Logs and how to read them
mikey at b2systems.com
Wed Apr 21 20:07:26 UTC 2004
I am a very newbie here and my ISP is saying they received a complaint
about SPAM being sent from my machine, they claim its my IP that sent it
(fixed IP, not DHCP).
I have checked and I have relaying turned off and only 6 valid users on
the machine, I forced a password change for all accounts. I also used
Abuse.Nets relay test to make sure I was not allowing relays. I have no
idea how that SPAM got out. Since this machine is a firewall for our
office, I tested all internal machines for virus/worms/etc with the latest
So, in the process I looked at all my logs in /var/log I specifically
grep'd for the email address that the spam was sent as and to and found no
references to it in my logs implying it was not my machine. But I found
other things that I dont know how to read.
I googled and found no place for a "how-to read logs and what they
mean". In /var/log/messages, I googled for "lame servers" and found that
is ok along with a few other items.
in maillog however, I see very few "Relaying denied" messages (I expected
more of them) and a lot of "lost input" messages that from googling appears
to be a spammer that got blocked and ok (is that true?). In every case
where a "lost input" was I could find 2 lines, one for the "from" and one
for lost input with the matching "sendmail[xxxx]" number.
But lines like these 2 below did NOT have matching lines, does this mean
they got sent ? relayed thru my machine somehow ? I could not find a fail
or sent line for many lines like the ones below.
Apr 21 12:25:00 mail sendmail: MAA01067:
from=<postmaster at hoteiscontinental.com.br>, size=1657, class=0, pri=0
, nrcpts=0, proto=ESMTP, relay=[18.104.22.168]
Apr 21 12:29:03 mail sendmail: MAA01214: from=<>, size=0, class=0,
pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [22.214.171.124]
Where do I learn to read the various logs on Fedora/Linux ? If I missed
a google what should have I googled for ?
More information about the users