I attach some pieces of logs for better understanding.

Hi there

I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay a couple of remote IP addresses (static ADSL) of remote sites.

I cannot figure out how a spam originator fired some e-mails through my mail server using a specific remote IP, which was relayed.

Return-Path: <oqoxl...@hirewebdevelopersindia.com>
Received: from hhyllw (smtp.domain.tld[111.222.333.444])
    by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
    for <jroc...@domain1.tld>; Mon, 1 Feb 2010 08:49:00 +0200 (EET)
Received: from beoeb ([xxx.yyy.zzz.ccc])
    by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
    for <jroc...@domain1.tld>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)

The 111.222.333.444 is the relayed trusted IP and xxx.yyy.zzz.ccc is the malicious one.

Logs
Feb 1 08:44:18 smtp postfix/smtpd[17200]: connect from serial.domain.tld[111.222.333.444]
Feb 1 08:44:18 smtp postfix/qmgr[27864]: 88B76180FE: from=<mjands...@tentonhammer.com>, size=1997, nrcpt=2 (queue active)
Feb 1 08:44:18 smtp amavis[17227]: (17227-16) Passed SPAM, ORIGINATING LOCAL [111.222.333.444] [xxx.yyy.zzz.jjj] <mjands...@tentonhammer.com> -> <gu_...@web.de>,<guido.bergw...@web.de>, Message-ID: <016d01caa309$f8d25ed0$be63c...@bnsxldc>, mail_id: VSiSm3-q73CN, Hits: 6.947, size: 1589, queued_as: 88B76180FE, 119 ms
Feb 1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<gu_...@web.de>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
Feb 1 08:44:18 smtp postfix/smtp[17274]: 3CDEA180FD: to=<guido.bergw...@web.de>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.25/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17227-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 88B76180FE)
Feb 1 08:44:18 smtp postfix/qmgr[27864]: 3CDEA180FD: removed

111.222.333.444 is the trusted IP
xxx.yyy.zzz.jjj is the spammy IP
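
For triage of the situation described in this post, the following added example (not part of the original message) scans amavis result lines shaped like the one in the logs above and reports spam that was passed for a trusted relay client while the second bracketed address is a different host. The `TRUSTED_RELAYS` range, the addresses and the senders are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: networks allowed to relay (placeholder documentation range).
TRUSTED_RELAYS = [ip_network("192.0.2.0/24")]

# amavis result line as in the post:
#   amavis[pid]: (id) Passed SPAM, ORIGINATING LOCAL [client] [origin] <sender> -> ..., Hits: n
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>[A-Z-]+)"
    r"(?P<flags>[^\[]*)\[(?P<client>[^\]]+)\] \[(?P<origin>[^\]]+)\]"
    r" <(?P<sender>[^>]*)> ->.*?Hits: (?P<hits>-?[\d.]+)"
)

def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted relay networks."""
    try:
        ip = ip_address(addr)
    except ValueError:  # masked or malformed address in the log
        return False
    return any(ip in net for net in TRUSTED_RELAYS)

def relayed_spam(lines):
    """Yield (client, origin, sender, hits) for spam that was passed for a
    trusted client while the second bracketed address is another host."""
    for line in lines:
        m = AMAVIS_RE.search(line)
        if not m or m["verdict"] != "Passed" or not m["category"].startswith("SPAM"):
            continue
        if is_trusted(m["client"]) and m["origin"] != m["client"]:
            yield m["client"], m["origin"], m["sender"], float(m["hits"])

def summarize(lines):
    """Count passed-spam events per (trusted client, second address) pair."""
    return Counter((c, o) for c, o, _, _ in relayed_spam(lines))

PREFIX = "Feb  1 08:44:18 smtp amavis[17227]: "
SAMPLE_LOG = [  # constructed lines modelled on the excerpt in the post
    PREFIX + "(17227-16) Passed SPAM, ORIGINATING LOCAL [192.0.2.10] [198.51.100.7] "
    "<a@example.com> -> <b@example.net>, mail_id: AAAA, Hits: 6.947, size: 1589, 119 ms",
    PREFIX + "(17227-17) Passed CLEAN, ORIGINATING LOCAL [192.0.2.10] [192.0.2.10] "
    "<c@example.com> -> <d@example.net>, mail_id: BBBB, Hits: -1.2, size: 900, 80 ms",
    PREFIX + "(17227-18) Passed SPAM [203.0.113.5] [203.0.113.5] "
    "<e@example.org> -> <f@example.net>, mail_id: CCCC, Hits: 8.1, size: 700, 95 ms",
]

if __name__ == "__main__":
    for (client, origin), n in summarize(SAMPLE_LOG).items():
        print(f"{n} spam message(s) relayed for {client}, second address {origin}")
```

A pair that keeps appearing in the summary identifies which host behind the trusted relay to examine.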