Mail Log Question - Is This Normal

Discussion in 'Installation/Configuration' started by gwiz, Sep 9, 2009.

  1. gwiz

    gwiz New Member

    Is this a normal log file?

    Wondering why pop3d/imapd/postfix keep connecting and disconnecting when I am not initiating the activity, and wondering why I am getting this warning from Google:

    smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

    Does this mean someone has tapped into my system and is bouncing spam mail off my server? This is just a partial copy of my log file; every 5 minutes or so there is activity, and the entire log is way too long to post here.

    Is there a setting I need to change, or is this normal activity?



    Sep 9 12:40:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:40:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 12:40:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:40:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
    Sep 9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 12:40:02 www postfix/smtpd[2837]: disconnect from localhost[127.0.0.1]
    Sep 9 12:41:27 www postfix/smtpd[2775]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
    Sep 9 12:41:27 www postfix/smtpd[2775]: disconnect from localhost[127.0.0.1]
    Sep 9 12:43:34 www postfix/qmgr[2534]: 5AF5E2C2F2: from=<[email protected]>, size=1283, nrcpt=1 (queue active)
    Sep 9 12:44:05 www postfix/smtp[2876]: 5AF5E2C2F2: host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. 13si2998532pxi.23 (in reply to end of DATA command)
    Sep 9 12:44:36 www postfix/smtp[2876]: 5AF5E2C2F2: to=<[email protected]>, relay=alt1.gmail-smtp-in.l.google.com[209.85.211.100]:25, delay=489, delays=427/0.09/31/31, dsn=2.0.0, status=sent (250 2.0.0 OK 1252521876 40si15158245ywh.73)
    Sep 9 12:44:36 www postfix/qmgr[2534]: 5AF5E2C2F2: removed
    Sep 9 12:45:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:45:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 12:45:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:45:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 12:45:01 www postfix/smtpd[2903]: connect from localhost[127.0.0.1]
    Sep 9 12:45:01 www postfix/smtpd[2903]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 12:45:01 www postfix/smtpd[2903]: disconnect from localhost[127.0.0.1]
    Sep 9 12:50:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:50:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 12:50:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:50:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 12:50:01 www postfix/smtpd[2967]: connect from localhost[127.0.0.1]
    Sep 9 12:50:01 www postfix/smtpd[2967]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 12:50:01 www postfix/smtpd[2967]: disconnect from localhost[127.0.0.1]
    Sep 9 12:55:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:55:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 12:55:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 12:55:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 12:55:01 www postfix/smtpd[3031]: connect from localhost[127.0.0.1]
    Sep 9 12:55:01 www postfix/smtpd[3031]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 12:55:01 www postfix/smtpd[3031]: disconnect from localhost[127.0.0.1]
    Sep 9 13:00:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:00:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:00:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:00:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:00:01 www postfix/smtpd[3095]: connect from localhost[127.0.0.1]
    Sep 9 13:00:01 www postfix/smtpd[3095]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:00:01 www postfix/smtpd[3095]: disconnect from localhost[127.0.0.1]
    Sep 9 13:05:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:05:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:05:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:05:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:05:01 www postfix/smtpd[3172]: connect from localhost[127.0.0.1]
    Sep 9 13:05:01 www postfix/smtpd[3172]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:05:01 www postfix/smtpd[3172]: disconnect from localhost[127.0.0.1]
    Sep 9 13:10:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:10:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:10:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:10:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:10:02 www postfix/smtpd[3248]: connect from localhost[127.0.0.1]
    Sep 9 13:10:02 www postfix/smtpd[3248]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:10:02 www postfix/smtpd[3248]: disconnect from localhost[127.0.0.1]
    Sep 9 13:15:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:15:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:15:02 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:15:02 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:15:02 www postfix/smtpd[3312]: connect from localhost[127.0.0.1]
    Sep 9 13:15:02 www postfix/smtpd[3312]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:15:02 www postfix/smtpd[3312]: disconnect from localhost[127.0.0.1]
    Sep 9 13:20:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:20:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:20:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:20:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:20:01 www postfix/smtpd[3379]: connect from localhost[127.0.0.1]
    Sep 9 13:20:01 www postfix/smtpd[3379]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:20:01 www postfix/smtpd[3379]: disconnect from localhost[127.0.0.1]
    Sep 9 13:25:01 www pop3d: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:25:01 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Sep 9 13:25:01 www imapd: Connection, ip=[::ffff:127.0.0.1]
    Sep 9 13:25:01 www imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Sep 9 13:25:01 www postfix/smtpd[3443]: connect from localhost[127.0.0.1]
    Sep 9 13:25:01 www postfix/smtpd[3443]: lost connection after CONNECT from localhost[127.0.0.1]
    Sep 9 13:25:01 www postfix/smtpd[3443]: disconnect from localhost[127.0.0.1]
     
  2. dclardy

    dclardy Member

    The connections every 5 minutes are the ISPConfig installation checking to make sure that necessary modules are running.

    It sounds like someone else is using your server to relay mail for them. Not sure though. I am sure that someone else will be able to help more with that.
     
  3. primal23

    primal23 New Member

    It does read, to me at least, as a sign of a possible open relay.
     
  4. gwiz

    gwiz New Member

    2 Votes Saying Not Normal?

    If I were to post the whole log -- there are at least 30 of these warnings:

    host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [xx.xxx.xxx.xxx] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines.

    Funny thing is I just got this ISPConfig running 2 days ago, and have only sent out a couple of testers to see if my contact forms are working.

    Sad if someone hacked in already, before I have had a chance to figure ISPConfig out.

    Either get rid of it --Or -- I just wait for the SPAM Police to come and take me away ... lol
     
  5. primal23

    primal23 New Member

    My server had ping open for maybe an hour, and it was enough for us to get hit at least 30 times a day by spambots.
     
  6. gwiz

    gwiz New Member

    Re:

    Well, none of my configuration files have been changed from the fresh install -- not that I would know how to change anything without breaking the system -- so unless it comes pre-set with open ports, I don't know.

    My main goal was for my Father-In-Law to be able to access and control his own websites which I host, and to be able to run contact forms - Rather than posting an e-mail address on my sites.

    Not so sure all the aggravation over the last week is worth opening my server up to the world to use at their own free will. I will watch the mail logs for a few days, and see if it mellows out - If not, I will have to try another way I guess.
     
  7. falko

    falko Super Moderator Howtoforge Staff

    This is normal activity from ISPConfig's monitoring module which tries to check if Postfix and Courier are still up and running.
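    As an added example (not from this thread, ISPConfig or Postfix), a small Python triage script that separates the localhost probes falko describes from the events that actually matter here: who is injecting mail into the queue, remote-host 421 deferrals, and any non-localhost client talking to smtpd. The sample log is constructed from the lines quoted above, with the redacted addresses and IP replaced by example.invalid / RFC 5737 placeholders, and a constructed "Relay access denied" line added to show what a refused relay attempt looks like in the same log.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in this thread; the poster's
# redacted addresses and IP are replaced with example.invalid / RFC 5737 values.
SAMPLE_LOG = """\
Sep 9 12:40:02 www pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: connect from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: lost connection after CONNECT from localhost[127.0.0.1]
Sep 9 12:40:02 www postfix/smtpd[2837]: disconnect from localhost[127.0.0.1]
Sep 9 12:43:34 www postfix/qmgr[2534]: 5AF5E2C2F2: from=<www-data@example.invalid>, size=1283, nrcpt=1 (queue active)
Sep 9 12:44:05 www postfix/smtp[2876]: 5AF5E2C2F2: host gmail-smtp-in.l.google.com[209.85.216.57] said: 421-4.7.0 [192.0.2.10] Our system has detected an unusual amount of 421-4.7.0 unsolicited mail originating from your IP address. (in reply to end of DATA command)
Sep 9 12:44:36 www postfix/smtp[2876]: 5AF5E2C2F2: to=<someone@example.invalid>, relay=alt1.gmail-smtp-in.l.google.com[209.85.211.100]:25, delay=489, delays=427/0.09/31/31, dsn=2.0.0, status=sent (250 2.0.0 OK 1252521876 40si15158245ywh.73)
Sep 9 12:46:10 www postfix/smtpd[2950]: connect from unknown[198.51.100.7]
Sep 9 12:46:11 www postfix/smtpd[2950]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.invalid>: Relay access denied; from=<spam@example.invalid> to=<victim@example.invalid> proto=ESMTP helo=<x>
"""

# ISPConfig's monitor opens a socket to each daemon from 127.0.0.1 and drops it at once.
PROBE_RE = re.compile(r"(?:pop3d|imapd): .*ip=\[::ffff:127\.0\.0\.1\]|postfix/smtpd\[\d+\]: .*from localhost\[127\.0\.0\.1\]")
REMOTE_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+?\[(\d+(?:\.\d+){3})\]")
REJECT_RE = re.compile(r"NOQUEUE: reject: .*?: (\d{3}) [\d.]+ (?:<[^>]*>: )?([^;]+);")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): (?:host \S+ said: (\d{3})|to=<[^>]*>.*status=(\w+))")

def triage(log_text):
    """Split a Postfix/Courier log into expected local probes and everything else."""
    report = {"monitor_probes": 0, "remote_clients": Counter(), "rejects": Counter(),
              "senders": Counter(), "deferred_421": set(), "delivery_status": Counter()}
    for line in log_text.splitlines():
        if PROBE_RE.search(line):            # local keep-alive checks: expected noise
            report["monitor_probes"] += 1
        elif m := REMOTE_RE.search(line):    # anyone other than localhost talking to port 25
            report["remote_clients"][m.group(1)] += 1
        elif m := REJECT_RE.search(line):    # what smtpd refused, and why
            report["rejects"][f"{m.group(1)} {m.group(2)}"] += 1
        elif m := QMGR_RE.search(line):      # envelope senders entering the queue
            report["senders"][m.group(2)] += 1
        elif m := SMTP_RE.search(line):      # outbound delivery outcomes per queue ID
            qid, code, status = m.groups()
            if code == "421":
                report["deferred_421"].add(qid)
            if status:
                report["delivery_status"][status] += 1
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    A steady monitor_probes count with an empty remote_clients and only known senders is the normal picture; unexpected senders or remote clients are what to investigate.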
     
  8. dclardy

    dclardy Member

    Just so you know, I am pretty sure that error is due to the fact that you have a blacklisted IP address. I got the same thing on mine when my IP address changed yesterday. The other IP that I had was removed from some of the blacklists out there, and it got through. I am guessing that you are on a dynamic IP from a supplier who has supplied that information to the databases. You could try getting a static IP, but I am not lucky enough to have a supplier who will give me one.
     
