
How to tell from maillog who's sending what?

Discussion in 'Plesk for Linux - 8.x and Older' started by JerkyChew, Dec 10, 2005.

  1. JerkyChew

    JerkyChew Guest

    I'm looking at my maillog, and watching somebody on our system sending a ton of messages to AOL.com. This behavior has put us on AOL's spam blacklist. A quick sample of the maillog is below:

    Dec 10 15:14:09 servername qmail: 1134245649.549857 starting delivery 193728: msg 1881555 to remote xxxx@aol.com
    Dec 10 15:14:09 servername qmail: 1134245649.551835 status: local 0/10 remote 9/20
    Dec 10 15:14:09 servername qmail: 1134245649.556563 starting delivery 193729: msg 1881555 to remote xxxx@aol.com
    Dec 10 15:14:09 servername qmail: 1134245649.556624 status: local 0/10 remote 10/20
    Dec 10 15:14:09 servername qmail: 1134245649.557293 starting delivery 193730: msg 1881555 to remote xxxx@aol.com
    Dec 10 15:14:09 servername qmail: 1134245649.558344 status: local 0/10 remote 11/20
    Dec 10 15:14:09 servername qmail: 1134245649.560139 starting delivery 193731: msg 1881555 to remote xxxx@aol.com


    What can I look at to see who's causing these outbound emails?
  2. wmchurch

    wmchurch Guest

    Grep the maillog for the message id like so:

    grep 1881555 /usr/local/psa/var/log/maillog
    should show you everything pertaining to that message. Sometimes that number could match other things, so make sure it's a message id and not a file size, or other id. That should get it...

    That being said, not a big fan of qmail's log file.
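
The grep-by-message-id correlation above, automated as an added example (not code from the thread): it keys on qmail-send's `info msg N: bytes B from <sender> qp P uid U` line, which records the envelope sender and the uid of the local process that queued the message, and tallies deliveries per message. The sample lines, addresses and uids are constructed; a message id is a queue inode number that qmail reuses after `end msg`, so each reuse gets its own record.

```python
import re
from collections import Counter

# Constructed sample in qmail-send's log format (not taken from the thread).
SAMPLE = """\
Dec 10 15:14:08 servername qmail: 1134245648.501200 new msg 1881555
Dec 10 15:14:08 servername qmail: 1134245648.501390 info msg 1881555: bytes 2210 from <anonymous@servername> qp 20711 uid 48
Dec 10 15:14:09 servername qmail: 1134245649.549857 starting delivery 193728: msg 1881555 to remote a@aol.com
Dec 10 15:14:09 servername qmail: 1134245649.556563 starting delivery 193729: msg 1881555 to remote b@aol.com
Dec 10 15:14:09 servername qmail: 1134245649.557293 starting delivery 193730: msg 1881555 to remote c@example.net
Dec 10 15:14:10 servername qmail: 1134245650.100000 end msg 1881555
Dec 10 15:20:00 servername qmail: 1134246000.000100 new msg 1881555
Dec 10 15:20:00 servername qmail: 1134246000.000300 info msg 1881555: bytes 900 from <bob@example.org> qp 20990 uid 2020
Dec 10 15:20:01 servername qmail: 1134246001.000000 starting delivery 193800: msg 1881555 to local bob-list@example.org
Dec 10 15:21:00 servername qmail: 1134246060.000000 info msg 1881777: bytes 1881555 from <> qp 21000 uid 2522
""".splitlines()

EDGE = re.compile(r"\b(?:new|end) msg (\d+)$")
INFO = re.compile(r"\binfo msg (\d+): bytes \d+ from <([^>]*)> qp (\d+) uid (\d+)")
DELIV = re.compile(r"\bstarting delivery \d+: msg (\d+) to (local|remote) (\S+)")

def summarize(lines):
    """Return one record per queued message, in log order."""
    records, current = [], {}          # current: msg id -> open record
    def rec_for(msg):
        if msg not in current:         # also covers logs that start mid-message
            current[msg] = {"msg": msg, "sender": None, "uid": None, "qp": None,
                            "remote": 0, "local": 0, "domains": Counter()}
            records.append(current[msg])
        return current[msg]
    for line in lines:
        line = line.rstrip()
        if m := EDGE.search(line):
            current.pop(m[1], None)    # id is reused later: close the old record
        elif m := INFO.search(line):
            rec_for(m[1]).update(sender=m[2], qp=int(m[3]), uid=int(m[4]))
        elif m := DELIV.search(line):
            rec = rec_for(m[1])
            rec[m[2]] += 1             # "local" or "remote" counter
            rec["domains"][m[3].rpartition("@")[2].lower()] += 1
    return records

if __name__ == "__main__":
    for r in sorted(summarize(SAMPLE), key=lambda r: -r["remote"]):
        print(r["msg"], "uid", r["uid"], "from", repr(r["sender"]),
              "remote", r["remote"], dict(r["domains"]))
```

Resolve the reported uid with `getent passwd <uid>`: a web server account points at a script or contact form, while the SMTP daemon's account means the message arrived over the network and the smtpd log has the connecting IP.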

  3. Griffith

    Griffith Guest

    I would guess this is a spammer using one of your clients' contact forms.. we had that problem.. he tried to send like 15k emails to *@aol.com. You could also use qmHandle and see if some of them are queued.. and find the message.. and maybe you will be able to see where it was sent from.
  4. ShadowMan@

    ShadowMan@ Guest

    We have seen a number of client PCs infected with worms which spam out to AOL recently.

    For much better logging, you may want to consider installing the qmail-scanner package, which will coordinate AV and SA scanning of all email in/out of server.