Where can I find these mail traffic logs?

Richard G (Verified User, joined Jul 6, 2008, 14,307 messages, Maastricht)
I've found that one of my private accounts has suddenly been using huge masses of bandwidth for a couple of days. This should not be the case.

At first I discovered that, by accident, I had enabled the "email to friend" feature for guests on the forum.
However, after disabling this feature for all forum usergroups, a day later a mass of messages was still being sent (see the picture).

Now I tried the following logfiles:
/var/log/messages
/var/log/exim/mainlog
/var/log/exim/rejectlog
/var/log/exim/paniclog

And I can't find any of the 290 or 181 messages sent by my domain or username.
So if you take a look at the picture. Where can I find the logs DA is talking about here? This is a screenshot of the datatraffic when you push the "details" button.

datatraffic.jpg
 
Well, that data isn't that important to you; it's just a count stored in /etc/virtual/, if I remember correctly.

The log you need to analyze is /var/log/exim/mainlog and any .0 .1 .2 files, if they exist.

Also, if you're not already using it, I would suggest searching this forum for exim SpamBlocker 4.1 and using it instead of the basic 2.0 that comes with DirectAdmin as standard.

Regards
 
Dear Sellerone, I think you misunderstood my question.

This is not spam. It's outgoing mail via a script on my server. So I don't think that the newer SpamBlocker configuration (which also needs several configuration steps on the server) will help. We almost don't receive any spam even with the standard 2.0 config, mostly because we use SpamAssassin and several RBL lists.

I already checked the /var/log/exim/mainlog and nothing was to be found. I did not need to examine the .1 .2 etc., because they only contained logs older than the dates the traffic went up a lot.
The only thing I found in /var/log/exim/mainlog for that domain were a couple of messages which the forum sends about a cronjob that had been running. Those mails I have received, so that is good.
There were no other outgoing mails to be found in those logs, that's the reason why I asked if they could be found in another log.
 
Yes, I know it's not a matter of spam, but SpamBlocker (which doesn't require a lot of work on the system) is useful.

Btw, you should check this file: /etc/virtual/usage/USERNAME/bytes

Honestly, I don't think there are other outgoing email logs...

Regards
 
that doesn't require a lot of work on the system
Well.. you need to create several files and configure the new exim.conf completely as I read in the readme file.

Anyway, the file you point to only says this:
2679=type=email&[email protected]&method=incoming&id=1SUofF-0006Bz-2Z&path=/home/accountname/domains/mydomain.nl/public_html/forum
 
Well, if you look for it, there is a ready-made command list by me for the SB4 prerequisites ;)

Actually, that's strange; it should have a line for each email that DA is counting.

It should be either a bug or an error somewhere; I'll link this thread to John.

Regards
 
Oh, I did not know of the command list you made. Is it working with mod_ruid2 too? Because I also need to add group rights for apache in exim in order for some mail to work.

Actually, that's strange; it should have a line for each email that DA is counting.
Yes, that is what I thought too. I see a lot of incoming and outgoing mail there, but for the domain I'm talking about it's just those few cronjob mails, which is correct because the forum is almost not used, as you can see in the screenshot for the other months.
I did a search on domain.nl in all files (even the apache logs), so it's strange that there is gigabytes of mail traffic and it's not in the logs, and not even the firewall is complaining about it.

Firewall (csf/lfd) is sending me a message whenever a php script is sending over a certain amount of emails.

Thanks for pointing John to it.

Could it be an Exim bug which might be abused? I just discovered that we're still running version 4.76 on that server.
 
Well, I don't see how mod_ruid2 is involved in that; it's an exim.conf like the 2.0 with some improvements, so I think you can add the user to the group without that many problems.

I've pointed John to this thread; maybe it's just a bug or some count that didn't get reset somehow.

Yep, it should be an Exim bug; update it, it works just fine without issue. But it's curious, because it should log the email... unless it's a big hole :D

Regards
 
OK, then I will see what John says and in the meantime update my Exim.
Thanks for all your help again so far!
 
Hello,

Regarding the tracking of outbound email, ensure that:

1) You've got /etc/exim.pl VERSION=10. To ensure you have it, type:
Code:
wget -O /etc/exim.pl http://files.directadmin.com/services/exim.pl
/etc/init.d/exim restart

2) That you've got DA version 1.40.3+. This version adds the feature
User Level -> E-Mail Accounts -> E-Mail Usage

for a given User.

3) If you check:
Code:
cd /etc/virtual/usage
ls -la
there will usually be one User with a higher-than-normal file size, so you can check #2 for that User.

Don't forget to setup a send limit, eg:
Code:
echo 200 > /etc/virtual/limit

4) Check your /etc/exim.conf. Look for the line:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts
as you want to make sure it does not show
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

5) As mentioned in the previous guide, try this to see if there are any repeated authentications from the same IP:
Code:
cd /var/log/exim
grep 'A=login:' mainlog* | less
If not, check the mainlog manually to check a few sample outbound spams to see where it's coming from.

John
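 
Added example (not part of the thread and not DirectAdmin's own tooling): a small offline script that does the checks from John's steps 3, 4 and 5 against constructed data, and also parses the per-user bytes file format quoted earlier in the thread (`<bytes>=<query string>`, with `method=` and `path=` fields). Assumptions: the bytes-file line format is generalized from the single real line posted above; the mainlog lines follow stock Exim's `<=` arrival format, with `A=login:` for SMTP AUTH submissions and `U=<unixuser> P=local` for mail handed to the sendmail binary (which is how PHP's mail() from a web script would normally show up, with the web server's unix user); all sample contents, paths, addresses and IPs are made up.

```python
"""Added example, not from the forum thread or DirectAdmin: summarize the
DA usage bytes file, check exim.conf's relay_hosts for 127.0.0.1, and count
Exim mainlog arrivals per authenticating IP and per local unix user.
All sample data below is constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed stand-in for /etc/virtual/usage/USERNAME/bytes: "<bytes>=<query>".
USAGE_BYTES = """\
2679=type=email&email=forum@mydomain.nl&method=incoming&id=1SUofF-0006Bz-2Z&path=/home/accountname/domains/mydomain.nl/public_html/forum
41200=type=email&email=forum@mydomain.nl&method=outgoing&id=1SUofG-0006C0-3A&path=/home/accountname/domains/mydomain.nl/public_html/forum/addons
41200=type=email&email=forum@mydomain.nl&method=outgoing&id=1SUofH-0006C1-4B&path=/home/accountname/domains/mydomain.nl/public_html/forum/addons
3100=type=email&email=info@mydomain.nl&method=incoming&id=1SUofI-0006C2-5C&path=
"""

# Constructed excerpt of /var/log/exim/mainlog: one script-submitted message
# (U=apache P=local, assumed format) and three SMTP AUTH submissions from two IPs.
MAINLOG = """\
2012-05-20 03:15:02 1SUofF-0006Bz-2Z <= forum@mydomain.nl U=apache P=local S=2679 id=cron@mydomain.nl
2012-05-20 03:15:03 1SUofF-0006Bz-2Z => admin@mydomain.nl R=virtual_user T=virtual_localdelivery
2012-05-20 03:15:03 1SUofF-0006Bz-2Z Completed
2012-05-20 09:01:10 1SUofG-0006C0-3A <= user@mydomain.nl H=(pc) [203.0.113.5] P=esmtpa A=login:user@mydomain.nl S=41200 id=1@pc
2012-05-20 09:01:11 1SUofH-0006C1-4B <= user@mydomain.nl H=(pc) [203.0.113.5] P=esmtpa A=login:user@mydomain.nl S=41200 id=2@pc
2012-05-20 09:02:00 1SUofI-0006C2-5C <= user@mydomain.nl H=(laptop) [198.51.100.7] P=esmtpa A=login:user@mydomain.nl S=1200 id=3@laptop
"""


def summarize_usage(text):
    """Return (bytes per method, bytes per path, message count per path)."""
    by_method, by_path, n_by_path = Counter(), Counter(), Counter()
    for line in text.splitlines():
        size, sep, query = line.strip().partition("=")
        if not sep or not size.isdigit():
            continue  # blank or malformed line
        fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        method = fields.get("method", "unknown")
        path = fields.get("path") or "(no path)"  # empty path: not submitted by a script
        by_method[method] += int(size)
        by_path[path] += int(size)
        n_by_path[path] += 1
    return by_method, by_path, n_by_path


RELAY = re.compile(r"^[ \t]*hostlist[ \t]+relay_hosts[ \t]*=[ \t]*(?P<value>.*)$", re.M)


def relay_hosts_allows_localhost(conf_text):
    """True if the relay_hosts list contains 127.0.0.1 (John's step 4); Exim lists are ':'-separated."""
    m = RELAY.search(conf_text)
    if not m:
        return False
    return "127.0.0.1" in [item.strip() for item in m.group("value").split(":")]


ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ (?P<rest>.*)$")  # "<=" marks a received message
AUTH = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*\bA=login:(?P<user>\S+)")
LOCAL = re.compile(r"\bU=(?P<unixuser>\S+)\b.*\bP=local\b")  # sendmail binary, e.g. PHP mail()


def scan_mainlog(text):
    """Count arrivals per (client IP, auth user) and per local submitting unix user."""
    auth, local = Counter(), Counter()
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery (=>), Completed, defer lines, etc.
        a = AUTH.search(m.group("rest"))
        if a:
            auth[(a.group("ip"), a.group("user"))] += 1
            continue
        loc = LOCAL.search(m.group("rest"))
        if loc:
            local[loc.group("unixuser")] += 1
    return auth, local


def repeated_auth_ips(auth, threshold):
    """IPs that authenticated at least `threshold` times (what grep 'A=login:' is looking for)."""
    per_ip = Counter()
    for (ip, _user), n in auth.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    by_method, by_path, n_by_path = summarize_usage(USAGE_BYTES)
    print("bytes by method:", dict(by_method))
    for path, n in n_by_path.most_common():
        print(f"{n:4d} msgs {by_path[path]:8d} bytes  {path}")
    bad = "hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1"
    print("relay_hosts allows 127.0.0.1:", relay_hosts_allows_localhost(bad))
    auth, local = scan_mainlog(MAINLOG)
    print("IPs authenticating 2+ times:", repeated_auth_ips(auth, 2))
    print("local submissions by unix user:", dict(local))
```

On a real box you would feed it `/etc/virtual/usage/<user>/bytes` and `/var/log/exim/mainlog*` instead of the embedded strings. The per-path totals answer the thread's question (which script directory is generating the volume), the `P=local` count is where mail() from a hacked PHP script would appear even when no SMTP authentication is involved, and the relay_hosts check catches the open-relay-from-localhost setting John warns about.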
 
Thanks John.

I just updated exim.pl according to your explanation and this afternoon I updated my exim version.
It's not a user sending out that mail, probably a script (vbulletin mod) which is hacked. So I think the php mail function is used.
However, I did not see anything in the logs of apache either.

At this moment, it's rather quiet, so it might be fixed now I removed one of the addons.
 
Step 4 minor update:

look in this file:
/etc/exim.variables.conf

at the line
hostlist relay_hosts=net-lsearch;/etc/virtual/pophosts

and make sure it doesn't have 127.0.0.1
 
My post was from almost 5 years ago. ;)

It was the script I removed which caused this problem.

By default the hostlist line reads like this these days:
Code:
hostlist relay_hosts=
there is no net-lsearch etc. mentioned behind it. So this normally should not be an issue.
 