sendmail log question

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Installation - Getting started with Red Hat Linux

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	X Windows problem (xauth)
•	Upgrading openoffice 1 1 rpm
•	FTP: connection refused
•	FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	broadcom network interface
•	make mrproper
•	sendmail configuration on redhat
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	Promise 378 controller
•	kernel 2 6 and /dev/sound/mixer not found
•	Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	Lotus Notes under Wine
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	Command stream end of file while reading
•	rpm database corrupt
•	qla2300 modules

sendmail log question

sendmail log question

2003-06-27 - By Gordon Bowersox

Back

Reply: 1 2

Found some odd log file entries while combating SOBIG.e

This first entry shows one instance of receiving the virus. It has
both sendmail accepting the message and sendmail delivering the message.
I also pasted the header of the message. Pretty normal.

---

Jun 25 18:05:42 mail sendmail[4918]: h5PM5dC04918: from=<20gail.kulbeth@(protected)
.com>,
size=111813, class=0, nrcpts=1, msgid=<200306252205.h5PM5dC04918@(protected)
.com>,
proto=ESMTP, daemon=MTA, relay=hv.domain.com [10.10.50.25]

Jun 25 18:05:42 mail sendmail[4942]: h5PM5dC04918: to=<luser@(protected)>,
delay=00:00:03, xdelay=00:00:00, mailer=local, pri=141498, dsn=2.0.0, stat=Sent

Return-Path: <20gail.kulbeth@(protected)>
Received: from 94X8JT (hv.domain.com [10.10.50.25])
by mail.domain.com (8.11.6/8.11.6) with ESMTP id h5PM5dC04918
for <luser@(protected)>; Wed, 25 Jun 2003 18:05:39 -0400
Message-Id: <200306252205.h5PM5dC04918@(protected)>
From: <20gail.kulbeth@(protected)>
To: <luser@(protected)>
Subject: Re: Movie
Date: Wed, 25 Jun 2003 17:05:34 --0500
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_018486FB"

-- ----

These entries do not have a log file entry for sendmail accepting the
message for delivery. Only sendmail delivering the message. I included
1 header

-- ----
Jun 25 17:18:05 mail sendmail[2397]: h5PLI2C02352:
to=<luser@(protected)>, delay=00:00:03, xdelay=00:00:01, mailer=local,
pri=141498, dsn=2.0.0, stat=Sent

Jun 25 16:51:54 mail sendmail[15546]: h5PKpoC15537:
to=<luser@(protected)>, delay=00:00:04, xdelay=00:00:01, mailer=local,
pri=141498, dsn=2.0.0, stat=Sent

Return-Path: <taylorwright8@(protected)>
Received: from MNELSON_LT (hv.domain.com [10.10.50.25])
by mail.domain.com (8.11.6/8.11.6) with ESMTP id h5PKpoC15537
for <luser@(protected)>; Wed, 25 Jun 2003 16:51:50 -0400
Message-Id: <200306252051.h5PKpoC15537@(protected)>
From: <taylorwright8@(protected)>
To: <luser@(protected)>
Subject: Re: Movie
Date: Wed, 25 Jun 2003 16:51:50 --0400
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_009B6ABD"

Jun 25 16:44:30 mail sendmail[9640]: h5PKiOC09573:
to=<luser@(protected)>, delay=00:00:04, xdelay=00:00:02, mailer=local,
pri=141498, dsn=2.0.0, stat=Sent

I tried grep the log file for the smtp id's in all instances. I sent
mail from yahoo, my client, pine on the mail server and a machine that
lived on the same subnet. All have two entries in the log file. Has
anyone else seen the single entry in their logs? I also grep'ed -20 and
looked at the lines nearby. The 10.10.50.25 is the firewall and shows
if nothing else they came from the outside.

Thanks,
Gordon Bowersox

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>

<pre>Found some odd log file entries while combating SOBIG.e

This first entry shows one instance of receiving the virus.  It has
both sendmail accepting the message and sendmail delivering the message.
I also pasted the header of the message. Pretty normal.

---

Jun 25 18:05:42 mail sendmail[4918]: h5PM5dC04918: from=<20gail.kulbeth
@(protected)>,
size=111813, class=0, nrcpts=1, msgid=<200306252205.h5PM5dC04918@(protected)
.com>,
proto=ESMTP, daemon=MTA, relay=hv.domain.com [10.10.50.25]

Jun 25 18:05:42 mail sendmail[4942]: h5PM5dC04918: to=<luser@(protected)>,
delay=00:00:03, xdelay=00:00:00, mailer=local, pri=141498, dsn=2.0.0, stat=Sent
</pre>
Return-Path: <20gail.kulbeth@(protected)>
 Received: from 94X8JT (hv.domain.com [10.10.50.25])
         by mail.domain.com (8.11.6/8.11
.6)
with ESMTP id h5PM5dC04918
         for <luser@(protected)>;
Wed, 25 Jun 2003 18:05:39 -0400
 Message-Id: <200306252205.h5PM5dC04918@(protected)>
 From: <20gail.kulbeth@(protected)>
 To: <luser@(protected)>
 Subject: Re: Movie
 Date: Wed, 25 Jun 2003 17:05:34 --0500
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MSMail-Priority: Normal
 X-Priority: 3 (Normal)
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
         boundary="CSmtpMsgPart123X456
_000_018486FB"
-- ----
These entries do not have a log file entry for sendmail accepting the
message for delivery.  Only sendmail delivering the message. 
I included 1 header
-- ----
 Jun 25 17:18:05 mail sendmail[2397]: h5PLI2C02352: to=<luser@(protected)>,
delay=00:00:03, xdelay=00:00:01, mailer=local, pri=141498, dsn=2.0.0, stat=Sent
Jun 25 16:51:54 mail sendmail[15546]: h5PKpoC15537: to=<luser@(protected)>,
delay=00:00:04, xdelay=00:00:01, mailer=local, pri=141498, dsn=2.0.0, stat=Sent
Return-Path: <taylorwright8@(protected)>
 Received: from MNELSON_LT (hv.domain.com [10.10.50.25])
         by mail.domain.com (8.11.6/8.11
.6)
with ESMTP id h5PKpoC15537
         for <luser@(protected)>;
Wed, 25 Jun 2003 16:51:50 -0400
 Message-Id: <200306252051.h5PKpoC15537@(protected)>
 From: <taylorwright8@(protected)>
 To: <luser@(protected)>
 Subject: Re: Movie
 Date: Wed, 25 Jun 2003 16:51:50 --0400
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MSMail-Priority: Normal
 X-Priority: 3 (Normal)
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
         boundary="CSmtpMsgPart123X456
_000_009B6ABD"
Jun 25 16:44:30 mail sendmail[9640]: h5PKiOC09573: to=<luser@(protected)>,
delay=00:00:04, xdelay=00:00:02, mailer=local, pri=141498, dsn=2.0.0, stat=Sent
I tried grep the log file for the smtp id's in all instances. 
I sent mail from yahoo, my client, pine on the mail server and a machine
that lived on the same subnet.  All have two entries in the log file. 
Has anyone else seen the single entry in their logs?  I also
grep'ed -20 and looked at the lines nearby.  The 10.10.50.25 is the
firewall and shows if nothing else they came from the outside.
Thanks,
 Gordon Bowersox</html>