Hi
Since this afternoon, I have had an SMTP alert under Nagios monitoring, and some strange logs:
To start with, here is the first very strange log:
Code:
2005-10-13 14:22:49 1EQ26i-0001iX-Dc <= [email][email protected][/email] H=pool-162-83-244-193.ny5030.east.verizon.net [162.83.244.193] P=smtp S=22410 T="Re [13]" from <[email protected]> for [email][email protected][/email]in
2005-10-13 14:22:49 1EQ26j-0001ib-4P <= [email][email protected][/email] U=mail P=spam-scanned S=27062 T="[SPAM] Re [13]" from <[email protected]> for [email][email protected][/email]in
2005-10-13 14:22:49 1EQ26j-0001ib-4P ** [email][email protected][/email]in F=<[email protected]> R=virtual_aliases:
2005-10-13 14:22:49 1EQ26j-0001ih-H3 <= <> R=1EQ26j-0001ib-4P U=mail P=local S=27854 T="Mail delivery failed: returning message to sender" from <> for [email][email protected][/email]
2005-10-13 14:22:49 1EQ26j-0001ib-4P Completed
2005-10-13 14:22:49 1EQ26i-0001iX-Dc => c6a8ec6b <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=26933
2005-10-13 14:22:49 1EQ26i-0001iX-Dc Completed
2005-10-13 14:22:50 1EQ26j-0001ih-H3 ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx2.hotmail.com [65.54.190.7]: 550 Requested action not taken: mailbox unavailable
2005-10-13 14:22:50 1EQ26j-0001ih-H3 Frozen (delivery error message)
Five minutes later, Nagios was failing on the SMTP service and started alerting.
Yet the weirdest thing is that the service is still declared down by Nagios with:
Critical - socket was not reached in 10 secs lapstime
and I can send via SMTP without any trouble or any delay...
A bit later in the logs, I get the following:
Code:
2005-10-13 14:51:18 H=209-180-105-66.omah.qwest.net [209.180.105.66] F=<[email protected]> rejected RCPT <[email protected]>: The destination adress is not accepted by our services - Stop spamming us.
2005-10-13 14:51:19 H=209-180-105-66.omah.qwest.net [209.180.105.66] incomplete transaction (connection lost) from <[email protected]>
2005-10-13 14:51:19 unexpected disconnection while reading SMTP command from 209-180-105-66.omah.qwest.net [209.180.105.66]
2005-10-13 14:52:33 1EPJRp-0007O0-NI Unfrozen by errmsg timer
2005-10-13 14:52:47 1EPJRp-0007O0-NI ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host aguascalientes-com.mr.outblaze.com [205.158.62.177]: 550 <>: No thank you rejected: Account Unavailable, Possible Forgery
2005-10-13 14:52:47 1EPJRp-0007O0-NI [email][email protected][/email]: error ignored
2005-10-13 14:52:47 1EPJRp-0007O0-NI Completed
2005-10-13 14:52:47 1EPJRj-0007Np-Tt Unfrozen by errmsg timer
2005-10-13 14:53:00 1EPJRj-0007Np-Tt ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host yyhmail-com.mr.outblaze.com [205.158.62.177]: 550 <>: No thank you rejected: Account Unavailable, Possible Forgery
2005-10-13 14:53:00 1EPJRj-0007Np-Tt [email][email protected][/email]: error ignored
2005-10-13 14:53:00 1EPJRj-0007Np-Tt Completed
2005-10-13 14:53:00 1EPJSA-0007Oe-Pp Unfrozen by errmsg timer
2005-10-13 14:53:14 1EPJSA-0007Oe-Pp ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host tlcfan-com.mr.outblaze.com [208.36.123.75]: 550 <>: No thank you rejected: Account Unavailable, Possible Forgery
2005-10-13 14:53:14 1EPJSA-0007Oe-Pp [email][email protected][/email]: error ignored
2005-10-13 14:53:14 1EPJSA-0007Oe-Pp Completed
2005-10-13 14:53:14 1EPJSL-0007Ov-4c Unfrozen by errmsg timer
2005-10-13 14:53:15 1EPJSL-0007Ov-4c ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail-kr.bigfoot.com [211.115.216.225]: 550 This account is not [email protected]
2005-10-13 14:53:15 1EPJSL-0007Ov-4c [email][email protected][/email]: error ignored
2005-10-13 14:53:15 1EPJSL-0007Ov-4c Completed
2005-10-13 14:53:15 1EPJSa-0007PL-14 Unfrozen by errmsg timer
I don't understand exactly what is said in this log, except that SMTP errors occur with an unavailable account... which is unfrozen by the server timer... ???? Which means that somewhere an SMTP process was frozen ????
I then have all the following logs, which I do not understand (sorry, my English is not that good, and I'm French...)
Code:
2005-10-13 15:02:25 1EPJS5-0007OT-0r Unfrozen by errmsg timer
2005-10-13 15:02:26 1EPJS5-0007OT-0r ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.nyc.untd.com [64.136.20.83]: 550 [email][email protected][/email] is not a valid user
2005-10-13 15:02:26 1EPJS5-0007OT-0r [email][email protected][/email]: error ignored
2005-10-13 15:02:26 1EPJS5-0007OT-0r Completed
2005-10-13 15:02:26 1EPJRw-0007OE-JV Unfrozen by errmsg timer
2005-10-13 15:02:39 1EPJRw-0007OE-JV ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host zipolite-com.mr.outblaze.com [205.158.62.177]: 550 <>: No thank you rejected: Account Unavailable, Possible Forgery
2005-10-13 15:02:39 1EPJRw-0007OE-JV [email][email protected][/email]: error ignored
2005-10-13 15:02:39 1EPJRw-0007OE-JV Completed
2005-10-13 15:02:39 1EPJRd-0007Nd-7D Unfrozen by errmsg timer
2005-10-13 15:02:53 1EPJRd-0007Nd-7D ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host tegucigalpa-com.mr.outblaze.com [205.158.62.177]: 550 <>: No thank you rejected: Account Unavailable, Possible Forgery
2005-10-13 15:02:53 1EPJRd-0007Nd-7D [email][email protected][/email]: error ignored
2005-10-13 15:02:53 1EPJRd-0007Nd-7D Completed
2005-10-13 15:07:33 1EPJqZ-0007ss-De Unfrozen by errmsg timer
2005-10-13 15:07:34 1EPJqZ-0007ss-De ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host smtp.secureserver.net [64.202.166.12]: 553 sorry, relaying denied from your location [195.XX.XX.XXX] (#5.7.1)
2005-10-13 15:07:34 1EPJqZ-0007ss-De [email][email protected][/email]: error ignored
2005-10-13 15:07:34 1EPJqZ-0007ss-De Completed
2005-10-13 15:25:42 1EPJSa-0007PL-14 mail.mx5.compuserve.com [149.174.40.183]: Connection timed out
2005-10-13 15:26:11 1EPJSa-0007PL-14 ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.mx4.compuserve.com [149.174.40.55]: 550 5.1.1 <[email protected]>... Mailbox not found
2005-10-13 15:26:11 1EPJSa-0007PL-14 [email][email protected][/email]: error ignored
2005-10-13 15:26:11 1EPJSa-0007PL-14 Completed
2005-10-13 15:46:59 1EQ3Q9-0003NA-TL <= [email][email protected][/email] H=s0106000c763eb7be.cc.shawcable.net [70.66.202.193] P=smtp S=16545 T="Re [1]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 15:47:14 1EQ3QB-0003NP-7W <= [email][email protected][/email] U=mail P=spam-scanned S=19924 T="[SPAM] Re [1]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 15:47:14 1EQ3QB-0003NP-7W ** [email][email protected][/email]in F=<[email protected]> R=virtual_aliases:
2005-10-13 15:47:14 1EQ3QQ-0003Nd-Dp <= <> R=1EQ3QB-0003NP-7W U=mail P=local S=20737 T="Mail delivery failed: returning message to sender" from <> for [email][email protected][/email]
2005-10-13 15:47:14 1EQ3QB-0003NP-7W Completed
2005-10-13 15:47:14 1EQ3Q9-0003NA-TL => lewisramiro <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=19800
2005-10-13 15:47:14 1EQ3Q9-0003NA-TL Completed
2005-10-13 15:47:20 1EQ3QQ-0003Nd-Dp ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx1.hotmail.com [65.54.252.99]: 550 Requested action not taken: mailbox unavailable
2005-10-13 15:47:20 1EQ3QQ-0003Nd-Dp Frozen (delivery error message)
2005-10-13 16:01:49 1EQ3eD-0003hp-Ev ** [email][email protected][/email]in F=<[email protected]> R=virtual_aliases:
2005-10-13 16:01:49 1EQ3eX-0003hy-Bv <= <> R=1EQ3eD-0003hp-Ev U=mail P=local S=26676 T="Mail delivery failed: returning message to sender" from <> for [email][email protected][/email]
2005-10-13 16:01:49 1EQ3eD-0003hp-Ev Completed
2005-10-13 16:01:49 1EQ3eC-0003hd-Aq => ransomed <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=25755
2005-10-13 16:01:49 1EQ3eC-0003hd-Aq Completed
2005-10-13 16:01:56 1EQ3eX-0003hy-Bv ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx1.hotmail.com [65.54.166.99]: 550 Requested action not taken: mailbox unavailable
2005-10-13 16:01:56 1EQ3eX-0003hy-Bv Frozen (delivery error message)
2005-10-13 17:02:18 1EPLPO-0002Cm-SN Unfrozen by errmsg timer
2005-10-13 17:02:24 1EPLPO-0002Cm-SN ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host smtp.secureserver.net [64.202.166.12]: 553 sorry, relaying denied from your location [195.XX.XX.XXX] (#5.7.1)
2005-10-13 17:02:24 1EPLPO-0002Cm-SN [email][email protected][/email]: error ignored
2005-10-13 17:02:24 1EPLPO-0002Cm-SN Completed
2005-10-13 17:32:13 1EPLwP-00037s-HR Unfrozen by errmsg timer
2005-10-13 17:32:18 1EPLwP-00037s-HR ** [email][email protected][/email] F=<>: all relevant MX records point to non-existent hosts
2005-10-13 17:32:18 1EPLwP-00037s-HR [email][email protected][/email]: error ignored
2005-10-13 17:32:18 1EPLwP-00037s-HR Completed
2005-10-13 20:02:13 1EPOHk-0005uh-TO Unfrozen by errmsg timer
2005-10-13 20:02:19 1EPOHk-0005uh-TO ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx2.mail.yahoo.com [4.79.181.13]: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta155.mail.mud.yahoo.com
2005-10-13 20:02:19 1EPOHk-0005uh-TO [email][email protected][/email]: error ignored
2005-10-13 20:02:19 1EPOHk-0005uh-TO Completed
2005-10-13 21:36:56 1EQ8sp-0001Ov-QA <= [email][email protected][/email] H=h173.140.55.139.ip.alltel.net [139.55.140.173] P=smtp S=22406 T="re[12]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 21:36:57 1EQ8sq-0001P5-R6 <= [email][email protected][/email] U=mail P=spam-scanned S=26238 T="[SPAM] re[12]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 21:36:57 1EQ8sq-0001P5-R6 ** [email][email protected][/email]in F=<[email protected]> R=virtual_aliases:
2005-10-13 21:36:57 1EQ8sr-0001PB-6s <= <> R=1EQ8sq-0001P5-R6 U=mail P=local S=27033 T="Mail delivery failed: returning message to sender" from <> for [email][email protected][/email]
2005-10-13 21:36:57 1EQ8sq-0001P5-R6 Completed
2005-10-13 21:36:57 1EQ8sp-0001Ov-QA => threnody <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=26110
2005-10-13 21:36:57 1EQ8sp-0001Ov-QA Completed
2005-10-13 21:36:58 1EQ8sr-0001PB-6s ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx2.mail.yahoo.com [67.28.114.35]: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta145.mail.dcn.yahoo.com
2005-10-13 21:36:58 1EQ8sr-0001PB-6s Frozen (delivery error message)
2005-10-13 22:26:21 1EQ9ed-0002JA-S5 <= [email][email protected][/email] H=adsl-9-79-238.mia.bellsouth.net [65.9.79.238] P=smtp S=22426 T="re[5]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 22:26:25 1EQ9ef-0002JM-WF <= [email][email protected][/email] U=mail P=spam-scanned S=26267 T="[SPAM] re[5]:" from <[email protected]> for [email][email protected][/email]in
2005-10-13 22:26:25 1EQ9ef-0002JM-WF ** [email][email protected][/email]in F=<[email protected]> R=virtual_aliases:
2005-10-13 22:26:25 1EQ9ej-0002JV-9H <= <> R=1EQ9ef-0002JM-WF U=mail P=local S=27082 T="Mail delivery failed: returning message to sender" from <> for [email][email protected][/email]
2005-10-13 22:26:25 1EQ9ef-0002JM-WF Completed
2005-10-13 22:26:25 1EQ9ed-0002JA-S5 => traditionallyfowls <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=26139
2005-10-13 22:26:25 1EQ9ed-0002JA-S5 Completed
2005-10-13 22:26:34 1EQ9ej-0002JV-9H ** [email][email protected][/email] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx2.mail.yahoo.com [67.28.114.35]: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta102.mail.dcn.yahoo.com
2005-10-13 22:26:34 1EQ9ej-0002JV-9H Frozen (delivery error message)
My problem is that Nagios is still down after all that, and I'm still attempting to understand what is happening... To be precise, client.domain is ALWAYS the same client/domain that has the attacks. Relaying is always attempted on the same server where these logs are taken from...
OK, I'm a noob at this, but I can learn, so can somebody please explain to me what these sudden error messages in my logs are... Are they a hacking attempt (successful or not)??? Is there a way to stop all this??? Must I be scared of further problems occurring???
Other questions are:
- How can I find out what is frozen and what is not in Exim???
Thanks for any help provided to understand this situation.
tdldp
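Following each Exim message id through the quoted log, as an added example that is not part of the post (function, variable and placeholder names are my own, not Exim's): the parser below links every null-sender bounce (F=<>) back to the incoming message that triggered it and records whether Exim froze, thawed or finally discarded that bounce. In the post's log the chain is always the same: spam arrives for a local address the virtual_aliases router cannot route, Exim generates a "Mail delivery failed" bounce to the claimed sender, the remote MX rejects that bounce because the sender address was forged, and Exim freezes it; "Unfrozen by errmsg timer" followed by "error ignored" is Exim later thawing such a frozen bounce, retrying it once and dropping it.

```python
import re
# Constructed sample, modelled on the Exim main-log lines quoted in the post
# (real addresses and hosts replaced by documentation placeholders).
SAMPLE_LOG = """\
2005-10-13 14:22:49 1EQ26j-0001ib-4P <= spammer@example.org U=mail P=spam-scanned S=27062 T="[SPAM] Re [13]" from <spammer@example.org> for nobody@client.example
2005-10-13 14:22:49 1EQ26j-0001ib-4P ** nobody@client.example F=<spammer@example.org> R=virtual_aliases:
2005-10-13 14:22:49 1EQ26j-0001ih-H3 <= <> R=1EQ26j-0001ib-4P U=mail P=local S=27854 T="Mail delivery failed: returning message to sender" from <> for spammer@example.org
2005-10-13 14:22:50 1EQ26j-0001ih-H3 ** spammer@example.org F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<spammer@example.org>: host mx.example.org [192.0.2.20]: 550 Requested action not taken: mailbox unavailable
2005-10-13 14:22:50 1EQ26j-0001ih-H3 Frozen (delivery error message)
2005-10-13 14:52:33 1EPJRp-0007O0-NI Unfrozen by errmsg timer
2005-10-13 14:52:47 1EPJRp-0007O0-NI ** old@example.com F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<old@example.com>: host mx.example.com [192.0.2.30]: 550 Account Unavailable, Possible Forgery
2005-10-13 14:52:47 1EPJRp-0007O0-NI old@example.com: error ignored
"""

# Exim main-log line: timestamp, 16-character message id, then the event text.
LINE_RE = re.compile(r"^\S+ \S+ (\S{6}-\S{6}-\S{2}) (.*)$")
BOUNCE_RE = re.compile(r"^<= <> R=(\S+) .* for (\S+)$")   # bounce created for message R=...
FAIL_RE = re.compile(r"^\*\* (\S+) F=<([^>]*)> R=(\S+)")   # address failed; F=<> means a bounce

def trace_bounces(log_text):
    """Map each null-sender bounce id to its parent message and fate (frozen/thawed/discarded)."""
    bad_rcpt, bounces = {}, {}   # original id -> unroutable recipient; bounce id -> info
    def entry(mid):
        return bounces.setdefault(mid, {"parent": None, "bounce_to": None, "frozen": False,
                                        "thawed": False, "discarded": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # rejects and disconnects carry no message id
        mid, event = m.groups()
        if b := BOUNCE_RE.match(event):    # Exim generated a bounce for message b.group(1)
            entry(mid).update(parent=b.group(1), bounce_to=b.group(2))
        elif (f := FAIL_RE.match(event)) and f.group(2) and f.group(3).startswith("virtual_aliases"):
            bad_rcpt[mid] = f.group(1)     # no such local user: this is what triggers the bounce
        elif f and not f.group(2):
            entry(mid)["bounce_to"] = f.group(1)   # the bounce itself was refused by the remote MX
        elif event.startswith("Frozen (delivery error message)"):
            entry(mid)["frozen"] = True    # undeliverable bounce parked in the queue
        elif event == "Unfrozen by errmsg timer":
            entry(mid)["thawed"] = True    # ignore_bounce_errors_after expired: one more try
        elif event.endswith(": error ignored"):
            entry(mid)["discarded"] = True # retry failed too, so Exim drops the bounce
    for info in bounces.values():
        info["bad_recipient"] = bad_rcpt.get(info["parent"])
    return bounces

def undeliverable_bounces(log_text):
    """Ids of bounces that could not be returned: the original sender address was forged."""
    return sorted(i for i, v in trace_bounces(log_text).items() if v["frozen"] or v["discarded"])
```

Point it at the real Exim main log to see which frozen messages are just backscatter from forged-sender spam; rejecting unknown recipients at RCPT time instead of bouncing after acceptance stops these bounces from being generated at all.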