[SATLUG] sendmail logging
Brad Knowles
brad at shub-internet.org
Sun Sep 2 22:18:42 CDT 2007
On 9/2/07, Leif Johnson wrote:

> Can someone tell me if those are just bounces or does this indicate that
> my mailserver is being used as a relay of some sort?

The size is zero, and the number of recipients is zero, so you're
fine -- someone tried to send you something (presumably to use you as
a relay), but they dropped the connection in the middle.

Sendmail goes out of its way to try to log as much information as it
can as early as possible, so sometimes you get information logged
about partial delivery attempts (like this), which don't result in
any actual message deliveries.

In fact, it's probably actually my fault that you're seeing these
messages. I asked Eric Allman to change the way that sendmail logs
everything, so as to log all information it could as early as
possible in the SMTP dialog process.

This was because when I was working at AOL we were having a hard time
tracking people who were trying to abuse our servers to sniff out
which addresses were valid and which ones weren't, and we didn't find
out about these abusers until they had already gotten all the
information they needed and then dropped the connection.

With this change, we could see information getting put into the logs
in virtual "real time" as the abusers were still connected and trying
to gather more data, and then we could cut them off very quickly. We
also kept our own internal black lists of abusive addresses, so as
soon as one of their IP addresses was blocked on one of our servers,
it got added to the list and would be blocked (or dropped) on all the
others.

The additional logging information can be a bit complex to
understand, but all in all it was a huge win for us at AOL.

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
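
Added example (not part of the message above, and not code from sendmail): a short Python script that applies the check described in the reply to sendmail `from=` log lines, counting per connecting relay the entries with `size=0` and `nrcpts=0`. The sample log lines, the function names and the threshold of 3 are constructed for illustration; the original log excerpt is not shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines in sendmail's "from=" syslog format (not from the post).
SAMPLE_LOG = """\
Sep  2 21:58:01 mx sendmail[4101]: l832w1aB004101: from=<a@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Sep  2 21:58:07 mx sendmail[4102]: l832w7aB004102: from=<b@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Sep  2 21:58:15 mx sendmail[4103]: l832wFaB004103: from=<c@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Sep  2 21:59:30 mx sendmail[4110]: l832xUaB004110: from=<user@example.org>, size=2048, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Sep  2 22:01:12 mx sendmail[4120]: l8331CaB004120: from=<d@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.com [203.0.113.5]
Sep  2 22:01:13 mx sendmail[4120]: l8331CaB004120: to=<leif@example.org>, delay=00:00:01, mailer=local, stat=Sent
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>from=.*)$")
FIELD = re.compile(r"(\w+)=([^,]*)")
BRACKETED = re.compile(r"\[([^\]]+)\]")

def parse_from_line(line):
    """Return the key=value fields of a 'from=' log line, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["qid"] = m.group("qid")
    return fields

def relay_address(relay):
    """Prefer the bracketed IP sendmail logs; fall back to the raw relay text."""
    m = BRACKETED.search(relay)
    return m.group(1) if m else relay.strip()

def aborted_sessions(log_text):
    """Count per-relay entries with size=0 and nrcpts=0 (no message accepted)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_from_line(line)
        if f and f.get("size") == "0" and f.get("nrcpts") == "0":
            counts[relay_address(f.get("relay", "unknown"))] += 1
    return counts

def repeat_offenders(log_text, threshold=3):
    """Relays with at least `threshold` aborted sessions, for block-list review."""
    return sorted(ip for ip, n in aborted_sessions(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in aborted_sessions(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} aborted session(s)")
    print("review:", repeat_offenders(SAMPLE_LOG))
```

A single zero-size, zero-recipient entry is the harmless case from the reply; the per-relay count is what separates an isolated dropped connection from repeated probing by one source.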