qmail问题请教 很多qmail-remote null.com null@null.com 进程

dracoz

进程里有很多
qmail-remote null.com  null@null.com
log里有很多类似
May 18 04:02:23 server qmail: 1053201743.132590 delivery 6426: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/
May 18 04:02:23 server qmail: 1053201743.132672 status: local 0/10 remote 7/20
May 18 04:02:23 server qmail: 1053201743.132987 starting delivery 6432: msg 2222016 to remote null@null.com
May 18 04:02:23 server qmail: 1053201743.133024 status: local 0/10 remote 8/20
May 18 04:02:23 server qmail: 1053201743.133282 delivery 6427: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/
May 18 04:02:23 server qmail: 1053201743.133316 status: local 0/10 remote 7/20
May 18 04:02:23 server qmail: 1053201743.134343 delivery 6428: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/
May 18 04:02:23 server qmail: 1053201743.134409 status: local 0/10 remote 6/20
May 18 04:02:23 server qmail: 1053201743.134715 delivery 6429: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/
May 18 04:02:23 server qmail: 1053201743.134752 status: local 0/10 remote 5/20
May 18 04:02:24 server qmail: 1053201744.448945 delivery 6430: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/
May 18 04:02:24 server qmail: 1053201744.449042 status: local 0/10 remote 4/20
May 18 04:02:26 server qmail: 1053201746.446454 starting delivery 6433: msg 2222139 to remote null@null.com
May 18 04:02:26 server qmail: 1053201746.446547 status: local 0/10 remote 5/20
May 18 04:02:28 server qmail: 1053201748.446448 starting delivery 6434: msg 2222018 to remote null@null.com
May 18 04:02:28 server qmail: 1053201748.446535 status: local 0/10 remote 6/20
May 18 04:02:28 server qmail: 1053201748.446581 starting delivery 6435: msg 2222020 to remote null@null.com
May 18 04:02:28 server qmail: 1053201748.446610 status: local 0/10 remote 7/20
May 18 04:02:28 server qmail: 1053201748.446775 starting delivery 6436: msg 2222143 to remote null@null.com
May 18 04:02:28 server qmail: 1053201748.446806 status: local 0/10 remote 8/20
May 18 04:02:29 server qmail: 1053201749.106375 delivery 6432: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.
1)/的信息，
用qmail-qread查看有很多的
19 May 2003 02:11:00 GMT  #2450465  1774  <>;
        remote  null@null.com
19 May 2003 02:13:34 GMT  #2450488  2065  <>;
        remote  null@null.com
19 May 2003 02:16:54 GMT  #2450856  2063  <>;
        remote  null@null.com
19 May 2003 02:20:20 GMT  #2450879  1874  <>;
        remote  null@null.com
19 May 2003 02:27:48 GMT  #2451845  1940  <>;
        remote  null@null.com
19 May 2003 02:32:48 GMT  #2451891  1781  <>;
        remote  null@null.com
用netstat -na可以看到有很多连接smtp端口的连接，但是本身我们的邮件服务器用得很少
请指点。
我应该怎么做，我的是做过smtp认证的，log里也显示没有发出去吧？

gadfly

看看你的auth是不是有效，改成错误的密码，或者不验证看看能不能发信

dracoz

不能啊，我在outlook中把密码修成错误的密码就不能发邮件了，
如果我不加 发送服务器需要身份验证 也发不出去
会提示错误
  553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
认证应该没有问题吧  ~~~

gadfly

那你看看这些信件的from。

可以看看faq中，怎么在队列中查找信件

dracoz

我现在在防火墙上把对smtp的访问进行了一些限制，
用netstat 看不到非法ip对25端口的连接了。
但是进程里还是会出现那些进程，log文件也还是在写。

现在我用find /var/qmail/queue/$i -type f -exec rm {} \;  
把队列里的信都删除了，用qmail-qread看到没有信了。
log也暂时好象没有增加

gadfly

这样删除可能会有问题。

有一些是qmail需要用到的普通文件。

还有一种可能是，发送者可能知道了某个用户的密码，然后用来发送垃圾

dracoz

我把防火墙打开后，现在log里写进去的是
May 19 12:57:22 server splogger: 1053320242.329280 tcpserver: status: 12/100
May 19 12:57:22 server splogger: 1053320242.329549 tcpserver: pid 16813 from 202.108.44.246
May 19 12:57:22 server splogger: 1053320242.329689 tcpserver: ok 16813 domail.com:myip:25 :202.108.44.246::21635
May 19 12:57:22 server splogger: 1053320242.338068 tcpserver: end 16813 status 256
May 19 12:57:22 server splogger: 1053320242.338129 tcpserver: status: 11/100
May 19 12:57:25 server splogger: 1053320245.085588 tcpserver: status: 12/100
May 19 12:57:25 server splogger: 1053320245.086017 tcpserver: pid 16815 from 202.96.105.226
May 19 12:57:25 server splogger: 1053320245.086159 tcpserver: ok 16815 domail.com:myip:25 :202.96.105.226::41449
May 19 12:57:25 server splogger: 1053320245.501835 tcpserver: end 16815 status 0
May 19 12:57:25 server splogger: 1053320245.501894 tcpserver: status: 11/100
May 19 12:57:34 server splogger: 1053320254.262409 tcpserver: status: 12/100
May 19 12:57:34 server splogger: 1053320254.262726 tcpserver: pid 16817 from 202.108.44.246
May 19 12:57:34 server splogger: 1053320254.262884 tcpserver: ok 16817 domail.com:myip:25 :202.108.44.246::21905
May 19 12:57:34 server splogger: 1053320254.271488 tcpserver: end 16817 status 256
May 19 12:57:34 server splogger: 1053320254.271548 tcpserver: status: 11/100
May 19 12:57:38 server splogger: 1053320258.206297 tcpserver: status: 12/100
May 19 12:57:38 server splogger: 1053320258.206580 tcpserver: pid 16819 from 211.157.1.146
May 19 12:57:38 server splogger: 1053320258.206626 tcpserver: ok 16819 domail.com:myip:25 :211.157.1.146::3204
May 19 12:57:38 server splogger: 1053320258.399502 tcpserver: end 16819 status 0
May 19 12:57:38 server splogger: 1053320258.399564 tcpserver: status: 11/100
May 19 12:57:39 server splogger: 1053320259.626606 tcpserver: status: 12/100
May 19 12:57:39 server splogger: 1053320259.626876 tcpserver: pid 16821 from 202.108.44.229
May 19 12:57:39 server splogger: 1053320259.627024 tcpserver: ok 16821 domail.com:myip:25 :202.108.44.229::3919
May 19 12:57:39 server splogger: 1053320259.636801 tcpserver: end 16821 status 256
May 19 12:57:39 server splogger: 1053320259.636864 tcpserver: status: 11/100

一打开就有n多的非法ip的smtp连接
怎么查看是利用那个用户的密码呢，

gadfly

建议看看这个帖子
http://chinaunix.net/forum/viewtopic.php?t=43821&highlight=黑

dracoz

谢谢！