No subject

Simon Brereton simon.brereton at buongiorno.com
Wed Nov 9 16:24:09 CET 2011


Hi

Can someone tell me what's going on here :)

Nov  8 16:09:37 mail postfix/smtpd[30205]: connect from unknown[94.20.38.50]
Nov  8 16:09:41 mail postfix/smtpd[30205]: C985FC8C005: client=unknown[94.20.38.50]
Nov  8 16:09:50 mail postfix/cleanup[30235]: C985FC8C005: message-id=<000e01cc51a0$5768b980$3226145e at eftps.com>
Nov  8 16:10:07 mail postfix/qmgr[30195]: C985FC8C005: from=<message.daemon at eftps.com>, size=30170, nrcpt=1 (queue active)
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) ESMTP::10024 /var/lib/amavis/tmp/amavis-20111108T130836-28776: <message.daemon at eftps.com> -> <joseph.sun at mydomain.net> SIZE=30170 Received: from mail.myserverdomain.net ([127.0.0.1]) by amavisd.myserverdomain.net (mail.myserverdomain.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <joseph.sun at mydomain.net>; Tue,  8 Nov 2011 16:10:07 +0000 (UTC)
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Checking: QWIgMcifqXRS [94.20.38.50] <message.daemon at eftps.com> -> <joseph.sun at mydomain.net>
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p003 1 Content-Type: multipart/mixed
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p001 1/1 Content-Type: text/plain, size: 574 B, name:
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p002 1/2 Content-Type: text/plain, size: 20750 B, name: report.18653.pdf
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) p.path BANNED:1 joseph.sun at mydomain.net: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=text/plain,T=zip,N=report.18653.pdf | P=p004,L=1/2/1,T=exe,T=exe-ms,N=report.18653.pdf.exe", matching_key="(?i-xsm:\\.[^./]*\\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\\.?$)"
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) local delivery: <message.daemon at eftps.com> -> banned-quarantine, mbx=/var/spool/mail/quarantine/banned-QWIgMcifqXRS
Nov  8 16:10:07 mail postfix/smtpd[30243]: connect from localhost[127.0.0.1]
Nov  8 16:10:07 mail postfix/smtpd[30243]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <postmaster@!change-mydomain-variable!.example.com>
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) smtp resp to RCPT (pip) (<postmaster@!change-mydomain-variable!.example.com>): 501 5.1.3 Bad recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
Nov  8 16:10:07 mail postfix/smtpd[30243]: disconnect from localhost[127.0.0.1]
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)SEND via SMTP: <postmaster at mail.myserverdomain.net> -> <postmaster@!change-mydomain-variable!.example.com>,ENVID=AM..20111108T161007Z at mail.myserverdomain.net 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)FAILED to notify admin: 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Blocked BANNED (.exe,.exe-ms,report.18653.pdf.exe), [94.20.38.50] [12.36.213.133] <message.daemon at eftps.com> -> <joseph.sun at mydomain.net>, quarantine: banned-QWIgMcifqXRS, Message-ID: <000e01cc51a0$5768b980$3226145e at eftps.com>, mail_id: QWIgMcifqXRS, Hits: -, size: 30169, 232 ms
Nov  8 16:10:07 mail postfix/smtp[30237]: C985FC8C005: to=<joseph.sun at mydomain.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=27, delays=27/0/0/0.23, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=28776-15 - BANNED: .exe,.exe-ms,report.18653.pdf.exe)
Nov  8 16:10:07 mail postfix/qmgr[30195]: C985FC8C005: removed
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) TIMING [total 234 ms] - SMTP greeting: 1 (0%)0, SMTP EHLO: 0 (0%)1, SMTP pre-MAIL: 0 (0%)1, SMTP pre-DATA-flush: 1 (0%)1, SMTP DATA: 39 (17%)18, check_init: 0 (0%)18, digest_hdr: 1 (0%)18, digest_body_dkim: 0 (0%)18, gen_mail_id: 1 (0%)19, mime_decode: 7 (3%)22, get-file-type2: 12 (5%)27, decompose_part: 21 (9%)36, get-file-type1: 11 (5%)40, decompose_part: 30 (13%)53, parts_decode: 0 (0%)53, check_header: 1 (0%)53, AV-scan-1: 43 (18%)72, update_cache: 1 (0%)72, decide_mail_destiny: 1 (0%)73, notif-quar: 1 (0%)73, stat-mbx: 1 (1%)74, open-mbx: 0 (0%)74, write-header: 0 (0%)74, save-to-local-mailbox: 0 (0%)74, fwd-connect: 52 (22%)96, fwd-mail-pip: 1 (0%)97, fwd-rcpt-pip: 0 (0%)97, fwd-data-chkpnt: 0 (0%)97, fwd-end-chkpnt: 1 (0%)97, prepare-dsn: 1 (0%)97, main_log_entry: 4 (2%)99, update_snmp: 2 (1%)100, SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-2-files: 0 (0%)100, rundown: 0 (0%)100
Nov  8 16:10:08 mail postfix/smtpd[30205]: disconnect from unknown[94.20.38.50]


What I understand is:

- The sending host connected and postfix accepted the mail
- postfix passed the message to amavis
- who found a banned file
- and tried to notify someone.

But it's not clear to me who it tried to notify. I don't want it trying to notify the sender because this (in this case, and almost always) is a virus. I don't really want it notifying me (postmaster at myserverdomain.net) because that's where the mail was quarantined anyway.

Who is it trying to notify and why?  And how do I turn it off?

Thanks.

Simon
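As an added example (not part of Simon's post, and not amavisd-new's own code), a small Python parser that correlates the amavisd-new lines sharing one task id and reports the verdict, the quarantine mailbox and every notification attempt with its SMTP reply, so the "who did it try to notify" question can be read straight off the log. It assumes lines in the shape of the excerpt above with the archive's "at" restored to "@"; the placeholder-address heuristic is my own.

```python
import re

# Constructed sample, copied from the amavisd-new lines of the post above with the
# list archive's "at" restored to "@" (one Postfix line kept to show it is skipped).
SAMPLE_LOG = """\
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) local delivery: <message.daemon@eftps.com> -> banned-quarantine, mbx=/var/spool/mail/quarantine/banned-QWIgMcifqXRS
Nov  8 16:10:07 mail postfix/smtpd[30243]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <postmaster@!change-mydomain-variable!.example.com>
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)SEND via SMTP: <postmaster@mail.myserverdomain.net> -> <postmaster@!change-mydomain-variable!.example.com>,ENVID=AM..20111108T161007Z@mail.myserverdomain.net 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) (!)FAILED to notify admin: 501 5.1.3 Failed, id=28776-15, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
Nov  8 16:10:07 mail amavisd-new[28776]: (28776-15) Blocked BANNED (.exe,.exe-ms,report.18653.pdf.exe), [94.20.38.50] [12.36.213.133] <message.daemon@eftps.com> -> <joseph.sun@mydomain.net>, quarantine: banned-QWIgMcifqXRS, Message-ID: <000e01cc51a0$5768b980$3226145e@eftps.com>, mail_id: QWIgMcifqXRS, Hits: -, size: 30169, 232 ms
"""

TASK_RE = re.compile(r"amavisd-new\[\d+\]: \((\d+-\d+)\) (.*)$")
BLOCKED_RE = re.compile(r"Blocked (\w+) \(([^)]*)\), \[([\d.]+)\].*?<([^>]*)> -> <([^>]*)>, "
                        r"quarantine: ([^,]+),.*mail_id: (\S+),")
MBX_RE = re.compile(r"local delivery: <[^>]*> -> ([^,]+), mbx=(\S+)")
# Every "(!)SEND via SMTP" line is a notification amavisd tried to send out (admin or sender).
NOTIFY_RE = re.compile(r"\(!\)SEND via SMTP: <([^>]*)> -> <([^>]*)>.*: (\d{3} \d\.\d\.\d .*)$")

def summarize(log_text):
    """Group amavisd-new lines by task id and extract what happened to each message."""
    tasks = {}
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue  # Postfix and other daemons' lines carry no amavisd task id
        task_id, msg = m.groups()
        t = tasks.setdefault(task_id, {"notifications": []})
        if b := BLOCKED_RE.search(msg):
            t.update(verdict=b[1], banned=b[2].split(","), client_ip=b[3],
                     sender=b[4], recipient=b[5], quarantine=b[6], mail_id=b[7])
        elif d := MBX_RE.search(msg):
            t["quarantine_mbx"] = d[2]
        elif n := NOTIFY_RE.search(msg):
            rcpt, reply = n[2], n[3]
            t["notifications"].append({
                "to": rcpt, "reply": reply, "delivered": reply.startswith("2"),
                # heuristic (mine): an unedited config template leaves "!change-...!" or
                # example.com in the admin address, which the MTA then rejects with a 501
                "placeholder": "!" in rcpt or rcpt.endswith("example.com")})
        elif "FAILED to notify admin" in msg:
            t["admin_notify_failed"] = True
    return tasks

if __name__ == "__main__":
    for task_id, t in summarize(SAMPLE_LOG).items():
        print(task_id, t["verdict"], t["banned"], "->", t["recipient"], "in", t["quarantine_mbx"])
        for n in t["notifications"]:
            print("  notify", n["to"], "ok" if n["delivered"] else "FAILED:", n["reply"])
```

Run against a real mail.log, the output shows per message whether the only outbound notification was the admin one (as here) or whether a sender DSN was also attempted, and which address each went to.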