Qmail

qmail-smtpd, status 11, just curious

To: qmail@list.cr.yp.to
Subject: qmail-smtpd, status 11, just curious
From: Matt Simpson <net-qmlist@jmatt.net>
Date: Fri, 8 Dec 2006 09:26:41 -0500
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
Delivered-to: sp-com-lists@consult.net
Delivered-to: gmail-qmail@securepoint.com
Delivered-to: sp.com.list@gmail.com
Delivered-to: mailing list qmail@list.cr.yp.to
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jmatt.net; b=IfX1Sb8UyyWLb0x8XyPcAsmkUQ6vx8SWzCSYiXmwdPNfeX04nLJm+1M7bTg/cW6TLuOd96oGuYGcA8posuXwQjJDNgmpQGg2yLOjXxmQUGrAo8GrK+8yjYCm0uX3mC4aTTRJxD0Dp4PS6oROR/lxNdNLDCeS9RYhf95cM/7gz9s=; h=Received:Mime-Version:Message-Id:Date:From:Subject:Mime-Version:Content-Type;
Domainkey-status: bad
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm

I get occasional bursts of lots of "status 11" messages in my qmail-smtpd log. When it happens, it's usually repeated attempts from 1 or 2 servers that look suspiciously like spammers. As I understand it, "status 11" just means the session terminated abnormally.

Today, I saw it happening and managed to turn on recordio in time to capture one of the "abnormally terminating" sessions. It was indeed a spammer (or phisher, or virus, or something worthless).

Dec 8 08:47:31 crossbo smtpd: 1165585651.835186 tcpserver: ok 16990 crossbo.jmatt.net:208.116.11.36:25 mail.craoffice.com:207.59.128.86::27603
Dec 8 08:47:31 crossbo smtpd: 1165585651.889022 16990 < EHLO craserver.craoffice.com?
curator@crossbo:/home/curator> tail maillog
Dec 8 08:47:31 crossbo smtpd: 1165585651.889022 16990 < EHLO craserver.craoffice.com?
Dec 8 08:47:31 crossbo smtpd: 1165585651.889193 16990 > 250-crossbo.jmatt.net Spammers will be nuked.?
Dec  8 08:47:31 crossbo smtpd: 1165585651.889247 16990 > 250-STARTTLS?
Dec  8 08:47:31 crossbo smtpd: 1165585651.889273 16990 > 250-SIZE 0?
Dec  8 08:47:31 crossbo smtpd: 1165585651.889298 16990 > 250-PIPELINING?
Dec  8 08:47:31 crossbo smtpd: 1165585651.889319 16990 > 250 8BITMIME?
Dec 8 08:47:31 crossbo smtpd: 1165585651.921652 16990 < MAIL FROM:<service@paypal.com>?
Dec  8 08:47:32 crossbo smtpd: 1165585652.947645 16990 > [EOF]
Dec  8 08:47:32 crossbo smtpd: 1165585652.947761 tcpserver: end 16990 status 11
Dec  8 08:47:32 crossbo smtpd: 1165585652.947925 tcpserver: status: 0/10


If I'm reading this correctly, my server hung up after receiving the "MAIL FROM". In this case, I don't really care, since it was mail I didn't want. But I don't understand why it happened, which makes me wonder if it might happen sometime when I do care.

I have some spam control, but I don't think any of it should cause this behavior. I invoke SpamAssassin via simscan, which is a qmail-queue frontend, but obviously it hasn't gotten involved at this point. I also have John Simpson's mega patch. But I think the only hooks in there that would catch anything that early would be MFCHECK, which checks the validity of the MAIL FROM domain, and SPF checking. But I don't think either of those should have caught this message, and even if they did, I think they would have issued a message.

Does anybody know what might make qmail-smtpd just suddenly hang up on a sender with no explanation?
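
An added example, not part of the original post: a Python script that pairs each tcpserver "end PID status N" line with the recordio trace for the same PID and reports the last client command seen before a non-zero ending. It assumes the number tcpserver logs is the raw wait() status in the usual Unix layout (low 7 bits are the signal number, the next byte is the exit code), under which status 11 decodes to termination by signal 11; the function names and the second session in the sample log are constructed.

```python
import re

# Constructed sample: the first session follows the lines quoted in the post,
# the second (a clean QUIT from a documentation address) is invented for contrast.
SAMPLE_LOG = """\
Dec  8 08:47:31 crossbo smtpd: 1165585651.835186 tcpserver: ok 16990 crossbo.jmatt.net:208.116.11.36:25 mail.craoffice.com:207.59.128.86::27603
Dec  8 08:47:31 crossbo smtpd: 1165585651.889022 16990 < EHLO craserver.craoffice.com
Dec  8 08:47:31 crossbo smtpd: 1165585651.921652 16990 < MAIL FROM:<service@paypal.com>
Dec  8 08:47:32 crossbo smtpd: 1165585652.947645 16990 > [EOF]
Dec  8 08:47:32 crossbo smtpd: 1165585652.947761 tcpserver: end 16990 status 11
Dec  8 08:47:33 crossbo smtpd: 1165585653.100000 tcpserver: ok 16991 crossbo.jmatt.net:208.116.11.36:25 :192.0.2.7::40000
Dec  8 08:47:33 crossbo smtpd: 1165585653.200000 16991 < QUIT
Dec  8 08:47:33 crossbo smtpd: 1165585653.300000 tcpserver: end 16991 status 0
"""

OK = re.compile(r"tcpserver: ok (\d+) \S+ (\S+)$")        # pid, remote host:ip:info:port
END = re.compile(r"tcpserver: end (\d+) status (\d+)$")   # pid, logged status
IO = re.compile(r"\d+\.\d+ (\d+) ([<>]) (.*)$")           # recordio: pid, direction, data


def decode_status(raw):
    """Split a raw wait() status into ("signal", n) or ("exit", code).

    Assumption: conventional Unix encoding of the wait status.
    """
    sig = raw & 0x7F
    if sig:
        return ("signal", sig)
    return ("exit", (raw >> 8) & 0xFF)


def abnormal_sessions(log_text):
    """Return one record per session whose logged status is non-zero."""
    remote, last_cmd, report = {}, {}, []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := OK.search(line):
            remote[m[1]] = m[2].split(":")[1]          # IPv4 remote address
        elif m := END.search(line):
            pid, raw = m[1], int(m[2])
            if raw != 0:
                report.append({"pid": pid, "remote": remote.get(pid),
                               "status": decode_status(raw),
                               "last_command": last_cmd.get(pid)})
            remote.pop(pid, None)                      # PIDs get reused; forget the session
            last_cmd.pop(pid, None)
        elif (m := IO.search(line)) and m[2] == "<":   # "<" marks data read from the client
            last_cmd[m[1]] = m[3]
    return report
```

Running `abnormal_sessions` over a full day's log and grouping the records by `last_command` and `remote` shows whether the abnormal endings always follow the same SMTP verb or the same senders.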

