
Thread: [Please Help] Mail Log is very large and found below log message

  1. #1 Solt (Active Member)

    Hi all,

    It looks like our server has become an open relay? There are more than 10 messages per second to our mail server. Please help, it's urgent, and the maillog file is almost too large to open now.

    And one more question: how do you clear the log messages within the maillog file?

    Thanks very much for your help in advance.

    Maillog size:
    -rw------- 1 root root 6386851607 Oct 17 19:22 maillog


    Message from maillog:
    Oct 17 19:20:44 ms1 postfix/error[29220]: 0E1819991B13: to=<crazyodb@yahoo.com>, relay=none, delay=2948, delays=2938/10/0/0.01, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.139.175.224] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.185.55.211 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Oct 17 19:20:44 ms1 postfix/error[29220]: 0E1819991B13: to=<crazzkc24@yahoo.com>, relay=none, delay=2948, delays=2938/10/0/0.02, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.139.175.224] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.185.55.211 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Oct 17 19:20:44 ms1 postfix/smtp[27218]: connect to homail.com[64.4.6.100]:25: Connection timed out
    Oct 17 19:20:44 ms1 postfix/qmgr[27145]: 3B2569991C68: from=<postmaster@domain.com>, size=2750, nrcpt=49 (queue active)
    Oct 17 19:20:44 ms1 postfix/error[28139]: A1C0A998139B: to=<bselewis2@bellsouth.net>, relay=none, delay=152586, delays=152575/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
    Oct 17 19:20:44 ms1 postfix/error[28139]: A1C0A998139B: to=<bsgoodman04@bellsouth.net>, relay=none, delay=152586, delays=152575/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
    Oct 17 19:20:44 ms1 postfix/smtp[27212]: connect to cluster8.us.messagelabs.com[216.82.241.99]:25: Connection refused
    Oct 17 19:20:44 ms1 postfix/qmgr[27145]: 55DAC99918CD: from=<info@mcycd.gov.ae>, size=2497, nrcpt=50 (queue active)
    Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david03lewis@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
    Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david_roylston@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
    Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david_sachs@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
    Oct 17 19:20:44 ms1 postfix/smtp[27475]: 90CE99990F5F: to=<3dkstarkey@tampabay.rr.com>, relay=hrndva-smtpin02.mail.

  2. #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Solt:
    It looks like our server has become an open relay?
    It isn't, unless you've made it one. You can search the internet for a site (actually, lots of them) that will test whether your server is an open relay.

    The likelihood is that it's a compromised account. Search the forums for the words 'compromised account' and you'll find details on how to track down the account; you should also implement strong passwords on your server to prevent this in future.
    Regards


    Bill



  3. #3 Solt (Active Member)

    Thanks for your reply.

    When I do tail -n 100000 /var/log/maillog | grep "sasl_username="

    Most of them are root


    Oct 18 10:07:05 ms1 postfix/smtpd[5050]: 1F69B999383F: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:05 ms1 postfix/smtpd[23590]: 2899D999384C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:05 ms1 postfix/smtpd[9992]: 6E6879993867: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:06 ms1 postfix/smtpd[10520]: 090389993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:06 ms1 postfix/smtpd[12651]: 52AF49993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:07 ms1 postfix/smtpd[4990]: 2D6E39993B11: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:07 ms1 postfix/smtpd[6993]: 9A4F69993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:08 ms1 postfix/smtpd[12679]: B451D9993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:08 ms1 postfix/smtpd[13426]: CB8F39993B56: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:08 ms1 postfix/smtpd[2795]: CC7BA9993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:09 ms1 postfix/smtpd[12929]: 307329993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:10 ms1 postfix/smtpd[11491]: E32599993B44: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:11 ms1 postfix/smtpd[4104]: 43EC19993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:11 ms1 postfix/smtpd[4061]: 483979993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:11 ms1 postfix/smtpd[13168]: 5358D9993B6A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:11 ms1 postfix/smtpd[1489]: 6928C9993B6B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:12 ms1 postfix/smtpd[13424]: A36F79993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:13 ms1 postfix/smtpd[11492]: 963919993B73: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:15 ms1 postfix/smtpd[10448]: 2E7589993B78: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:16 ms1 postfix/smtpd[11144]: B20C899934F5: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:16 ms1 postfix/smtpd[3944]: C18DF999375F: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:18 ms1 postfix/smtpd[12930]: 8A72D9993867: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:18 ms1 postfix/smtpd[13427]: C01379993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:18 ms1 postfix/smtpd[9993]: D36D39993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:19 ms1 postfix/smtpd[9992]: 19A6D9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:19 ms1 postfix/smtpd[10520]: B2C5C999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:19 ms1 postfix/smtpd[23590]: CBF229993B89: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:20 ms1 postfix/smtpd[12310]: 02E2B9993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:20 ms1 postfix/smtpd[12651]: F310B9993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:21 ms1 postfix/smtpd[5050]: 553989993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:22 ms1 postfix/smtpd[4990]: 8294D9993B62: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:22 ms1 postfix/smtpd[12929]: 85AB39993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:22 ms1 postfix/smtpd[6993]: 8E5579993B8C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:22 ms1 postfix/smtpd[12679]: D22A19993B6B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:25 ms1 postfix/smtpd[2795]: 054339993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:25 ms1 postfix/smtpd[13426]: 120089993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:25 ms1 postfix/smtpd[4104]: 1B3229993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:25 ms1 postfix/smtpd[13168]: 271869993B91: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:25 ms1 postfix/smtpd[1489]: 6282E9993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:26 ms1 postfix/smtpd[13424]: 5F3539993B44: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:28 ms1 postfix/smtpd[4061]: 0EEFA9993B73: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:28 ms1 postfix/smtpd[10448]: B735F9993B78: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:30 ms1 postfix/smtpd[11491]: 5B39E9993867: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:32 ms1 postfix/smtpd[11492]: 2E500999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:32 ms1 postfix/smtpd[12930]: 5C8459993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:32 ms1 postfix/smtpd[9993]: 72ECA9993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:32 ms1 postfix/smtpd[13427]: 9663F9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:33 ms1 postfix/smtpd[12310]: 6A2809993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:33 ms1 postfix/smtpd[10520]: 910619993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:34 ms1 postfix/smtpd[9992]: AC4B09993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:34 ms1 postfix/smtpd[12651]: EBD7D9993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:36 ms1 postfix/smtpd[5050]: 082599993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:36 ms1 postfix/smtpd[12929]: 218ED9993B8C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:36 ms1 postfix/smtpd[6993]: 71CED9993CB9: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:38 ms1 postfix/smtpd[2795]: 842AD99935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:38 ms1 postfix/smtpd[4104]: 9930D9993B44: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:38 ms1 postfix/smtpd[1489]: B6E519993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:38 ms1 postfix/smtpd[13168]: B7A2E9993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:38 ms1 postfix/smtpd[3944]: F32FE9993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:39 ms1 postfix/smtpd[13424]: 687D39993B91: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:39 ms1 postfix/smtpd[4990]: F20E49993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:41 ms1 postfix/smtpd[13426]: 31B6F9993CBE: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:41 ms1 postfix/smtpd[11144]: 4E7A99993CC1: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:42 ms1 postfix/smtpd[10448]: 3C4899993CC3: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:44 ms1 postfix/smtpd[16161]: 03A28999375F: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:44 ms1 postfix/smtpd[11492]: 46FDB999383F: client=ipe-26.ipehk.local[10.0.85.216], sasl_method=LOGIN, sasl_username=chloechan
    Oct 18 10:07:44 ms1 postfix/smtpd[23590]: 6B2459993867: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:45 ms1 postfix/smtpd[13427]: C466A9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:45 ms1 postfix/smtpd[12930]: E6E969993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:45 ms1 postfix/smtpd[9993]: E70339993CC5: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:46 ms1 postfix/smtpd[11491]: 3F1149993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:46 ms1 postfix/smtpd[12310]: A2BFF9993B69: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:47 ms1 postfix/smtpd[10520]: 390D09993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:47 ms1 postfix/smtpd[9992]: 3F8C89993CC6: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:48 ms1 postfix/smtpd[12679]: 71C679993B89: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:48 ms1 postfix/smtpd[5050]: 86CE39993CB9: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:49 ms1 postfix/smtpd[12929]: B6D159993CC8: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:49 ms1 postfix/smtpd[6993]: BF8069993CCA: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:50 ms1 postfix/smtpd[11492]: 416EA9993CCB: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:52 ms1 postfix/smtpd[2795]: 14C0999935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:52 ms1 postfix/smtpd[4104]: 704D79993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:52 ms1 postfix/smtpd[4990]: 725B79993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:52 ms1 postfix/smtpd[1489]: 772FA9993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:52 ms1 postfix/smtpd[13168]: 7CA889993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:53 ms1 postfix/smtpd[3944]: 9225D9993B91: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:55 ms1 postfix/smtpd[13424]: C01C09993CC3: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:58 ms1 postfix/smtpd[10448]: 5BED099B000E: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:59 ms1 postfix/smtpd[9993]: 47F60999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:59 ms1 postfix/smtpd[11491]: 68ADD9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:07:59 ms1 postfix/smtpd[10520]: 799169993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:00 ms1 postfix/smtpd[12930]: 199159993B57: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:00 ms1 postfix/smtpd[16161]: 5896E99B0012: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:00 ms1 postfix/smtpd[13427]: B78AA99B0014: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:02 ms1 postfix/smtpd[4061]: 11CFB99B001B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:02 ms1 postfix/smtpd[5050]: 292D699B0022: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:02 ms1 postfix/smtpd[12651]: 66D0A9993887: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:03 ms1 postfix/smtpd[12679]: 648C99993B89: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:03 ms1 postfix/smtpd[12310]: C96C39993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:05 ms1 postfix/smtpd[11144]: 0603099935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:05 ms1 postfix/smtpd[11492]: 9D5829993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:05 ms1 postfix/smtpd[9992]: D00F39993B6E: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
    Oct 18 10:08:06 ms1 postfix/smtpd[13426]: 046F69993B91: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
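    The tail | grep above shows which login names authenticated, but not how many distinct outside addresses each one came from. Added example (not from this thread or from Zimbra): a Python script that parses smtpd lines of exactly this shape and flags login names that are not provisioned mailboxes (the "root" alias case here) or that authenticate from more than one external IP. It assumes RFC 1918 space is internal and uses constructed sample lines with documentation-range addresses.

```python
import re
import sys
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Line shape of the Postfix smtpd entries grepped above:
#   ... postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=LOGIN, sasl_username=USER
SASL_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

# Assumption: RFC 1918 space is "internal"; add your own office/VPN ranges here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the same shape as the thread's maillog; the public
# addresses are taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = """\
Oct 18 10:07:05 ms1 postfix/smtpd[5050]: 1F69B999383F: client=dyn-a.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:05 ms1 postfix/smtpd[23590]: 2899D999384C: client=static-b.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:06 ms1 postfix/smtpd[9992]: 6E6879993867: client=static-b.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:07 ms1 postfix/smtpd[4104]: 43EC19993B66: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:44 ms1 postfix/smtpd[11492]: 46FDB999383F: client=ipe-26.corp.local[10.0.85.216], sasl_method=LOGIN, sasl_username=chloechan
Oct 18 10:07:50 ms1 postfix/smtpd[11492]: 416EA9993CCB: client=dyn-a.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:55 ms1 postfix/smtpd[13424]: C01C09993CC3: client=mx.example.net[198.51.100.7]
"""


def is_internal(ip):
    """True for addresses inside INTERNAL_NETS; unparsable strings count as external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_sasl_logins(text):
    """Yield (username, client_ip) for every authenticated submission in the log text."""
    for line in text.splitlines():
        m = SASL_LINE.search(line)
        if m:  # lines without sasl_username= (plain inbound SMTP) are skipped
            yield m.group("user"), m.group("ip")


def summarize(text):
    """Per username: total SASL logins and a Counter of external client IPs."""
    report = defaultdict(lambda: {"total": 0, "external_ips": Counter()})
    for user, ip in parse_sasl_logins(text):
        report[user]["total"] += 1
        if not is_internal(ip):
            report[user]["external_ips"][ip] += 1
    return dict(report)


def suspicious_accounts(text, known_accounts, max_external_ips=1):
    """Return {username: [reasons]} for accounts whose SASL activity looks compromised.

    A login name that is not a provisioned mailbox (e.g. an alias such as "root"
    that still authenticates) is flagged, as is any account authenticating from
    more than max_external_ips distinct external addresses.
    """
    flagged = {}
    for user, stats in summarize(text).items():
        reasons = []
        if user not in known_accounts:
            reasons.append("login name is not a provisioned mailbox")
        n_ext = len(stats["external_ips"])
        if n_ext > max_external_ips:
            reasons.append(f"{stats['total']} logins from {n_ext} distinct external IPs")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    # Usage: python sasl_audit.py /var/log/maillog user1 user2 ...  (no args: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    known = set(sys.argv[2:]) or {"chloechan"}
    for user, reasons in suspicious_accounts(text, known).items():
        print(f"{user}: " + "; ".join(reasons))
```

    On the sample data this reports root (not a mailbox, 5 logins from 3 external IPs) and stays silent about chloechan, whose single login came from the internal range.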

  4. #4 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Solt:
    Most of them are root
    Do you actually have an account named "root" on your mail server? If you have, then deactivate it. Have you checked to see which users are sending large numbers of mails (see the daily mail report)? Deactivate them, change the passwords and implement strong password security measures (in the Admin UI) for all users. Check your Zimbra server (including other machines that log in to your mail server) for any installed rootkit.
    Regards


    Bill



  5. #5 Solt (Active Member)

    Thanks again. There is no root@mydomain, but there is an alias set to forward root@mydomain to my email address.

    And from the top senders in the mail report, these email accounts do not belong to my domain. Is there any setting I can use to stop them (block/blacklist?) from using my mail server to send emails? Thanks again.

    top 50 Senders by message count
    -------------------------------
    27060 gov.lamidosanusi@cbn.org
    10000 info@mcycd.gov.ae
    6864 postmaster@domain.com
    4691 admin@portal.co.uk
    1815 fax@sunbeltwestriverside.com
    1675 mail@isass.net

  6. #6 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Solt:
    And from the top senders in the mail report, these email accounts do not belong to my domain. Is there any setting I can use to stop them (block/blacklist?) from using my mail server to send emails?
    They are not sending email from your server; they are sending mail to your server. You still haven't mentioned what the results of your open relay test are. Did you actually try one?
    Regards


    Bill



  7. #7 Solt (Active Member)

    Yup, tested with Check an Open Relay and here is the result.

    220 mydomain.com ESMTP Postfix
    HELO ortest.checkor.com
    250 mydomain.com
    RSET
    250 2.0.0 Ok
    MAIL FROM: test@checkor.com
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM:
    501 5.5.4 Syntax: MAIL FROM:

    RCPT TO: test1@checkor.com
    503 5.5.1 Error: need MAIL command

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@mydomain.com
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@mydomain.com
    250 2.1.0 Ok
    RCPT TO: test1@checkor.com
    554 5.7.1 : Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@mydomain.com
    250 2.1.0 Ok
    RCPT TO: test1@mydomain.com
    554 5.7.1 : Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@mydomain.com
    250 2.1.0 Ok
    RCPT TO: "test1@test.com"@mydomain.com
    554 5.7.1 : Relay access denied

    RSET
    250 2.0.0 Ok
    MAIL FROM: spam@mydomain.com
    250 2.1.0 Ok
    RCPT TO: @mydomain.com:spamtest@checkor.com
    554 5.7.1 : Relay access denied

  8. #8 Solt (Active Member)

    Also tested with Open Relay Test; the result is positive.

    "All tested completed! No relays accepted by remote host!"

  9. #9 liverpoolfcfan (Outstanding Member, Dublin, IRELAND)

    Quote Originally Posted by Solt:
    Thanks again. There is no root@mydomain, but there is an alias set to forward root@mydomain to my email address.
    If you mean you created an alias pointing root@ to your email address, then these could be hackers logging into your account.

    Zimbra will allow you to use any alias of your account as the login to your account.

    Change your password, or remove the alias.

  10. #10 Solt (Active Member)

    Thanks a lot, I have changed my password and it seems the issue was fixed.

    Btw, I am a Man United fan.
