Hello all!
I'm posting hoping you can help me with my qmail server. It runs on Debian with Plesk 8.6 on top of it, and it is used by a small number of people (fewer than 10 accounts) sending a normal amount of e-mail for a human being (I mean no lists, no commercial spam, just person-to-person e-mails).
I've set up logwatch ( http://www.logwatch.org/ ) on my server to keep an eye on it, and also checked that there's no relay open with http://www.spamhelp.org/shopenrelay/ , so that part is OK.
But logwatch tells me there's a lot of mail going out: a typical day would be like this (that's from yesterday's qmail logs):
Code:
Remote Server Responses:
Deferral(400) - 47 Time(s)
Deferral(421) - 103 Time(s)
Deferral(443) - 4625 Time(s)
Deferral(450) - 740 Time(s)
Deferral(451) - 362 Time(s)
Deferral(452) - 36 Time(s)
Deferral(453) - 14 Time(s)
Deferral(454) - 8 Time(s)
Deferral(550) - 5 Time(s)
Failure(450) - 7 Time(s)
Failure(451) - 6 Time(s)
Failure(501) - 8 Time(s)
Failure(503) - 3 Time(s)
Failure(504) - 40 Time(s)
Failure(511) - 7545 Time(s)
Failure(530) - 2 Time(s)
Failure(550) - 1451 Time(s)
Failure(551) - 6 Time(s)
Failure(552) - 4 Time(s)
Failure(553) - 78 Time(s)
Failure(554) - 288 Time(s)
Failure(555) - 4 Time(s)
Failure(556) - 2 Time(s)
Failure(571) - 10 Time(s)
Success(250) - 7167 Time(s)
Percentage(s):
Deferral - 26.33 %
Failure - 41.90 %
Success - 31.77 %
-> 7167 successful remote connections... Sounds like a lot to me. I don't know if I have to add the 7545 (code 511) + 1451 (code 550) failures to get an idea of how many mails were outbound.
On the receiving end, that server got around 6800 e-mails (83% of spam in it) yesterday, filtered by spamassassin.
And another bit of information: logwatch lists all the remote addresses qmail has sent mail to. Here are the first few lines of the list, with the number of mails sent (I replaced the @ sign with _AT_ in the addresses below):
Code:
Emails to Remote Server (Threshold of 2):
2521494_AT_leathercraft.de - 2 Time(s)
31786984_AT_bounce.sendnes.fr - 2 Time(s)
31846958_AT_bounce.sendnes.fr - 2 Time(s)
39758176_AT_bounce.sendnes.fr - 2 Time(s)
39832431_AT_bounce.sendnes.fr - 2 Time(s)
39871459_AT_bounce.sendnes.fr - 2 Time(s)
3dm.kliem_AT_bm-system.de - 2 Time(s)
3dmanuel.galocha_AT_juntadeandalucia.es - 2 Time(s)
7a2jmz_AT_hotmail.com - 2 Time(s)
818911201.20910970062934_AT_na.cokecce.com - 2 Time(s)
_nzhelika_AT_a_AT_panasonicplus.ru - 7 Time(s)
_nzhelika_AT_a_AT_photoliner.ru - 5 Time(s)
_vdeeva_AT_a_AT_pfiq.ru - 5 Time(s)
a.doat_AT_formatys.fr - 2 Time(s)
a.fazeli_AT_sheffield.ac.uk - 2 Time(s)
abandono43_AT_obcruise.com - 2 Time(s)
abjurationsx43_AT_dapcstudy.com - 2 Time(s)
abodes45_AT_beazleysharpe.com - 2 Time(s)
abominatingm310_AT_inventorone.com - 2 Time(s)
abrogationsf92_AT_pc138.nissho-ele.co.jp - 2 Time(s)
abstentionw1_AT_wwwhvd.com - 2 Time(s)
acai_AT_bitisgroup.vn - 38 Time(s)
acai_AT_imafex.sk - 13 Time(s)
acai_AT_swbell.net - 2 Time(s)
acai_AT_topoli.net - 35 Time(s)
accessibilityz02_AT_eurobike-expo.com - 2 Time(s)
acclimatesrh5_AT_rumseyandramsey.com - 2 Time(s)
achromaticz849_AT_wisdirect.com - 2 Time(s)
acquitingu_AT_222-spybot.com - 5 Time(s)
...
All of those addresses are unknown to us, and we have no reason to mail them...
Why is qmail sending these guys e-mails? Are they answers (bounces, error codes or whatever) generated because of the spam coming in?
What can I check further to be sure these mails *aren't* spam relayed from my server?
Thanks for your help,
Paul-Henri