf-dynamics.com>
1 1455 1455 1455 1 1 0.217710 101/<pfremy@grandmarais.com>
1 1466 1466 1466 1 1 0.101189 101/<nandersl@gourmetcoffeehouse.com>
1 1472 1472 1472 1 1 0.020979 101/<gellyfish@glij.com>
1 1497 1497 1497 1 1 0.233790 101/<reichert@gl00on.net>
1 1566 1566 1566 1 1 0.036083 101/<xalba@ggelectric.net>
1 16403 16403 16403 1 1 0.016090 101/<aaejtdn@imfsm.com>
1 1812 1812 1812 1 1 0.016000 101/<zeebear@kurogi.com>
1 18366 18366 18366 1 1 0.014903 101/<ecrrg@activeworlds.com>
1 18616 18616 18616 1 1 0.033267 101/<xksslrjkiec@theamconveyors.com>
1 19628 19628 19628 1 1 0.040063 101/<clish@bryantravel.com>
1 2376 2376 2376 1 1 0.014048 101/<fswzdvx@softwaredata.com>
1 28848 28848 28848 1 1 0.015106 101/<annag@asiansonly.net>
1 4665 4665 4665 1 1 0.014252 101/<root@shadowsfall.org>
1 5386 5386 5386 1 1 0.258656 101/<aldebaron@aldebaron.com>
2 10136 10136 10136 2 2 0.068192 101/<croftrob@msn.com>
2 10328 10328 10328 2 2 0.053009 101/<coplaf@nethall.com.br>
2 10548 10548 10548 2 2 0.050797 101/<decibelcu@decibelcu.com>
2 10586 10586 10586 2 2 0.984403 101/<adamquest@adamquest.com>
2 10616 10616 10616 2 2 0.043657 101/<kits@1-866-logkits.com>
2 10658 10658 10658 2 2 0.869203 101/<agilolfia@agilolfia.com>
2 10696 10696 10696 2 2 0.082820 101/<agapedata@agapedata.com>
2 10698 10698 10698 2 2 0.591815 101/<gab@00tech.com>
2 10704 10704 10704 2 2 0.616128 101/<zulutango@zulutango.com>
2 10726 10726 10726 2 2 0.067566 101/<agwolfson@agwolfson.com>
2 10736 10736 10736 2 2 0.906156 101/<obponline@obponline.com>
2 10798 10798 10798 2 2 0.124419 101/<alliowens@alliowens.com>
2 10854 10854 10854 2 2 0.086125 101/<ebmaster@10-75.com>
2 10872 10872 10872 2 2 0.086491 101/<gckenvlaw@gckenvlaw.com>
2 10878 10878 10878 2 2 0.597594 101/<jewellabs@jewellabs.com>
2 10924 10924 10924 2 2 0.100689 101/<admin@007designs.com>
2 10926 10926 10926 2 2 0.051853 101/<ffa@10-million-hits.com>
2 10958 10958 10958 2 2 0.034891 101/<dozer@0010110.com>
2 11044 11044 11044 2 2 0.059485 101/<amypearse@mac.com>
2 11132 11132 11132 2 2 0.151553 101/<genovese@00map.com>
2 11176 11176 11176 2 2 0.104793 101/<comments@1-stop-guide.com>
2 11188 11188 11188 2 2 0.047473 101/<crouch@legoland.eng.sun.com>
2 11222 11222 11222 2 2 0.077942 101/<bbresson@1000trails.com>
2 11320 11320 11320 2 2 0.149806 101/<acmemiami@acmemiami.com>
2 11332 11332 11332 2 2 0.680429 101/<globalcor@globalcor.com>
2 11372 11372 11372 2 2 1.395418 101/<gopenshaw@gopenshaw.com>
2 11390 11390 11390 2 2 0.039381 101/<cruther@goldenware.com>
2 11466 11466 11466 2 2 0.523527 101/<pinchaser@pinchaser.com>
2 11578 11578 11578 2 2 0.104643 101/<accentpwp@accentpwp.com>
2 11664 11664 11664 2 2 0.117433 101/<guest@00agents.com>
2 11736 11736 11736 2 2 0.040137 101/<agbeltinc@agbeltinc.com>
2 11956 11956 11956 2 2 0.036038 101/<ahcihomes@ahcihomes.com>
2 12000 12000 12000 2 2 0.036243 101/<bbaginski@0-0.com>
2 12186 12186 12186 2 2 0.090029 101/<angelaford@mac.com>
2 12314 12314 12314 2 2 0.111637 101/<conniefranklin@mindspring.com>
2 12344 12344 12344 2 2 0.039180 101/<bobmor@earthlink.net>
2 14462 14462 14462 2 2 0.055748 101/<bobcatdy@earthlink.net>
2 6726 6726 6726 2 2 0.046240 101/<correct@1-800-cruise.com>
2 7380 7380 7380 2 2 0.041734 101/<jvancecpa@1-stopnet.com>
8 4906 4906 4906 8 8 0.170310 101/<anonymous@shadowsfall.org>
:::::::::::End Cut
Aside from shadowsfall.org (the last one) I don't recognize any of these. If I read this right, all of these "people" sent e-mails from my server?
Help.
Ted
-
Ted,
All of those addresses attempted to send email from your server. Were they successful? I don't think so... not unless it's misconfigured. Potentially, users outside the LAN can send messages, but they would need to use SMTP AUTH to do it... meaning they need a username and password.
Of course, it's possible that you have a machine inside your network running trojan software and sending email from its privileged location (the LAN).
I would take a close look at the logs and see if the messages are actually getting out or if they are dying before they can get sent.
If they are beating up your machine with just 'requests' to send and not actual successful sends, then you should see how many messages they are sending concurrently. We could probably control this. Also... are all of these coming from a handful of IP addresses? You could likely block those addresses.
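
An added example, not part of the original thread or of SME Server: a small Python parser for the "Senders" report format pasted in the first post, which totals messages per prefix number and lists sender addresses outside the local domain whose sbytes column is non-zero. The number before the slash is assumed to be the uid that queued the message; the last sample row is constructed, the other rows are copied from the report above.

```python
import re
from collections import defaultdict

# Columns: mess bytes sbytes rbytes recips tries xdelay uid/<address>
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
                 r"\s+([\d.]+)\s+(\d+)/<([^>]*)>\s*$")

SAMPLE = """\
mess bytes sbytes rbytes recips tries xdelay sender
1 4423 4423 4423 1 1 0.142793 0/<root@shadowsfall.org>
1 10992 10992 10992 1 1 0.017016 101/<mjyyynkhiue@xcurrent.com>
2 10136 10136 10136 2 2 0.068192 101/<croftrob@msn.com>
8 4906 4906 4906 8 8 0.170310 101/<anonymous@shadowsfall.org>
1 2000 0 0 1 3 0.500000 101/<nobody@example.invalid>
"""  # last row is constructed to show a sender with nothing delivered

def parse_senders(report_text):
    """Return one dict per data row; headings and legend lines are skipped."""
    rows = []
    for line in report_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        mess, nbytes, sbytes = (int(m.group(i)) for i in (1, 2, 3))
        address = m.group(9)
        rows.append({"uid": int(m.group(8)), "address": address,
                     "domain": address.rpartition("@")[2].lower(),
                     "mess": mess, "bytes": nbytes, "sbytes": sbytes})
    return rows

def summarize_by_uid(rows, local_domains):
    """Per-uid totals, counting messages whose sender domain is not local."""
    out = defaultdict(lambda: {"mess": 0, "foreign_mess": 0, "bytes": 0, "sbytes": 0})
    for r in rows:
        s = out[r["uid"]]
        s["mess"] += r["mess"]
        s["bytes"] += r["bytes"]
        s["sbytes"] += r["sbytes"]
        if r["domain"] not in local_domains:
            s["foreign_mess"] += r["mess"]
    return dict(out)

def foreign_delivered(rows, local_domains):
    """Sender addresses outside local_domains with a non-zero sbytes column."""
    return [r["address"] for r in rows
            if r["domain"] not in local_domains and r["sbytes"] > 0]

if __name__ == "__main__":
    parsed = parse_senders(SAMPLE)
    print(summarize_by_uid(parsed, {"shadowsfall.org"}))
    print(foreign_delivered(parsed, {"shadowsfall.org"}))
```

Per the report's own legend, sbytes is the number of bytes successfully received from a sender, so a row where sbytes equals bytes describes mail that was accepted for delivery rather than rejected.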