LinuxQuestions.org
Old 09-26-2005, 12:43 AM   #1
JediKnight2
LQ Newbie
 
Registered: Jul 2004
Posts: 22

Rep: Reputation: 15
Sendmail Log question


I am trying to figure out why the following is logged the way it is...it appears someone tries to connect to relay and fails, but it logs as local..instead of THEIR IP...

Sep 25 04:04:35 server1 sendmail[18213]: j8P83x3N018213: ruleset=check_mail, arg1=<Lord@multimania.fr>, relay=localhost.localdomain [127.0.0.1], reject=451 4.1.8 Domain of sender address Lord@multimania.fr does not resolve
Sep 25 04:04:35 server1 sendmail[18213]: j8P83x3N018213: from=<Lord@multimania.fr>, size=2767, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

How come I'm not getting their IP...Also this is under

Unresolved sender domains:
Lord@multimania.fr: 1856 Time(s)

Last edited by JediKnight2; 09-26-2005 at 09:15 AM.
 
Old 09-26-2005, 06:36 PM   #2
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
The first possibility is that someone tried to send that email from your machine and, as sendmail can't resolve it, it can't be sent. However, if that is the case, it isn't well configured, as it shouldn't keep trying to send it at such small intervals of time and should discard it eventually.

The other possibility is that someone sent you a spoofed smtp replay so that sendmail would get confused and kind of DoS you. You should check your load. It should be a bit high as sendmail must be working pretty hard.

This is a standard sendmail log message:
Nov 4 04:05:48 *** sendmail[4697]: EAA04697:
from=<user@host.com>, size=0, class=0, pri=0, nrcpts=0,
proto=ESMTP, relay=root@attacker.hostname[IPADDRESS]

So your connection either came from your localhost or you are getting spoofed packets.
 
Old 09-27-2005, 10:43 PM   #3
JediKnight2
LQ Newbie
 
Registered: Jul 2004
Posts: 22

Original Poster
Rep: Reputation: 15
Weird...I had localhost.localdomain in "Local Domains"...I took it out..and it stopped...I still have localhost...????
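
Added example, not part of any post in this thread: a small Python parser that tallies check_mail rejections per sender and splits them by whether the logged relay= address is loopback, the distinction the replies above turn on. The third sample line and its address are constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two lines from the first post plus one invented
# remote rejection (203.0.113.9 is a documentation address) for contrast.
SAMPLE_LOG = """\
Sep 25 04:04:35 server1 sendmail[18213]: j8P83x3N018213: ruleset=check_mail, arg1=<Lord@multimania.fr>, relay=localhost.localdomain [127.0.0.1], reject=451 4.1.8 Domain of sender address Lord@multimania.fr does not resolve
Sep 25 04:04:35 server1 sendmail[18213]: j8P83x3N018213: from=<Lord@multimania.fr>, size=2767, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 25 04:09:12 server1 sendmail[18301]: j8P89A3N018301: ruleset=check_mail, arg1=<a@example.invalid>, relay=mx.example.net [203.0.113.9], reject=451 4.1.8 Domain of sender address a@example.invalid does not resolve
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")
RELAY_RE = re.compile(r"relay=[^,\[]*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")
SENDER_RE = re.compile(r"arg1=<(?P<sender>[^>]*)>")


def parse_rejects(log_text):
    """Yield (sender, relay_ip, is_loopback) for each check_mail rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "ruleset=check_mail" not in m["body"] or "reject=" not in m["body"]:
            continue
        relay = RELAY_RE.search(m["body"])
        sender = SENDER_RE.search(m["body"])
        if not relay or not sender:
            continue
        try:
            ip = ipaddress.ip_address(relay["ip"])
        except ValueError:  # malformed address in the log line, skip it
            continue
        yield sender["sender"], str(ip), ip.is_loopback


def summarize(log_text):
    """Count rejections per (sender, relay IP), split into loopback and remote."""
    local, remote = Counter(), Counter()
    for sender, ip, is_loopback in parse_rejects(log_text):
        (local if is_loopback else remote)[(sender, ip)] += 1
    return local, remote


if __name__ == "__main__":
    local, remote = summarize(SAMPLE_LOG)
    for label, counts in (("loopback client", local), ("remote client", remote)):
        for (sender, ip), n in counts.most_common():
            print(f"{label}: {n} rejection(s) for {sender} via {ip}")
```

Entries in the loopback tally were handed to sendmail over 127.0.0.1, so the next place to look is whatever on the host itself connects to the local MTA rather than a remote peer.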
 
  

