Full Version: What are these SMTP warning messages?
chi
Greetings,

Can anyone help me interpret these warning messages output by logcheck? This is just a sampling:

Jul 7 12:02:52 srv01 xinetd[3220]: START: smtp pid=7377 from=64.136.104.37
Jul 7 12:03:25 srv01 xinetd[3220]: START: smtp pid=7382 from=65.65.194.248
Jul 7 12:03:30 srv01 xinetd[3220]: START: smtp pid=7414 from=211.201.102.130
Jul 7 12:03:41 srv01 xinetd[3220]: START: smtp pid=7421 from=200.165.192.23
Jul 7 12:03:57 srv01 xinetd[3220]: START: smtp pid=7424 from=218.72.110.247

Is this an indication of my box being used as a relay to send spam? I was running Plesk 6 until yesterday (when I upgraded to Plesk 7). I think I saw a reference to a problem with older qmail helping spammers "learn" how to get pop3 logins.

How can I monitor which users and/or domains from my box are generating the SMTP traffic?

Thanks for your help!
StinkiePhish
When another email server wants to deliver mail to you, it opens an SMTP connection. Basically, server-to-server emails go through SMTP. They are nothing to worry about.

My guess is, in your logs, you are seeing these connections. I have similar output in my LogWatch messages.

Go to http://ordb.org and test your server for an open relay, although I doubt it is open.


Regarding how spammers "learn" the pop3 passwords, this is possible, but I haven't heard of spammers doing it on a wide scale. When your users log in to their POP accounts, their username and password are transmitted in plain text over the internet. Use Secure POP/SMTP (which is already built into Plesk) to prevent this, and encourage your users to do so as well.

Hope this helps!

(Someone please correct me if I am totally wrong anywhere!)


Vince Mele
SD3 Corporation
http://www.sd3.com
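
An added example, not part of the original thread: Python that parses xinetd START lines in the format quoted in the question, counts inbound connections per source address, and flags sources that open many connections within a short window. The year, the window and burst threshold, and the 192.0.2.x log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the xinetd connection-start lines quoted in the question.
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+xinetd\[\d+\]:\s+"
    r"START:\s+(?P<svc>\S+)\s+pid=\d+\s+from=(?P<src>\S+)$"
)
ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year

def parse_start(line, year=ASSUMED_YEAR):
    """Return (timestamp, service, source) or None if the line does not match."""
    m = START_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["src"]

def inbound_summary(lines, service="smtp", window=timedelta(seconds=60), burst=5):
    """Count connections per source; list sources with >= burst hits in any window."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_start(line)
        if rec and rec[1] == service:
            seen[rec[2]].append(rec[0])
    bursty = []
    for src, stamps in seen.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= burst:
                bursty.append(src)
                break
    return {s: len(v) for s, v in seen.items()}, sorted(bursty)

# First two lines are from the post; the rest are constructed (192.0.2.0/24 is a documentation range).
SAMPLE = [
    "Jul 7 12:02:52 srv01 xinetd[3220]: START: smtp pid=7377 from=64.136.104.37",
    "Jul 7 12:03:25 srv01 xinetd[3220]: START: smtp pid=7382 from=65.65.194.248",
    "Jul 7 12:03:40 srv01 xinetd[3220]: START: pop3 pid=7390 from=192.0.2.99",
] + [
    f"Jul 7 12:04:{s:02d} srv01 xinetd[3220]: START: smtp pid={7430 + i} from=192.0.2.10"
    for i, s in enumerate((1, 5, 9, 14, 20))
]

if __name__ == "__main__":
    counts, bursty = inbound_summary(SAMPLE)
    print(counts, bursty)
```

These lines record only the remote address of each inbound connection; they do not show which local user or domain a message was sent for.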