Web Hosting Talk

What is this guy doing??


ZYE
04-25-2002, 05:08 PM
root 22827 0.0 0.6 2776 1668 ? S 22:37 0:00 sendmail: server XXXXXXX.XXX.com [xx.xx.50.46] cmd read

output of ps -aux

and inside the maillog, this:

Apr 25 22:37:04 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Unknown command: "get".
Apr 25 22:37:04 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Too many arguments supplied.
Apr 25 22:37:05 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Unknown command: "accept-language:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Unknown command: "accept-encoding:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Too many arguments supplied.
Apr 25 22:37:05 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Unknown command: "host:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at XXX.XX.50.46 (XXX.XX.50.46): -ERR Unknown command: "connection:".

Any info would be appreciated. Possible hack attack?

Reg
04-25-2002, 06:01 PM
Looks like someone is trying to relay spam off your SMTP. I believe the RaQ has SMTP relaying disabled so he can't bounce mail.

ZYE
04-25-2002, 09:02 PM
I sent that guy an email about this; he told me he had mistyped in IE: instead of port 21, port 25.

:confused: :eek:

jahsh
04-26-2002, 07:22 PM
yeah right:rolleyes:

Toska
04-27-2002, 03:11 PM
Hi ZYE,

Qpopper is the POP3 daemon running on port 110.

Someone connected to your server and apparently issued the following commands:

"accept-language:".
"accept-encoding:".
"host:".
"connection:".

Qpopper doesn't understand these commands and therefore logged the error messages.

> Possible hack attack ??

Could be. But I'd rather lay my finger on the fact that someone just did something dumb. Like specifying the wrong port when making a connection.

You can reproduce the error messages yourself:

telnet <your ip address> 110

That will connect to port 110 on your RaQ. Then issue the commands above and see what kind of error messages you get. Then look at your logfiles:

tail -300 /var/log/maillog
tail -300 /var/log/messages


- Toska
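The pattern Toska describes (a browser's HTTP request line and headers showing up as `Unknown command` errors in the POP3 log) is easy to recognise by hand once, but tedious across a 300-line `tail`. The script below is an added example written for this thread, not code from any of the posters or from Qpopper: it parses lines in the qpopper format quoted above, groups the errors by client address, and gives a verdict per client based on whether the rejected tokens look like HTTP methods or header names. The log sample is constructed (addresses are documentation ranges, not the poster's real client), and the "misdirected HTTP client" heuristic is my own assumption, not anything Qpopper provides.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the maillog lines quoted in the thread.
# The first client sends what a web browser would; the second sends junk.
SAMPLE_MAILLOG = """\
Apr 25 22:37:04 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Unknown command: "get".
Apr 25 22:37:04 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Too many arguments supplied.
Apr 25 22:37:05 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Unknown command: "accept-language:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Unknown command: "accept-encoding:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Too many arguments supplied.
Apr 25 22:37:05 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Unknown command: "host:".
Apr 25 22:37:05 server in.qpopper[22826]: (null) at 192.0.2.46 (192.0.2.46): -ERR Unknown command: "connection:".
Apr 25 23:02:10 server in.qpopper[22901]: (null) at 198.51.100.7 (198.51.100.7): -ERR Unknown command: "xyzzy".
Apr 25 23:02:11 server in.qpopper[22901]: (null) at 198.51.100.7 (198.51.100.7): -ERR Unknown command: "plugh".
"""

# One qpopper -ERR line: timestamp, host, pid, "(null)" user, client name and address, message.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'in\.qpopper\[(?P<pid>\d+)\]: \(null\) at (?P<client>\S+) '
    r'\((?P<ip>[^)]+)\): -ERR (?P<msg>.*)$'
)
UNKNOWN_RE = re.compile(r'Unknown command: "(?P<cmd>[^"]*)"\.')

# First word of each line a browser sends: a request method, then "Header-Name:" lines.
HTTP_METHODS = {"get", "post", "head", "put", "options", "delete"}
HTTP_HEADER_RE = re.compile(r'^[a-z][a-z0-9-]*:$')


def parse_qpopper_errors(text):
    """Return one dict per -ERR line; 'cmd' is the rejected command or None for other errors."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a qpopper error line (or a different daemon)
        rec = m.groupdict()
        u = UNKNOWN_RE.match(rec["msg"])
        rec["cmd"] = u.group("cmd").lower() if u else None
        records.append(rec)
    return records


def looks_like_http(cmd):
    """Heuristic (my assumption): HTTP method or 'name:' header token."""
    return cmd in HTTP_METHODS or bool(HTTP_HEADER_RE.match(cmd))


def summarize_by_client(records):
    """Group errors by client address and attach a verdict per client."""
    per_ip = defaultdict(lambda: {"pids": set(), "commands": [], "other_errors": 0})
    for rec in records:
        entry = per_ip[rec["ip"]]
        entry["pids"].add(rec["pid"])
        if rec["cmd"] is None:
            entry["other_errors"] += 1   # e.g. "Too many arguments supplied."
        else:
            entry["commands"].append(rec["cmd"])
    for entry in per_ip.values():
        cmds = entry["commands"]
        http_like = [c for c in cmds if looks_like_http(c)]
        if cmds and len(http_like) == len(cmds) and len(http_like) >= 2:
            entry["verdict"] = "misdirected HTTP client"
        elif http_like:
            entry["verdict"] = "mixed: partly HTTP-like"
        else:
            entry["verdict"] = "unrecognised commands"
        entry["sessions"] = len(entry.pop("pids"))  # distinct qpopper pids seen
    return dict(per_ip)


if __name__ == "__main__":
    # Usage on a real box: summarize_by_client(parse_qpopper_errors(open("/var/log/maillog").read()))
    for ip, entry in summarize_by_client(parse_qpopper_errors(SAMPLE_MAILLOG)).items():
        print(f"{ip}: {entry['verdict']} sessions={entry['sessions']} "
              f"commands={entry['commands']} other_errors={entry['other_errors']}")
```

The verdict only separates "someone pointed a browser at port 110" from "someone sent the POP3 daemon things that are not HTTP"; the second bucket still deserves a look at the rest of the maillog and at `/var/log/messages`, as Toska suggests, rather than a conclusion on its own.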