Why, why, why do I get ALL of this mail?

[glennzo]

On my server. There are literally hundred(s) of mails for root every day. The trouble is I'm not sure what is sending them. I've configured, on this server, the following:

Code:

denyhosts
fail2ban
rkhunter
logwatch

(Maybe some overkill there)

If I remember correctly, I've set them all to e-mail root when there are issues. This seems to have "backfired" to some degree what with the overabundance of mail. The other day there were over 1200 mails for root! Anyhow, I'm attaching the latest one. Apologies in advance for the length of the mail. I'll shorten it if necessary.

Quote:

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5) id q4I99s2t001261;
Fri, 18 May 2012 05:12:07 -0400
Date: Fri, 18 May 2012 05:12:07 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <201205180912.q4I99s2t001261@server.hsd1.ma.comcas t.net.>
To: <root@server.hsd1.ma.comcast.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net."
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)

This is a MIME-encapsulated message

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Fri, 18 May 2012 00:50:49 -0400
from localhost [127.0.0.1]

----- Transcript of session follows -----
<root@server.hsd1.ma.comcast.net>... Deferred: Connection timed out with server.hsd1.ma.comcast.net.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.
Content-Type: message/delivery-status

Reporting-MTA: dns; server.hsd1.ma.comcast.net.
Arrival-Date: Fri, 18 May 2012 00:50:49 -0400

Final-Recipient: RFC822; root@server.hsd1.ma.comcast.net
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; server.hsd1.ma.comcast.net
Last-Attempt-Date: Fri, 18 May 2012 05:12:07 -0400
Will-Retry-Until: Wed, 23 May 2012 00:50:49 -0400

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.
Content-Type: message/rfc822

Return-Path: <root@server.hsd1.ma.comcast.net>
Received: from server.hsd1.ma.comcast.net. (localhost [127.0.0.1])
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5) with ESMTP id q4I4onhT024217
for <root@server.hsd1.ma.comcast.net>; Fri, 18 May 2012 00:50:49 -0400
Received: (from root@localhost)
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5/Submit) id q4I4o4AN013257;
Fri, 18 May 2012 00:50:04 -0400
Date: Fri, 18 May 2012 00:50:04 -0400
Message-Id: <201205180450.q4I4o4AN013257@server.hsd1.ma.comcas t.net.>
From: root@server.hsd1.ma.comcast.net (Cron Daemon)
To: root@server.hsd1.ma.comcast.net
Subject: Cron <root@server> rkhunter --propupd
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

[ Rootkit Hunter version 1.3.8 ]
File updated: searched for 165 files, found 133

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.--

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5) id q4I99s2t001261;
Fri, 18 May 2012 05:12:07 -0400
Date: Fri, 18 May 2012 05:12:07 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <201205180912.q4I99s2t001261@server.hsd1.ma.comcas t.net.>
To: <root@server.hsd1.ma.comcast.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net."
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)

This is a MIME-encapsulated message

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Fri, 18 May 2012 00:50:49 -0400
from localhost [127.0.0.1]

----- Transcript of session follows -----
<root@server.hsd1.ma.comcast.net>... Deferred: Connection timed out with server.hsd1.ma.comcast.net.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.
Content-Type: message/delivery-status

Reporting-MTA: dns; server.hsd1.ma.comcast.net.
Arrival-Date: Fri, 18 May 2012 00:50:49 -0400

Final-Recipient: RFC822; root@server.hsd1.ma.comcast.net
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; server.hsd1.ma.comcast.net
Last-Attempt-Date: Fri, 18 May 2012 05:12:07 -0400
Will-Retry-Until: Wed, 23 May 2012 00:50:49 -0400

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.
Content-Type: message/rfc822

Return-Path: <root@server.hsd1.ma.comcast.net>
Received: from server.hsd1.ma.comcast.net. (localhost [127.0.0.1])
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5) with ESMTP id q4I4onhT024217
for <root@server.hsd1.ma.comcast.net>; Fri, 18 May 2012 00:50:49 -0400
Received: (from root@localhost)
by server.hsd1.ma.comcast.net. (8.14.5/8.14.5/Submit) id q4I4o4AN013257;
Fri, 18 May 2012 00:50:04 -0400
Date: Fri, 18 May 2012 00:50:04 -0400
Message-Id: <201205180450.q4I4o4AN013257@server.hsd1.ma.comcas t.net.>
From: root@server.hsd1.ma.comcast.net (Cron Daemon)
To: root@server.hsd1.ma.comcast.net
Subject: Cron <root@server> rkhunter --propupd
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

[ Rootkit Hunter version 1.3.8 ]
File updated: searched for 165 files, found 133

--q4I99s2t001261.1337332327/server.hsd1.ma.comcast.net.--

I'm not really making heads or tails out of this. It's not clear to me what is sending the mail. Is it sendmail just telling me that it couldn't send mail and will keep trying for 5 days? One of the e-mail addresses may be mis-configured?

Any insight greatly appreciated.

In addition, while looking at logcheck logs I see what may be relevant information:

Quote:

--------------------- sendmail Begin ------------------------



SEVERE ERRORS
-------------

System Error Messages:
savemail: cannot save rejected email anywhere: 214 Time(s)
Permission denied: 1 Time(s)
savemail: cannot save rejected email anywhere: 1123 Time(s)

Lost Queue Files:
./qfq3K6L5L9003386: savemail panic
./qfq3I6K4RT002973: savemail panic
./qfq3L6155F000999: savemail panic
./qfq3M223Fp018124: savemail panic
./qfq3KAt1Xm027300: savemail panic
./qfq3O6I5Yl021205: savemail panic

[jpollard]

It may be a bad alias entry.


This appears to have been initiated by a cron job (which will send one message for every run...) Then you get the error (being sent to root on the local host, which appears to be translated to root@server.hsd1.ma.comcast.net). If this server has a bad alias entry, then it will attempt to relay.. but if malformed it may not be able to send (or has been denied connection to) a server.

And the mail system will resend the message after each attempt at a connection (which bounces).

The server that is denying a connection is server.hsd1.ma.comcast.net. It is apparently blocking a sendmail connection (either because port 25 is not open, or a firewall rule, or a hosts.deny/allow restriction, but it will be on server.hd1...).

Now, because it appears to be the same as the local host (not absolutely sure on that) this could be happening because sendmail cannot identify itself as "server.hsd1.ma.comcast.net". This can occur if the FQDN is missing from the local host table. This can be overridden in the sendmail.cf file. This is the part:

Quote:

# my official domain name
# ... define this only if sendmail cannot automatically determine your domain
#Dj$w.Foo.COM

Sendmail attempts to define the host name by combining names with the domain name... but sometimes it doesn't work. Usually it is because the FQDN is missing from the local host table, sometime because the hostname is not the same as the network name (there is no required correlation).

I'm sure stevea will note any errors I have made... He usually does.

[glennzo]

Got some time now, albeit not much time, so I think I'll take a look at some of the mail configurations and see what I can do. Appreciate the response. Thank you.

I deleted all the mail that there was yesterday. Today there are another 500+