# Help interpret sendmail log problem



## drhowarddrfine (Nov 22, 2014)

Can someone help me interpret this /var/log/maillog from mail/sendmail? These started just the other day but, today, I have a ton of them and they've been running all day long. I block the country DE so I'm confused as to why this is coming through my system. However, it looks to me like it is actually GMail that is relaying it to "patrick@xxx", my user. But where is the "Our system has detected..." message coming from and who is it being sent to?

From Googling, it seems Google is the one doing that but I'm just all turned around as to what is going on here and, maybe, how do I stop it? (I'm traveling so didn't catch this all day)


```
Nov 21 01:38:46 www sm-mta[94869]: sAL7cfjk094869: from=<patrickdbdb@kabel-deutschland.de>, size=3378, class=0, nrcpts=1, msgid=<49497072846EC2AB7CEFBE7E7741B76719309B3B951BE377-30548e46cddb93718eeefc001232a515@email.kabel-deuts, proto=ESMTP, daemon=IPv4, relay=ipb2190c69.dynamic.kabel-deutschland.de [178.25.12.105]

Nov 21 01:38:46 www sm-mta[94871]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov 21 01:38:47 www sm-mta[94871]: STARTTLS=client, relay=alt1.gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov 21 01:38:50 www sm-mta[94871]: STARTTLS=client, relay=alt2.gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov 21 01:38:54 www sm-mta[94871]: STARTTLS=client, relay=alt3.gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov 21 01:38:55 www sm-mta[94871]: STARTTLS=client, relay=alt4.gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov 21 01:38:56 www sm-mta[94871]: sAL7cfjk094869: to=<patrick@xxxxxx.org>, delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=33378, relay=alt4.gmail-smtp-in.l.google.com. [64.233.166.26], dsn=4.0.0, stat=Deferred: 421-4.7.0 [107.xxx.xx.xx      15] Our system has detected an unusual rate of
```


----------



## drhowarddrfine (Nov 22, 2014)

Now we're getting this one one of our other users:


```
Nov 21 20:29:57 www sm-mta[97222]: sALJDMJI096466: to=<casting@xxxxxx.org>, delay=07:16:29, xdelay=00:00:09, mailer=esmtp, pri=1382189, relay=alt4.gmail-smtp-in.l.google.com. [64.233.166.26], dsn=4.0.0, stat=Deferred: 421-4.7.0 [107.xxx.xx.xxx      15] Our system has detected an unusual rate of
```

But I think I'm detecting a pattern. What our mail server does is just forward the user mail onto the user's personal GMail account. Is it possible that GMail is detecting it as spam and bouncing it back to our server? Or is the sender user GMail to send to us in the first place? I'm baffled that blocking DE, the country code, is not stopping this.

And right after this we get:


```
Nov 21 20:50:56 www sm-mta[97287]: sALIxmIq096447: to=<patrick0@complete-development.com>, delay=07:50:57, xdelay=00:00:00, mailer=esmtp, pri=1474890, relay=complete-development.com. [66.117.14.32], dsn=4.0.0, stat=Deferred: 451-The server has reached its limit for processing requests from your host.

Nov 21 20:50:56 www sm-mta[97287]: sALEnfcm095878: to=<patrick@xxxxxx.org>, delay=12:01:08, xdelay=00:00:00, mailer=esmtp, pri=2373583, relay=alt4.gmail-smtp-in.l.google.com., dsn=4.0.0, stat=Deferred

Nov 21 20:54:41 www sm-mta[97287]: sALBu2LO095593: to=<patrickdbdb@kabel-deutschland.de>, delay=14:58:25, xdelay=00:03:45, mailer=esmtp, pri=2734705, relay=mail2.kabel-deutschland.de. [83.169.191.242], dsn=4.0.0, stat=Deferred: Operation timed out with mail2.kabel-deutschland.de.
```


----------



## drhowarddrfine (Nov 22, 2014)

Well, now I know 83.169.185.44 is on the Spamhaus PBL. So my question is, how am I getting involved in all this. Perhaps it's a multiple mailing and we're on their list along with the other guy and getting his reject messages? Inquiring minds want to know!

EDIT: /var/spool/mqueue/ was loaded with a number of spam things. Deleted all of them.

EDIT2: I've forgotten the exact details but deleting those files in var/spool/mqueue has stopped the problem. The emails were being sent every half hour which, if I recall correctly, is the time for retries to send failed mail. I'll have to re-read about that but I still don't get the back-and-forth with some of that.


----------



## kjpetrie (Jan 15, 2015)

I'm getting similar messages and also looking for help. However, I think TLSv1/SSLv3 is an old flawed encryption algorithm containing an exploitable hole which has been dropped in security upgrades. However, the hackers (or more accurately their hacking programs) will still be testing for it for a long time, as they're looking for unpatched servers which are still vulnerable.

This is also sometimes followed by a truncated bounce message from one of my users' mailbox, so I think it's a hacking/spam attempt which has failed to break into the server and then sent a test message which has been rejected downstream.

What worries me a little more is the following:

```
Jan 15 00:22:07 instabook sm-mta[43193]: STARTTLS=client, relay=lesmills-com.mai
l.protection.outlook.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA,
bits=256/256
Jan 15 00:22:09 instabook sm-mta[43193]: t0EKq6Oa042469: to=<lmuk.accounts@lesmills.com>, delay=03:29:59, xdelay=00:00:03, mailer=esmtp, pri=719859, relay=lesmills-com.mail....ction.outlook.com. [213.199.154.87], dsn=4.0.0, stat=Deferred: 450 4.7.0 Organization queue quota exceeded.
Jan 15 00:22:11 instabook sm-mta[43193]: t0EGq65P041754: to=<lmuk.accounts@lesmills.com>, delay=07:29:46, xdelay=00:00:02, mailer=esmtp, pri=1439859, relay=lesmills-com.mail....ction.outlook.com. [213.199.154.87], dsn=4.0.0, stat=Deferred: 450 4.7.0 General queue quota exceeded. QQ3
```

My server is only supposed to send outgoing mail from itself or incoming mail to designated users. lesmills.com is not one of those, so I'm rather concerned that I'm getting a bounce message which implies relaying has been attempted.

EDIT: Ah, now I understand. lesmills.com has been trying to send spam to my user, which has been bounced by his mail provider (Google). My server is then trying to send a DSN to the sender, whose mailbox is full.


----------



## drhowarddrfine (Jan 15, 2015)

Yep. Somewhere else on this forum I gave a similar answer a while back.


----------

