I reset rgarrity’s password and things have been quiet. In my effort to understand what was happening let me describe what I think happened.
Someone got ahold of rgarrity's password. With that password they were able to craft emails with forged headers that appeared to spawn new messages to different recipients when being processed. Is that what was going on?

Thanks,
Ben

> On Dec 17, 2015, at 5:12 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>
> On 12/17/2015 4:03 PM, Ben Greenfield wrote:
>> Thank you for the tips.
>>
>> I just found this which looked wrong to me.
>>
>> I got this 433039B83D9A message id from the bad message sent by
>> bjbear...@cogs.com. Then I traced it back and see the message id
>> come from an actual user, rgarrity.
>>
>> Am I reading that correctly? Is that what happened?
>>
>> 12/17/15 4:02:24 PM postfix/smtpd[13501] 433039B83D9A:
>> client=unknown[190.254.55.184], sasl_method=CRAM-MD5,
>> sasl_username=rgarrity
>> 12/17/15 4:02:38 PM postfix/cleanup[13595] 433039B83D9A:
>> message-id=<48415b66-3cb8-495f-a86b-294a1c4bb...@cogs.com>
>> 12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A:
>> from=<bjbear...@cogs.com>, size=658, nrcpt=1 (queue active)
>> 12/17/15 4:02:38 PM postfix/smtp[13666] 433039B83D9A:
>> to=<mven...@niu.edu>, relay=127.0.0.1[127.0.0.1]:10024, delay=15,
>> delays=14/0/0/0.27, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=13051-16,
>> from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5833E9B83DA3)
>> 12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A: removed
>>
>
> User rgarrity is spamming. Most likely the password got
> phished/compromised. Disable that account or manually change the
> password.
>
> The messages from 127.0.0.1 are the output of your content_filter,
> and normal. As you correctly did above, you must look at the
> message where it first enters postfix before the content_filter.
>
>
>
> -- Noel Jones
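The tracing step Noel describes, locating the smtpd entry where a message first enters Postfix (before the content_filter re-injects it) and checking who authenticated it, as an added example that is not part of the thread: the script groups log lines by queue id and flags authenticated submissions whose envelope sender does not belong to the SASL user. The log lines, hostnames and domains below are constructed in standard syslog layout, not copied from the thread's log viewer.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format. 433039B83D9A is the authenticated
# submission, 5833E9B83DA3 its content_filter re-injection, AAAA11112222 a legitimate send.
SAMPLE_LOG = """\
Dec 17 16:02:24 mx postfix/smtpd[13501]: 433039B83D9A: client=unknown[190.254.55.184], sasl_method=CRAM-MD5, sasl_username=rgarrity
Dec 17 16:02:38 mx postfix/qmgr[12965]: 433039B83D9A: from=<bjbear@example.com>, size=658, nrcpt=1 (queue active)
Dec 17 16:02:38 mx postfix/smtp[13666]: 433039B83D9A: to=<mven@example.net>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5833E9B83DA3)
Dec 17 16:02:38 mx postfix/smtpd[13700]: 5833E9B83DA3: client=localhost[127.0.0.1]
Dec 17 16:02:38 mx postfix/qmgr[12965]: 5833E9B83DA3: from=<bjbear@example.com>, size=900, nrcpt=1 (queue active)
Dec 17 16:05:01 mx postfix/smtpd[13502]: AAAA11112222: client=laptop.example.org[10.0.0.5], sasl_method=PLAIN, sasl_username=rgarrity
Dec 17 16:05:02 mx postfix/qmgr[12965]: AAAA11112222: from=<rgarrity@example.org>, size=300, nrcpt=1 (queue active)
"""

QUEUE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

def parse(log_text):
    """Collect key=value fields per queue id; first value wins, so the smtpd entry is kept."""
    by_qid = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = by_qid[qid]
        rec.setdefault("first_daemon", daemon)
        for key, val in FIELD_RE.findall(rest):
            rec.setdefault(key, val.strip("<>"))
    return dict(by_qid)

def suspicious_submissions(by_qid, local_domains):
    """Flag authenticated submissions whose envelope sender is not the SASL user's own
    address in a local domain. Re-injected filter copies have no sasl_username: skipped."""
    findings = []
    for qid, rec in by_qid.items():
        user = rec.get("sasl_username")
        if not user:
            continue  # unauthenticated, or the copy coming back from 127.0.0.1:10025
        sender = rec.get("from", "")
        local, _, domain = sender.partition("@")
        if local != user or domain not in local_domains:
            findings.append((qid, user, sender, rec.get("client")))
    return sorted(findings)

if __name__ == "__main__":
    for qid, user, sender, client in suspicious_submissions(parse(SAMPLE_LOG), {"example.org"}):
        print(f"{qid}: sasl_username={user} sent as <{sender}> from {client}")
```

Point it at the real mail log and your own domain set; a burst of findings for one account from an unfamiliar client is the pattern that warrants disabling the account.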