Determining which account spam is being sent through

andy1965

Member
Customer email accounts keep getting hacked. The log file, however, gives no information about which account the spam sender is.

11F02C3B15 1642 Thu Aug 25 11:27:35 shelly_greene@kundendomain.xyz
(delivery temporarily suspended: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 421 4.7.1 :
(DYN:T1) https://postmaster.aol.com/error-codes#421dynt1)
iwtey2@aol.com

How can I find out as quickly as possible which account sent this email through my server?

Thanks in advance
 

wotan2005

Member
First run mailq, then take any mail ID and then run postcat /var/spool/postfix/deferred/1/11F02C3B15 (from your example)

There you can see who submitted the mail.
 

Till

Administrator
Also works with:

postcat -q 11F02C3B15

The -q option has the advantage that it works across all queues, so you don't have to specify the path deferred, active, etc. :)
 

andy1965

Member
That gives me

Code:
*** ENVELOPE RECORDS 5AA33C2842 ***
message_size:            1700             615               1               0            1700
message_arrival_time: Thu Aug 25 12:01:14 2016
create_time: Thu Aug 25 12:01:14 2016
named_attribute: rewrite_context=local
sender: diane_lynch@kundendomain.xyz
named_attribute: encoding=7bit
named_attribute: log_client_name=unknown
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=34860
named_attribute: log_message_origin=unknown[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=127.0.0.1
named_attribute: client_port=34860
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;w2w4w6w82000@yahoo.ca
original_recipient: w2w4w6w82000@yahoo.ca
recipient: w2w4w6w82000@yahoo.ca
*** MESSAGE CONTENTS 5AA33C2842 ***
Received: from localhost (unknown [127.0.0.1])
        by srv05.sid.at (Postfix) with ESMTP id 5AA33C2842
        for <w2w4w6w82000@yahoo.ca>; Thu, 25 Aug 2016 10:01:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at srv05.sid.at
Received: from srv05.sid.at ([127.0.0.1])
        by localhost (srv05.sid.at [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id p1utiU5OtYMv for <w2w4w6w82000@yahoo.ca>;
        Thu, 25 Aug 2016 12:01:09 +0200 (CEST)
Received: by srv05.sid.at (Postfix, from userid 5039)
        id DF509C2843; Thu, 25 Aug 2016 12:00:10 +0200 (CEST)
To: w2w4w6w82000@yahoo.ca
Subject: Two spicy bitches are sucking hard dick
X-PHP-Originating-Script: 5039:dir58.php(1962) : eval()'d code
Date: Thu, 25 Aug 2016 12:00:10 +0200
From: Diane Lynch <diane_lynch@kundendomain.xyz>
Message-ID: <17a7a84d2ce8f479e0d9632050ed62c8@kundendomain.xyz>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="b1_17a7a84d2ce8f479e0d9632050ed62c8"
Content-Transfer-Encoding: 8bit

--b1_17a7a84d2ce8f479e0d9632050ed62c8
Content-Type: text/plain; charset=us-ascii

Plumpy chick Hideko Okura soaps and washes cock in the shower room [ http://www.bellarosa-algerie.com/ini.php?c=111&fP4J7Dd8QrTNZyU4dfC7f4YESY=J7Cd&8Zd=1R&3QYNj=z ] Look here.


--b1_17a7a84d2ce8f479e0d9632050ed62c8
Content-Type: text/html; charset=us-ascii

<html>
<body>
<div style="font-family:Arial,sans-serif;color:#000000;font-size:14px;">
Plumpy chick Hideko Okura soaps and washes cock in the shower room <a href="http://www.bellarosa-algerie.com/ini.php?c=111&fP4J7Dd8QrTNZyU4dfC7f4YESY=J7Cd&8Zd=1R&3QYNj=z">Look here.</a>
</div>
</body>
</html>



--b1_17a7a84d2ce8f479e0d9632050ed62c8--

*** HEADER EXTRACTED 5AA33C2842 ***
named_attribute: encoding=8bit
*** MESSAGE FILE END 5AA33C2842 ***
 

andy1965

Member
I think I've found it: 5036 (beoper) was created by the Symantec Backup Exec Agent, and the spam is being sent through it!
Unbelievable ...
 

Till

Administrator
And the sending is done via the PHP script dir58.php.

X-PHP-Originating-Script: 5039:dir58.php(1962) : eval()'d code
 

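As an added illustration of the procedure discussed in this thread (run postcat -q on the queue ID, then read the envelope records and the Received/X-PHP-Originating-Script headers to find the submitting local account), here is a small parser. It is not code from the thread; the postcat output, the queue IDs and the uid-to-account mapping are constructed placeholders (on a real host you would use pwd.getpwuid instead of the dictionary).

```python
import re

# Constructed sample of `postcat -q <queue-id>` output, modelled on the
# envelope records and headers Postfix prints. All values are placeholders.
SAMPLE_POSTCAT = """*** ENVELOPE RECORDS ABC123 ***
sender: jane_doe@example.invalid
named_attribute: log_client_address=127.0.0.1
recipient: victim@example.invalid
*** MESSAGE CONTENTS ABC123 ***
Received: from localhost (unknown [127.0.0.1])
        by mail.example.invalid (Postfix) with ESMTP id ABC123
Received: by mail.example.invalid (Postfix, from userid 5039)
        id DEF456; Thu, 25 Aug 2016 12:00:10 +0200 (CEST)
To: victim@example.invalid
X-PHP-Originating-Script: 5039:dir58.php(1962) : eval()'d code
From: Jane Doe <jane_doe@example.invalid>

Received: by forged.example.invalid (Postfix, from userid 0)
*** HEADER EXTRACTED ABC123 ***
*** MESSAGE FILE END ABC123 ***
"""

# Constructed uid -> account mapping (assumption; stands in for pwd.getpwuid).
UID_TO_ACCOUNT = {5039: "web5"}

def parse_postcat(text):
    """Extract the fields that identify the submitting account.
    The envelope sender is chosen by the spam script and is only a hint;
    the 'Received: by ... (Postfix, from userid N)' line and the
    X-PHP-Originating-Script header are written by Postfix/PHP themselves."""
    info = {"sender": None, "client_address": None,
            "submit_uid": None, "php_uid": None, "php_script": None}
    in_headers = False
    for line in text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            in_headers = True
            continue
        if not in_headers:  # envelope records
            m = re.match(r"sender:\s*(\S+)", line)
            if m:
                info["sender"] = m.group(1)
            m = re.match(r"named_attribute:\s*log_client_address=(\S+)", line)
            if m:
                info["client_address"] = m.group(1)
            continue
        if line == "":  # end of headers; the body is attacker-controlled, so stop
            break
        # Postfix prepends its Received line, so the first match is the trusted one.
        m = re.match(r"Received: by .*\(Postfix, from userid (\d+)\)", line)
        if m and info["submit_uid"] is None:
            info["submit_uid"] = int(m.group(1))
        m = re.match(r"X-PHP-Originating-Script:\s*(\d+):(.*)", line)
        if m and info["php_uid"] is None:
            info["php_uid"], info["php_script"] = int(m.group(1)), m.group(2).strip()
    return info

def responsible_account(info, uid_map=UID_TO_ACCOUNT):
    """Map the submitting uid (preferring Postfix's own record) to an account name."""
    uid = info["submit_uid"] if info["submit_uid"] is not None else info["php_uid"]
    return uid, uid_map.get(uid, "unknown uid")
```

The forged Received line placed in the body of the sample shows why header parsing must stop at the first blank line.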