
xinetd messages in /var/log/messages

We seem to be getting a lot of these entries in /var/log/messages (every few seconds).

Does this look like incoming activity (i.e. machines looking to send smtp to us) or outgoing (maybe some virus spamming outbound)?

Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=x.x.x.x
Apr 26 12:34:50 mybox xinetd[3475]: START: smtp pid=22550 from=x.x.x.x
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=x.x.x.x
Apr 26 12:34:53 mybox xinetd[3475]: EXIT: smtp status=0 pid=22500 duration=31(sec)
Apr 26 12:34:56 mybox xinetd[3475]: EXIT: smtp status=0 pid=22502 duration=32(sec)

It looks like these are being generated by a bunch of rblsmtpd processes, e.g.

root     22954  3475  0 12:44 ?        00:00:00 /usr/sbin/rblsmtpd -r whois.rfc-ignorant.org -r bl.spamcop.net -r sbl.spamhaus.org -r xbl.spamhaus.org -r psbl.surriel.com /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Which in turn are children of
root      3475     1  0  2009 ?        00:45:15 xinetd -stayalive -pidfile /var/run/xinetd.pid

Can someone offer an explanation?
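An added example, not part of the original thread: the script below parses xinetd START/EXIT lines of the kind shown above, pairs each START with its EXIT by pid, and counts connections per remote address. The reason it can treat every START as inbound is how xinetd works: it is a super-server that listens on the configured ports and forks the configured server (here rblsmtpd, which wraps qmail-smtpd) once per accepted connection, so `from=` is always the remote peer that connected to port 25 on this box. Outbound deliveries by qmail-remote never pass through xinetd and produce no such lines. The EXIT lines in the excerpt that reference pids not seen among the STARTs (22500, 22502) are sessions that began before the quoted window. The log lines in the block are constructed in the same format as the excerpt, with RFC 5737 documentation addresses in place of the redacted x.x.x.x; the function names are the example's own.

```python
"""Summarise xinetd START/EXIT lines for one service (added example).

Every START line is an inbound connection accepted by xinetd; `from=` is
the remote peer.  EXIT lines carry the child's exit status and duration.
"""
import re
from collections import Counter

# Constructed sample in the same shape as the /var/log/messages excerpt in
# the question.  Addresses are RFC 5737 documentation ranges, not real
# hosts; pid 22500 deliberately has no START inside the window, as in the
# original excerpt.
SAMPLE_LOG = """\
Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=192.0.2.10
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=198.51.100.7
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=192.0.2.10
Apr 26 12:34:50 mybox xinetd[3475]: START: smtp pid=22550 from=203.0.113.42
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=192.0.2.10
Apr 26 12:34:53 mybox xinetd[3475]: EXIT: smtp status=0 pid=22500 duration=31(sec)
Apr 26 12:34:56 mybox xinetd[3475]: EXIT: smtp status=0 pid=22547 duration=9(sec)
Apr 26 12:35:01 mybox xinetd[3475]: EXIT: smtp status=1 pid=22548 duration=12(sec)
"""

# syslog prefix, then "xinetd[<pid>]: START|EXIT: <service> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"xinetd\[(?P<xinetd_pid>\d+)\]: (?P<event>START|EXIT): "
    r"(?P<service>\S+) (?P<kv>.*)$"
)
# key=value pairs; "[^\s(]" stops at the "(sec)" suffix on duration
KV_RE = re.compile(r"(\w+)=([^\s(]+)")


def parse_xinetd(text):
    """Return one dict per START/EXIT line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {k: m.group(k) for k in ("ts", "host", "event", "service")}
        for key, val in KV_RE.findall(m.group("kv")):
            rec[key] = int(val) if val.isdigit() else val
        records.append(rec)
    return records


def summarize(records, service="smtp"):
    """Pair START and EXIT by child pid and count connections per peer."""
    recs = [r for r in records if r["service"] == service]
    started = {r["pid"]: r for r in recs if r["event"] == "START"}
    exited = {r["pid"]: r for r in recs if r["event"] == "EXIT"}
    return {
        "inbound_connections": len(started),
        "per_source": Counter(r["from"] for r in started.values()),
        # START without EXIT: session still open at the end of the window
        "open_pids": sorted(set(started) - set(exited)),
        # EXIT without START: session began before the window (cf. 22500)
        "exit_without_start": sorted(set(exited) - set(started)),
        "nonzero_exit": sorted(p for p, r in exited.items() if r["status"] != 0),
        "durations": {p: r["duration"] for p, r in exited.items()},
    }


def noisy_sources(summary, threshold=3):
    """Peers that opened at least `threshold` connections in the window:
    the addresses worth a whois lookup or a DNSBL check."""
    return [ip for ip, n in summary["per_source"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(parse_xinetd(SAMPLE_LOG))
    print(f"{s['inbound_connections']} inbound smtp connections")
    for ip, n in s["per_source"].most_common():
        print(f"  {ip:<16} {n}")
    print("still open:", s["open_pids"])
    print("exit without start:", s["exit_without_start"])
    print("non-zero exit:", s["nonzero_exit"])
    print("repeat sources:", noisy_sources(s))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; a handful of addresses accounting for most of the STARTs is the pattern to look up, while many distinct single-connection peers is what ordinary inbound mail plus the usual spam relay attempts look like.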

3 Solutions
Looks pretty normal to me. Are all the IPs (x.x.x.x) the same?
Could be the big bad Internet trying to relay, or legitimate inbound traffic.

brothertom (Author) commented:
No, the x.x.x.x are different.
What I really need to know is this - does this log entry indicate incoming SMTP or outgoing SMTP attempts?
Also, I don't understand what xinetd is bringing to the party.

It seems to be coming from rblsmtpd, so it may be worth checking that software. It seems like some sort of blacklisting tool, but I've not used it myself.
brothertom (Author) commented:
I believe it's part of the anti-spam mechanism. Any thoughts on the direction of SMTP traffic shown in the log? I'm assuming it's incoming, because there would be no need to log outgoing SMTP.
Have you done whois/nslookup on the SMTP IP addresses?
Question has a verified solution.
