Koozali.org: home of the SME Server

qmail / mail reports a little understanding please?

Offline steve288

« on: October 31, 2008, 04:38:49 PM »
I have version 6.0 of SME. I tell you that not because this is necessarily a 6.0 question (this is after all the general newsgroup) but just so you know what I'm working with.

I really don't understand many of the mail logs. I hope that some might help me to understand what the reports are telling me.
When I look at the mail reports I see odd things. Perhaps they are completely normal, I know mail programs do things that are far beyond what you might expect, and we don't have any problems. Our organization has about 50 users.


Take for example the list of outgoing mail and recipients

It lists like this...

26 Oct 2008 13:43:51 GMT  #164178  1516   
   remote   303389498@removingthepast.net
31 Oct 2008 12:51:26 GMT  #164155  15663  <>
   remote   support@awesomedailydeal.com
28 Oct 2008 15:13:03 GMT  #164431  1567   
   remote   noreply@rideatnight.info
31 Oct 2008 00:38:59 GMT  #164110  94873  <>
   remote   stqvcc@messengerssupply.com
31 Oct 2008 11:34:10 GMT  #164133  7648  <>
   remote   AgelessSkinCare@starkea.com
31 Oct 2008 12:58:07 GMT  #164156  1527   
   remote   support@awesomedailydeal.com
28 Oct 2008 17:19:09 GMT  #164225  1560   
   remote   noreply@wi-ficoffeeshop.com
27 Oct 2008 14:16:06 GMT  #164386  1589   
   remote   noreply@thegigbooker.com
29 Oct 2008 13:54:08 GMT  #164409  1542   
   remote   303389498@establishedpeople.net
31 Oct 2008 00:55:23 GMT  #164111  147485  <>
   remote   DeliveryConfirmation@eastwesttechgroup.com
31 Oct 2008 12:12:34 GMT  #164134  4743  <>
   remote   303389498@nevertriedit.com
31 Oct 2008 12:57:50 GMT  #164157  15663  <>
   remote   support@awesomedailydeal.com
26 Oct 2008 21:45:28 GMT  #164180  1554   

Some of these addresses seem a bit odd. I find it hard to believe that anyone is emailing to awesomedailydeal.com or establishedpeople.net. So what is this telling me, what is remote mail anyway? I have tried to search the net but can't find any info on what this remote means ??


Then there is "Reasons for deferral" list

1      31.89  207.155.254.15 does not like recipient./Remote host said: 450 <seamstressesdfz@myevas.com>: Recipient address rejected: Valid DNS required on connecting IP (74.13.219.91) [17GC6CSBAH00]/Giving up on 207.155.254.15./
    1      42.89  207.155.254.8 does not like recipient./Remote host said: 450 <dwvismanm@visman.com>: Recipient address rejected: Valid DNS required on connecting IP (74.13.219.91) [17FGKTS2E200]/Giving up on 207.155.254.8./
    1     103.19  207.155.254.8 does not like recipient./Remote host said: 450 <root@bellandleggiollp.com>: Recipient address rejected: Valid DNS required on connecting IP (74.13.219.91) [17G6I1PLAG00]/Giving up on 207.155.254.8./
    1      42.64  207.155.254.9 does not like recipient./Remote host said: 450 <strjohdg@bodyrubinc.com>: Recipient address rejected: Valid DNS required on connecting IP (74.13.219.91) [17G41QQA5Q00]/Giving up on 207.155.254.9./
    1       2.88  207.156.43.81 does not like recipient./Remote host said: 450 cuda nsu <empress@floridabuilding.org>: Recipient address rejected: User unknown in local recipient table/Giving up on 207.156.43.81./

Again they seem a bit odd, e.g. root@bell... I'm fairly certain no one is emailing to root and other addresses.



Also
Recipient Hosts

 7820      1      1      4.63  037.silvermailings.com
     8139      1      1      1.63  038.silvermailings.com
     7306      2      2      1.32  03.asp020.com
        0      1      1      0.00  0402460492.com
     8256      1      1      0.71  040.silvermailings.com
     4752      2      2      8.18  044.qcx.net
     7315      1      1      0.83  044.silvermailings.com
        0      2     10      0.00  0451.com
        0      0     43      0.00  04561.com
     5323      2      2      3.37  046.qcx.net
     7313      1      1      1.13  046.silvermailings.com
     8222      1      1      1.95  04.asp020.com
     6890      2      2      1.22  051.mx03.net
     8335      1      1      1.08  052.silvermailings.com
        0      0      2      0.00  0541.com
     4784      2      2      2.12  054.qcx.net
     8265      1      1      1.11  056.silvermailings.com
     8712      1      1      0.72  059.silvermailings.com
     8255      1      1      1.42  061.silvermailings.com
     7316      1      1      0.83  063.silvermailings.com
    15625      2      2      1.72  064.silvermailings.com
    19197      3      3     10.34  06.asp060.com
     7197      1      1      0.00  06.you2q.com

All seems a bit odd all the silvermailings.com

I don't believe we are being used to send out spam. When I look at the log I don't see 100's of 1000's of messages. Perhaps 100's; some seem valid, some not valid. Is it something about mail that I don't understand?

While my system is version 6.0 it doesn't bog down and we don't get any indication that there are any problems. It's just these messages are odd. As well as some 100 to 400 messages in the mail queue. Right now it says

messages in queue: 164
messages in queue but not yet preprocessed: 0

Which seems to mean that everything is going out. Yesterday I used qmHandle to delete about 300 that were noreplys and some spam.


Can anyone give me some educated answers to my inquiry to understand what these logs mean and perhaps what mail is doing?

Regards

Offline CharlieBrady

« Reply #1 on: October 31, 2008, 05:09:58 PM »
> I have version 6.0 of SME.

Well you shouldn't.

Offline CharlieBrady

« Reply #2 on: October 31, 2008, 05:11:37 PM »
> 31 Oct 2008 12:51:26 GMT  #164155  15663  <>
>    remote   support@awesomedailydeal.com

That is a bounce message.

Offline steve288

« Reply #3 on: October 31, 2008, 05:31:01 PM »
Are you saying that the messages that seem questionable are bounced messages?

I assume there are various kinds of bounced messages, but the only type I can think of are messages that I or a user here sends out and then it can't find the intended recipient and it bounces back to the original sender. I suppose it could be someone out in the world using our domain as a fake return address and when it can't find the intended recipient it bounces back to us. Do you mean either of these or something else, can you clarify?

Regards

Offline steve288

« Reply #4 on: October 31, 2008, 05:32:00 PM »
And is that what all remote messages are ??


Offline CharlieBrady

« Reply #5 on: October 31, 2008, 11:34:18 PM »
I'm sorry, but I stopped supporting SME 6 years ago, as did everyone else.

Offline warren

« Reply #6 on: November 01, 2008, 08:55:28 AM »
Looks like spam messages originating from infected PCs on your LAN.
Shut down your server or disconnect all PCs from it and run AV software on all the PCs, then
as you have scanned and cleaned each, allow it back onto the LAN, check your mail queue / logs.

but as Charlie says, please upgrade to the latest version:

see the following also re upgrading :
http://wiki.contribs.org/UpgradeDisk

http://forums.contribs.org/index.php?topic=30745.0

Offline akhilmathema

« Reply #7 on: November 03, 2008, 01:51:43 AM »
They seem to be bounce-back messages to the remote sender trying to send mails to invalid users in your domains. They are mostly SPAM trying to get through. In SME 6.0 systems, there are two things that can minimize the problem.
1) Forward those emails either to admin or other email accounts so that the bounced back SPAMS won't be forwarded to legitimate mail servers. Unless done, this can even probably lead your IP to be blacklisted.
# /sbin/e-smith/config set EmailUnknownUser admin2
# /sbin/e-smith/config setprop qmail DoubleBounceTo admin2
# /sbin/e-smith/signal-event email-update

2) Activate rblsmtpd by editing your /var/service/smtpfront-qmail/run
exec 2>&1
exec /usr/bin/env - \
     /usr/local/bin/envuidgid qmaild \
     /usr/local/bin/tcpserver \
        -U \
        -R \
        -x /etc/tcprules/tcp.smtp.cdb \
        -l 0 \
        0 smtp \
        /usr/local/bin/rblsmtpd -b -r sbl-xbl.spamhaus.org -r cbl.abuseat.org \
        /usr/local/bin/envdir ./env \
        /usr/bin/smtpfront-qmail

# svc -t /service/smtpfront-qmail
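
Added example, not part of any post in this thread: a short Python parser for a queue listing laid out like the one in the first post. It counts the messages whose envelope sender is `<>` (the bounce marker pointed out in Reply #2) and the remote domains they are addressed to. The sample listing, its message numbers and its addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the listing in the first post:
# a header line (date, #id, size, envelope sender) followed by one
# indented line per recipient.
SAMPLE = """\
31 Oct 2008 12:51:26 GMT  #900001  15663  <>
   remote   support@deals.example
31 Oct 2008 12:57:50 GMT  #900002  15663  <>
   remote   support@deals.example
31 Oct 2008 13:02:11 GMT  #900003  2048  <alice@ourdomain.example>
   remote   bob@partner.example
   local    carol@ourdomain.example
31 Oct 2008 13:05:40 GMT  #900004  4743  <>
   remote   news@bulk.example
"""

HEADER = re.compile(
    r"^(\d{1,2} \w{3} \d{4} [\d:]+ GMT)\s+#(\d+)\s+(\d+)\s*(?:<(.*)>)?\s*$")
RCPT = re.compile(r"^\s+(remote|local)\s+(\S+)\s*$")

def parse_queue(text):
    """Return one dict per message: id, size, sender, recipients.

    sender is "" for the null sender <>, and None when the listing
    shows no sender field at all (so the two are never confused).
    """
    messages = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            messages.append({"id": int(m.group(2)), "size": int(m.group(3)),
                             "sender": m.group(4), "recipients": []})
            continue
        r = RCPT.match(line)
        if r and messages:
            messages[-1]["recipients"].append((r.group(1), r.group(2)))
    return messages

def bounce_summary(messages):
    """Count null-sender messages and the remote domains they target."""
    bounces = [m for m in messages if m["sender"] == ""]
    domains = Counter(addr.rsplit("@", 1)[-1].lower()
                      for m in bounces
                      for kind, addr in m["recipients"] if kind == "remote")
    return {"total": len(messages), "bounces": len(bounces),
            "bounce_targets": domains.most_common()}

if __name__ == "__main__":
    print(bounce_summary(parse_queue(SAMPLE)))
```

A queue in which most entries are null-sender messages to domains nobody on site corresponds with matches the pattern described in Reply #7: bounces for mail that arrived with forged sender addresses.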

Offline steve288

« Reply #8 on: November 03, 2008, 03:32:36 PM »
akhilmathema, thanks for your helpful comments and answering my question. I will look into what you have mentioned.

Regards

Offline janet

« Reply #9 on: November 03, 2008, 09:45:44 PM »
steve288

In case you get uppity, this is answering your question, it's just not the answer you are expecting or wanting.

Why are you worried about a few bounce messages when you should be worried about connecting an insecure sme v6.x server to the Internet ?

Do us all a favour and remove your insecure server from the Net. Please upgrade it to sme 7.3, as that version has much improved email handling & so much more etc etc etc.
You may be surprised to see that the default sme7.3 resolves many of your bounce issues.

It's a free download and will still run on all but the oldest equipment you may be using for sme6.x.

I have sme7.3 running on a P333 box with 256Mb RAM. Server manager functions are slow, but web access is acceptable. I'm not promoting that as recommended practise, just saying that sme7.x will run on older hardware, especially where only light duty is being done.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline steve288

« Reply #10 on: November 11, 2008, 10:51:00 PM »
Mary,

I'm not sure I know what you mean ?? The person gave me some good insights?

Sorry am I missing something :)

Offline janet

« Reply #11 on: November 12, 2008, 02:28:03 AM »
steve288

Please upgrade your insecure sme6.x server to sme 7.3. You will then have much improved email handling and a secure server that has regular updates released for it.
If your sme 6 server gets hacked (which is a distinct possibility), then other Internet email & web server administrators suffer to some small degree, i.e. your server generates additional spam & viruses & acts as an open relay server to attack others from.

Please upgrade asap rather than patching your sme6 to work a bit better in one aspect.