brothertom
asked on
xinetd messages in /var/log/messages
We seem to be getting a lot of these entries in /var/log/messages (every few seconds).
Does this look like incoming activity (i.e. machines looking to send smtp to us) or outgoing (maybe some virus spamming outbound)?
Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=x.x.x.x
Apr 26 12:34:50 mybox xinetd[3475]: START: smtp pid=22550 from=x.x.x.x
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=x.x.x.x
Apr 26 12:34:53 mybox xinetd[3475]: EXIT: smtp status=0 pid=22500 duration=31(sec)
Apr 26 12:34:56 mybox xinetd[3475]: EXIT: smtp status=0 pid=22502 duration=32(sec)
It looks like these are being generated by a bunch of rblsmtpd processes, e.g.
root 22954 3475 0 12:44 ? 00:00:00 /usr/sbin/rblsmtpd -r whois.rfc-ignorant.org -r bl.spamcop.net -r sbl.spamhaus.org -r xbl.spamhaus.org -r psbl.surriel.com /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
Which in turn are children of
root 3475 1 0 2009 ? 00:45:15 xinetd -stayalive -pidfile /var/run/xinetd.pid
Can someone offer an explanation?
Thanks
BT
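Editor's note, added as a worked example and not part of the original question: xinetd is a super-server that listens on the configured port and spawns the service for each inbound connection it accepts, so the `from=` field in a `START:` line is the address of the remote client that connected to this host (here the rblsmtpd/qmail-smtpd chain on port 25), and the `EXIT:` line with the matching `pid=` records how that session ended. The script below parses lines in the format shown above, pairs each START with its EXIT by pid, counts connections per source address, and flags sessions that never exited or exited non-zero. The log text is constructed for the example (source addresses use the RFC 5737 documentation ranges; the question masks them as x.x.x.x), and the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines in the question (the real source
# addresses are masked there as x.x.x.x; these are documentation-range placeholders).
SAMPLE_LOG = """\
Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=192.0.2.10
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=192.0.2.10
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=198.51.100.7
Apr 26 12:34:50 mybox xinetd[3475]: START: smtp pid=22550 from=192.0.2.10
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=203.0.113.99
Apr 26 12:34:53 mybox xinetd[3475]: EXIT: smtp status=0 pid=22500 duration=31(sec)
Apr 26 12:34:56 mybox xinetd[3475]: EXIT: smtp status=0 pid=22502 duration=32(sec)
Apr 26 12:35:01 mybox xinetd[3475]: EXIT: smtp status=0 pid=22547 duration=14(sec)
Apr 26 12:35:04 mybox xinetd[3475]: EXIT: smtp status=1 pid=22549 duration=15(sec)
"""

# xinetd log_on_success = PID HOST DURATION EXIT produces exactly these two shapes.
START_RE = re.compile(
    r"xinetd\[\d+\]: START: (?P<service>\S+) pid=(?P<pid>\d+) from=(?P<src>\S+)")
EXIT_RE = re.compile(
    r"xinetd\[\d+\]: EXIT: (?P<service>\S+) status=(?P<status>\d+) "
    r"pid=(?P<pid>\d+) duration=(?P<dur>\d+)\(sec\)")


def parse_xinetd(text):
    """Split a log excerpt into START and EXIT records keyed by the child pid.

    starts: pid -> (service, remote address)
    exits:  pid -> (service, exit status, duration in seconds)
    """
    starts, exits = {}, {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            starts[int(m["pid"])] = (m["service"], m["src"])
            continue
        m = EXIT_RE.search(line)
        if m:
            exits[int(m["pid"])] = (m["service"], int(m["status"]), int(m["dur"]))
    return starts, exits


def summarize(text, service="smtp"):
    """Pair sessions by pid and produce the numbers a triage would want first."""
    starts, exits = parse_xinetd(text)
    # Inbound connection count per remote address: a single source hammering
    # port 25 every few seconds stands out here.
    per_source = Counter(src for svc, src in starts.values() if svc == service)
    # Sessions with both ends in the excerpt: (pid, source, status, duration).
    completed = [(pid, starts[pid][1], st, dur)
                 for pid, (svc, st, dur) in exits.items()
                 if svc == service and pid in starts]
    # EXIT lines whose START is before the excerpt begins (normal at a window edge).
    unmatched_exits = sorted(pid for pid, (svc, _, _) in exits.items()
                             if svc == service and pid not in starts)
    # STARTs with no EXIT yet: still connected, or past the end of the excerpt.
    still_open = sorted(pid for pid, (svc, _) in starts.items()
                        if svc == service and pid not in exits)
    # Non-zero status means the handler (rblsmtpd/qmail-smtpd chain) did not exit cleanly.
    nonzero_status = [pid for pid, _, st, _ in completed if st != 0]
    return {
        "per_source": per_source,
        "completed": completed,
        "unmatched_exits": unmatched_exits,
        "still_open": still_open,
        "nonzero_status": nonzero_status,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("inbound smtp connections per source:")
    for src, n in report["per_source"].most_common():
        print(f"  {src:16} {n}")
    print("completed sessions:", report["completed"])
    print("exit without start in window:", report["unmatched_exits"])
    print("start without exit in window:", report["still_open"])
    print("non-zero exit status:", report["nonzero_status"])
```

Run it against a real excerpt by replacing `SAMPLE_LOG` with the contents of `/var/log/messages` (or pipe `grep 'xinetd\[' /var/log/messages` into it). Because every `from=` address is a remote client, the per-source table answers the direction question directly: these are machines connecting to you, and a short list of addresses with high counts is the usual signature of a spam run or relay probing against the server, which the rblsmtpd DNSBL checks in the process listing are there to cut down.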
ASKER
I believe it's part of the anti-spam mechanism. Any thoughts on the direction of SMTP traffic shown in the log? I'm assuming it's incoming because there would be no need to log outgoing SMTP.
ASKER
What I really need to know is this: does this log entry indicate incoming SMTP or outgoing SMTP attempts?
Also, I don't understand what xinetd is bringing to the party.