Dear Patrick,

I did a test and I was able to successfully link the message to
the original username that was used to authenticate the connection
for message delivery.

The key was to grep '9A2E240330CE2' from the header

 33 Received: from laptop.localnet (unknown [122.161.212.115])
 34         by zmta01.trade-india-local.com (Postfix) with ESMTPA id 9A2E240330CE2
 35         for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)

in the logs, resulting in:

grep 9A2E240330CE2 /var/log/zimbra.log
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: 9A2E240330CE2:
client=unknown[122.161.212.115], sasl_method=PLAIN,
sasl_username=mal...@tradeindia.com
Apr 25 07:18:07 zmta01 postfix/cleanup[24623]: 9A2E240330CE2:
message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:07 zmta01 postfix/qmgr[5096]: 9A2E240330CE2:
from=<mal...@tradeindia.com>, size=627, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 postfix/smtp[24624]: 9A2E240330CE2:
to=<mallah.raj...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=1.4, delays=0.1/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok,
id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
0AE8A403E4DA5)
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: removed


Thanks for the info provided.


Regds
mallah.


  1 *** ENVELOPE RECORDS deferred/0/0AE8A403E4DA5 ***
  2 message_size:            1137             665               1         0            1137
  3 message_arrival_time: Mon Apr 25 07:18:09 2011
  4 create_time: Mon Apr 25 07:18:09 2011
  5 named_attribute: rewrite_context=local
  6 sender: mal...@tradeindia.com
  7 named_attribute: encoding=7bit
  8 named_attribute: log_client_name=localhost.localdomain
  9 named_attribute: log_client_address=127.0.0.1
 10 named_attribute: log_client_port=39357
 11 named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
 12 named_attribute: log_helo_name=localhost
 13 named_attribute: log_protocol_name=ESMTP
 14 named_attribute: client_name=localhost.localdomain
 15 named_attribute: reverse_client_name=localhost.localdomain
 16 named_attribute: client_address=127.0.0.1
 17 named_attribute: client_port=39357
 18 named_attribute: helo_name=localhost
 19 named_attribute: protocol_name=ESMTP
 20 named_attribute: client_address_type=2
 21 named_attribute: dsn_orig_rcpt=rfc822;mallah.raj...@gmail.com
 22 original_recipient: mallah.raj...@gmail.com
 23 recipient: mallah.raj...@gmail.com
 24 *** MESSAGE CONTENTS deferred/0/0AE8A403E4DA5 ***
 25 Received: from localhost (localhost.localdomain [127.0.0.1])
 26         by zmta01.trade-india-local.com (Postfix) with ESMTP id 0AE8A403E4DA5
 27         for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:09 +0530 (IST)
 28 X-Virus-Scanned: amavisd-new at zmta01.trade-india-local.com
 29 Received: from zmta01.trade-india-local.com ([127.0.0.1])
 30         by localhost (zmta01.trade-india-local.com [127.0.0.1]) (amavisd-new, port 10024)
 31         with ESMTP id b0lW-AuJD4rB for <mallah.raj...@gmail.com>;
 32         Mon, 25 Apr 2011 07:18:07 +0530 (IST)
 33 Received: from laptop.localnet (unknown [122.161.212.115])
 34         by zmta01.trade-india-local.com (Postfix) with ESMTPA id 9A2E240330CE2
 35         for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)
 36 From: Rajesh Kumar Mallah <mal...@tradeindia.com>
 37 Organization: Infocom Network Limited
 38 To: mallah.raj...@gmail.com
 39 Subject: TEST 5 to gmail.
 40 Date: Mon, 25 Apr 2011 07:14:11 +0530
 41 User-Agent: KMail/1.12.2 (Linux/2.6.31-14-generic; KDE/4.3.2; i686; ; )
 42 MIME-Version: 1.0
 43 Content-Type: Text/Plain;
 44   charset="us-ascii"
 45 Content-Transfer-Encoding: 7bit
 46 Message-Id: <201104250714.11986.mal...@tradeindia.com>
 47
 48 TEST
 49 *** HEADER EXTRACTED deferred/0/0AE8A403E4DA5 ***
 50 named_attribute: encoding=7bit
 51 *** MESSAGE FILE END deferred/0/0AE8A403E4DA5 ***

----------------- Relevant LOG entries ---------------------------------------------------

Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: warning: 122.161.212.115:
hostname ABTS-North-Dynamic-115.212.161.122.airtelbroadband.in
verification failed: Name or service not known
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: connect from
unknown[122.161.212.115]
Apr 25 07:18:07 zmta01 saslauthd[7714]: zmauth: authenticating against
elected url 'https://zmbox01.trade-india-local.com:7071/service/admin/soap/'
...
Apr 25 07:18:07 zmta01 saslauthd[7714]: zmpost:
url='https://zmbox01.trade-india-local.com:7071/service/admin/soap/'
returned buffer->data='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope";><soap:Header><context
xmlns="urn:zimbra"><change
token="448795"/></context></soap:Header><soap:Body><AuthResponse
xmlns="urn:zimbraAccount"><authToken>0_90fdbaa24f04d0a5b49b0692e3a6d4068db426bb_69643d33363a34396163643561342d316634652d343530332d626433312d3562303063356433313938653b6578703d31333a313330333836383838373533383b76763d323a31303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>',
hti->error=''
Apr 25 07:18:07 zmta01 saslauthd[7714]: auth_zimbra:
mal...@tradeindia.com auth OK
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: 9A2E240330CE2:
client=unknown[122.161.212.115], sasl_method=PLAIN,
sasl_username=mal...@tradeindia.com
Apr 25 07:18:07 zmta01 postfix/cleanup[24623]: 9A2E240330CE2:
message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:07 zmta01 postfix/qmgr[5096]: 9A2E240330CE2:
from=<mal...@tradeindia.com>, size=627, nrcpt=1 (queue active)
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) ESMTP::10024
/opt/zimbra/data/amavisd/tmp/amavis-20110425T063930-00783:
<mal...@tradeindia.com> -> <mallah.raj...@gmail.com> SIZE=627
Received: from zmta01.trade-india-local.com ([127.0.0.1]) by localhost
(zmta01.trade-india-local.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07
+0530 (IST)
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) Checking: b0lW-AuJD4rB
[122.161.212.115] <mal...@tradeindia.com> -> <mallah.raj...@gmail.com>
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) Open relay? Nonlocal
recips but not originating: mallah.raj...@gmail.com
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) cached
2debfdcf79f03e4a65a667d21ef9de14 from <mal...@tradeindia.com> (0,0)
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: connect from
localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: 0AE8A403E4DA5:
client=localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/cleanup[24623]: 0AE8A403E4DA5:
message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: disconnect from
localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 0AE8A403E4DA5:
from=<mal...@tradeindia.com>, size=1137, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 amavis[783]: (00783-12) FWD via SMTP:
<mal...@tradeindia.com> -> <mallah.raj...@gmail.com>,BODY=7BIT 250
2.0.0 Ok, id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 0AE8A403E4DA5
Apr 25 07:18:09 zmta01 amavis[783]: (00783-12) Passed CLEAN,
[122.161.212.115] [122.161.212.115] <mal...@tradeindia.com> ->
<mallah.raj...@gmail.com>, Message-ID:
<201104250714.11986.mal...@tradeindia.com>, mail_id: b0lW-AuJD4rB,
Hits: -3.395, size: 627, queued_as: 0AE8A403E4DA5, 1324 ms
Apr 25 07:18:09 zmta01 postfix/smtp[24624]: 9A2E240330CE2:
to=<mallah.raj...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=1.4, delays=0.1/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok,
id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
0AE8A403E4DA5)
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: removed
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to
gmail-smtp-in.l.google.com[72.14.213.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to
alt1.gmail-smtp-in.l.google.com[74.125.67.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to
alt2.gmail-smtp-in.l.google.com[74.125.47.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to
alt3.gmail-smtp-in.l.google.com[74.125.113.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to
alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: 0AE8A403E4DA5:
to=<mallah.raj...@gmail.com>, relay=none, delay=0.59,
delays=0/0/0.58/0, dsn=4.4.1, status=deferred (connect to
alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection refused)

On Mon, Apr 25, 2011 at 6:51 AM, Rajesh Kumar Mallah
<mallah.raj...@gmail.com> wrote:
> Dear Patrick,
>
> I express my gratitude to this list. I am grateful for the people
> in the list who contribute their gems. I am new to postfix (qmail migrant),
> but with a lively list like this I am feeling at home.
>
> postcat is very handy to print the headers and contents.
> I am sure I should be able to nab the culprit next time he/she
> does the same.
>
> In the meantime I shall improve the password policy and do research
> on the valuable inputs I got.
>
> Kind Regds
> mallah.
>
> On Mon, Apr 25, 2011 at 12:52 AM, Patrick Ben Koetter
> <p...@state-of-mind.de> wrote:
>> * mallah.raj...@gmail.com <mallah.raj...@gmail.com>:
>>> I am using policyd, but it looks like it has no control once the initial
>>> connection is established, authenticated and pipelining is being used to
>>> pump spam. Is it really so?
>>
>> At least version 1 of policyd can throttle SASL authenticated senders. I don't
>> know about v2.
>>
>>> Also, can anyone please guide if/how it is possible to know what account was
>>> compromised by seeing the files that lie in the deferred section of the postfix
>>> queue?
>>
>> Use "postqueue -p" to identify a spam message in the deferred queue.
>> Use "postcat -q QUEUEID" to examine the message and verify it is spam.
>> grep for the QUEUEID in your logs. If you run a recent version of Postfix the
>> log will turn up the sasl_login name. Search for the sasl_login name in your
>> database to identify the account and disable it.
>>
>> p@rick
>>
>> --
>> All technical questions asked privately will be automatically answered on the
>> list and archived for public access unless privacy is explicitly required
>> and justified.
>>
>> saslfinger (debugging SMTP AUTH):
>> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>>
>
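The chain worked through in this thread, as an added example that is not part of the original posts: the deferred queue ID belongs to the copy amavisd re-injected from 127.0.0.1, whose own smtpd log line carries no sasl_username, so the script unfolds the Received headers from `postcat -q` output, takes the queue ID of the `with ESMTPA id` hop and looks that ID up in the log for its sasl_username; it also shows the logs-only route of following `queued as`. Hostnames, addresses and the sample postcat and log lines are constructed.

```python
import re
# Constructed sample data modelled on the thread (hosts and addresses changed):
# postcat -q output of the deferred copy, and the matching mail log lines.
POSTCAT_OUTPUT = """\
*** MESSAGE CONTENTS deferred/0/0AE8A403E4DA5 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mta.example.test (Postfix) with ESMTP id 0AE8A403E4DA5
\tfor <rcpt@example.invalid>; Mon, 25 Apr 2011 07:18:09 +0530 (IST)
Received: from laptop.localnet (unknown [192.0.2.10])
\tby mta.example.test (Postfix) with ESMTPA id
\t9A2E240330CE2
\tfor <rcpt@example.invalid>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)
From: user@example.test
"""
MAIL_LOG = """\
Apr 25 07:18:07 mta postfix/smtpd[22832]: 9A2E240330CE2: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.test
Apr 25 07:18:09 mta postfix/smtpd[26372]: 0AE8A403E4DA5: client=localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 mta postfix/smtp[24624]: 9A2E240330CE2: to=<rcpt@example.invalid>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 0AE8A403E4DA5)
Apr 25 07:18:09 mta postfix/smtp[24603]: 0AE8A403E4DA5: to=<rcpt@example.invalid>, relay=none, status=deferred (connect to mx.example.invalid[203.0.113.5]:25: Connection refused)
"""

def message_headers(postcat_output):
    """Header lines of the MESSAGE CONTENTS section, with RFC 5322 folding undone."""
    lines = postcat_output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("*** MESSAGE CONTENTS")) + 1
    headers = []
    for line in lines[start:]:
        if line == "":                           # blank line ends the header block
            break
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers
def authenticated_queue_ids(headers):
    """Queue IDs of hops that used SMTP AUTH; Postfix marks those 'with ESMTPA id'."""
    return re.findall(r"with E?SMTPS?A id ([0-9A-Za-z]+)", "\n".join(headers))
def sasl_username_for(queue_id, mail_log):
    """sasl_username on this queue ID's postfix/smtpd line; None for an unauthenticated hop."""
    m = re.search(r"postfix/smtpd\[\d+\]: %s: .*sasl_username=([^\s,]+)" % re.escape(queue_id), mail_log)
    return m.group(1) if m else None
def predecessor_queue_id(queue_id, mail_log):
    """Logs-only route: the delivery logged 'queued as <queue_id>' carries the original queue ID."""
    m = re.search(r": ([0-9A-Za-z]+): to=.*queued as %s\b" % re.escape(queue_id), mail_log)
    return m.group(1) if m else None
def trace_deferred_message(postcat_output, mail_log):
    """Deferred copy -> authenticated hop's queue ID -> SASL login, as (queue_id, user) or None."""
    hits = [(q, sasl_username_for(q, mail_log)) for q in authenticated_queue_ids(message_headers(postcat_output))]
    return next(((q, u) for q, u in hits if u), None)
```

Running `trace_deferred_message(POSTCAT_OUTPUT, MAIL_LOG)` on the sample yields the original queue ID and the authenticated login, which is the account to disable and reset.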
