Finding reason for smtpd rejections

Today's pflogsumm report includes this rejection:

Recipient address rejected: Please see http (total: 2)
2 <a href=""></a>

Since this is my address I'm curious why two incoming messages were rejected
when many more were passed. I'd appreciate advice on how I can identify
these two messages in /var/log/maillog.1 among all the logged incoming
messages to this address.




Re: Finding reason for smtpd rejections

By Wietse Venema at 12/06/2018 - 12:10

Rich Shepard:
pflogsumm *summarizes* a detailed logfile.

You look at the *detailed* log messages that produced the above result.


Re: Finding reason for smtpd rejections

By Noel Jones at 12/06/2018 - 12:09

On 12/6/2018 9:59 AM, Rich Shepard wrote:

To see just the logged rejection (which is often enough):

grep reject: /var/log/maillog.1 | grep rshepard@appl-ecosys

To see more context of the connection that was rejected, open the
file with your favorite text editor and search for
/reject: .*rshepard@appl-ecosys

Wild guess: some spammer used your own address as sender, and the
connection was rejected by some of your spam controls, probably an rbl.

-- Noel Jones

Re: Finding reason for smtpd rejections

By Rich Shepard at 12/06/2018 - 12:46


There are certainly many rejected by a couple of rbls as well as by other
postfix UCE checks. Why these two were listed separately by pflogsumm is not
obvious when I look at the list grep returned.



Re: Finding reason for smtpd rejections

By Noel Jones at 12/06/2018 - 12:59

On 12/6/2018 10:46 AM, Rich Shepard wrote:

Possibly there are more clues in pflogsumm's output, such as the
heading or something else. Depending on how compact you've set the
output, it might be hard to identify with the existing information.
The heading may give the clue about which rule or control rejected

Maybe re-running pflogsumm with increasing detail will give hints
about which two rejections it's referring to.

-- Noel Jones
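
An added example, not part of any post in this thread: one way to do the lookup described above, first grouping the `reject:` lines for one recipient by reason (to see which reason accounts for the two that pflogsumm listed), then printing the full smtpd session around each matching rejection. The function names, the sample log lines and the default syslog name `postfix/smtpd` are assumptions made for this example.

```shell
# Constructed sample maillog (not from the thread); reserved example names and addresses.
sample_log() {
cat <<'EOF'
Dec  5 08:01:11 mail postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Dec  5 08:01:12 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.net; from=<user@example.org> to=<user@example.org> proto=ESMTP helo=<host1>
Dec  5 08:01:12 mail postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Dec  5 09:14:40 mail postfix/smtpd[2188]: connect from mx.example.com[198.51.100.7]
Dec  5 09:14:41 mail postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.7]: 550 5.7.1 <user@example.org>: Recipient address rejected: Please see http://policy.example.invalid/why?id=1; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<mx.example.com>
Dec  5 09:14:41 mail postfix/smtpd[2188]: disconnect from mx.example.com[198.51.100.7]
Dec  5 09:30:02 mail postfix/smtpd[2188]: connect from mail.example.net[203.0.113.5]
Dec  5 09:30:03 mail postfix/smtpd[2188]: 4A1B2C3D4E: client=mail.example.net[203.0.113.5]
Dec  5 09:30:04 mail postfix/smtpd[2188]: disconnect from mail.example.net[203.0.113.5]
Dec  5 11:47:19 mail postfix/smtpd[2240]: connect from unknown[198.51.100.99]
Dec  5 11:47:20 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.99]: 550 5.7.1 <user@example.org>: Recipient address rejected: Please see http://policy.example.invalid/why?id=2; from=<b@example.com> to=<user@example.org> proto=ESMTP helo=<host2>
Dec  5 11:47:20 mail postfix/smtpd[2240]: disconnect from unknown[198.51.100.99]
EOF
}

# Usage: reject_summary ADDRESS < maillog   -> "count<TAB>reason", most frequent first
reject_summary() {
  awk -v addr="$1" '
    / reject: / && index($0, "to=<" addr ">") {
      r = $0
      sub(/^.* reject: [A-Z]+ from [^ ]+ [0-9]+ [0-9.]+ /, "", r)  # drop up to status codes
      sub(/; from=<.*$/, "", r)                # drop envelope details
      sub(/^<[^>]*>: /, "", r)                 # drop leading "<rcpt>: "
      gsub(/\[[0-9a-fA-F.:]+\]/, "[ip]", r)    # normalise client addresses
      gsub(/http[^ ;]*/, "http", r)            # collapse URLs, as in the quoted summary line
      n[r]++
    }
    END { for (r in n) printf "%d\t%s\n", n[r], r }' | sort -rn
}

# Usage: reject_context REASON ADDRESS < maillog
# Prints each whole smtpd session (connect..disconnect) containing a matching reject.
reject_context() {
  awk -v reason="$1" -v addr="$2" '
    match($0, /postfix\/smtpd\[[0-9]+\]/) {
      pid = substr($0, RSTART, RLENGTH)        # smtpd PIDs are reused, so track per session
      if ($0 ~ / connect from /) { buf[pid] = ""; hit[pid] = 0 }
      buf[pid] = buf[pid] $0 "\n"
      if ($0 ~ / reject: / && index($0, reason) && index($0, "to=<" addr ">")) hit[pid] = 1
      if ($0 ~ / disconnect from /) {
        if (hit[pid]) printf "%s\n", buf[pid]
        buf[pid] = ""; hit[pid] = 0
      }
    }'
}
```

Against a real log this would be run as `reject_summary ADDRESS < /var/log/maillog.1`, then `reject_context 'Please see http' ADDRESS < /var/log/maillog.1` for the reason of interest.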