Logs and how to read them

Peter Boy pboy at barkhof.uni-bremen.de
Wed Apr 21 20:27:16 UTC 2004


On Wed, 21.04.2004 at 22:07, Mike Rambour wrote:
>     I am a very newbie here and my ISP is saying they received a complaint 
> about SPAM being sent from my machine, they claim its my IP that sent it 
> (fixed IP, not DHCP).

You should ask them for the log entries they used to identify your
machine as the culprit.

>    I have checked and I have relaying turned off and only 6 valid users on 
> the machine, I forced a password change for all accounts.  I also used 
> Abuse.Nets relay test to make sure I was not allowing relays. I have no 
> idea how that SPAM got out.  Since this machine is a firewall for our 
> office,  I tested all internal machines for virus/worms/etc with the latest 
> tools.

I suppose these machines are Windows. You should check their mail
program configuration. What SMTP host do they use for sending mail? In
addition you should reconfigure one client to directly use an SMTP host
outside your office network (assuming they are configured to use the
smtpd on your firewall box). Your firewall configuration should block
this type of communication. Otherwise a client can send mail which will
not show up in your log file.

>    But lines like these 2 below did NOT have matching lines, does this mean 
> they got sent ? relayed thru my machine somehow ?  I could not find a fail 
> or sent line for many lines like the ones below.
> 
> Apr 21 12:25:00 mail sendmail[1067]: MAA01067: 
> from=<postmaster at hoteiscontinental.com.br>, size=1657, class=0, pri=0
> , nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
> Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, 
> pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]

You should perform a
  grep MAA01067   /var/log/maillog
or, respectively, a
  grep MAA01214   /var/log/maillog
and you should see the complete communication.

>    Where do I learn to read the various logs on Fedora/Linux ?  If I missed 
> a google what should have I googled for ?

Really, I would like to know, too  :-)


Btw.: After you have resolved the issue, you should consider switching to
postfix as your MTA. It's easier to configure and to maintain, the log
entries are more self-explanatory, and much more.



Peter
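Added example, not part of the thread above: grepping the queue ID shows one transaction at a time; the script below does the same grouping for a whole maillog and says what became of each envelope, so that from= lines with nrcpts=0 (no recipient was accepted, hence no to= line will ever follow) are separated from mail that was actually delivered, and accepted envelopes are counted per submitting relay to spot the internal client that is pumping mail through the box. The sample log is constructed: the two from= lines mirror the ones quoted in the thread, and the ruleset=/to=/stat= lines are assumed examples of the sendmail entries a grep for the queue ID could turn up.

```python
"""Group sendmail maillog lines by queue ID and report what happened to each envelope.
Added example for this thread; the log below is constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog (sendmail 8.12-era format).
SAMPLE_MAILLOG = """\
Apr 21 12:25:00 mail sendmail[1067]: MAA01067: from=<postmaster@hoteiscontinental.com.br>, size=1657, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=[200.213.72.130]
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: ruleset=check_rcpt, arg1=<victim@example.net>, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2], reject=550 5.7.1 <victim@example.net>... Relaying denied
Apr 21 12:29:03 mail sendmail[1214]: MAA01214: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=fw1-81-80-126-2.bplc.fr [81.80.126.2]
Apr 21 12:31:10 mail sendmail[1301]: MAA01301: from=<alice@example.org>, size=2210, class=0, pri=32210, nrcpts=1, msgid=<20040421123110.GA1301@example.org>, proto=ESMTP, relay=[192.168.1.25]
Apr 21 12:31:11 mail sendmail[1303]: MAA01301: to=<bob@example.com>, ctladdr=<alice@example.org> (501/501), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32210, relay=mx.example.com. [203.0.113.5], dsn=2.0.0, stat=Sent (OK)
Apr 21 12:40:02 mail sendmail[1420]: MAA01420: from=<spammer@example.com>, size=4096, class=0, pri=34096, nrcpts=2, proto=ESMTP, relay=[192.168.1.40]
Apr 21 12:40:03 mail sendmail[1422]: MAA01420: to=<t1@example.net>,<t2@example.net>, ctladdr=<spammer@example.com> (1001/1001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=34096, relay=mx.example.net. [198.51.100.9], dsn=2.0.0, stat=Sent (queued)
"""

# "... sendmail[1067]: MAA01067: from=..." -> queue ID and the rest of the entry
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sendmail\[\d+\]: (\w+): (.*)$")
# key=value pairs; a value runs until the next ", key=", so commas inside a
# value (to=<a>,<b>, "reject=550 ... Relaying denied") stay part of it
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_fields(rest):
    return dict(FIELD_RE.findall(rest))


def summarize_transactions(log_text):
    """Return {queue_id: {from, nrcpts, relay, to: [(rcpt, stat)], rejects: [...]}}."""
    tx = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.groups()
        if qid == "NOQUEUE":          # rejected before a queue ID was assigned
            continue
        fields = parse_fields(rest)
        t = tx.setdefault(qid, {"from": None, "nrcpts": None, "relay": None,
                                "to": [], "rejects": []})
        if "from" in fields:          # envelope line: sender and accepted recipient count
            t["from"] = fields["from"]
            t["nrcpts"] = int(fields.get("nrcpts", "0"))
            t["relay"] = fields.get("relay")
        elif "to" in fields:          # delivery attempt, one line may carry several rcpts
            for rcpt in fields["to"].split(","):
                t["to"].append((rcpt, fields.get("stat", "")))
        elif "reject" in fields:      # ruleset rejection, e.g. relaying denied
            t["rejects"].append(fields["reject"])
    return tx


def classify(t):
    """Human-readable fate of one envelope, derived from nrcpts and the to= lines."""
    if t["nrcpts"] is None:
        return "incomplete (no from= line in this log excerpt)"
    if t["nrcpts"] == 0:
        why = "relay attempt rejected (see reject= line)" if t["rejects"] else "no RCPT TO was accepted"
        return f"nothing to deliver: {why}"
    sent = sum(1 for _, stat in t["to"] if stat.startswith("Sent"))
    if sent >= t["nrcpts"]:
        return f"delivered to {sent} recipient(s)"
    return f"{sent} of {t['nrcpts']} recipient(s) delivered; rest queued, deferred or failed"


def messages_per_relay(tx):
    """Count accepted envelopes (nrcpts > 0) per submitting host, to spot the
    internal client that is feeding the most mail into the box."""
    counts = defaultdict(int)
    for t in tx.values():
        if t["nrcpts"]:
            counts[t["relay"]] += 1
    return dict(counts)


if __name__ == "__main__":
    tx = summarize_transactions(SAMPLE_MAILLOG)
    for qid in sorted(tx):
        t = tx[qid]
        print(f"{qid}: from={t['from']} relay={t['relay']} -> {classify(t)}")
    print("accepted envelopes per relay:", messages_per_relay(tx))
```

Run it against a real /var/log/maillog by replacing SAMPLE_MAILLOG with the file contents; entries whose from= line is in an older, rotated log show up as "incomplete", which is the cue to grep the previous file for that queue ID.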
