LinuxQuestions.org

Check mail server logs? (https://www.linuxquestions.org/questions/linux-newbie-8/check-mail-server-logs-513237/)

Zeno McDohl 12-23-2006 04:49 PM

Check mail server logs?
 
I have full root access to a linux server and I need to check the mail logs, but I have no idea how. Here is what I was told of why the server is having issues (what I need to check):

Quote:

It appears that our mail servers are currently blocking your server because of the large number of messages you are sending to them. I checked the log and I am showing that there are currently sending around 6 emails per second to this

I need to find what those emails are (the content of the email etc). Any suggestions?

Gethyn 12-23-2006 04:55 PM

Find the mail logs! The exact location will depend on which mail program you use. On my server, which uses qmail, they're under /var/log/qmail.

Zeno McDohl 12-23-2006 04:58 PM

Hmm, well there's no qmail dir so we must not use qmail. How would I check what the server uses?

Gethyn 12-23-2006 05:19 PM

Try running 'ps aux' and see if you can spot any mail related processes in there. That might give some clues.

Zeno McDohl 12-23-2006 05:58 PM

Looks like it's exim.
Looking over this: http://www.exim.org/exim-html-3.20/d...l/spec_51.html

But it doesn't seem to tell me where the logs may be.

Zeno McDohl 12-24-2006 12:49 PM

Anyone? I don't see anywhere in the config file that says where the logs are.

Emerson 12-24-2006 01:26 PM

If your server is used to send 6 emails per second to just one other domain, then your server is hijacked with 99.99% certainty and used for spamming. Keeping this server online is a crime. Disconnect your server from the internet asap and address the issue.

Zeno McDohl 12-24-2006 02:02 PM

Erm, I don't know how to address the issue nor find out if that's actually the case.

Emerson 12-24-2006 02:16 PM

Sorry, but you do not have my sympathy. If you do not know how to drive a car, you cannot go on a public highway, but you can still drive in your backyard. If you do not know how to manage a server, keep it running for yourself and do not connect it to the internet, where it poses a public danger. Period.

Zeno McDohl 12-24-2006 02:25 PM

And who says I'm the one who runs this server? I'm trying to help narrow down what this mail is.

Thanks for the help.

Emerson 12-24-2006 02:30 PM

First - whoever runs this server has to understand his/her responsibilities.
Second - if your server is hijacked then the attacker is probably using his own SMTP service which does not leave any logs.

Zeno McDohl 12-24-2006 02:35 PM

The company pays for the host and the server is located in FL (we are in NY), run by a local tech team. We are a web host company. Whose responsibility is it? I don't have permission to take the server offline.

Right, IF the server. I don't know if it is yet.

Emerson 12-24-2006 02:43 PM

Check /var/log, all logs are in there. I had an Exim server once but I do not remember exact filenames any more. You also may want to check if there is a rootkit installed. http://www.chkrootkit.org/

Zeno McDohl 12-24-2006 03:02 PM

Quote:

./exim_rejectlog.1
./exim_rejectlog
./exim_mainlog.5.gz
./exim_mainlog.1
./exim_paniclog.5.gz
./exim_paniclog.1
./exim_rejectlog.5.gz
./exim_mainlog
./exim_paniclog

Those are what I found in /var/log.

In the mainlog, I don't see any logs that are a lot (like 6 a second)...

Yes, chkrootkit is installed. I don't see any problems, everything was "nothing found" or "not infected".

Emerson 12-24-2006 03:16 PM

Ask those people who complained to send you some of these 6-per-second mails with full headers. BTW, chkrootkit is helpful but it won't find all threats. Check if there is still high traffic on port 25.
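A way to put numbers on the exim_mainlog lines the thread is looking at, as an added example that is not from any of the posters: it counts message arrivals (the `<=` lines) per second and per sender/origin, so a burst like the reported "6 per second" and the local user or remote host it comes from stand out. It assumes the classic Exim main log arrival format (`date time msgid <= sender H=host [ip] | U=user P=proto S=size`); the sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Constructed sample of an Exim main log (not real data): one normal remote
# message, then a local script submitting as user "www-data" six times in one
# second. On a real box: zcat /var/log/exim_mainlog.5.gz | top_origins
sample_log() {
cat <<'EOF'
2006-12-24 15:01:02 1GyAAA-0001Ab-01 <= bob@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2048
2006-12-24 15:01:02 1GyAAA-0001Ab-01 => alice@example.org R=localuser T=local_delivery
2006-12-24 15:01:02 1GyAAA-0001Ab-01 Completed
2006-12-24 15:01:05 1GyBBB-0002Cd-01 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:05 1GyBBB-0002Cd-02 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:05 1GyBBB-0002Cd-03 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:05 1GyBBB-0002Cd-04 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:05 1GyBBB-0002Cd-05 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:05 1GyBBB-0002Cd-06 <= www-data@host.example U=www-data P=local S=1100
2006-12-24 15:01:06 1GyBBB-0002Cd-07 <= www-data@host.example U=www-data P=local S=1100
EOF
}

# Busiest second: counts "<=" arrival lines keyed by "date time" (fields 1-2)
# and prints "<count> <date> <time>" for the largest bucket.
peak_per_second() {
    awk '$4 == "<=" { c[$1 " " $2]++ }
         END { m = 0; for (k in c) if (c[k] > m) { m = c[k]; mk = k }
               print m + 0, mk }'
}

# Arrivals per sender and origin, most frequent first. The origin token is
# H=<host> for SMTP arrivals or U=<user> for local submissions; a large
# U=<webserver user> count points at a script on the box rather than a
# remote relay abuse.
top_origins() {
    awk '$4 == "<=" {
             origin = "unknown"
             for (i = 6; i <= NF; i++) if ($i ~ /^[HU]=/) { origin = $i; break }
             c[$5 " " origin]++
         }
         END { for (k in c) print c[k], k }' | sort -rn
}

sample_log | peak_per_second   # 6 2006-12-24 15:01:05
sample_log | top_origins       # 7 www-data@host.example U=www-data ...
```

As Emerson notes above, a quiet mainlog does not clear the host: a mailer that talks SMTP on its own never passes through Exim, so this only accounts for traffic Exim itself handled.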