Log Samples from Exim --------------------- I've included the ossec bad responses: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ *error 450 (ossec should probably ignore) -- this particular line is blowback from spam delivery attempt elsewhere with one of our addresses spoofed as "From", and occurs many times in the log files* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[14700]: 2006-11-21 15:01:33 1Glsgv-0002wv-00 SMTP error from remote mailer after RCPT TO:: host gmail-smtp-in.l.google.com [1.1.1.1]: 450-4.2.1 The Gmail user you are trying to contact is receiving\n450-4.2.1 mail at a rate that prevents additional messages from\n450-4.2.1 being delivered. Please resend your message at a later\n450-4.2.1 time; if the user is able to receive mail at that time,\n450 4.2.1 your message will be delivered. 23si8340522nzn *error 550 (ossec should ignore after the first time)* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[14706]: 2006-11-21 15:01:39 1Gmary-0002iA-00 ** xxxxxxxx@some-domain.com R=dnslookup T=remote_smtp: SMTP error from remote mailer after RCPT TO:: host mx.some-domain.com [1.1.1.1]: 550 Mailbox unavailable *frozen (probably okay to ignore)* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[15745]: 2006-11-21 15:17:10 1Gmc37-00045w-00 Frozen (delivery error message) *local delivery error (unknown user most likely, probably okay to ignore) although parsing out the email address and IP could provide a trigger for an active response (e.g. a honeypot email address that triggers the sending IP address to be blocked for 24 hours)* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[15740]: 2006-11-21 15:16:57 1Gmc36-00045o-00 ** xxxxxxxxxxx@some-domain.com R=local_user_cyrus T=local_delivery_cyrus: Child process of local_delivery_cyrus transport returned 65 (could mean error in input data) from command: /usr/cyrus/bin/deliver *this error 450 should be a 550 -- ossec could ignore (it's a temporary error message for a permanent error, but not much we can do about it)* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[16042]: 2006-11-21 15:24:02 1Gm2od-0001ay-00 xxxxxxxxxxx@some-domain.com R=dnslookup T=remote_smtp defer (0): SMTP error from remote mailer after RCPT TO:: host mail.some-domain.com [66.93.22.101]: 450 : User unknown in local recipient table *Connection refused; not much we can do about this error either* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[14164]: 2006-11-21 14:55:07 1GlKR9-0003x0-00 xxxxxxx@some-domain.com R=dnslookup T=remote_smtp defer (111): Connection refused *error 501 -- most likely the recipient's DNS is misconfigured; but this is most likely blowback from spam, so it's not terribly important* .. code-block:: console Received From: (mailserver) 192.168.1.21->/var/log/mail.log Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system." Portion of the log(s): exim[13428]: 2006-11-21 14:39:59 1GmbTK-0003UZ-00 ** xxxxxxxx@somedomain.com R=dnslookup T=remote_smtp: SMTP error from remote mailer after RCPT TO:: host mail.somedomain.com [1.1.3.1]: 501 This system is not configured to relay mail (r) to for 2.2.1.5