Mail.log and Syslog kill my server

By: CarenZ
December 16, 2015
Tags: DigitalOcean, Email, LAMP Stack, Apache, Security, WordPress, Networking, Logging, DNS, Ubuntu

hi,

For several days my server has been constantly going down.
This is because the log files "mail.log" and "syslog" grow in size very fast (2-3 Gb every 3-4 hours), saturating the memory and causing the server to crash.

By analyzing these files I found some strange requests; here are a few examples:

file mail.log:

Dec 15 09:51:42 vrwebsolutions5 sm-mta[1253]: My unqualified host name (vrwebsolutions5) unknown; sleeping for retry
Dec 15 09:51:44 vrwebsolutions5 sm-msp-queue[1525]: My unqualified host name (vrwebsolutions5) unknown; sleeping for retry
Dec 15 09:52:42 vrwebsolutions5 sm-mta[1253]: unable to qualify my own domain name (vrwebsolutions5) -- using short name
Dec 15 09:52:42 vrwebsolutions5 sm-mta[1253]: gethostbyaddr(104.131.183.178) failed: 1
Dec 15 09:52:42 vrwebsolutions5 sm-mta[1253]: gethostbyaddr(10.132.24.137) failed: 1
Dec 15 09:52:42 vrwebsolutions5 sm-mta[1902]: starting daemon (8.14.4): SMTP+queueing@00:10:00
Dec 15 09:52:42 vrwebsolutions5 sm-mta[1903]: grew WorkList for /var/spool/mqueue to 2000
Dec 15 09:52:43 vrwebsolutions5 sm-mta[1903]: grew WorkList for /var/spool/mqueue to 3000
Dec 15 09:52:43 vrwebsolutions5 sm-mta[1903]: grew WorkList for /var/spool/mqueue to 4000

Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCG28Yp003167: to=<maxine_newton@digitalbellies.com>, delay=3+09:21:15, xdelay=00:00:00, mailer=esmtp, pri=33330000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGIGuf004500: to=vlminoside@aol.com, delay=3+09:05:07, xdelay=00:00:00, mailer=esmtp, pri=33331338, relay=mailin-02.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGFqRc004316: to=paphill308@aol.com, delay=3+09:07:31, xdelay=00:00:00, mailer=esmtp, pri=33331351, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGGmV5004383: to=yjyuwjh@aol.com, delay=3+09:06:35, xdelay=00:00:00, mailer=esmtp, pri=33331362, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGCdY6004066: to=doobie1007@aol.com, delay=3+09:10:44, xdelay=00:00:00, mailer=esmtp, pri=33331362, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGFKip004263: to=susemichel@aol.com, delay=3+09:08:03, xdelay=00:00:00, mailer=esmtp, pri=33331364, relay=mailin-03.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[22089]: tBCGI5mT004480: to=harpc@aol.com, delay=3+09:05:18, xdelay=00:00:00, mailer=esmtp, pri=33331371, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 vrwebsolutions5 sm-mta[23631]: tBG1KrAm023476: to=wmjacob2001@yahoo.com, delay=00:02:30, xdelay=00:00:01, mailer=esmtp, pri=211354, relay=mta5.am0.yahoodns.net. [98.136.217.203], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 104.131.183.178 will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html

file syslog:

Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCNCKDE005460: to=<lynne_sherman@digitalbellies.com>, delay=3+02:12:56, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN7X7T005097: to=<helen_nichols@digitalbellies.com>, delay=3+02:17:43, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCNG4tf005756: to=<kerry_west@digitalbellies.com>, delay=3+02:09:12, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCKmGUZ025857: to=<harriet_wise@digitalbellies.com>, delay=3+02:24:18, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCMwuKH004464: to=<agnes_howard@digitalbellies.com>, delay=3+02:26:20, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN1rXX004686: to=<kay_sandoval@digitalbellies.com>, delay=3+02:23:23, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN6IbS005004: to=<lynne_sherman@digitalbellies.com>, delay=3+02:18:58, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN0uSC004618: to=<bernadette_schultz@digitalbellies.com>, delay=3+02:24:20, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN5pl7004971: to=<della_schwartz@digitalbellies.com>, delay=3+02:19:25, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.
Dec 15 20:25:16 vrwebsolutions5 sm-mta[19655]: tBCN0sjP004613: to=<luz_porter@digitalbellies.com>, delay=3+02:24:22, xdelay=00:00:00, mailer=esmtp, pri=30540000, relay=digitalbellies.com., dsn=4.0.0, stat=Deferred: Connection refused by digitalbellies.com.

What happened? Where are all these requests coming from? Malware?
What can I do to recover from this and prevent it?
Thank you all,
CarenZ

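The lines quoted in the question show sendmail's work list growing into the thousands, a large number of outbound messages being deferred by the receiving sites, one site deferring everything from the server's IP with a 4.7.1 response, and sendmail repeatedly failing to qualify its own hostname. Before deciding whether that traffic is legitimate, a practical first step is to summarise mail.log by relay, deferral reason and queue size. The script below is an added example written for this page, not code from the question or from DigitalOcean; it assumes the standard sendmail log format shown above and runs on constructed sample lines modelled on the quoted entries (hosts, addresses and IPs are placeholders, not values from the post).

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the sendmail entries quoted in the
# question; hosts, addresses and IPs are placeholders, not values from the post.
SAMPLE_LOG = """\
Dec 15 09:51:42 host1 sm-mta[1253]: My unqualified host name (host1) unknown; sleeping for retry
Dec 15 09:52:42 host1 sm-mta[1903]: grew WorkList for /var/spool/mqueue to 2000
Dec 15 09:52:43 host1 sm-mta[1903]: grew WorkList for /var/spool/mqueue to 4000
Dec 15 20:23:23 host1 sm-mta[22089]: tAAAAAAA000001: to=<user1@example.net>, delay=3+09:21:15, xdelay=00:00:00, mailer=esmtp, pri=33330000, relay=example.net., dsn=4.0.0, stat=Deferred: Connection refused by example.net.
Dec 15 20:23:23 host1 sm-mta[22089]: tAAAAAAA000002: to=user2@example.org, delay=3+09:05:07, xdelay=00:00:00, mailer=esmtp, pri=33331338, relay=mx1.example.org., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 host1 sm-mta[22089]: tAAAAAAA000003: to=user3@example.org, delay=3+09:07:31, xdelay=00:00:00, mailer=esmtp, pri=33331351, relay=mx1.example.org., dsn=4.0.0, stat=Deferred
Dec 15 20:23:23 host1 sm-mta[23631]: tAAAAAAA000004: to=user4@example.com, delay=00:02:30, xdelay=00:00:01, mailer=esmtp, pri=211354, relay=mx.example.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: 421 4.7.1 All messages from 198.51.100.7 will be permanently deferred
Dec 15 20:23:24 host1 sm-mta[23631]: tAAAAAAA000005: to=user5@example.com, delay=00:01:10, xdelay=00:00:01, mailer=esmtp, pri=211354, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
"""

# One delivery attempt: queue id, recipient (with or without angle brackets),
# relay host, DSN code and the status text sendmail records for it.
DELIVERY_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): to=<?(?P<rcpt>[^>,]+)>?, "
    r".*?relay=(?P<relay>[^,\s]+).*?dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$"
)
# Queue-runner line emitted when the in-memory work list of /var/spool/mqueue grows.
QUEUE_RE = re.compile(r"grew WorkList for \S+ to (?P<n>\d+)")
# Hostname-resolution complaints sendmail logs on every start/queue run.
HOSTNAME_RE = re.compile(r"My unqualified host name|unable to qualify my own domain name")
# Enhanced status 4.7.x in the remote reply means a policy or reputation deferral,
# not a transient network problem.
REPUTATION_RE = re.compile(r"\b4\.7\.\d+\b")


@dataclass
class Summary:
    deliveries: int = 0
    deferred: int = 0
    recipients: set = field(default_factory=set)
    deferred_by_relay: Counter = field(default_factory=Counter)
    reputation_blocks: Counter = field(default_factory=Counter)
    max_queue: int = 0
    hostname_warnings: int = 0


def summarize(lines):
    """Aggregate sendmail mail.log lines into a Summary."""
    s = Summary()
    for line in lines:
        m = QUEUE_RE.search(line)
        if m:
            s.max_queue = max(s.max_queue, int(m["n"]))
            continue
        if HOSTNAME_RE.search(line):
            s.hostname_warnings += 1
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        s.deliveries += 1
        s.recipients.add(m["rcpt"].lower())
        relay = m["relay"].rstrip(".")
        if m["stat"].startswith("Deferred"):
            s.deferred += 1
            s.deferred_by_relay[relay] += 1
            if REPUTATION_RE.search(m["stat"]):
                s.reputation_blocks[relay] += 1
    return s


def triage(s):
    """Turn a Summary into human-readable findings worth investigating."""
    findings = []
    if s.max_queue >= 1000:
        findings.append(f"outbound queue grew to {s.max_queue} entries")
    if s.deliveries and s.deferred / s.deliveries >= 0.5:
        findings.append(
            f"{s.deferred} of {s.deliveries} delivery attempts deferred, "
            f"to {len(s.recipients)} distinct recipients"
        )
    for relay, n in s.reputation_blocks.most_common():
        findings.append(
            f"{relay} is deferring mail from this host on policy/reputation grounds (4.7.x), {n} time(s)"
        )
    if s.hostname_warnings:
        findings.append(
            f"sendmail could not resolve its own hostname {s.hostname_warnings} time(s); "
            "check /etc/hosts and the FQDN"
        )
    return findings


if __name__ == "__main__":
    # On a real host: summarize(open("/var/log/mail.log"))
    for finding in triage(summarize(SAMPLE_LOG.splitlines())):
        print("-", finding)
```

Run it against the real file with `python3 triage.py` after replacing the sample with `open("/var/log/mail.log")`. A high deferred ratio spread over many distinct recipients, combined with 4.7.x responses from large providers, is the pattern that indicates the host itself is the source of unwanted outbound mail and that the queue should be inspected (`mailq`) and the local submission path checked before the logs are rotated away; the hostname warnings are a separate sendmail configuration problem that inflates the log on every queue run regardless of what is being sent.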