On 6/7/2010 4:37 PM, Josh Cason wrote:
Now this has always been puzzling. This looks like spam from a
customer's machine. They swear up and down their machine is clean. They are
also a good friend of the boss. Well, he knows them. What I did was grep
the 2E3F10D8005 and then did another grep when 7F92C10D8193 via
mailscanner.

It's hard to tell whether a message is spam or not just by looking at the logs, but using a gmail sender address to lots of freemailer recipients is suspicious.

If the mail is still on your system somewhere you can examine it with the "postcat" command.

Maybe the customer is sending a semi-legit mail list with lots of bad recipients.

Next you need to search your logs and see if the majority of suspicious messages come from this one machine.

and fix the clock on your computer.

 -- Noel Jones



Thanks,

Josh

Jun 7 08:57:28 primary postfix/smtpd[32012]: 2E03F10D8005:
client=primary.mychoice.cc[172.16.0.185], sasl_method=PLAIN,
sasl_username=p...@mychoice.cc
Jun 7 08:57:28 primary postfix/cleanup[32032]: 2E03F10D8005: hold:
header Received: from localhost (primary.mychoice.cc
[172.16.0.185])??(Authenticated sender: p...@mychoice.cc)??by
primary.mychoice.cc (Postfix) with ESMTP id 2E03F10D8005;??Mon, 7 Jun
2010 08:57:28 -0600 ( from primary.mychoice.cc[172.16.0.185];
from=<fk0...@gmail.com> to=<jzbig...@gmail.com> proto=ESMTP
helo=<localhost>
Jun 7 08:57:28 primary postfix/cleanup[32032]: 2E03F10D8005:
message-id=<20100607085728.zpp6nrf09skcs...@www.mychoice.cc>
Jun 7 08:57:30 primary MailScanner[31332]: SpamAssassin cache hit for
message 2E03F10D8005.C2137
Jun 7 08:57:34 primary MailScanner[31332]: Requeue: 2E03F10D8005.C2137
to 7F92C10D8193 ----- this is where it was changed via mailscanner
Jun 7 08:57:34 primary postfix/qmgr[23472]: 7F92C10D8193:
from=<fk0...@gmail.com>, size=1172, nrcpt=20 (queue active)
Jun 7 08:57:34 primary postfix/smtp[32286]: 7F92C10D8193:
to=<ab...@hotmail.com>, relay=mx1.hotmail.com[65.55.92.168]:25,
delay=6.5, delays=6.1/0.01/0.23/0.19, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for delivery)
Jun 7 08:57:34 primary postfix/smtp[32284]: 7F92C10D8193:
to=<a-sta...@hotmail.co.uk>, relay=mx3.hotmail.com[65.54.188.94]:25,
delay=6.5, delays=6.1/0.01/0.33/0.1, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for delivery)
Jun 7 08:57:34 primary postfix/smtp[32285]: 7F92C10D8193:
to=<mary_sku...@hotmail.fr>, relay=mx2.hotmail.com[65.55.92.152]:25,
delay=6.8, delays=6.1/0.01/0.42/0.27, dsn=2.0.0, status=sent (250
<20100607085728.zpp6nrf09skcs...@www.mychoice.cc> Queued mail for delivery)
Jun 7 08:57:35 primary postfix/smtp[32287]: 7F92C10D8193:
to=<myter.banis...@googlemail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=7,
delays=6.1/0.01/0.21/0.64, dsn=2.0.0, status=sent (250 2.0.0 OK
1275920903 d37si10986603wam.48)
Jun 7 08:57:35 primary postfix/smtp[32279]: 7F92C10D8193:
to=<jimmytoosh...@europe.com>,
relay=mailin-01.mx.aol.com[64.12.90.1]:25, delay=7,
delays=6.1/0.01/0.62/0.23, dsn=5.1.1, status=bounced (host
mailin-01.mx.aol.com[64.12.90.1] said: 550 5.1.1
<jimmytoosh...@europe.com>: Recipient address rejected: europe.com (in
reply to RCPT TO command))
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<afilmb...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<j_jes...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32302]: 7F92C10D8193:
to=<mike_a...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,
delay=7.1, delays=6.1/0.04/0.22/0.76, dsn=2.0.0, status=sent (250 ok
dirdel 2/1)
Jun 7 08:57:35 primary postfix/smtp[32283]: 7F92C10D8193:
to=<raymondloanf...@financier.com>,
relay=mailin-01.mx.aol.com[64.12.90.1]:25, delay=7.2,
delays=6.1/0.01/0.63/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as 5C29F3800011B)
Jun 7 08:57:36 primary postfix/smtp[32300]: 7F92C10D8193:
to=<klausthaler...@web.de>, relay=mx-ha01.web.de[217.72.192.149]:25,
delay=8, delays=6.1/0.02/0.54/1.3, dsn=2.0.0, status=sent (250 OK
id=1OLdJP-0001xq-00)
Jun 7 08:57:36 primary postfix/smtp[32301]: 7F92C10D8193: host
mx.wmint.net[80.247.237.14] said: 451 4.7.1 GreyShark: Grey listed for
01:00, please try again later. (in reply to RCPT TO command)
Jun 7 08:57:37 primary postfix/smtp[32281]: 7F92C10D8193:
to=<landon...@sbcglobal.net>,
relay=sbcmx4.prodigy.net[207.115.20.23]:25, delay=8.9,
delays=6.1/0.01/1.1/1.6, dsn=2.0.0, status=sent (250 2.0.0
o57ESNSv024475 Message accepted for delivery)
Jun 7 08:57:37 primary postfix/smtp[32301]: 7F92C10D8193:
to=<adams_brow...@webmail.co.za>, relay=mx.wmint.net[80.247.237.17]:25,
delay=9.7, delays=6.1/0.03/3.3/0.29, dsn=4.7.1, status=deferred (host
mx.wmint.net[80.247.237.17] said: 451 4.7.1 GreyShark: Grey listed for
00:59, please try again later. (in reply to RCPT TO command))
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<richdoo...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=5.1.1, status=bounced (host
gmail-smtp-in.l.google.com[72.14.213.27] said: 550-5.1.1 The email
account that you tried to reach does not exist. Please try 550-5.1.1
double-checking the recipient's email address for typos or 550-5.1.1
unnecessary spaces. Learn more at 550 5.1.1
http://mail.google.com/support/bin/answer.py?answer=6596
h16si6707240rvn.68 (in reply to RCPT TO command))
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<adolf.munsterhj...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<ahmed.sulema...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<jak.gubre...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<jzbig...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<lucyb2...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<phil.mccrac...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/smtp[32282]: 7F92C10D8193:
to=<tamja.warr...@gmail.com>,
relay=gmail-smtp-in.l.google.com[72.14.213.27]:25, delay=35,
delays=6.1/0.01/0.17/29, dsn=2.0.0, status=sent (250 2.0.0 OK 1275920931
h16si6707240rvn.68)
Jun 7 08:58:03 primary postfix/bounce[32293]: 7F92C10D8193: sender
non-delivery notification: 697E010D818F
Jun 7 09:19:21 primary postfix/qmgr[23472]: 7F92C10D8193:
from=<fk0...@gmail.com>, size=1172, nrcpt=20 (queue active)
Jun 7 09:19:22 primary postfix/smtp[1039]: 7F92C10D8193:
to=<adams_brow...@webmail.co.za>, relay=mx.wmint.net[80.247.237.15]:25,
delay=1315, delays=1314/0/0.6/0.42, dsn=2.0.0, status=sent (250 2.0.0
Ok: queued as C0024584003)
Jun 7 09:19:22 primary postfix/qmgr[23472]: 7F92C10D8193: removed
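The log walk Noel describes (follow the queue ID, and check whether the suspicious traffic is concentrated on one authenticated machine), as an added example that is not code from the thread, from Postfix or from MailScanner: a Python 3 script that joins Postfix smtpd, MailScanner Requeue, qmgr and smtp lines by queue ID, attributes every delivery outcome of the requeued message back to the SASL user who submitted the original, and reports per-user totals with two flags taken from the discussion above: an envelope sender outside the submitter's own domain, and a high share of bounced recipients. The sample log, its hosts, addresses and queue IDs are constructed; the regexes assume the default Postfix/MailScanner log format shown in the thread, and the qmgr retry line is counted only once per queue ID.

```python
"""Attribute Postfix delivery outcomes to the SASL user who submitted the
message, following MailScanner's requeue from one queue ID to another."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
# Hosts, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Jun 7 08:57:28 primary postfix/smtpd[32012]: AAAA0000001: client=host1.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=user1@example.com
Jun 7 08:57:28 primary postfix/cleanup[32032]: AAAA0000001: message-id=<1@example.com>
Jun 7 08:57:34 primary MailScanner[31332]: Requeue: AAAA0000001.C2137 to BBBB0000001
Jun 7 08:57:34 primary postfix/qmgr[23472]: BBBB0000001: from=<someone@gmail.com>, size=1172, nrcpt=4 (queue active)
Jun 7 08:57:34 primary postfix/smtp[32286]: BBBB0000001: to=<a@hotmail.com>, relay=mx1.hotmail.com[198.51.100.1]:25, delay=6.5, delays=6.1/0.01/0.23/0.19, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Jun 7 08:57:35 primary postfix/smtp[32279]: BBBB0000001: to=<b@europe.com>, relay=mx.example.net[198.51.100.2]:25, delay=7, delays=6.1/0.01/0.62/0.23, dsn=5.1.1, status=bounced (host mx.example.net said: 550 5.1.1 Recipient address rejected)
Jun 7 08:57:36 primary postfix/smtp[32301]: BBBB0000001: to=<c@webmail.co.za>, relay=mx.example.org[198.51.100.3]:25, delay=9.7, delays=6.1/0.03/3.3/0.29, dsn=4.7.1, status=deferred (host mx.example.org said: 451 4.7.1 Grey listed)
Jun 7 08:58:03 primary postfix/smtp[32282]: BBBB0000001: to=<d@gmail.com>, relay=gmail-smtp-in.l.google.com[198.51.100.4]:25, delay=35, delays=6.1/0.01/0.17/29, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com said: 550-5.1.1 The email account that you tried to reach does not exist.)
Jun 7 09:19:21 primary postfix/qmgr[23472]: BBBB0000001: from=<someone@gmail.com>, size=1172, nrcpt=4 (queue active)
Jun 7 09:19:22 primary postfix/smtp[1039]: BBBB0000001: to=<c@webmail.co.za>, relay=mx.example.org[198.51.100.3]:25, delay=1315, delays=1314/0/0.6/0.42, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Jun 7 09:19:22 primary postfix/qmgr[23472]: BBBB0000001: removed
Jun 7 09:10:00 primary postfix/smtpd[32050]: AAAA0000002: client=host2.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=user2@example.com
Jun 7 09:10:01 primary MailScanner[31332]: Requeue: AAAA0000002.C2200 to BBBB0000002
Jun 7 09:10:01 primary postfix/qmgr[23472]: BBBB0000002: from=<user2@example.com>, size=900, nrcpt=1 (queue active)
Jun 7 09:10:02 primary postfix/smtp[32290]: BBBB0000002: to=<e@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=1, delays=0.5/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
"""

# Line shapes assumed from the default Postfix / MailScanner log format.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?),.*?sasl_username=(?P<user>\S+)")
REQUEUE_RE = re.compile(r"MailScanner\[\d+\]: Requeue: (?P<old>[0-9A-F]+)\.\S+ to (?P<new>[0-9A-F]+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>, .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def _new_stats():
    return {"messages": 0, "recipients": 0, "sent": 0, "bounced": 0,
            "deferred": 0, "other": 0, "envelope_senders": set(),
            "recipient_domains": set()}


def _owner(qid, origin, alias):
    """Map a queue ID (possibly the one MailScanner assigned on requeue)
    back to the SASL user who submitted the original message, or None."""
    return origin.get(alias.get(qid, qid))


def summarize(log_text):
    """Return {sasl_username: stats} aggregated over every message seen."""
    origin = {}       # original queue ID -> sasl_username
    alias = {}        # requeued queue ID  -> original queue ID
    counted = set()   # qmgr logs '(queue active)' again on every retry; count once
    stats = defaultdict(_new_stats)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            origin[m["qid"]] = m["user"]
            continue
        m = REQUEUE_RE.search(line)
        if m:
            alias[m["new"]] = m["old"]
            continue
        m = QMGR_RE.search(line)
        if m:
            user = _owner(m["qid"], origin, alias)
            if user and m["qid"] not in counted:
                counted.add(m["qid"])
                s = stats[user]
                s["messages"] += 1
                s["recipients"] += int(m["nrcpt"])
                s["envelope_senders"].add(m["from"].lower())
            continue
        m = SMTP_RE.search(line)
        if m:
            user = _owner(m["qid"], origin, alias)
            if user:
                s = stats[user]
                status = m["status"]
                s[status if status in ("sent", "bounced", "deferred") else "other"] += 1
                s["recipient_domains"].add(m["to"].rsplit("@", 1)[-1].lower())
    return dict(stats)


def flags(user, s, bounce_ratio=0.25):
    """Reasons a submitter's traffic matches the pattern discussed in the
    thread: envelope sender outside the submitter's own domain, and a high
    share of bounced recipients (a bad or harvested list). Thresholds are
    assumptions for this example."""
    reasons = []
    user_domain = user.rsplit("@", 1)[-1].lower()
    foreign = sorted(a for a in s["envelope_senders"] if a.rsplit("@", 1)[-1] != user_domain)
    if foreign:
        reasons.append("envelope sender outside %s: %s" % (user_domain, ", ".join(foreign)))
    attempts = s["sent"] + s["bounced"] + s["deferred"]
    if attempts and s["bounced"] / attempts >= bounce_ratio:
        reasons.append("%d of %d recipient attempts bounced" % (s["bounced"], attempts))
    return reasons


if __name__ == "__main__":
    for user, s in sorted(summarize(SAMPLE_LOG).items()):
        print("%s: %d message(s), %d recipient(s), sent=%d bounced=%d deferred=%d, domains=%d"
              % (user, s["messages"], s["recipients"], s["sent"], s["bounced"],
                 s["deferred"], len(s["recipient_domains"])))
        for reason in flags(user, s):
            print("   !", reason)
```

Run it against a real mail log with `summarize(open("/var/log/mail.log").read())` (path is an assumption; use wherever your syslog puts Postfix). A submitter whose envelope senders are all outside the local domain and whose bounce share is high stands out immediately, which is the comparison Noel asks for; a legitimate list sender with stale addresses shows the bounces but keeps its own domain as envelope sender.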