
trusted ip address spoofed (Logs) ?

  • Dimitrios Karapiperis
    Feb 1, 2010
      I attach some pieces of logs for better understanding

      Hi there

      I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay for a couple of remote ip addresses
      (static adsl) of remote sites.

      I cannot figure out how a spam originator fired some e-mails through my mail server
      using a specific remote IP, which was relayed.

      Return-Path: <oqoxlcfs@...>
      Received: from hhyllw (smtp.domain.tld[111.222.333.444])
         by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
         for <jrochez@...>; Mon,  1 Feb 2010 08:49:00 +0200 (EET)
      Received: from beoeb ([xxx.yyy.zzz.ccc])
         by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
         for <jrochez@...>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)

      The 111.222.333.444 is the relayed trusted ip and xxx.yyy.zzz.ccc is the malicious one.




      Logs


      Feb  1 08:44:18 smtp postfix/smtpd[17200]: connect from serial.domain.tld[111.222.333.444]
      Feb  1 08:44:18 smtp postfix/qmgr[27864]: 88B76180FE: from=<mjandsvaw@...>, size=1997, nrcpt=2 (queue active)
      Feb  1 08:44:18 smtp amavis[17227]: (17227-16) Passed SPAM, ORIGINATING LOCAL [111.222.333.444] [xxx.yyy.zzz.jjj] <mjandsvaw@...> -> <gu_has@...>,<guido.bergwitz@...>, Message-ID: <016d01caa309$f8d25ed0$be63cdd4@BNSXLDC>, mail_id: VSiSm3-q73CN, Hits: 6.947, size: 1589, queued_as: 88B76180FE, 119 ms
      Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<gu_has@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
      Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<guido.bergwitz@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
      Feb  1 08:44:18 smtp postfix/qmgr[27864]: 3CDEA180FD: removed


      111.222.333.444 is the trusted ip
      xxx.yyy.zzz.jjj is the spammy ip





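Added example, not part of the original post: a small check over the Received headers quoted above. The bracketed address in the outermost Received line is the real TCP peer as recorded by Postfix itself, so the trusted address did connect; the next hop, recorded by the trusted host's own MTA, names an untrusted upstream. The check flags exactly that pattern (trusted relay forwarding from an untrusted source) so it can be alerted on. The sample headers, the documentation-range IPs standing in for the post's placeholders, and the `TRUSTED_RELAYS` list are constructed assumptions.

```python
import re
import ipaddress

# Constructed sample based on the headers in the post; placeholder addresses
# replaced with documentation-range IPs so that ipaddress can parse them.
SAMPLE_HEADERS = """\
Received: from hhyllw (smtp.domain.tld[192.0.2.44])
   by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
   for <jrochez@example.org>; Mon,  1 Feb 2010 08:49:00 +0200 (EET)
Received: from beoeb ([198.51.100.23])
   by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
   for <jrochez@example.org>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)
"""

# Assumed: the addresses this server relays for (the poster's "trusted ip").
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.44/32")]

# Matches "Received: from <helo> (<rdns>[<ip>])" and "Received: from <helo> ([<ip>])".
HOP_RE = re.compile(r"Received: from (?P<helo>\S+) \(([^\s\[]*)\[(?P<ip>[0-9.]+)\]")


def parse_hops(headers):
    """Return the bracketed peer IP of each Received hop, outermost (newest) first."""
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # join folded header continuation lines
    return [m.group("ip") for m in HOP_RE.finditer(unfolded)]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RELAYS)


def classify(headers):
    """Classify a message by who connected to us and who handed it to that host.

    hops[0] was written by our own Postfix, so its bracketed IP is the actual
    TCP peer and cannot be changed by the client's HELO name.  hops[1] is the
    peer the trusted relay itself says delivered the message to it.
    """
    hops = parse_hops(headers)
    if not hops:
        return "no-received-headers"
    if not is_trusted(hops[0]):
        return "untrusted-client"
    if len(hops) > 1 and not is_trusted(hops[1]):
        return "trusted-relay-forwarded-untrusted"  # the pattern seen in the post
    return "trusted-origin"
```

Run against the sample, `classify` returns `trusted-relay-forwarded-untrusted`; in a real deployment the same check can be fed from a milter or a log post-processor and the trusted host's own relay restrictions reviewed when it fires.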