I suspect something is sending plenty of mail from my server without my knowledge. I'd like to check whether my machine has turned into a spamming server. What is the easiest way to do this?
Related to this, I'd also like to check the CONTENTS of emails sent from my server. Is there such a log and can I turn it on? /var/log/mail.log does not return the content of the emails, and it looks like this:
Oct 23 21:03:26 Ubuntu-1204-precise-64-minimal sendmail[29973]: s9NJ31pS029973: to=root, delay=00:00:19, xdelay=00:00:07, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ37kn029974 Message accepted for delivery)
Oct 23 21:03:38 Ubuntu-1204-precise-64-minimal sm-mta[29977]: s9NJ37kn029974: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:19, xdelay=00:00:07, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
Oct 23 21:06:03 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: from=root, size=343, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xZ030011@Ubuntu-1204-precise-64-minimal>, relay=root@localhost
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: ruleset=check_rcpt, arg1=<root@Ubuntu-1204-precise-64-minimal>, relay=localhost.localdomain [127.0.0.1], reject=553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address root@Ubuntu-1204-precise-64-minimal does not exist
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: to=root, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=30343, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.8, stat=User unknown
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: from=<root@Ubuntu-1204-precise-64-minimal>, size=343, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: s9NJ61xa030011: DSN: User unknown
Oct 23 21:06:12 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rY030014: from=<>, size=2623, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xa030011@Ubuntu-1204-precise-64-minimal>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:13 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xa030011: to=root, delay=00:00:08, xdelay=00:00:02, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ65rY030014 Message accepted for delivery)
Oct 23 21:06:17 Ubuntu-1204-precise-64-minimal sm-mta[30024]: s9NJ65rY030014: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:06, xdelay=00:00:01, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
You have new mail in /var/mail/root
As you can see, some strange messages occur from time to time.
Edit: I got 200 000 unread emails. Here is the newest email I received:
Return-Path: <MAILER-DAEMON>
Received: from Ubuntu-1204-precise-64-minimal (localhost.localdomain [127.0.0.1])
    by fares (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s9NAp3iX021790
    for <root@Ubuntu-1204-precise-64-minimal>; Thu, 23 Oct 2014 12:51:03 +0200
Received: from localhost (localhost)
    by Ubuntu-1204-precise-64-minimal (8.14.4/8.14.4/Submit) id s9NAp1Xu021789;
    Thu, 23 Oct 2014 12:51:03 +0200
Date: Thu, 23 Oct 2014 12:51:03 +0200
From: Mail Delivery Subsystem <MAILER-DAEMON@static.***.clients.***>
Message-Id: <201410231051.s9NAp1Xu021789@Ubuntu-1204-precise-64-minimal>
To: root@Ubuntu-1204-precise-64-minimal
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: O
X-UID: 210004
This is a MIME-encapsulated message
--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal
The original message was received at Thu, 23 Oct 2014 12:51:01 +0200
from root@localhost
----- The following addresses had permanent fatal errors -----
root
(reason: 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender
address root@Ubuntu-1204-precise-64-minimal does not exist)
(expanded from: root)
----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address
root@Ubuntu-1204-precise-64-minimal does not exist
550 5.1.1 root... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal
Content-Type: message/delivery-status
If you would like to check if your mail server is an open relay, which can be used to send SPAM, you can use this: http://mxtoolbox.com/diagnostic.aspx
This is just local mail, probably from one of your running services or cron jobs. It's addressed to root, but the mail server can't figure out that it's intended to be local mail, because the hostname Ubuntu-1204-precise-64-minimal can't be resolved to an address. To fix this, rename the host to a hostname which resolves to the server's IP address, or add the IP address and hostname to /etc/hosts.
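To check from the sendmail log itself whether anything is leaving the machine, the following added example (not part of the original question or answers) separates deliveries handed to the local mailer or a loopback relay from deliveries to outside relays, and counts bounces and permanent failures. The sample lines are abridged from the log in the question, plus one constructed outbound line for contrast; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# First four lines: abridged from the question's log (hostname shortened to "host").
# Last line: constructed, showing what a delivery to an outside relay looks like.
SAMPLE_LOG = """\
Oct 23 21:06:03 host sendmail[30011]: s9NJ61xZ030011: from=root, size=343, class=0, nrcpts=1, relay=root@localhost
Oct 23 21:06:05 host sendmail[30011]: s9NJ61xZ030011: to=root, ctladdr=root (0/0), delay=00:00:04, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.8, stat=User unknown
Oct 23 21:06:12 host sm-mta[30014]: s9NJ65rY030014: from=<>, size=2623, class=0, nrcpts=1, proto=ESMTP, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:17 host sm-mta[30024]: s9NJ65rY030014: to=<root@host>, delay=00:00:06, mailer=local, dsn=2.0.0, stat=Sent
Oct 23 21:07:00 host sm-mta[30100]: s9NJ70aa030099: to=<user@example.com>, delay=00:00:02, mailer=esmtp, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ [\w-]+\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")    # key=value pairs separated by ", "
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 relay addresses only


def is_local_delivery(fields):
    """True when the message went to the local mailer or only to loopback relays."""
    if fields.get("mailer") == "local":
        return True
    ips = IP_RE.findall(fields.get("relay", ""))
    return bool(ips) and all(ipaddress.ip_address(ip).is_loopback for ip in ips)


def summarize(log_text):
    """Count local vs. external delivery attempts, bounces and permanent failures."""
    summary = {"local": 0, "external": Counter(), "bounces": 0, "failed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if fields.get("from") == "<>":           # null sender marks a bounce (DSN)
            summary["bounces"] += 1
        if "to" not in fields:                   # only to= lines record a delivery attempt
            continue
        if fields.get("dsn", "").startswith("5."):
            summary["failed"] += 1
        if is_local_delivery(fields):
            summary["local"] += 1
        else:                                    # anything else left the machine
            domain = fields["to"].strip("<>").rpartition("@")[2]
            summary["external"][domain] += 1
    return summary
```

Run `summarize(open("/var/log/mail.log").read())`: an empty `external` counter alongside high `bounces` and `failed` counts matches the local bounce loop described in the answer above, while many external recipient domains would point to outbound mail worth investigating.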