A user informed me that an email message she was trying to send was not going out; Outlook showed it sitting in her outbox and eventually displayed an error message about its attempted connection to the SMTP server, because it couldn't send the message.
When I looked at bandwidth utilization at the SMTP server end with bwmon, I saw that almost all the available bandwidth was being consumed. When I checked to see what type of traffic was involved using IPTraf and pktstat, I saw that email traffic, i.e. connections to port 25 on the server, was consuming the bandwidth. A netstat -a | grep smtp command showed a lot of connections to the SMTP port, which is port 25. When I counted them with netstat -a | grep smtp | wc -l, I found there were 51 connections, which is far more than I would normally see to the server.
To try to get more information on that traffic, I installed ngrep. The author's description of the tool is listed below:
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
To see the "from" and "to" addresses being used in the transmissions, I used the command ngrep -i 'rcpt to|mail from' tcp port smtp. The -i option tells ngrep to ignore the case of characters when looking for pattern matches. The 'rcpt to|mail from' tells it to look for either rcpt to or mail from, which are the commands sent to an email server to specify the recipient and the sender of an email message. SMTP transmissions use TCP, so the tcp parameter specifies that protocol and port smtp specifies that the SMTP port, port 25, is the one to monitor.
Note: you will need to run the command as root or you will get the message "no suitable device found: Operation not permitted".
The command showed the following output:
# ngrep -i 'rcpt to|mail from' tcp port smtp
interface: eth0 (66.22.186.48/255.255.255.240)
filter: (ip) and ( tcp port smtp )
match: rcpt to|mail from
###############
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  MAIL FROM: <kvocqcbrxzqxqs@fdvwiqrprdewt.logicbest.com>..
####
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  RCPT TO:<janesmith@moonpoint.com>..
###########################
T 216.188.126.165:57486 -> 66.22.186.53:25 [AP]
  MAIL FROM:<175419_VMTA12778-angel=MOONPOINT.COM@DPCTECHNOLOGIES.NET> BODY=8BITMIME..RCPT TO:<angelica1@MOONPOINT.COM>..DATA..
#############################
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  MAIL FROM:<>..
##
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  RCPT TO:<moonpointm@moonpoint.com>..
Most of the traffic had invalid "rcpt to" addresses, i.e. there was no such email address on the server. Many of the messages had no "mail from" address. The "mail from" and "rcpt to" addresses are for the "envelope" of the message, i.e., they aren't necessarily the same as the "from" and "to" addresses a recipient would see when viewing the message in an email client. Instead, they are part of the SMTP transmission protocol. An email server will use the "rcpt to" value to route a message to the appropriate mailbox.
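To turn output like the above into a quick per-client summary, here is an added Python example (not part of the original post) that parses ngrep's "T src -> dst [flags]" header lines and the MAIL FROM / RCPT TO payload that follows them, then counts, per source IP, null senders and recipients that do not exist on the server. The sample output and the list of valid local mailboxes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in ngrep's layout: a "T src -> dst [flags]" header line,
# then the packet payload; '#' lines are ngrep's progress marks.
SAMPLE = """\
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  MAIL FROM: <kvocqcbrxzqxqs@fdvwiqrprdewt.logicbest.com>..
####
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  RCPT TO:<janesmith@moonpoint.com>..
T 216.188.126.165:57486 -> 66.22.186.53:25 [AP]
  MAIL FROM:<175419_VMTA12778-angel=MOONPOINT.COM@DPCTECHNOLOGIES.NET> BODY=8BITMIME..RCPT TO:<angelica1@MOONPOINT.COM>..DATA..
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  MAIL FROM:<>..
##
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  RCPT TO:<moonpointm@moonpoint.com>..
"""

# Mailboxes that actually exist on the server (constructed for the example).
LOCAL_MAILBOXES = {"moonpointm@moonpoint.com"}

HEADER = re.compile(r"^T (\d+\.\d+\.\d+\.\d+):\d+ -> \S+ \[")
ENVELOPE = re.compile(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def summarize(ngrep_output, local_mailboxes=LOCAL_MAILBOXES):
    # Per source IP: MAIL FROM count, null (<>) senders, RCPT TO count,
    # and RCPT TO for addresses that do not exist locally.
    stats = defaultdict(lambda: {"mail_from": 0, "null_sender": 0,
                                 "rcpt_to": 0, "bad_rcpt": 0})
    src = None
    for line in ngrep_output.splitlines():
        m = HEADER.match(line)
        if m:
            src = m.group(1)  # payload lines that follow belong to this client
            continue
        if src is None or line.startswith("#"):
            continue
        for verb, addr in ENVELOPE.findall(line):
            s = stats[src]
            if verb.upper() == "MAIL FROM":
                s["mail_from"] += 1
                s["null_sender"] += addr == ""
            else:
                s["rcpt_to"] += 1
                s["bad_rcpt"] += addr.lower() not in local_mailboxes
    return dict(stats)
```

A client with many bad recipients and null senders is the pattern to look for when deciding which sources to rate-limit or block at the firewall.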
While I was checking on the issue, the bandwidth utilization dropped back down to normal and I didn't take any further action.
References:
- Bandwidth Monitoring on a Linux System. MoonPoint Support, September 15, 2004.
- Using pktstat to Monitor Network Traffic. MoonPoint Support, December 13, 2006.
- ngrep - network grep. By Jordan Ritter. SourceForge.net, November 18, 2006.
- The MAIL, RCPT, and DATA verbs. By D. J. Bernstein. D. J. Bernstein - Mathematics and computer science.
- ngrep RPM for Red Hat, CentOS, and Fedora. By Dag Wieers. DAG: Field Commander Wieers.