Determining which account is sending spam

#1
Customers' email accounts get hacked again and again. However, the log file gives no information about which account is the spam sender.

11F02C3B15 1642 Thu Aug 25 11:27:35 shelly_greene@kundendomain.xyz
(delivery temporarily suspended: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 421 4.7.1 :
(DYN:T1) https://postmaster.aol.com/error-codes#421dynt1)
iwtey2@aol.com

How can I most quickly find out which account sent this email via my server?

Thanks in advance
 
#2
First run mailq, pick any mail ID, and then run postcat /var/spool/postfix/deferred/1/11F02C3B15 (from your example).

There you can see who submitted the mail.
 

Till

Administrator
#3
This also works:

postcat -q 11F02C3B15

The -q option has the advantage that it works on all queues, so you don't have to specify the path deferred, active, etc. :)
 
#4
With that I get

Code:
*** ENVELOPE RECORDS 5AA33C2842 ***
message_size:            1700             615               1               0            1700
message_arrival_time: Thu Aug 25 12:01:14 2016
create_time: Thu Aug 25 12:01:14 2016
named_attribute: rewrite_context=local
sender: diane_lynch@kundendomain.xyz
named_attribute: encoding=7bit
named_attribute: log_client_name=unknown
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=34860
named_attribute: log_message_origin=unknown[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=127.0.0.1
named_attribute: client_port=34860
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;w2w4w6w82000@yahoo.ca
original_recipient: w2w4w6w82000@yahoo.ca
recipient: w2w4w6w82000@yahoo.ca
*** MESSAGE CONTENTS 5AA33C2842 ***
Received: from localhost (unknown [127.0.0.1])
        by srv05.sid.at (Postfix) with ESMTP id 5AA33C2842
        for <w2w4w6w82000@yahoo.ca>; Thu, 25 Aug 2016 10:01:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at srv05.sid.at
Received: from srv05.sid.at ([127.0.0.1])
        by localhost (srv05.sid.at [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id p1utiU5OtYMv for <w2w4w6w82000@yahoo.ca>;
        Thu, 25 Aug 2016 12:01:09 +0200 (CEST)
Received: by srv05.sid.at (Postfix, from userid 5039)
        id DF509C2843; Thu, 25 Aug 2016 12:00:10 +0200 (CEST)
To: w2w4w6w82000@yahoo.ca
Subject: Two spicy bitches are sucking hard dick
X-PHP-Originating-Script: 5039:dir58.php(1962) : eval()'d code
Date: Thu, 25 Aug 2016 12:00:10 +0200
From: Diane Lynch <diane_lynch@kundendomain.xyz>
Message-ID: <17a7a84d2ce8f479e0d9632050ed62c8@kundendomain.xyz>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="b1_17a7a84d2ce8f479e0d9632050ed62c8"
Content-Transfer-Encoding: 8bit

--b1_17a7a84d2ce8f479e0d9632050ed62c8
Content-Type: text/plain; charset=us-ascii

Plumpy chick Hideko Okura soaps and washes cock in the shower room [ http://www.bellarosa-algerie.com/ini.php?c=111&fP4J7Dd8QrTNZyU4dfC7f4YESY=J7Cd&8Zd=1R&3QYNj=z ] Look here.


--b1_17a7a84d2ce8f479e0d9632050ed62c8
Content-Type: text/html; charset=us-ascii

<html>
<body>
<div style="font-family:Arial,sans-serif;color:#000000;font-size:14px;">
Plumpy chick Hideko Okura soaps and washes cock in the shower room <a href="http://www.bellarosa-algerie.com/ini.php?c=111&fP4J7Dd8QrTNZyU4dfC7f4YESY=J7Cd&8Zd=1R&3QYNj=z">Look here.</a>
</div>
</body>
</html>



--b1_17a7a84d2ce8f479e0d9632050ed62c8--

*** HEADER EXTRACTED 5AA33C2842 ***
named_attribute: encoding=8bit
*** MESSAGE FILE END 5AA33C2842 ***
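
Added example, not part of the thread: a shell function that condenses `postcat -q` output like the one in post #4 into the fields that identify the submitter (envelope sender and client address, the `from userid` Received line Postfix adds for local submissions, and PHP's `X-PHP-Originating-Script` header). The names `postcat_origin` and `sample_postcat` and the `origin=` labels are made up for this example; `sasl_username` is the envelope attribute Postfix records only when a message arrived over SMTP AUTH, so its absence means "not recorded in this queue file".

```shell
#!/bin/sh
# Added example, not from the thread. On the mail server:
#   postcat -q 5AA33C2842 | postcat_origin
postcat_origin() {
  awk '
  function val(s) { sub(/^[^=]*=/, "", s); return s }
  # Strict state machine so text in the mail body cannot pose as envelope or header
  st == ""    && /^\*\*\* ENVELOPE RECORDS/ { qid = $4; st = "env"; next }
  st == "env" && /^\*\*\* MESSAGE CONTENTS/ { st = "hdr"; next }
  st == "hdr" && /^$/                       { st = "body" }
  # Envelope records are written by Postfix, not by the sender
  st == "env" && /^sender: /                         { sender = $2 }
  st == "env" && /^named_attribute: client_address=/ { client = val($0) }
  st == "env" && /^named_attribute: sasl_username=/  { sasl = val($0) }
  # Postfix prepends its own Received line, so only the topmost match counts
  st == "hdr" && uid == "" && /^Received: by .*\(Postfix, from userid [0-9]+\)/ {
    uid = $0; sub(/.*from userid /, "", uid); sub(/[^0-9].*/, "", uid)
  }
  st == "hdr" && script == "" && /^X-PHP-Originating-Script: / {
    script = $0; sub(/^X-PHP-Originating-Script: /, "", script)
  }
  END {
    origin = "unknown"
    if (sasl != "")        origin = "smtp-auth"
    else if (script != "") origin = "local-php-script"
    else if (uid != "")    origin = "local-submission"
    printf "queue_id=%s\nsender=%s\nclient_address=%s\n", qid, sender, client
    printf "sasl_username=%s\nlocal_uid=%s\nphp_script=%s\n", sasl, uid, script
    printf "origin=%s\n", origin
  }'
}
# Constructed sample: trimmed from the postcat output in post #4, plus one
# made-up body line that imitates an envelope record.
sample_postcat() {
  cat <<'EOF'
*** ENVELOPE RECORDS 5AA33C2842 ***
sender: diane_lynch@kundendomain.xyz
named_attribute: client_address=127.0.0.1
*** MESSAGE CONTENTS 5AA33C2842 ***
Received: by srv05.sid.at (Postfix, from userid 5039)
X-PHP-Originating-Script: 5039:dir58.php(1962) : eval()'d code

sender: forged-in-body@example.invalid
*** MESSAGE FILE END 5AA33C2842 ***
EOF
}
sample_postcat | postcat_origin
```

For the sample this reports `origin=local-php-script` with `local_uid=5039`: the mail was handed to Postfix by a PHP script running as that system user, not through a mailbox login.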
 
