
trusted IP address spoofed (Logs)?

  • Dimitrios Karapiperis
    Message 1 of 2 , Feb 1, 2010
      I attach some pieces of logs for better understanding

      Hi there

      I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay a couple of remote IP addresses
      (static ADSL) of remote sites.

      I cannot figure out how a spam originator fired some e-mails through my mail server
      using a specific remote IP, which was relayed.

      Return-Path: <oqoxlcfs@...>
      Received: from hhyllw (smtp.domain.tld[111.222.333.444])
         by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
         for <jrochez@...>; Mon,  1 Feb 2010 08:49:00 +0200 (EET)
      Received: from beoeb ([xxx.yyy.zzz.ccc])
         by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
         for <jrochez@...>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)

      111.222.333.444 is the relayed trusted IP and xxx.yyy.zzz.ccc is the malicious one.

      Logs

      Feb  1 08:44:18 smtp postfix/smtpd[17200]: connect from serial.domain.tld[111.222.333.444]
      Feb  1 08:44:18 smtp postfix/qmgr[27864]: 88B76180FE: from=<mjandsvaw@...>, size=1997, nrcpt=2 (queue active)
      Feb  1 08:44:18 smtp amavis[17227]: (17227-16) Passed SPAM, ORIGINATING LOCAL [111.222.333.444] [xxx.yyy.zzz.jjj] <mjandsvaw@...> -> <gu_has@...>,<guido.bergwitz@...>, Message-ID: <016d01caa309$f8d25ed0$be63cdd4@BNSXLDC>, mail_id: VSiSm3-q73CN, Hits: 6.947, size: 1589, queued_as: 88B76180FE, 119 ms
      Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<gu_has@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
      Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<guido.bergwitz@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
      Feb  1 08:44:18 smtp postfix/qmgr[27864]: 3CDEA180FD: removed

      111.222.333.444 is the trusted IP
      xxx.yyy.zzz.jjj is the spammy IP

    • Jim Wright
      Message 2 of 2 , Feb 1, 2010
        On Feb 1, 2010, at 2:17 AM, Dimitrios Karapiperis wrote:

        I attach some pieces of logs for better understanding

        Feb  1 08:44:18 smtp postfix/smtpd[17200]: connect from serial.domain.tld[111.222.333.444]
        Feb  1 08:44:18 smtp postfix/qmgr[27864]: 88B76180FE: from=<mjandsvaw@...>, size=1997, nrcpt=2 (queue active)
        Feb  1 08:44:18 smtp amavis[17227]: (17227-16) Passed SPAM, ORIGINATING LOCAL [111.222.333.444] [xxx.yyy.zzz.jjj] <mjandsvaw@...> -> <gu_has@...>,<guido.bergwitz@...>, Message-ID: <016d01caa309$f8d25ed0$be63cdd4@BNSXLDC>, mail_id: VSiSm3-q73CN, Hits: 6.947, size: 1589, queued_as: 88B76180FE, 119 ms
        Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<gu_has@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
        Feb  1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<guido.bergwitz@...>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
        Feb  1 08:44:18 smtp postfix/qmgr[27864]: 3CDEA180FD: removed

        Examine the logs from 111.222.333.444 and find out how that message was delivered there. If the message is spam and it was delivered by a trusted source, then you need to see how it arrived there.

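The check Jim describes, as an added example that is not part of the original thread and not code from Postfix or amavis: walk the Received: chain of the message outward from your own MTA and stop at the first client address that is not one of your trusted relays. That hop is where the message entered the hosts you trust; the header naming it was written by a trusted host (the client of the hop before it), so the address is reliable, while every older Received: line was written by untrusted hosts and may be forged. The same script pulls the two bracketed addresses out of an amavis line like the one in the post so they can be compared with the header walk. The trusted-relay list, the sample headers and the sample log line are constructed from the obfuscated values in the thread, with the masked octets replaced by documentation-range addresses (192.0.2.10 for the trusted relay, 198.51.100.77 for the spam source); those addresses and the example.invalid mailbox domains are assumptions.

```python
"""Find where a relayed message entered the chain of trusted hosts.
Added example, not code from the thread or from Postfix/amavis; the sample
data and the trusted-relay list below are constructed (see lead-in)."""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample headers, modelled on the two Received: lines in the post.
SAMPLE_MESSAGE = """\
Return-Path: <oqoxlcfs@example.invalid>
Received: from hhyllw (smtp.domain.tld[192.0.2.10])
   by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
   for <jrochez@example.invalid>; Mon,  1 Feb 2010 08:49:00 +0200 (EET)
Received: from beoeb ([198.51.100.77])
   by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
   for <jrochez@example.invalid>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)
From: <oqoxlcfs@example.invalid>
Subject: constructed sample

body
"""

# Constructed sample amavis line, modelled on the one in the post.
SAMPLE_AMAVIS = ("Feb  1 08:44:18 smtp amavis[17227]: (17227-16) Passed SPAM, "
                 "ORIGINATING LOCAL [192.0.2.10] [198.51.100.77] "
                 "<mjandsvaw@example.invalid> -> <gu_has@example.invalid>, "
                 "Hits: 6.947, queued_as: 88B76180FE, 119 ms")

# Addresses this server relays for (what would be listed in Postfix mynetworks).
# Assumption: the remote site's static address is 192.0.2.10.
TRUSTED_RELAYS = [ip_network("192.0.2.10/32")]

# The bracketed dotted quad after "from" is the TCP peer as recorded by the
# receiving MTA.  The bare name before it is the client's HELO, which the
# client chooses, so it is deliberately not captured.
RECEIVED_CLIENT = re.compile(r"^from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)")
AMAVIS_ADDRS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return [(client_ip, receiving_host), ...], newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        client = RECEIVED_CLIENT.search(value)
        by = RECEIVED_BY.search(value)
        hops.append((client.group(1) if client else None,
                     by.group(1) if by else None))
    return hops


def is_trusted(ip, nets=TRUSTED_RELAYS):
    """True if ip is inside one of the trusted relay networks."""
    return ip is not None and any(ip_address(ip) in n for n in nets)


def injection_point(raw, nets=TRUSTED_RELAYS):
    """Walk outward from our own MTA.  The first client that is not a trusted
    relay is where the message entered the hosts we trust; the header naming
    it was written by the trusted host one hop newer, so that address can be
    believed.  Older headers come from untrusted hosts and may be forged.
    A hop with no recorded client address is treated as untrusted.
    Returns (client_ip, receiving_host, hop_index), or None if every hop is trusted."""
    for idx, (client, by) in enumerate(parse_received(raw)):
        if not is_trusted(client, nets):
            return (client, by, idx)
    return None


def amavis_addresses(logline):
    """Return the two bracketed addresses amavis logged, in order, or None."""
    m = AMAVIS_ADDRS.search(logline)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print("hops:", parse_received(SAMPLE_MESSAGE))
    print("entered trusted chain at:", injection_point(SAMPLE_MESSAGE))
    print("amavis saw:", amavis_addresses(SAMPLE_AMAVIS))
```

On the sample this returns the second hop: 198.51.100.77 handing the message to EADYCSRY, the host behind the trusted address. That is the machine whose logs need reading, as Jim says; the relay itself was not spoofed, it accepted mail from that client and passed it on. The amavis line in the post carries the same pair in the same order, the connecting client first and the address found further back in the Received: chain second, which is why both show up there.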