mail01:/var/log# grep 6F38E5F4595 mail.info
Nov 11 07:02:29 mail01 postfix/qmgr[26195]: 6F38E5F4595: from=<[EMAIL PROTECTED]>, size=2091, nrcpt=9 (queue active)
Nov 11 07:02:32 mail01 postfix/smtp[19552]: 6F38E5F4595: host mx2.comcast.net[76.96.30.116] refused to talk to me: 554 IMTA18.emeryville.ca.mail.comcast.net comcast 200.1.210.196 Comcast BL004 Blocked for spam. Please see http://help.comcast.net/content/faq/BL004
Nov 11 07:02:33 mail01 postfix/smtp[19552]: 6F38E5F4595: to=<[EMAIL PROTECTED]>, relay=mx1.comcast.net[76.96.62.116]:25, delay=302798, delays=302794/0.06/4.1/0, dsn=4.0.0, status=deferred (host mx1.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA22.westchester.pa.mail.comcast.net comcast 200.1.210.196 Comcast BL004 Blocked for spam. Please see http://help.comcast.net/content/faq/BL004)
Nov 11 07:02:33 mail01 postfix/smtp[19553]: 6F38E5F4595: host mail.swoca.net[216.48.128.4] said: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found (in reply to RCPT TO command)
Nov 11 07:02:39 mail01 postfix/smtp[19553]: 6F38E5F4595: to=<[EMAIL PROTECTED]>, relay=mail.swoca.net[216.48.128.5]:25, delay=302804, delays=302794/0.07/10/0.57, dsn=4.1.8, status=deferred (host mail.swoca.net[216.48.128.5] said: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found (in reply to RCPT TO command))
Nov 11 08:25:49 mail01 postfix/qmgr[26195]: 6F38E5F4595: from=<[EMAIL PROTECTED]>, size=2091, nrcpt=9 (queue active)
Nov 11 08:25:55 mail01 postfix/smtp[21638]: 6F38E5F4595: host mx2.comcast.net[76.96.30.116] refused to talk to me: 554 IMTA15.emeryville.ca.mail.comcast.net comcast 200.1.210.196 Comcast BL004 Blocked for spam. Please see http://help.comcast.net/content/faq/BL004
Nov 11 08:25:58 mail01 postfix/smtp[21638]: 6F38E5F4595: to=<[EMAIL PROTECTED]>, relay=mx1.comcast.net[76.96.62.116]:25, delay=307803, delays=307795/0.06/8.8/0, dsn=4.0.0, status=deferred (host mx1.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA24.westchester.pa.mail.comcast.net comcast 200.1.210.196 Comcast BL004 Blocked for spam. Please see http://help.comcast.net/content/faq/BL004)
Nov 11 08:26:00 mail01 postfix/smtp[21639]: 6F38E5F4595: host mail.swoca.net[216.48.128.5] said: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found (in reply to RCPT TO command)
Nov 11 08:26:21 mail01 postfix/smtp[21639]: 6F38E5F4595: to=<[EMAIL PROTECTED]>, relay=mail.swoca.net[216.48.128.4]:25, delay=307826, delays=307795/0.06/26/5.5, dsn=4.1.8, status=deferred (host mail.swoca.net[216.48.128.4] said: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found (in reply to RCPT TO command))
Nov 11 09:45:33 mail01 postfix/postsuper[23914]: 6F38E5F4595: removed

I couldn't find any records of D8AFD5F4526 in my current logfile...

mail01:/var/log# grep D8AFD5F4526 mail.info.3
->
Nov 7 18:55:47 mail01 postfix/smtpd[12749]: D8AFD5F4526: client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=liz
Nov 7 18:55:55 mail01 postfix/cleanup[12829]: D8AFD5F4526: message-id=<[EMAIL PROTECTED]>
Nov 7 18:55:55 mail01 postfix/qmgr[26195]: D8AFD5F4526: from=<[EMAIL PROTECTED]>, size=1495, nrcpt=10 (queue active)
Nov 7 18:56:02 mail01 postfix/cleanup[12974]: 6F38E5F4595: message-id=<[EMAIL PROTECTED]>
Nov 7 18:56:02 mail01 postfix/smtp[13099]: D8AFD5F4526: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=8.1/0/0/6.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=12218-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6F38E5F4595, but 1 REJECT)
Etc. etc.

YES! There's the hacked account. The problem was that the original message was already sent a few days ago, and therefore was in a logfile that was already zipped.

Thanks a lot, Wietse, for putting me on the right track.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wietse Venema
Sent: Tuesday, November 11, 2008 1:30 PM
To: Postfix users
Subject: Re: Spammers abusing my postfix box

What is the output of:

grep 6F38E5F4595 /the/maillog/file
grep D8AFD5F4526 /the/maillog/file

One is before Amavis, one is after Amavis.

Wietse
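
The lookup done by hand above, as an added example that is not part of the original messages: follow a post-Amavis queue ID back through the "queued as" line to the pre-filter queue ID and its sasl_username, reading zipped rotated logs as well. The log lines are constructed samples, and the function names (open_log, index_logs, trace, demo) are hypothetical.

```python
import gzip
import io
import re

# Constructed sample lines in the format shown above; IDs, addresses, username are placeholders.
ROTATED = """\
Nov  7 18:55:47 mail01 postfix/smtpd[12749]: AAAA0000001: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=exampleuser
Nov  7 18:56:02 mail01 postfix/smtp[13099]: AAAA0000001: to=<rcpt@example.net>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok, id=12218-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBBB0000002)
"""
CURRENT = """\
Nov 11 07:02:29 mail01 postfix/qmgr[26195]: BBBB0000002: from=<sender@example.org>, size=2091, nrcpt=9 (queue active)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
REQUEUE = re.compile(r"queued as ([0-9A-F]+)")
SASL = re.compile(r"client=([^,]+),.*?sasl_username=(\S+)")

def open_log(path):
    """Open a plain or gzip-compressed log as text (rotated logs are often zipped)."""
    opener = gzip.open if str(path).endswith(".gz") else open
    return opener(path, "rt", errors="replace")

def index_logs(streams):
    """Map re-injected queue IDs to their parent, and queue IDs to (client, sasl_username)."""
    parent, sasl = {}, {}
    for stream in streams:
        for line in stream:
            m = LINE.search(line)
            qid, rest = m.groups() if m else ("", "")  # non-matching lines yield nothing
            if (r := REQUEUE.search(rest)):
                parent[r.group(1)] = qid
            if (s := SASL.search(rest)):
                sasl[qid] = s.groups()
    return parent, sasl

def trace(qid, parent, sasl):
    """Walk back through content-filter re-injections to the submitting session."""
    chain = [qid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain, sasl.get(chain[-1])

def demo():
    # The older log is gzip-compressed in memory to mimic a zipped rotated file.
    old = gzip.open(io.BytesIO(gzip.compress(ROTATED.encode())), "rt")
    return trace("BBBB0000002", *index_logs([io.StringIO(CURRENT), old]))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass index_logs a list of open_log(path) handles covering both the current and the rotated mail logs.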