User:Woozle/2016/02/15/Postfix bounce-spam/tcpdump 1

Revision as of 16:44, 15 February 2016 by Woozle (mail.log)

A sample from tcpdump -- most of what I saw seemed legitimate (related to emails recently sent), but this did not:

11:24:52.649377 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [S], seq 2358666894, win 29200, options [mss 1460,sackOK,TS val 12615285 ecr 0,nop,wscale 8], length 0
11:24:52.775950 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 4150325630, win 29200, options [nop,nop,TS val 12615317 ecr 707961258], length 0
11:24:52.902203 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 0
11:24:52.902328 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 0:28, ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 28
11:24:53.028395 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 28:66, ack 100, win 29200, options [nop,nop,TS val 12615380 ecr 707961511], length 38
11:24:53.207441 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 66:99, ack 108, win 29200, options [nop,nop,TS val 12615425 ecr 707961690], length 33
11:24:53.333167 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 99:105, ack 116, win 29200, options [nop,nop,TS val 12615456 ecr 707961816], length 6
11:24:53.463143 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], seq 105:2901, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 2796
11:24:53.463184 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 2901:4100, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 1199
11:24:55.042054 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 4100:4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 6
11:24:55.042081 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [F.], seq 4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 0
11:24:55.168094 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0
11:24:55.168125 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0

94.100.180.150 apparently belongs to a mail host in Russia (the log below identifies it as mxs.mail.ru). The network traffic above appears to correspond to this sequence in mail.log, in which the incoming message CE374140249 was accepted, failed local delivery, and was then bounced back to its envelope sender as 5D9A114024F:

Feb 15 11:24:51 cloud2 postfix/trivial-rewrite[9974]: warning: do not list domain ownedbycats.org in BOTH mydestination and virtual_alias_domains
Feb 15 11:24:51 cloud2 postfix/smtpd[10587]: CE374140249: client=unknown[189.234.134.82]
Feb 15 11:24:51 cloud2 postfix/cleanup[10588]: CE374140249: message-id=<2016021410200162ICCIYOZSBADMH7980737@gmail.com>
Feb 15 11:24:51 cloud2 postfix/qmgr[22622]: CE374140249: from=<panfilova.765@mail.ru>, size=1969, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/smtpd[10587]: disconnect from unknown[189.234.134.82]
Feb 15 11:24:52 cloud2 postfix/local[10589]: CE374140249: to=<spam.ownedbycats@cloud2.hypertwins.net>, orig_to=<cotton_shineharena@ownedbycats.org>, relay=local, delay=0.54, delays=0.13/0/0/0.41, dsn=5.2.0, status=bounced (can't create user output file)
Feb 15 11:24:52 cloud2 postfix/cleanup[10588]: 5D9A114024F: message-id=<20160215162452.5D9A114024F@cloud2.hypertwins.net>
Feb 15 11:24:52 cloud2 postfix/qmgr[22622]: 5D9A114024F: from=<>, size=3993, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/bounce[10611]: CE374140249: sender non-delivery notification: 5D9A114024F
Feb 15 11:24:52 cloud2 postfix/qmgr[22622]: CE374140249: removed
Feb 15 11:24:55 cloud2 postfix/smtp[10613]: 5D9A114024F: to=<panfilova.765@mail.ru>, relay=mxs.mail.ru[94.100.180.150]:25, delay=2.7, delays=0/0.01/0.64/2, dsn=5.0.0, status=bounced (host mxs.mail.ru[94.100.180.150] said: 550 spam message rejected. Please visit http://help.mail.ru/notspam-support/id?c=yYGgH-hRivasAiCteDfNIj-BdlPyhWEAZ-tn7yUBJZUQAAAAIeYAAARdJjI~ or  report details to abuse@corp.mail.ru. Error code: 1FA081C9F68A51E8AD2002AC22CD37785376813F006185F2EF67EB6795250125. ID: 000000100000E62132265D04. (in reply to end of DATA command))
Feb 15 11:24:55 cloud2 postfix/qmgr[22622]: 5D9A114024F: removed
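An added example, not part of the original page: a small Python script that does the correlation above mechanically, pairing each accepted message with the non-delivery notification that bounce(8) generated for it and pulling out the connecting client, the envelope sender the bounce went back to, the local failure reason and the relay that received the bounce. The embedded log excerpt is an abridged, constructed copy of the lines above, and the line regex assumes Postfix's default short (uppercase hex) queue ids.

```python
import re
from collections import defaultdict

# Constructed sample: mail.log lines abridged from the excerpt above.
SAMPLE_LOG = """\
Feb 15 11:24:51 cloud2 postfix/smtpd[10587]: CE374140249: client=unknown[189.234.134.82]
Feb 15 11:24:51 cloud2 postfix/qmgr[22622]: CE374140249: from=<panfilova.765@mail.ru>, size=1969, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/local[10589]: CE374140249: to=<spam.ownedbycats@cloud2.hypertwins.net>, orig_to=<cotton_shineharena@ownedbycats.org>, relay=local, delay=0.54, delays=0.13/0/0/0.41, dsn=5.2.0, status=bounced (can't create user output file)
Feb 15 11:24:52 cloud2 postfix/qmgr[22622]: 5D9A114024F: from=<>, size=3993, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/bounce[10611]: CE374140249: sender non-delivery notification: 5D9A114024F
Feb 15 11:24:55 cloud2 postfix/smtp[10613]: 5D9A114024F: to=<panfilova.765@mail.ru>, relay=mxs.mail.ru[94.100.180.150]:25, delay=2.7, delays=0/0.01/0.64/2, dsn=5.0.0, status=bounced (host mxs.mail.ru[94.100.180.150] said: 550 spam message rejected. (in reply to end of DATA command))
"""

# Only lines carrying a queue id matter (default Postfix short queue ids are uppercase hex).
LINE_RE = re.compile(r'^\S+ +\d+ [\d:]+ \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')

def parse_log(text):
    """Group (daemon, message) pairs by queue id, in log order."""
    events = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events[m['qid']].append((m['prog'], m['rest']))
    return events

def lookup(recs, prog, name):
    for p, rest in recs:
        if p == prog:
            m = re.search(r'\b' + name + r'=<?([^>,]*)>?', rest)  # value may be wrapped in <...>
            if m:
                return m.group(1)
    return None

def find_backscatter(text):
    """Messages smtpd accepted, then bounced after delivery failed, so an NDN went to the (possibly forged) sender."""
    events = parse_log(text)
    hits = []
    for qid, recs in events.items():
        for prog, rest in recs:
            if prog == 'bounce' and 'non-delivery notification: ' in rest:
                ndn_id = rest.rsplit(': ', 1)[1]  # queue id of the notification itself
                hits.append({
                    'queue_id': qid,
                    'client': lookup(recs, 'smtpd', 'client'),
                    'sender': lookup(recs, 'qmgr', 'from'),
                    'recipient': lookup(recs, 'local', 'orig_to') or lookup(recs, 'local', 'to'),
                    'local_status': lookup(recs, 'local', 'status'),
                    'bounce_id': ndn_id,
                    'bounce_relay': lookup(events.get(ndn_id, []), 'smtp', 'relay'),
                    'bounce_status': lookup(events.get(ndn_id, []), 'smtp', 'status'),
                })
    return hits
```

Each hit is a message that was accepted during the SMTP session and rejected only afterwards, which is exactly the case where the bounce goes to an address the server never verified; the mitigation is to make the delivery fail inside the SMTP session so that the sending server, not this one, generates the failure report.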