
Understanding Mail Log

nand (Guest)

Hi to all!

I'm using Parallels Plesk 9.0.1 under CentOS with Postfix.

In my Plesk Admin Web Panel (mail queue page), I see some spam mails with origin and destination addresses that have no relation to any of my domains. Let's focus on a particular one...

Order_975917. "Support" <[email protected]> [email protected] Mar 16, 2011 09:51 AM 00:17:29 102,66 KB

If I click to look at the mail details...

Received: from mymail.box.plesk (localhost.localdomain [127.0.0.1])
by mymailbox.plesk (Postfix) with ESMTP id 8A487A0A9625;
Wed, 16 Mar 2011 09:49:10 +0100 (CET)
Received: from rm-1106-02.serve.com (unknown [65.23.154.131])
by mymailbox.plesk (Postfix) with ESMTP;
Wed, 16 Mar 2011 08:49:10 +0000 (UTC)
Received: from [192.168.0.100] (EHLO Win7) by rm-1106-02.serve.com id 3wCvJBuWIGch (mp002) with SMTP; Wed, 16 Mar 2011 04:51:56 -0400
From: "Support" <[email protected]>
To: <[email protected]>
Subject: Order_975917.
Date: Wed, 16 Mar 2011 04:51:56 -0400
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------0B34032603FD536"


Now I grep for the "from" IP address in mail.log...

# grep 65.23.154.131 maillog/maillog
Mar 16 04:39:03 s15402231 postfix/smtpd[30009]: connect from unknown[65.23.154.131]
Mar 16 03:39:04 s15402231 postfix/smtpd[30009]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, [email protected]
Mar 16 04:39:04 s15402231 postfix/smtpd[30017]: E05E8A0C769D: client=unknown[65.23.154.131]
Mar 16 03:39:10 s15402231 postfix/smtpd[30009]: disconnect from unknown[65.23.154.131]
Mar 16 04:42:56 s15402231 postfix/anvil[30011]: statistics: max connection rate 1/60s for (smtp:65.23.154.131) at Mar 16 04:39:03
Mar 16 04:42:56 s15402231 postfix/anvil[30011]: statistics: max connection count 1 for (smtp:65.23.154.131) at Mar 16 04:39:03
Mar 16 04:59:41 s15402231 postfix/smtpd[30249]: connect from unknown[65.23.154.131]
Mar 16 03:59:43 s15402231 postfix/smtpd[30249]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, [email protected]
Mar 16 04:59:43 s15402231 postfix/smtpd[30252]: 2F9B1A0CBBBA: client=unknown[65.23.154.131]
Mar 16 03:59:50 s15402231 postfix/smtpd[30249]: disconnect from unknown[65.23.154.131]
Mar 16 05:05:14 s15402231 postfix/smtpd[30287]: connect from unknown[65.23.154.131]
Mar 16 04:05:15 s15402231 postfix/smtpd[30287]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, [email protected]
Mar 16 05:05:15 s15402231 postfix/smtpd[30295]: DAD8DA0CBBBA: client=unknown[65.23.154.131]
Mar 16 04:05:24 s15402231 postfix/smtpd[30287]: disconnect from unknown[65.23.154.131]
Mar 16 05:08:44 s15402231 postfix/anvil[30289]: statistics: max connection rate 1/60s for (smtp:65.23.154.131) at Mar 16 05:05:14
Mar 16 05:08:44 s15402231 postfix/anvil[30289]: statistics: max connection count 1 for (smtp:65.23.154.131) at Mar 16 05:05:14
Mar 16 05:15:26 s15402231 postfix/smtpd[30353]: connect from unknown[65.23.154.131]


OK, it seems alloweddomain.com (a domain allowed and hosted on my server) is generating spam. Probably one of my customers got a trojan or another type of virus on their client.

Am I right? If yes, can I stop it?

Thanks in advance
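As an added example (not from the original post or from Plesk), a small Python script that automates the check the grep above does by hand: it parses the Postfix smtpd "NOQUEUE: client=... sasl_method=..., sasl_username=..." lines, counts authenticated submissions per account and per source IP, and flags accounts that submit repeatedly from addresses not on a known list. The log lines, IPs and account names are constructed placeholders modelled on the excerpt; the redacted field is assumed to read `sasl_username=`.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Postfix smtpd output quoted above.
# Hostnames, IPs and account names are placeholders, not real data.
SAMPLE_LOG = """\
Mar 16 04:39:03 s15402231 postfix/smtpd[30009]: connect from unknown[65.23.154.131]
Mar 16 04:39:04 s15402231 postfix/smtpd[30009]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, sasl_username=user@alloweddomain.com
Mar 16 04:39:04 s15402231 postfix/smtpd[30017]: E05E8A0C769D: client=unknown[65.23.154.131]
Mar 16 04:59:43 s15402231 postfix/smtpd[30249]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, sasl_username=user@alloweddomain.com
Mar 16 05:05:15 s15402231 postfix/smtpd[30287]: NOQUEUE: client=unknown[65.23.154.131], sasl_method=login, sasl_username=user@alloweddomain.com
Mar 16 05:10:02 s15402231 postfix/smtpd[30301]: NOQUEUE: client=office.example.net[203.0.113.7], sasl_method=login, sasl_username=user@alloweddomain.com
Mar 16 05:12:40 s15402231 postfix/smtpd[30310]: NOQUEUE: client=unknown[198.51.100.9], sasl_method=login, sasl_username=other@alloweddomain.com
"""

# Matches the smtpd line that records a SASL-authenticated submission.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: client=(?P<host>\S+)\[(?P<ip>[\d.]+)\],"
    r" sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)


def sasl_logins_by_account(log_text):
    """Map each SASL username to {client_ip: number of authenticated sessions}."""
    per_account = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            per_account[m["user"]][m["ip"]] += 1
    return {user: dict(ips) for user, ips in per_account.items()}


def flag_suspect_accounts(per_account, known_ips=frozenset(), max_unknown_sessions=2):
    """Return accounts whose sessions from IPs outside known_ips exceed the threshold.

    known_ips is a hypothetical allow-list of addresses the customer normally sends from.
    """
    flagged = {}
    for user, ips in per_account.items():
        unknown = {ip: n for ip, n in ips.items() if ip not in known_ips}
        if sum(unknown.values()) > max_unknown_sessions:
            flagged[user] = unknown
    return flagged


if __name__ == "__main__":
    summary = sasl_logins_by_account(SAMPLE_LOG)
    for user, ips in flag_suspect_accounts(summary, known_ips={"203.0.113.7"}).items():
        print(f"{user}: repeated submissions from unfamiliar IPs {ips}")
```

Run against the real maillog (`python3 script.py < /usr/local/psa/var/log/maillog` after replacing SAMPLE_LOG with stdin) the output names the mailbox whose credentials are being used, which is the account to reset.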