Now this has always been puzzling. This looks like spam from a
customer's machine. They swear up and down their machine is clean. They
are also a good friend of the boss. Well, he knows them. What I did
was grep the 2E3F10D8005 and then did another grep when 7F92C10D8193
via mailscanner.
Thanks,
Josh
Jun 7 08:57:28 primary postfix/smtpd[32012]: 2E03F10D8005:
client=primary.mychoice.cc[172.16.0.185], sasl_method=PLAIN,
sasl_username=p...@mychoice.cc
Jun 7 08:57:28 primary postfix/cleanup[32032]: 2E03F10D8005: hold:
header Received: from localhost (primary.mychoice.cc
[172.16.0.185])??(Authenticated sender: p...@mychoice.cc)??by
primary.mychoice.cc (Postfix) with ESMTP id 2E03F10D8005;??Mon, 7 Jun
2010 08:57:28 -0600 ( from primary.mychoice.cc[172.16.0.185];
from=<fk0...@gmail.com> to=<jzbig...@gmail.com> proto=ESMTP
helo=<localhost>
Jun 7 08:57:28 primary postfix/cleanup[32032]: 2E03F10D8005:
message-id=<20100607085728.zpp6nrf09skcs...@www.mychoice.cc>
Jun 7 08:57:30 primary MailScanner[31332]: SpamAssassin cache hit for
message 2E03F10D8005.C2137
Jun 7 08:57:34 primary MailScanner[31332]: Requeue:
2E03F10D8005.C2137 to 7F92C10D8193 ----- this is where it was changed
via mailscanner
Jun 7 08:57:34 primary postfix/qmgr[23472]: 7F92C10D8193:
from=<fk0...@gmail.com>, size=1172, nrcpt=20 (queue active)
Jun 7 08:57:34 primary postfix/smtp[32286]: 7F92C10D8193:
to=<ab...@hotmail.com>, relay=mx1.hotmail.com[65.55.92.168]:25,
delay=6.5, delays=6.1/0.01/0.23/0.19, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for
delivery)
Jun 7 08:57:34 primary postfix/smtp[32284]: 7F92C10D8193:
to=<a-sta...@hotmail.co.uk>, relay=mx3.hotmail.com[65.54.188.94]:25,
delay=6.5, delays=6.1/0.01/0.33/0.1, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for
delivery)
Jun 7 08:57:34 primary postfix/smtp[32285]: 7F92C10D8193:
to=<mary_sku...@hotmail.fr>, relay=mx2.hotmail.com[65.55.92.152]:25,
delay=6.8, delays=6.1/0.01/0.42/0.27, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for
delivery)
Jun 7 08:57:35 primary postfix/smtp[32287]: 7F92C10D8193:
to=<myter.banis...@googlemail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=7,
delays=6.1/0.01/0.21/0.64, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920903 d37si10986603wam.48)
Jun 7 08:57:35 primary postfix/smtp[32279]: 7F92C10D8193:
to=<jimmytoosh...@europe.com>,
relay=mailin-01.mx.aol.com[64.12.90.1]:25, delay=7,
delays=6.1/0.01/0.62/0.23, dsn=5.1.1, status=bounced (host
mailin-01.mx.aol.com[64.12.90.1] said: 550 5.1.1
<jimmytoosh...@europe.com>: Recipient address rejected: europe.com (in
reply to RCPT TO command))
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<afilmb...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<j_jes...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<mike_a...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32283]: 7F92C10D8193:
to=<raymondloanf...@financier.com>,
relay=mailin-01.mx.aol.com[64.12.90.1]:25, delay=7.2,
delays=6.1/0.01/0.63/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as 5C29F3800011B)
Jun 7 08:57:36 primary postfix/smtp[32300]: 7F92C10D8193:
to=<klausthaler...@web.de>, relay=mx-ha01.web.de[217.72.192.149]:25,
delay=8, delays=6.1/0.02/0.54/1.3, dsn=2.0.0, status=sent (250 OK
id=1OLdJP-0001xq-00)
Jun 7 08:57:36 primary postfix/smtp[32301]: 7F92C10D8193: host
mx.wmint.net[80.247.237.14] said: 451 4.7.1 GreyShark: Grey listed for
01:00, please try again later. (in reply to RCPT TO command)
Jun 7 08:57:37 primary postfix/smtp[32281]: 7F92C10D8193:
to=<landon...@sbcglobal.net>,
relay=sbcmx4.prodigy.net[207.115.20.23]:25, delay=8.9,
delays=6.1/0.01/1.1/1.6, dsn=2.0.0, status=sent (250 2.0.0
o57ESNSv024475 Message accepted for delivery)
Jun 7 08:57:37 primary postfix/smtp[32301]: 7F92C10D8193:
to=<adams_brow...@webmail.co.za>,
relay=mx.wmint.net[80.247.237.17]:25, delay=9.7,
delays=6.1/0.03/3.3/0.29, dsn=4.7.1, status=deferred (host
mx.wmint.net[80.247.237.17] said: 451 4.7.1 GreyShark: Grey listed for
00:59, please try again later. (in reply to RCPT TO command))
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<richdoo...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com[72.14.213.27] said: 550-5.1.1 The email
account that you tried to reach does not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550
5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596
h16si6707240rvn.68 (in reply to RCPT TO command))
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<adolf.munsterhj...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<ahmed.sulema...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<jak.gubre...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<jzbig...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<lucyb2...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<phil.mccrac...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<tamja.warr...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920931 h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/bounce[32293]: 7F92C10D8193: sender
non-delivery notification: 697E010D818F
Jun 7 09:19:21 primary postfix/qmgr[23472]: 7F92C10D8193:
from=<fk0...@gmail.com>, size=1172, nrcpt=20 (queue active)
Jun 7 09:19:22 primary postfix/smtp[1039]: 7F92C10D8193:
to=<adams_brow...@webmail.co.za>,
relay=mx.wmint.net[80.247.237.15]:25, delay=1315,
delays=1314/0/0.6/0.42, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as C0024584003)
Jun 7 09:19:22 primary postfix/qmgr[23472]: 7F92C10D8193: removed
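
The two-step grep described in the post, as an added example that is not part of the original message: it follows a queue ID across the MailScanner requeue and reports the submitting client, the SASL login, and the final outcome per recipient. The sample log is constructed (example.com addresses, documentation IP ranges) and assumes each syslog entry sits on one line; `trace` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the same Postfix/MailScanner syslog format, one entry per line.
SAMPLE_LOG = """\
Jun 7 08:57:28 mx postfix/smtpd[100]: A1B2C3D4E5F6: client=mx.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.com
Jun 7 08:57:28 mx postfix/cleanup[101]: A1B2C3D4E5F6: message-id=<constructed-1@www.example.com>
Jun 7 08:57:34 mx MailScanner[102]: Requeue: A1B2C3D4E5F6.C2137 to 0F9E8D7C6B5A
Jun 7 08:57:34 mx postfix/qmgr[103]: 0F9E8D7C6B5A: from=<sender@example.net>, size=1172, nrcpt=3 (queue active)
Jun 7 08:57:34 mx postfix/smtp[104]: 0F9E8D7C6B5A: to=<a@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=6.5, dsn=2.0.0, status=sent (250 ok)
Jun 7 08:57:35 mx postfix/smtp[105]: 0F9E8D7C6B5A: to=<b@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=7, dsn=5.1.1, status=bounced (550 5.1.1 unknown user)
Jun 7 08:57:37 mx postfix/smtp[106]: 0F9E8D7C6B5A: to=<c@example.org>, relay=mx.example.org[198.51.100.6]:25, delay=9.7, dsn=4.7.1, status=deferred (451 4.7.1 greylisted)
Jun 7 09:19:22 mx postfix/smtp[107]: 0F9E8D7C6B5A: to=<c@example.org>, relay=mx.example.org[198.51.100.6]:25, delay=1315, dsn=2.0.0, status=sent (250 ok)
"""

REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: ([0-9A-F]+)\.\S+ to ([0-9A-F]+)")
ENTRY = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")

def trace(log_text, queue_id):
    """Follow queue_id through MailScanner requeues and summarise the message."""
    lines = log_text.splitlines()
    ids = [queue_id]
    for line in lines:  # a Requeue line links the held ID to its replacement
        m = REQUEUE.search(line)
        if m and m.group(1) in ids and m.group(2) not in ids:
            ids.append(m.group(2))
    info = {"queue_ids": ids, "final_status": {}}
    for line in lines:
        m = ENTRY.search(line)
        if not m or m.group(2) not in ids:
            continue
        daemon, _, rest = m.groups()
        # reversed() makes the first key=value win, so server reply text cannot override it
        fields = dict(reversed(re.findall(r"(\w+)=([^,\s]+)", rest)))
        if daemon == "smtpd" and "client" in fields:
            info["client"] = fields["client"]
            info["sasl_username"] = fields.get("sasl_username")
        elif daemon == "qmgr" and "nrcpt" in fields:
            info["sender"] = fields["from"].strip("<>")
            info["nrcpt"] = int(fields["nrcpt"])
        elif daemon == "smtp" and "status" in fields:
            # a later attempt (e.g. after greylisting) replaces the earlier result
            info["final_status"][fields["to"].strip("<>")] = fields["status"]
    info["status_counts"] = Counter(info["final_status"].values())
    return info

if __name__ == "__main__":
    print(trace(SAMPLE_LOG, "A1B2C3D4E5F6"))
```
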