[BlueOnyx:21428] Re: localhost sending 14K emails in a month?

Michael Stauber mstauber at blueonyx.it
Thu Sep 28 00:57:05 -05 2017


Hi Lewis,

> According to Usage Information, Email, Senders localhost on one of my
> 5209R servers has sent 13,990 emails this month. Mostly during one week
> and one other day.
> 
> Is there any reasonable explanation for this behavior?
> 
> What to do?

No, this sure isn't normal and warrants further investigation. First see
what else the GUI says. For that check "Server Management" / "Usage
Information" / "Email" and under "Email Traffic as reported by
Milter-GeoIP" click on the "All Users" tab.

Clicks on this tab sometimes are a bit unresponsive. Give it a bit,
click on it again and eventually it should show. Then sort that by
"Email out" and it should tell you how much each user account sent in
regards to outbound emails.

This might help to identify the account that causes it. If you're
unlucky, it says "root". Now under "root" it will also register delivery
failure notices to local or remote users.

However, with the username it told you, you can take it to the logfiles.
If it was "root", you could use this for example:

grep root /var/log/maillog | grep stat=Sent

That will show you all messages in /var/log/maillog that user "root"
sent. One example from my logs:

Sep 27 06:04:46 kosh sendmail[3353]: v8RB4X6n003345: to=xxx at xxx.net,
ctladdr=<root at kosh.smd.net> (0/0), delay=00:00:13, xdelay=00:00:12,
mailer=esmtp, pri=61310, relay=mail.solarspeed.net. [208.77.221.199],
dsn=2.0.0, stat=Sent (v8RB4YeE001888 Message accepted for delivery)

You can then grep for the message ID, which is "v8RB4X6n003345" in this
example to get a better picture of that single transaction:

Example:

[root at kosh ~]# cat /var/log/maillog|grep v8RB4X6n003345
Sep 27 06:04:33 kosh milter-greylist: v8RB4X6n003345: skipping greylist
because address 127.0.0.1 is whitelisted, (from=<root at kosh.smd.net>,
rcpt=<root at kosh.smd.net>, addr=localhost.localdomain[127.0.0.1]) ACL 100

Sep 27 06:04:33 kosh sendmail[3345]: v8RB4X6n003345:
from=<root at kosh.smd.net>, size=822, class=0, nrcpts=1,
msgid=<201709271100.v8RB0CRr003192 at kosh.smd.net>, proto=ESMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Sep 27 06:04:34 kosh sendmail[3353]: v8RB4X6n003345: to=\\admin,
ctladdr=<root at kosh.smd.net> (0/0), delay=00:00:01, xdelay=00:00:01,
mailer=local, pri=61310, dsn=2.0.0, stat=Sent

Sep 27 06:04:46 kosh sendmail[3353]: v8RB4X6n003345: to=xxx at xxx.net,
ctladdr=<root at kosh.smd.net> (0/0), delay=00:00:13, xdelay=00:00:12,
mailer=esmtp, pri=61310, relay=mail.solarspeed.net. [208.77.221.199],
dsn=2.0.0, stat=Sent (v8RB4YeE001888 Message accepted for delivery)

That tells us: It was an 822-byte email from "root" to "admin", which
also got forwarded to xxx at xxx.net, because the "admin" on that box has
forwarding enabled.

See what you can dig up this way and if you need any help with this,
please file a support ticket via the GUI and tick the checkbox for
"allow access".

-- 
With best regards

Michael Stauber
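The two-step procedure above (count "stat=Sent" deliveries per sending user, then pull every log line for one queue ID) can be scripted so it is repeatable across a month of maillog. The script below is an added example, not code from Michael's post or from BlueOnyx. It runs against a small set of constructed sendmail log lines (the hostnames, the "webuser" account, the 192.0.2.x relays and the queue IDs other than the one quoted in the post are all made up); point the functions at /var/log/maillog instead of the sample file to use them on a real server.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sendmail "stat=Sent"
# deliveries per ctladdr user, list a user's queue IDs, and pull one whole
# transaction by queue ID. The log lines below are CONSTRUCTED sample data.

SAMPLE_LOG="${TMPDIR:-/tmp}/maillog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 27 06:04:33 kosh sendmail[3345]: v8RB4X6n003345: from=<root@kosh.example.net>, size=822, class=0, nrcpts=1, msgid=<201709271100.v8RB0CRr003192@kosh.example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 27 06:04:34 kosh sendmail[3353]: v8RB4X6n003345: to=\admin, ctladdr=<root@kosh.example.net> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=61310, dsn=2.0.0, stat=Sent
Sep 27 06:04:46 kosh sendmail[3353]: v8RB4X6n003345: to=<someone@example.net>, ctladdr=<root@kosh.example.net> (0/0), delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=61310, relay=mail.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (v8RB4YeE001888 Message accepted for delivery)
Sep 27 07:10:02 kosh sendmail[4001]: v8RC9fxx004001: to=<rcpt1@example.org>, ctladdr=<webuser@kosh.example.net> (503/503), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30500, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (OK)
Sep 27 07:10:03 kosh sendmail[4001]: v8RC9fxx004001: to=<rcpt2@example.org>, ctladdr=<webuser@kosh.example.net> (503/503), delay=00:00:03, xdelay=00:00:01, mailer=esmtp, pri=30500, relay=mx.example.org. [192.0.2.20], dsn=5.1.1, stat=User unknown
Sep 27 07:10:04 kosh sendmail[4002]: v8RC9fyy004002: to=<rcpt1@example.org>, ctladdr=<webuser@kosh.example.net> (503/503), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30500, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (OK)
EOF

# Print "count user" for every ctladdr user with stat=Sent deliveries,
# highest first. Optional 2nd arg restricts to one mailer:
# "esmtp" = delivered to a remote host, "local" = delivered on the box.
sent_per_user() {
  log=$1; mailer=${2:-}
  grep 'stat=Sent' "$log" \
    | { if [ -n "$mailer" ]; then grep "mailer=$mailer,"; else cat; fi; } \
    | sed -n 's/.*ctladdr=<\([^@>]*\)[@>].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Number of stat=Sent deliveries for one user (args: log user [mailer]);
# prints 0 when the user never appears.
sent_count() {
  sent_per_user "$1" "$3" \
    | awk -v u="$2" '$2 == u {print $1; found=1} END {if (!found) print 0}'
}

# Distinct queue IDs (the "v8RB4X6n003345"-style token after "sendmail[pid]:")
# of a user's successful remote deliveries (args: log user).
queue_ids_for_user() {
  grep "ctladdr=<$2[@>]" "$1" | grep 'stat=Sent' | grep 'mailer=esmtp,' \
    | sed -n 's/.*sendmail\[[0-9]*\]: \([A-Za-z0-9]*\): .*/\1/p' | sort -u
}

# Every log line belonging to one queue ID, i.e. the whole transaction
# (args: log queue_id).
transaction() {
  grep -F -- "$2: " "$1"
}

echo "== stat=Sent deliveries per user (all mailers)"
sent_per_user "$SAMPLE_LOG"
echo "== remote (esmtp) deliveries per user"
sent_per_user "$SAMPLE_LOG" esmtp
echo "== queue IDs for webuser's remote deliveries"
queue_ids_for_user "$SAMPLE_LOG" webuser
echo "== full transaction for one queue ID"
transaction "$SAMPLE_LOG" v8RB4X6n003345
```

The esmtp-only view is the one that corresponds to the GUI's "Email out" column: a local delivery to "admin" counts under "root" just as the post describes, so filtering on the mailer separates mail that actually left the server from on-box notices. Once the per-user table points at an account, `queue_ids_for_user` feeds `transaction` to reconstruct each message the way the quoted log excerpt does.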
