User:Woozle/2016/02/15/Postfix bounce-spam/mail.log 1
I found this chunk by searching mail.log for the email address of the apparent target (C.Derbyshire249@BTInternet.com), then searching for the IP address of the sender (103.28.113.148). This is the complete history of cloud2's interaction with that IP address:
Feb 16 04:06:40 cloud2 postfix/smtpd[19909]: warning: hostname host-103-28-113-148.ldp.net.id does not resolve to address 103.28.113.148: Name or service not known
Feb 16 04:06:40 cloud2 postfix/smtpd[19909]: connect from unknown[103.28.113.148]
Feb 16 04:06:45 cloud2 postfix/smtpd[19909]: warning: SASL authentication failure: Password verification failed
Feb 16 04:06:45 cloud2 postfix/smtpd[19909]: warning: unknown[103.28.113.148]: SASL PLAIN authentication failed: authentication failure
Feb 16 04:06:47 cloud2 postfix/smtpd[19911]: warning: hostname unregistered.netregistry.net does not resolve to address 202.47.1.23
Feb 16 04:06:47 cloud2 postfix/smtpd[19911]: connect from unknown[202.47.1.23]
Feb 16 04:06:48 cloud2 postfix/smtpd[19909]: warning: SASL authentication failure: Password verification failed
Feb 16 04:06:48 cloud2 postfix/smtpd[19909]: warning: unknown[103.28.113.148]: SASL PLAIN authentication failed: authentication failure
Feb 16 04:06:49 cloud2 postfix/trivial-rewrite[19912]: warning: do not list domain VBZ.NET in BOTH mydestination and virtual_alias_domains
Feb 16 04:06:49 cloud2 postfix/smtpd[19911]: 5DE011413C6: client=unknown[202.47.1.23]
Feb 16 04:06:49 cloud2 postfix/smtpd[19909]: warning: SASL authentication failure: Password verification failed
Feb 16 04:06:49 cloud2 postfix/smtpd[19909]: warning: unknown[103.28.113.148]: SASL PLAIN authentication failed: authentication failure
Feb 16 04:06:50 cloud2 postfix/cleanup[19913]: 5DE011413C6: message-id=<8db01f85041e467228f5383e991b3a4c@realityfurniture.com.au>
Feb 16 04:06:50 cloud2 postfix/smtpd[19909]: lost connection after AUTH from unknown[103.28.113.148]
Feb 16 04:06:50 cloud2 postfix/smtpd[19909]: disconnect from unknown[103.28.113.148]
Feb 16 04:06:52 cloud2 postfix/smtpd[19909]: warning: hostname host-103-28-113-148.ldp.net.id does not resolve to address 103.28.113.148: Name or service not known
Feb 16 04:06:52 cloud2 postfix/smtpd[19909]: connect from unknown[103.28.113.148]
Feb 16 04:06:52 cloud2 postfix/qmgr[16733]: 5DE011413C6: from=<eula_weaver@realityfurniture.com.au>, size=2577, nrcpt=1 (queue active)
Feb 16 04:06:52 cloud2 postfix/cleanup[19913]: 5E5E21413C8: message-id=<8db01f85041e467228f5383e991b3a4c@realityfurniture.com.au>
Feb 16 04:06:52 cloud2 postfix/qmgr[16733]: 5E5E21413C8: from=<eula_weaver@realityfurniture.com.au>, size=2732, nrcpt=1 (queue active)
Feb 16 04:06:52 cloud2 postfix/local[19914]: 5DE011413C6: to=<default-vbz.net@cloud2.hypertwins.net>, orig_to=<t.R@VBZ.NET>, relay=local, delay=3, delays=3/0.01/0/0, dsn=2.0.0, status=sent (forwarded as 5E5E21413C8)
Feb 16 04:06:52 cloud2 postfix/qmgr[16733]: 5DE011413C6: removed
Feb 16 04:06:52 cloud2 postfix/local[19914]: 5E5E21413C8: to=<null-hypertwins.net@cloud2.hypertwins.net>, orig_to=<t.R@VBZ.NET>, relay=local, delay=0, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null)
Feb 16 04:06:52 cloud2 postfix/qmgr[16733]: 5E5E21413C8: removed
Feb 16 04:06:52 cloud2 postfix/smtpd[19911]: disconnect from unknown[202.47.1.23]
Feb 16 04:06:56 cloud2 postfix/trivial-rewrite[19912]: warning: do not list domain ownedbycats.org in BOTH mydestination and virtual_alias_domains
Feb 16 04:06:56 cloud2 postfix/smtpd[19909]: 93AD11413C6: client=unknown[103.28.113.148], sasl_method=PLAIN, sasl_username=harena
Feb 16 04:06:57 cloud2 postfix/cleanup[19913]: 93AD11413C6: message-id=<7F33F06B-8A94-47E0-B3A6-8B8B673EA45A@ownedbycats.org>
Feb 16 04:06:57 cloud2 postfix/qmgr[16733]: 93AD11413C6: from=<ckelly383@ownedbycats.org>, size=691, nrcpt=1 (queue active)
Feb 16 04:06:59 cloud2 postfix/smtpd[19909]: 291231413C8: client=unknown[103.28.113.148], sasl_method=PLAIN, sasl_username=harena
Feb 16 04:07:00 cloud2 postfix/cleanup[19913]: 291231413C8: message-id=<79816A1E-A7A3-490F-F62D-77D316B94A0D@ownedbycats.org>
Feb 16 04:07:00 cloud2 postfix/qmgr[16733]: 291231413C8: from=<gabsy@ownedbycats.org>, size=682, nrcpt=1 (queue active)
Feb 16 04:07:02 cloud2 postfix/smtpd[19909]: 4BC1E1413E6: client=unknown[103.28.113.148], sasl_method=PLAIN, sasl_username=harena
Feb 16 04:07:03 cloud2 postfix/cleanup[19913]: 4BC1E1413E6: message-id=<7A636FD3-85FD-42CC-A115-7DD9171DE1F3@ownedbycats.org>
Feb 16 04:07:03 cloud2 postfix/qmgr[16733]: 4BC1E1413E6: from=<gabsy@ownedbycats.org>, size=655, nrcpt=1 (queue active)
Feb 16 04:07:04 cloud2 postfix/smtpd[19909]: C83501413EA: client=unknown[103.28.113.148], sasl_method=PLAIN, sasl_username=harena
Feb 16 04:07:06 cloud2 postfix/cleanup[19913]: C83501413EA: message-id=<5C10A207-860D-42CC-9E58-4DA9AEC1FF1B@ownedbycats.org>
Feb 16 04:07:06 cloud2 postfix/qmgr[16733]: C83501413EA: from=<gabsy@ownedbycats.org>, size=630, nrcpt=1 (queue active)
Feb 16 04:07:06 cloud2 postfix/smtp[19923]: C83501413EA: to=<jay@cfpworldwide.com>, relay=ASPMX.L.GOOGLE.com[74.125.22.26]:25, delay=1.9, delays=1.3/0/0.41/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1455613626 s65si39474105qhb.93 - gsmtp)
Feb 16 04:07:06 cloud2 postfix/qmgr[16733]: C83501413EA: removed
Feb 16 04:07:07 cloud2 postfix/smtpd[19909]: 461B71413EA: client=unknown[103.28.113.148], sasl_method=PLAIN, sasl_username=harena
Feb 16 04:07:07 cloud2 postfix/smtp[19922]: 4BC1E1413E6: to=<C.Derbyshire249@BTInternet.com>, relay=mx.bt.lon5.cpcloud.co.uk[65.20.0.49]:25, delay=5.6, delays=1.3/0/0.89/3.4, dsn=5.0.0, status=bounced (host mx.bt.lon5.cpcloud.co.uk[65.20.0.49] said: 554 Message rejected for policy reasons (3.2.1.1) - Please report any problems to BT via the postmaster@btinternet.com mailbox and include your sending ip address with an example header of your email (in reply to end of DATA command))
Feb 16 04:07:07 cloud2 postfix/cleanup[19926]: DA4491413FA: message-id=<20160216090707.DA4491413FA@cloud2.hypertwins.net>
Feb 16 04:07:07 cloud2 postfix/qmgr[16733]: DA4491413FA: from=<>, size=3028, nrcpt=1 (queue active)
Feb 16 04:07:07 cloud2 postfix/bounce[19924]: 4BC1E1413E6: sender non-delivery notification: DA4491413FA
Feb 16 04:07:07 cloud2 postfix/qmgr[16733]: 4BC1E1413E6: removed
It looks like it tried to log on via several methods which failed (no usernames listed in the log -- which may mean they were anonymous logins or may mean that the log only lists usernames for successful connections) and then finally succeeded as user "harena", whence it sent a small sequence of spams and then disconnected.
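As an added example (not from the original page or the author's own tooling), a small Python checker that encodes the pattern read from the log above: repeated SASL PLAIN failures from one client IP followed by a successful authentication from the same IP, with the queue ids accepted in that session traced to their delivery status. The regexes are assumptions that match the Postfix smtpd/smtp line shapes shown on this page; the sample lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict

# Assumed line shapes, modelled on the Postfix smtpd/smtp entries in the log above.
SASL_FAIL = re.compile(r"smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL (\w+) authentication failed")
SASL_OK = re.compile(r"smtpd\[\d+\]: ([0-9A-F]+): client=\S+\[([\d.]+)\], sasl_method=(\w+), sasl_username=(\S+)")
RCPT = re.compile(r"smtp\[\d+\]: ([0-9A-F]+): to=<([^>]+)>.*status=(\w+)")

def analyze(lines, fail_threshold=2):
    """Return {ip: summary} for every client IP that authenticated successfully
    after at least fail_threshold SASL failures, with the recipients and delivery
    status of each message queued under that IP's authenticated sessions."""
    fails = defaultdict(int)          # ip -> number of SASL failures
    successes = defaultdict(set)      # ip -> usernames that eventually authenticated
    queue_ip = {}                     # queue id -> ip of the authenticated client
    deliveries = defaultdict(list)    # ip -> [(recipient, status), ...]
    for line in lines:
        if m := SASL_FAIL.search(line):
            fails[m.group(1)] += 1
        elif m := SASL_OK.search(line):
            qid, ip, _method, user = m.groups()
            successes[ip].add(user)
            queue_ip[qid] = ip
        elif m := RCPT.search(line):
            qid, rcpt, status = m.groups()
            if qid in queue_ip:       # only messages injected by an authenticated client
                deliveries[queue_ip[qid]].append((rcpt, status))
    return {
        ip: {"failed_auths": fails[ip], "users": sorted(users), "deliveries": deliveries[ip]}
        for ip, users in successes.items() if fails[ip] >= fail_threshold
    }

# Constructed sample: two failures then a success from 192.0.2.10, one clean login from 192.0.2.20.
SAMPLE = [
    "Feb 16 04:06:40 mx postfix/smtpd[100]: connect from unknown[192.0.2.10]",
    "Feb 16 04:06:45 mx postfix/smtpd[100]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Feb 16 04:06:48 mx postfix/smtpd[100]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Feb 16 04:06:56 mx postfix/smtpd[100]: AAAA0000001: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
    "Feb 16 04:07:07 mx postfix/smtp[101]: AAAA0000001: to=<victim@example.net>, relay=mx.example.net[198.51.100.5]:25, dsn=5.0.0, status=bounced (host said: 554 Message rejected for policy reasons)",
    "Feb 16 04:08:00 mx postfix/smtpd[102]: BBBB0000002: client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=bob",
    "Feb 16 04:08:01 mx postfix/smtp[103]: BBBB0000002: to=<friend@example.org>, relay=mx.example.org[198.51.100.6]:25, dsn=2.0.0, status=sent (250 OK)",
]

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE).items():
        print(ip, summary)
```

On a real mail.log, feed the file's lines to analyze() and treat each flagged IP/username pair as a candidate compromised account to lock and re-credential.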