[Logwatch] Interpreting logwatch messages

Hugo van der Kooij hvdkooij at vanderkooij.org
Fri Dec 10 15:29:38 MST 2004


On Fri, 10 Dec 2004, Henry Hartley wrote:

> My current interest is in the sendmail section of the reports.  I have a
> long list of "Unknown local users" entries.  Is there anything I can do
> about those or are they just a fact of life?  I mean, I can collect IP
> addresses and block them but that seems like a big task and one that could
> get out of hand pretty quickly.

There is a list of 30-some known accounts being used by a number of virus
incarnations. I dropped a list in my blacklist so they get listed as
regular rejects.

> Also, there is a section called "Top relays".  Now, I *thought* I had
> relaying set up right (that is, restricted correctly) but this makes me
> wonder.  The first four seem reasonable but after that, there are lots of
> unknown locations (I've only listed the first two):
>
> Top relays (recipients/connections - min 10 rcpts, max 50 lines):
>     251/251: localhost.localdomain [127.0.0.1]
>     118/118: majordom at localhost
>     86/86: apache at localhost
>     47/47: root at localhost
>     19/19: [69.6.40.28]
>     19/2: 12-203-211-4.client.insightBB.com [12.203.211.4]
>     ...
>
> What exactly is this reporting?  Am I supposed to do something about them or
> is it reporting something that I just want to know about?

These are the 'senders' sending messages to you through SMTP. The name
'relays' is wrong if you ask me. Or at least too confusing to be good.

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij at vanderkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
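
What the "Top relays" figures in the quoted report count, as an added example that is not part of the original post and not Logwatch's own code. It assumes the report tallies the `nrcpts=` and `relay=` fields of sendmail `from=` lines and treats each such line as one connection; the log lines and the names `top_relays` and `is_local` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sendmail log lines (documentation addresses, not from the post).
SAMPLE_LOG = """\
Dec 10 04:02:11 mx sendmail[2101]: iBAB2B01002101: from=<list@example.org>, size=2110, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Dec 10 04:02:12 mx sendmail[2102]: iBAB2B01002101: to=<henry@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=32110, relay=local, dsn=2.0.0, stat=Sent
Dec 10 04:05:40 mx sendmail[2110]: iBAB5e01002110: from=apache, size=612, class=0, nrcpts=1, msgid=<2@example.org>, relay=apache@localhost
Dec 10 04:09:03 mx sendmail[2120]: iBAB9301002120: from=<x@example.net>, size=9001, class=0, nrcpts=3, msgid=<3@example.net>, proto=SMTP, daemon=MTA, relay=client.example.net [198.51.100.7]
Dec 10 04:09:55 mx sendmail[2121]: iBAB9t01002121: from=<y@example.net>, size=9002, class=0, nrcpts=2, msgid=<4@example.net>, proto=SMTP, daemon=MTA, relay=client.example.net [198.51.100.7]
Dec 10 04:11:20 mx sendmail[2130]: iBABBK01002130: from=<list@example.org>, size=1500, class=0, nrcpts=1, msgid=<5@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
"""

# A message-acceptance line: "from=..., nrcpts=N, ..., relay=<who handed it to us>"
FROM_LINE = re.compile(r"sendmail\[\d+\]: \w+: from=.*?\bnrcpts=(\d+),.*\brelay=(.+)$")


def is_local(relay):
    """True for mail submitted on this host rather than received over the network."""
    return relay.endswith("@localhost") or "[127.0.0.1]" in relay


def top_relays(log_text, min_rcpts=1):
    """Return (relay, recipients, connections, local) rows, busiest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if m is None:          # to= lines and everything else are skipped
            continue
        relay = m.group(2).strip()
        totals[relay][0] += int(m.group(1))   # recipients on this message
        totals[relay][1] += 1                 # assumption: one from= line = one connection
    rows = [(r, n[0], n[1], is_local(r)) for r, n in totals.items() if n[0] >= min_rcpts]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for relay, rcpts, conns, local in top_relays(SAMPLE_LOG):
        print(f"{rcpts}/{conns}: {relay}{'' if local else '   <- remote sender'}")
```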