Dear Patrick,

I did a test and I was able to successfully link the message to the original username that was used to authenticate the connection for message delivery.
The key was to grep '9A2E240330CE2' from the header

Received: from laptop.localnet (unknown [122.161.212.115])
	by zmta01.trade-india-local.com (Postfix) with ESMTPA id 9A2E240330CE2
	for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)

in the logs, resulting in:

grep 9A2E240330CE2 /var/log/zimbra.log
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: 9A2E240330CE2: client=unknown[122.161.212.115], sasl_method=PLAIN, sasl_username=mal...@tradeindia.com
Apr 25 07:18:07 zmta01 postfix/cleanup[24623]: 9A2E240330CE2: message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:07 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: from=<mal...@tradeindia.com>, size=627, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 postfix/smtp[24624]: 9A2E240330CE2: to=<mallah.raj...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.1/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0AE8A403E4DA5)
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: removed

Thanks for the info provided.

Regds
mallah.
*** ENVELOPE RECORDS deferred/0/0AE8A403E4DA5 ***
message_size: 1137 665 1 0 1137
message_arrival_time: Mon Apr 25 07:18:09 2011
create_time: Mon Apr 25 07:18:09 2011
named_attribute: rewrite_context=local
sender: mal...@tradeindia.com
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=39357
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=39357
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;mallah.raj...@gmail.com
original_recipient: mallah.raj...@gmail.com
recipient: mallah.raj...@gmail.com
*** MESSAGE CONTENTS deferred/0/0AE8A403E4DA5 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
	by zmta01.trade-india-local.com (Postfix) with ESMTP id 0AE8A403E4DA5
	for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:09 +0530 (IST)
X-Virus-Scanned: amavisd-new at zmta01.trade-india-local.com
Received: from zmta01.trade-india-local.com ([127.0.0.1])
	by localhost (zmta01.trade-india-local.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id b0lW-AuJD4rB for <mallah.raj...@gmail.com>;
	Mon, 25 Apr 2011 07:18:07 +0530 (IST)
Received: from laptop.localnet (unknown [122.161.212.115])
	by zmta01.trade-india-local.com (Postfix) with ESMTPA id 9A2E240330CE2
	for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)
From: Rajesh Kumar Mallah <mal...@tradeindia.com>
Organization: Infocom Network Limited
To: mallah.raj...@gmail.com
Subject: TEST 5 to gmail.
Date: Mon, 25 Apr 2011 07:14:11 +0530
User-Agent: KMail/1.12.2 (Linux/2.6.31-14-generic; KDE/4.3.2; i686; ; )
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201104250714.11986.mal...@tradeindia.com>

TEST
*** HEADER EXTRACTED deferred/0/0AE8A403E4DA5 ***
named_attribute: encoding=7bit
*** MESSAGE FILE END deferred/0/0AE8A403E4DA5 ***

----------------- Relevant LOG entries ---------------------------------------------------

Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: warning: 122.161.212.115: hostname ABTS-North-Dynamic-115.212.161.122.airtelbroadband.in verification failed: Name or service not known
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: connect from unknown[122.161.212.115]
Apr 25 07:18:07 zmta01 saslauthd[7714]: zmauth: authenticating against elected url 'https://zmbox01.trade-india-local.com:7071/service/admin/soap/' ...
Apr 25 07:18:07 zmta01 saslauthd[7714]: zmpost: url='https://zmbox01.trade-india-local.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="448795"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_90fdbaa24f04d0a5b49b0692e3a6d4068db426bb_69643d33363a34396163643561342d316634652d343530332d626433312d3562303063356433313938653b6578703d31333a313330333836383838373533383b76763d323a31303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Apr 25 07:18:07 zmta01 saslauthd[7714]: auth_zimbra: mal...@tradeindia.com auth OK
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: 9A2E240330CE2: client=unknown[122.161.212.115], sasl_method=PLAIN, sasl_username=mal...@tradeindia.com
Apr 25 07:18:07 zmta01 postfix/cleanup[24623]: 9A2E240330CE2: message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:07 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: from=<mal...@tradeindia.com>, size=627, nrcpt=1 (queue active)
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20110425T063930-00783: <mal...@tradeindia.com> -> <mallah.raj...@gmail.com> SIZE=627 Received: from zmta01.trade-india-local.com ([127.0.0.1]) by localhost (zmta01.trade-india-local.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <mallah.raj...@gmail.com>; Mon, 25 Apr 2011 07:18:07 +0530 (IST)
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) Checking: b0lW-AuJD4rB [122.161.212.115] <mal...@tradeindia.com> -> <mallah.raj...@gmail.com>
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) Open relay? Nonlocal recips but not originating: mallah.raj...@gmail.com
Apr 25 07:18:07 zmta01 amavis[783]: (00783-12) cached 2debfdcf79f03e4a65a667d21ef9de14 from <mal...@tradeindia.com> (0,0)
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: connect from localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: 0AE8A403E4DA5: client=localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/cleanup[24623]: 0AE8A403E4DA5: message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: disconnect from localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 0AE8A403E4DA5: from=<mal...@tradeindia.com>, size=1137, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 amavis[783]: (00783-12) FWD via SMTP: <mal...@tradeindia.com> -> <mallah.raj...@gmail.com>,BODY=7BIT 250 2.0.0 Ok, id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0AE8A403E4DA5
Apr 25 07:18:09 zmta01 amavis[783]: (00783-12) Passed CLEAN, [122.161.212.115] [122.161.212.115] <mal...@tradeindia.com> -> <mallah.raj...@gmail.com>, Message-ID: <201104250714.11986.mal...@tradeindia.com>, mail_id: b0lW-AuJD4rB, Hits: -3.395, size: 627, queued_as: 0AE8A403E4DA5, 1324 ms
Apr 25 07:18:09 zmta01 postfix/smtp[24624]: 9A2E240330CE2: to=<mallah.raj...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.1/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0AE8A403E4DA5)
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: removed
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to gmail-smtp-in.l.google.com[72.14.213.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to alt1.gmail-smtp-in.l.google.com[74.125.67.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to alt2.gmail-smtp-in.l.google.com[74.125.47.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to alt3.gmail-smtp-in.l.google.com[74.125.113.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection refused
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: 0AE8A403E4DA5: to=<mallah.raj...@gmail.com>, relay=none, delay=0.59, delays=0/0/0.58/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection refused)

On Mon, Apr 25, 2011 at 6:51 AM, Rajesh Kumar Mallah <mallah.raj...@gmail.com> wrote:
> Dear Patrick,
>
> I express my gratitude to this list. I am grateful for the people
> in the list who contribute their gems. I am new to postfix (qmail migrant),
> but with a lively list like this I am feeling at home.
>
> The postcat is very handy to print the headers and contents.
> I am sure I should be able to nab the culprit next time he/she
> does the same.
>
> In the meantime I shall improve the password policy and do research
> on the valuable inputs received.
>
> Kind Regds
> mallah.
>
> On Mon, Apr 25, 2011 at 12:52 AM, Patrick Ben Koetter
> <p...@state-of-mind.de> wrote:
>> * mallah.raj...@gmail.com <mallah.raj...@gmail.com>:
>>> I am using policyd but it looks like it has no control once the initial
>>> connection is established, authenticated and pipelining is being used to
>>> pump spam. Is it really so?
>>
>> At least version 1 of policyd can throttle SASL authenticated senders. I don't
>> know about v2.
>>
>>> Also can anyone pls guide if/how it is possible to know what account was
>>> compromised by seeing the files that lie in the deferred section of postfix
>>> queue?
>>
>> Use "postqueue -p" to identify a spam message in the deferred queue.
>> Use "postcat -q QUEUEID" to examine the message and verify it is spam.
>> grep for the QUEUEID in your logs. If you run a recent version of Postfix the
>> log will turn up the sasl_login name. Search for the sasl_login name in your
>> database to identify the account and disable it.
>>
>> p@rick
>>
>> --
>> All technical questions asked privately will be automatically answered on the
>> list and archived for public access unless privacy is explicitly required and
>> justified.
>>
>> saslfinger (debugging SMTP AUTH):
>> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>
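The procedure Patrick outlines (postqueue -p, postcat -q QUEUEID, grep the queue ID in the log, read off sasl_username) has one wrinkle that the postcat output above makes visible: the ID sitting in deferred/ (0AE8A403E4DA5) is the one Postfix assigned when amavisd re-injected the mail on port 10025, and that smtpd line only shows client=localhost.localdomain[127.0.0.1]. The sasl_username lives on the original submission ID (9A2E240330CE2), and the two are linked by the "queued as 0AE8A403E4DA5" text in the smtp delivery line. The script below automates that back-walk over syslog lines. It is an added example for this thread, not code from the list or from Postfix; the sample log reuses the lines posted above and adds three constructed lines for a hypothetical login alice@example.com from 198.51.100.7 so that the per-login count has something to show. It assumes the stock Postfix syslog format "<timestamp> <host> postfix/<daemon>[<pid>]: <QUEUEID>: <text>".

```python
"""Walk a Postfix deferred-queue ID back to the SASL login that submitted it.

Added example, not code from the thread or from Postfix. The sample log
reuses the mail.log lines posted in the thread (queue IDs 9A2E240330CE2 and
0AE8A403E4DA5) and adds three constructed lines for a hypothetical login
alice@example.com. Assumes the default Postfix syslog line format.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: warning: 122.161.212.115: hostname ABTS-North-Dynamic-115.212.161.122.airtelbroadband.in verification failed: Name or service not known
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: connect from unknown[122.161.212.115]
Apr 25 07:18:07 zmta01 postfix/smtpd[22832]: 9A2E240330CE2: client=unknown[122.161.212.115], sasl_method=PLAIN, sasl_username=mal...@tradeindia.com
Apr 25 07:18:07 zmta01 postfix/cleanup[24623]: 9A2E240330CE2: message-id=<201104250714.11986.mal...@tradeindia.com>
Apr 25 07:18:07 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: from=<mal...@tradeindia.com>, size=627, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 postfix/smtpd[26372]: 0AE8A403E4DA5: client=localhost.localdomain[127.0.0.1]
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 0AE8A403E4DA5: from=<mal...@tradeindia.com>, size=1137, nrcpt=1 (queue active)
Apr 25 07:18:09 zmta01 postfix/smtp[24624]: 9A2E240330CE2: to=<mallah.raj...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.1/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=00783-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0AE8A403E4DA5)
Apr 25 07:18:09 zmta01 postfix/qmgr[5096]: 9A2E240330CE2: removed
Apr 25 07:18:09 zmta01 postfix/smtp[24603]: 0AE8A403E4DA5: to=<mallah.raj...@gmail.com>, relay=none, delay=0.59, delays=0/0/0.58/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[209.85.229.27]:25: Connection refused)
Apr 25 07:20:01 zmta01 postfix/smtpd[22840]: 1B2C3D4E5F601: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Apr 25 07:20:02 zmta01 postfix/smtpd[22840]: 1B2C3D4E5F602: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Apr 25 07:20:03 zmta01 postfix/smtpd[22840]: 1B2C3D4E5F603: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
"""

# Only lines tagged with a queue ID are interesting; "warning:" and
# "connect from" lines have no ID and are skipped by the length/charset test.
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<proc>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{8,}|[0-9A-Za-z]{12,}): (?P<msg>.*)$"
)
# "queued as X" is how one Postfix hop reports the ID the next hop assigned.
QUEUED_AS_RE = re.compile(r"queued as (?P<next>[0-9A-Za-z]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^\s,]+)")


def parse_log(text):
    """Return (daemon, queue_id, message) for every queue-ID-tagged Postfix line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append((m["proc"], m["qid"], m["msg"]))
    return records


def predecessor_map(records):
    """Map each re-injected queue ID to the queue ID that handed it off."""
    prev = {}
    for _, qid, msg in records:
        m = QUEUED_AS_RE.search(msg)
        if m:
            prev[m["next"]] = qid
    return prev


def origin_chain(qid, records):
    """Follow 'queued as' links backwards; the last element is the submission ID."""
    prev = predecessor_map(records)
    chain = [qid]
    while chain[-1] in prev and prev[chain[-1]] not in chain:  # loop guard
        chain.append(prev[chain[-1]])
    return chain


def sasl_login(qid, records):
    """The sasl_username smtpd logged for this queue ID, or None if unauthenticated."""
    for proc, q, msg in records:
        if proc == "smtpd" and q == qid:
            m = SASL_RE.search(msg)
            if m:
                return m["user"]
    return None


def trace(deferred_qid, log_text):
    """Which login submitted the message that now sits in deferred/ under this ID?"""
    records = parse_log(log_text)
    chain = origin_chain(deferred_qid, records)
    return {"chain": chain, "origin": chain[-1],
            "sasl_username": sasl_login(chain[-1], records)}


def submissions_per_login(log_text):
    """Count authenticated submissions per login; a pumped account stands out here."""
    counts = Counter()
    for proc, _, msg in parse_log(log_text):
        if proc == "smtpd":
            m = SASL_RE.search(msg)
            if m:
                counts[m["user"]] += 1
    return counts


if __name__ == "__main__":
    print(trace("0AE8A403E4DA5", SAMPLE_LOG))
    print(submissions_per_login(SAMPLE_LOG).most_common())
```

On the server in the thread the same call runs against the real file with trace(QUEUEID, open("/var/log/zimbra.log").read()); the chain it returns can be cross-checked against the Received: headers from postcat -q, where the ESMTPA hop carries the same original ID. submissions_per_login gives the per-account volume that a throttling policy would key on, which is the quickest way to spot the one login that suddenly submits hundreds of messages from an unfamiliar client address.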