Mail Queue Full of Sender:root@hostname Recipient:root@hostname emails

ErBergez (Verified User, joined Dec 20, 2009, Los Angeles, CA)
Hi Forum -

I just completed a new build of DirectAdmin and installed ConfigServer Firewall & Security for the first time, but I'm experiencing a new problem I have not had in the past. I don't know if it's related to ConfigServer or something I missed in the setup of DirectAdmin.

I have 15 pages of emails in the Mail Queue Administrator all with the Sender:root@hostname and the Recipient:root@hostname.

These emails appear to be system-related emails pertaining to the logs, and in particular to my client's iPhone accessing the email server. (I confirmed that the IPs are her iPhone.)

Here is a sample of the email headers: (They are all about the same)

1ONVIN-0007XE-GJ-H
root 0 0
<[email protected]>
1276366743 0
-ident root
-received_protocol local
-body_linecount 46
-allow_unqualified_recipient
-allow_unqualified_sender
XX
1
[email protected]

185P Received: from root by cp.bcnonline.com with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1ONVIN-0007XE-GJ
for [email protected]; Sat, 12 Jun 2010 11:19:03 -0700
011* From: root
009* To: root
026T To: [email protected]
079 Subject: lfd on cp.bcnonline.com: Suspicious process running under user tijinc
031F From: <[email protected]>
049I Message-Id: <[email protected]>
038 Date: Sat, 12 Jun 2010 11:19:03 -0700

Here's what the Email Body Chunk says:

1ONVIN-0007XE-GJ-D
Time: Sat Jun 12 11:19:03 2010 -0700
PID: 28821
Account: tijinc
Uptime: 118 seconds


Executable:

/usr/libexec/dovecot/pop3


Command Line (often faked in exploits):

pop3 [[email protected] 166.205.137.148]


Network connections by the process (if any):

tcp: 64.27.0.152:110 -> 166.205.137.148:44176
tcp: 64.27.0.152:110 -> 166.205.137.148:44176


Files open by the process (if any):

eventpoll:[264977]
/home/tijinc/imap/theindustryjournal.com/naida.albright/Maildir/dovecot.index.log
/home/tijinc/imap/theindustryjournal.com/naida.albright/Maildir/dovecot-uidlist


Memory maps by the process (if any):

00110000-00119000 r-xp 00000000 03:05 2301725 /lib/libnss_files-2.5.so
00119000-0011a000 r-xp 00008000 03:05 2301725 /lib/libnss_files-2.5.so
0011a000-0011b000 rwxp 00009000 03:05 2301725 /lib/libnss_files-2.5.so
00414000-0042e000 r-xp 00000000 03:05 2301753 /lib/ld-2.5.so
0042e000-0042f000 r-xp 00019000 03:05 2301753 /lib/ld-2.5.so
0042f000-00430000 rwxp 0001a000 03:05 2301753 /lib/ld-2.5.so
00437000-00576000 r-xp 00000000 03:05 2301754 /lib/libc-2.5.so
00576000-00577000 --xp 0013f000 03:05 2301754 /lib/libc-2.5.so
00577000-00579000 r-xp 0013f000 03:05 2301754 /lib/libc-2.5.so
00579000-0057a000 rwxp 00141000 03:05 2301754 /lib/libc-2.5.so
0057a000-0057d000 rwxp 0057a000 00:00 0
0057f000-00581000 r-xp 00000000 03:05 2304048 /lib/libdl-2.5.so
00581000-00582000 r-xp 00001000 03:05 2304048 /lib/libdl-2.5.so
00582000-00583000 rwxp 00002000 03:05 2304048 /lib/libdl-2.5.so
00585000-00599000 r-xp 00000000 03:05 2304049 /lib/libpthread-2.5.so
00599000-0059a000 r-xp 00013000 03:05 2304049 /lib/libpthread-2.5.so
0059a000-0059b000 rwxp 00014000 03:05 2304049 /lib/libpthread-2.5.so
0059b000-0059d000 rwxp 0059b000 00:00 0
005c8000-005cf000 r-xp 00000000 03:05 2304050 /lib/librt-2.5.so
005cf000-005d0000 r-xp 00006000 03:05 2304050 /lib/librt-2.5.so
005d0000-005d1000 rwxp 00007000 03:05 2304050 /lib/librt-2.5.so
006e8000-007dd000 r-xp 00000000 03:03 2572722 /usr/local/lib/libiconv.so.2.5.0
007dd000-007de000 rwxp 000f5000 03:03 2572722 /usr/local/lib/libiconv.so.2.5.0
00f5c000-00f5d000 r-xp 00f5c000 00:00 0 [vdso]
08048000-08110000 r-xp 00000000 03:03 3775183 /usr/libexec/dovecot/pop3
08110000-08112000 rw-p 000c8000 03:03 3775183 /usr/libexec/dovecot/pop3
08112000-08113000 rw-p 08112000 00:00 0
093b3000-093fd000 rw-p 093b3000 00:00 0 [heap]
b7f08000-b7f0b000 rw-p b7f08000 00:00 0
bf967000-bf97c000 rw-p bffea000 00:00 0 [stack]

Here is what the Log says:

2010-06-12 11:19:03 Received from [email protected] U=root P=local S=2990 T="lfd on cp.bcnonline.com: Suspicious process running under user tijinc"
2010-06-12 11:19:03 [email protected] R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list

Questions:

  • Are these messages important or can they be dropped?
  • How do I forward server messages such as these to a real email address?
  • Can this be controlled inside DirectAdmin or is this a config file setting?


Thank you for your assistance,


Eric Bergez
BCN, Inc.
http://www.bcnonline.com
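The alert body above is one of many identical ones, and the decision the original poster faced (raise PT_LIMIT, or ignore the executable in csf.pignore) is easier to make from a per-executable tally than from fifteen pages of queued mail. The script below is an added example, not code from the thread or from ConfigServer: it summarises lfd "Suspicious process" alert bodies in the layout lfd writes (the same layout the post reproduces from the Exim -D spool file) and turns the tally into csf.pignore "exe:" lines, flagging instead of ignoring anything that ran from a user-writable location. The sample alerts are constructed; the second and third PIDs, the addresses, the webuser account and the kworkerd path are made up.

```shell
#!/bin/sh
# Added example, not from the forum thread: summarise lfd "Suspicious process"
# alert bodies so the PT_LIMIT-vs-csf.pignore decision is made per executable.

# Constructed sample: three alert bodies in the layout shown in the post.
# The addresses, second and third PIDs and the kworkerd path are made up.
SAMPLE_ALERTS='Time: Sat Jun 12 11:19:03 2010 -0700
PID: 28821
Account: tijinc
Uptime: 118 seconds

Executable:

/usr/libexec/dovecot/pop3

Command Line (often faked in exploits):

pop3 [user@example.com 166.205.137.148]

Network connections by the process (if any):

tcp: 64.27.0.152:110 -> 166.205.137.148:44176

Time: Sat Jun 12 11:21:40 2010 -0700
PID: 28902
Account: tijinc
Uptime: 131 seconds

Executable:

/usr/libexec/dovecot/pop3

Command Line (often faked in exploits):

pop3 [user@example.com 166.205.137.148]

Time: Sat Jun 12 12:02:11 2010 -0700
PID: 29410
Account: webuser
Uptime: 4011 seconds

Executable:

/home/webuser/.cache/kworkerd

Command Line (often faked in exploits):

[kworkerd]
'

# stdin: one or more alert bodies. stdout: "<count> <account> <executable>",
# most frequent first. lfd prints the path on the first non-blank line after
# the "Executable:" label, so that line is captured and the flag cleared.
lfd_alert_summary() {
    awk '
        /^Account: /    { acct = $2 }
        /^Executable:$/ { want_exe = 1; next }
        want_exe && NF  { n[acct " " $1]++; want_exe = 0 }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -rn
}

# stdin: lfd_alert_summary output. Emits csf.pignore "exe:" lines for
# binaries under system paths (a legitimate daemon tripping PT_LIMIT, like
# dovecot's pop3 here) and a REVIEW marker for anything executing from a
# writable location, which is the case the alert exists to catch.
pignore_suggestions() {
    awk '
        $3 ~ /^\/(home|tmp|var\/tmp|dev\/shm)\// {
            print "# REVIEW: " $2 " ran " $3 " (" $1 " alerts)"; next
        }
        { print "exe:" $3 }
    ' | LC_ALL=C sort -u
}

printf '%s' "$SAMPLE_ALERTS" | lfd_alert_summary
printf '%s' "$SAMPLE_ALERTS" | lfd_alert_summary | pignore_suggestions
```

On a live box, feed it the bodies of the queued alerts (for example the -D files under Exim's spool input directory, or `exim -Mvb` on each ID) instead of the constructed sample. The "exe:" lines are the csf.pignore syntax; the REVIEW line is deliberately not a valid entry so it cannot be pasted in by accident.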
 
Resolved!

Hey Forum -

I found the answer in the ConfigServer Firewall & Security Forum.

It appears that this problem is related to the config file for the CSF plugin in DirectAdmin.

As my particular problem is related to iPhones talking to the email service, I can fix the problem by increasing the PT_LIMIT timing or by whitelisting/ignoring the function in the csf.pignore file.

Regards,

Eric
BCN, Inc.
 
nano -w /etc/csf/csf.conf
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = "[email protected]"
You should change this to a working email address, then restart CSF and LFD, and the problem should be fixed.
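Changing LF_ALERT_TO only affects alerts sent from then on. The messages already in the queue keep their original recipient, root@hostname, and Exim will keep deferring them with the never_users error from the log above (Exim refuses to run a local delivery as uid 0), so they have to be removed by hand. The script below is an added example, not code from the thread or from ConfigServer: it checks that the LF_ALERT_TO value in a csf.conf fragment points away from local root, parses `exim -bp` output to pick out only the root-to-root entries, and wraps `exim -Mrm` in a dry run. The csf.conf fragments and the queue listing are constructed; only the first message ID and the hostname come from the post, and the admin@example.com address and the other three queue entries are made up.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify the LF_ALERT_TO fix and
# clear the lfd alerts already stuck in the Exim queue.

# Constructed csf.conf fragments: the shipped default (empty, so each alert
# template's own To: header, root, is used) and a corrected one.
CSF_CONF_BAD='# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""'
CSF_CONF_GOOD='LF_ALERT_TO = "admin@example.com"'

# stdin: csf.conf text. stdout: the LF_ALERT_TO value without its quotes.
lf_alert_to() {
    sed -n 's/^LF_ALERT_TO[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# $1 = LF_ALERT_TO value, $2 = this host. Returns 0 only when alerts will
# leave the box instead of landing back on the local root user.
alert_to_ok() {
    case "$1" in
        ""|root|root@"$2") return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed "exim -bp" output: age, size, message ID, envelope sender, then
# one indented line per recipient. Only the first ID comes from the post.
SAMPLE_QUEUE=' 2h  2.9K 1ONVIN-0007XE-GJ <root@cp.bcnonline.com>
          root@cp.bcnonline.com

 1h  3.0K 1ONVJQ-0007YA-2x <root@cp.bcnonline.com>
          root@cp.bcnonline.com

25m  1.1K 1ONVKB-0007ZZ-Qa <bob@example.org>
          root@cp.bcnonline.com

 9m  4.2K 1ONVKK-00080A-Lm <root@cp.bcnonline.com>
          tijinc@cp.bcnonline.com
'

# stdin: "exim -bp" output. $1 = local hostname. stdout: IDs of messages
# from root@host addressed to root@host, i.e. the lfd alerts that can never
# be delivered locally. Everything else in the queue is left alone.
root_to_root_queue_ids() {
    awk -v lhost="$1" '
        # header line: third field is the 6-6-2 base62 Exim message ID
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
            id = $3; from = $4; gsub(/[<>]/, "", from)
            from_root = (from == "root@" lhost); next
        }
        from_root && $1 == "root@" lhost { print id; from_root = 0 }
    '
}

# Remove the stuck alerts from the live queue. Defaults to a dry run; set
# DRY_RUN=0 to actually call "exim -Mrm".
purge_root_alerts() {
    ids=$(exim -bp | root_to_root_queue_ids "$1" | tr '\n' ' ')
    [ -n "$ids" ] || { echo "no root-to-root messages queued"; return 0; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: exim -Mrm $ids"
    else
        exim -Mrm $ids
    fi
}

# Demonstration on the constructed data (no exim needed):
for conf in "$CSF_CONF_BAD" "$CSF_CONF_GOOD"; do
    to=$(printf '%s\n' "$conf" | lf_alert_to)
    if alert_to_ok "$to" cp.bcnonline.com; then
        echo "LF_ALERT_TO=\"$to\": ok"
    else
        echo "LF_ALERT_TO=\"$to\": alerts will queue to local root, fix it"
    fi
done
printf '%s' "$SAMPLE_QUEUE" | root_to_root_queue_ids cp.bcnonline.com
```

Run the check against the real file with `lf_alert_to < /etc/csf/csf.conf`, and only after `csf -r` and an lfd restart run `DRY_RUN=0 purge_root_alerts "$(hostname -f)"` as root. The ID filter matches on envelope sender and recipient, not on subject, so a root-to-root message that is not an lfd alert would be removed too; inspect the dry-run list first.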
 
This is already the 3rd post about this problem on this forum. Please keep your questions in one post and do not double-post, and especially do not triple-post. I just wrote you the solution in one of your other posts about this.
 