Check mail server logs?

Zeno McDohl · 12-23-2006, 04:49 PM

I have full root access to a linux server and I need to check the mail logs, but I have no idea how. Here is what I was told of why the server is having issues (what I need to check):

Quote:

It appears that our mail servers are currently blocking your server because of the large number of messages you are sending to them. I checked the log and I am showing that there are currently sending around 6 emails per second to this

I need to find what those emails are (the content of the email etc). Any suggestions?

Gethyn · 12-23-2006, 04:55 PM

Find the mail logs! The exact location will depend on which mail program you use. On my server, which uses qmail, they're under /var/log/qmail.

Zeno McDohl · 12-23-2006, 04:58 PM

Hmm, well there's no qmail dir so we must not use qmail. How would I check what the server uses?

Gethyn · 12-23-2006, 05:19 PM

Try running 'ps aux' and see if you can spot any mail related processes in there. That might give some clues.

Zeno McDohl · 12-23-2006, 05:58 PM

Looks like it's exim.
Looking over this: http://www.exim.org/exim-html-3.20/d...l/spec_51.html

But it doesn't seem to tell me where the logs may be.

Zeno McDohl · 12-24-2006, 12:49 PM

Anyone? I don't see anywhere in the config file that says where the logs are.

Emerson · 12-24-2006, 01:26 PM

If your server is used to send 6 emails per second to just one another domain then your server is hijacked with 99.99% certainity and used for spamming. Keeping this server online is a crime. Disconnect your server from internet asap and address the issue.

Zeno McDohl · 12-24-2006, 02:02 PM

Erm, I don't know how to address the issue nor find out if that's actually the case.

Emerson · 12-24-2006, 02:16 PM

Sorry but you do not have my sympathy. If you do not know how to drive a car you cannot go to a public highway but you can still drive in your backyard. If you do not know how to manage a server keep it running for yourself and do not connect it to the internet where it poses public danger. Period.

Zeno McDohl · 12-24-2006, 02:25 PM

And who says I'm the one who runs this server? I'm trying to help narrow down what this mail is.

Thanks for the help.

Emerson · 12-24-2006, 02:30 PM

First - whoever runs this server has to understand his/her responsibilities.
Second - if your server is hijacked then the attacker is probably using his own SMTP service which does not leave any logs.

Zeno McDohl · 12-24-2006, 02:35 PM

The company pays for the host and the server is located in FL (we are in NY), run by a local tech team. We are a web host company. Whose responsibility is it? I don't have permission to take the server offline.

Right, IF the server. I don't know if it is yet.

Emerson · 12-24-2006, 02:43 PM

Check /var/log, all logs are in there. I had an Exim server once but I do not remember exact filenames any more. You also may want to check if there is a rootkit installed. http://www.chkrootkit.org/

Zeno McDohl · 12-24-2006, 03:02 PM

Quote:

./exim_rejectlog.1
./exim_rejectlog
./exim_mainlog.5.gz
./exim_mainlog.1
./exim_paniclog.5.gz
./exim_paniclog.1
./exim_rejectlog.5.gz
./exim_mainlog
./exim_paniclog

Those are what I found in /var/log.

In the mainlog, I don't see any logs that are a lot (like 6 a second)...

Yes, chkrootkit is installed. I don't see any problems, everything was "nothing found" or "not infected".

Emerson · 12-24-2006, 03:16 PM

Ask those people who complained to send you some of these 6-per-second mails with full headers. BTW, chkrootkit is helpful but it won't find all threats. Check if there is still high traffic on port 25.