Sorry about the formatting. Damn Outlook client I guess. Hopefully below is not messed up format wise.
Thanks for the pointer to Viktor's script. It appears to just have the postfix entries, not the handoffs back and forth. Seems to pick up 6 of the 20+ related lines. I get that it's just doing postfix, but it did not appear to get all of postfix.

###### collate.pl output ##############
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<online.casino.ga...@pearls.preal.us>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myu...@userdomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
##### collate.pl end ##########

Hopefully this is clean enough for some instruction on what these steps are.

##### log entries ############
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:44150 to [pp.pp.pp.pp]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from [5.133.8.185]:44150: 450 4.3.2 Service currently unavailable; from=<online.casino.ga...@pearls.preal.us>, to=<myu...@userdomain.org>, proto=ESMTP, helo=<pearls.preal.us>
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW [5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT [5.133.8.185]:44150
# immediate retry on second connection to secondary IP:
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD [5.133.8.185]:33753
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname accept.rootp.us does not resolve to address 5.133.8.185: Name or service not known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<online.casino.ga...@pearls.preal.us>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A: <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org> SIZE=6760 BODY=8BITMIME RET=HDRS Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <myu...@userdomain.org>; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [5.133.8.185] <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org>
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error: unexpected end of header; ; error: couldn't parse head; error near:; ; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910: message-id=<dsnpqyogyjqx...@mail1.myserver.com>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <online.casino.ga...@pearls.preal.us>, ENVID=am.walip0zshz9c.20170727t0005...@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185] <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org>, Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myu...@userdomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
##################

--
View this message in context: http://postfix.1071664.n5.nabble.com/RE-Deciphering-maillog-transaction-that-resulted-in-reply-to-spammer-tp91584p91592.html
Sent from the Postfix Users mailing list archive at Nabble.com.
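
Added example, not part of the original post and not Viktor's collate.pl: a Python correlator that follows the hand-offs the post says were missed, linking a Postfix queue ID to the amavis session id and on to the queue ID amavis reports after "queued as". The sample log is constructed in the post's format with made-up IDs and addresses, the names trace and keys_in are hypothetical, and short hex queue IDs are assumed; postscreen lines are not followed because they carry only the client IP.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the post (IDs and addresses are made up).
SAMPLE_LOG = """\
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: AAA111111: client=unknown[192.0.2.10]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: AAA111111: from=<sender@example.net>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: abcdEFGHijkl [192.0.2.10] <sender@example.net> -> <user@example.org>
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: BBB222222: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: BBB222222: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) SEND from <> -> <sender@example.net>, 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBB222222
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, <sender@example.net> -> <user@example.org>, Queue-ID: AAA111111, mail_id: abcdEFGHijkl
Jul 26 19:05:57 mail1 postfix/smtp[11091]: AAA111111: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:06:01 mail1 postfix/qmgr[910]: CCC333333: from=<other@example.com>, size=900, nrcpt=1 (queue active)
"""

# Assumption: short (hex) queue IDs; long queue IDs would need a different character class.
KEY_PATTERNS = [
    re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}):"),  # queue ID prefix on postfix lines
    re.compile(r"amavis\[\d+\]: \((\d+-\d+)\)"),          # amavis session id prefix
    re.compile(r"Queue-ID: ([0-9A-F]{6,})"),              # amavis names the inbound queue ID
    re.compile(r"queued as ([0-9A-F]{6,})"),              # queue ID of the message amavis injected
    re.compile(r"\bid=(\d+-\d+)"),                        # postfix/smtp echoes the amavis session id
]

def keys_in(line):
    return {m.group(1) for p in KEY_PATTERNS for m in p.finditer(line)}

def trace(log_text, start_id):
    """Return (lines, ids) reachable from start_id through shared identifiers."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    by_key = defaultdict(set)
    for i, line in enumerate(lines):
        for k in keys_in(line):
            by_key[k].add(i)
    seen, todo, hit = set(), [start_id], set()
    while todo:
        k = todo.pop()
        if k in seen:
            continue
        seen.add(k)
        for i in by_key.get(k, ()):
            hit.add(i)
            todo.extend(keys_in(lines[i]) - seen)  # follow every ID sharing a line
    return [lines[i] for i in sorted(hit)], seen

if __name__ == "__main__":
    print("\n".join(trace(SAMPLE_LOG, "AAA111111")[0]))
```

Starting from the inbound queue ID, the trace also returns the amavis lines and the second, locally injected message (from=<>), which is the notification going back to the envelope sender.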