Help deciphering mail transaction that resulted in reply to spammer


techlist06
Postfix 3.2.2, CentOS 7, amavisd, clamav

Upgrading my server, and recently migrated one of my older domains that gets more spam.  When checking my mail queue I saw a few deferred messages to addresses that alarmed me.  I had a moment of panic thinking maybe I had configured something allowing a relay.  Looked and decided I was OK there but I want to understand what caused these deferred messages.  I figure I have something set wrong that allowed it in the first place.  I *think* it's a bounce where I would not want a bounce.

Can someone help me follow this sample transaction?  (apologies for the wrapping, copied/pasted out of putty).  My comments on the pieces I think I "get" are in-line:

Sanitized:
myuser@userdomain.org - target recipient
mail1.myserver - the server
pp.pp.pp.pp and ss.ss.ss.ss  primary and secondary IPs of the box.

> spammer connects
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:44150 to [pp.pp.pp.pp]:25

> apparently passes postscreen, gets 450 "greylisted" due to after-220 checks

Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from [5.133.8.185]:44150: 450 4.3.2 Service currently unavailable; from=<Online.Casino.Games@pearls.preal.us>, to=<myuser@userdomain.org>, proto=ESMTP, helo=<pearls.preal.us>

> added to temp whitelist, disconnect

Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW [5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT [5.133.8.185]:44150

> reconnects to secondary IP and is passed due to previous PASS
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD [5.133.8.185]:33753

> the rest, and why there was a reply to spammer attempt is fuzzy to me:

Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname accept.rootp.us does not resolve to address 5.133.8.185: Name or service not known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]

Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<Online.Casino.Games@pearls.preal.us>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A: <Online.Casino.Games@pearls.preal.us> -> <myuser@userdomain.org> SIZE=6760 BODY=8BITMIME RET=HDRS Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <myuser@userdomain.org>; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [5.133.8.185] <Online.Casino.Games@pearls.preal.us> -> <myuser@userdomain.org>
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error: unexpected end of header; ; error: couldn't parse head; error near:; ; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910: message-id=<DSNpqyogYJQxVad@mail1.myserver.com>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <Online.Casino.Games@pearls.preal.us>, ENVID=AM.waLiP0ZsHz9C.20170727T000557Z@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185] <Online.Casino.Games@pearls.preal.us> -> <myuser@userdomain.org>, Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myuser@userdomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:57 mail1 postfix/smtpd[11088]: disconnect from unknown[5.133.8.185] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 postfix/smtp[11064]: connect to mail.preal.us[5.133.8.185]:25: Connection refused
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=<Online.Casino.Games@pearls.preal.us>, relay=none, delay=0.38, delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to mail.preal.us[5.133.8.185]:25: Connection refused


Postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost, pp.pp.pp.pp, ss.ss.ss.ss
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = myserver.com
myhostname = mail1.myserver.com
mynetworks = localhost, $mydomain, pp.pp.pp.pp/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net*2 dnsbl.sorbs.net psbl.surriel.com*2 list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = !ss.ss.ss.ss static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.2/README_FILES
relay_domains = anothercompany.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix3-3.2.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2700
smtpd_recipient_restrictions = reject_invalid_hostname permit_dnswl_client list.dnswl.org=127.0.[2..14].[2..3], reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname, warn_if_reject reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre check_recipient_access hash:/etc/postfix/recipient_checks check_helo_access hash:/etc/postfix/helo_checks check_sender_access hash:/etc/postfix/sender_checks check_client_access hash:/etc/postfix/client_checks check_client_access pcre:/etc/postfix/client_checks.pcre check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-plus.pcre check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre reject_rbl_client zen.spamhaus.org=127.0.0.[2..255], reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99], permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_checks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/mail1.myserver.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail1.myserver.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
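Reading the log above: Postfix accepted the message (queue ID E58673D02) and handed it to amavisd on port 10024. amavisd's verdict line, `Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}`, says it quarantined the message and, because its policy for the bad-header category is to bounce, generated a non-delivery notification itself. That DSN is the `SEND from <> -> <Online.Casino.Games@pearls.preal.us>` line: amavisd re-injected it on port 10025 with the null envelope sender, Postfix queued it as 67FB13910 with Message-ID `<DSNpqyogYJQxVad@mail1.myserver.com>`, and the `status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)` on the original queue ID is amavisd telling Postfix it took responsibility for the message, so Postfix itself generated no bounce. Postfix then tried to deliver the DSN to the MX of the forged sender domain, mail.preal.us, and deferred it. Nothing here is an open relay: the DSN enters through the loopback re-injection listener, which is in `mynetworks` by design, and none of the `smtpd_*_restrictions` in `postconf -n` are consulted for it. It is backscatter, a bounce sent to an address that never sent the message. In amavisd-new this is selected by `$final_bad_header_destiny = D_BOUNCE;` in amavisd.conf; `D_DISCARD` (or `D_PASS`, to deliver the message anyway) stops it, and `$final_spam_destiny` and `$final_banned_destiny` deserve the same check. `soft_bounce = no` in main.cf has no bearing on this.

The following is an added Python example, not code from the post or from amavisd, that performs this correlation over a maillog: it joins an amavisd verdict carrying the `BouncedInbound` flag to the `SEND from <>` line of the same amavis task, then attaches Postfix's delivery status for the DSN's own queue ID, so a periodic run lists every DSN the filter sent to a foreign sender address. The sample log embedded in it is a constructed, trimmed copy of the lines quoted in the post; the function and field names are my own.

```python
import re

# Constructed sample: a trimmed, sanitized copy of the lines quoted in the post
# (same queue IDs, amavis task ID and addresses), one log record per line.
SAMPLE_LOG = """\
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<Online.Casino.Games@pearls.preal.us>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <Online.Casino.Games@pearls.preal.us>, ENVID=AM.waLiP0ZsHz9C.20170727T000557Z@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185] <Online.Casino.Games@pearls.preal.us> -> <myuser@userdomain.org>, Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myuser@userdomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=<Online.Casino.Games@pearls.preal.us>, relay=none, delay=0.38, delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to mail.preal.us[5.133.8.185]:25: Connection refused)
"""

# amavisd verdict line: action, category, the {...} flags, client IP, envelope
# addresses and the Postfix queue ID of the inbound message.
AMAVIS_VERDICT = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Passed|Blocked) "
    r"(?P<reason>[A-Z-]+\d*) \{(?P<flags>[^}]*)\}, \[(?P<ip>[^\]]+)\]:\d+ "
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]+)>, Queue-ID: (?P<qid>[0-9A-F]+)"
)
# amavisd re-injection line for a message it sends itself.  A DSN has the null
# envelope sender (<>) and Postfix reports the new queue ID after "queued as".
AMAVIS_SEND = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) \S+ SEND from <(?P<sender>[^>]*)> "
    r"-> <(?P<rcpt>[^>]+)>.*?queued as (?P<qid>[0-9A-F]+)"
)
# Postfix delivery-agent status line for any queue ID.
POSTFIX_STATUS = re.compile(
    r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]+)>, .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def find_backscatter(log_text):
    """Return one record per DSN that amavisd generated for an inbound message.

    The verdict carries the BouncedInbound flag; the DSN itself is the SEND
    line with a null sender in the same amavis task.  The two are joined on
    the task ID, then Postfix's status for the DSN's own queue ID is attached
    so the caller can see whether the backscatter was delivered or deferred.
    Order-independent: amavisd logs SEND before the verdict, so everything is
    collected first and joined afterwards.
    """
    verdicts, dsns, statuses = {}, {}, {}
    for line in log_text.splitlines():
        if (m := AMAVIS_VERDICT.search(line)):
            verdicts[m["task"]] = m.groupdict()
        elif (m := AMAVIS_SEND.search(line)):
            if m["sender"] == "":        # null sender: a bounce, not a relayed copy
                dsns[m["task"]] = m.groupdict()
        elif (m := POSTFIX_STATUS.search(line)):
            statuses[m["qid"]] = m.groupdict()

    findings = []
    for task, v in verdicts.items():
        if "BouncedInbound" not in v["flags"].split(","):
            continue
        d = dsns.get(task)
        st = statuses.get(d["qid"]) if d else None
        findings.append({
            "inbound_qid": v["qid"],
            "client_ip": v["ip"],
            "verdict": f"{v['action']} {v['reason']}",
            "forged_sender": v["sender"],          # where the DSN is addressed
            "dsn_qid": d["qid"] if d else None,
            "dsn_to": d["rcpt"] if d else None,
            "dsn_status": st["status"] if st else None,
            "dsn_code": st["dsn"] if st else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG):
        print(f"{f['inbound_qid']} from {f['client_ip']} {f['verdict']}: "
              f"DSN {f['dsn_qid']} -> {f['dsn_to']} is {f['dsn_status']} ({f['dsn_code']})")
```

Run it against a real log with `find_backscatter(open("/var/log/maillog").read())`. Every record is backscatter regardless of its delivery status: a `sent` DSN already reached an uninvolved third party, and a `deferred` one, like 67FB13910 above, is still sitting in the queue retrying. After changing the `$final_*_destiny` settings in amavisd.conf and reloading amavisd, the list should stop growing; any deferred DSNs already queued can be dropped with `postsuper -d`.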