User:Woozle/2016/02/15/Postfix bounce-spam/tcpdump 1

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
< User:Woozle‎ | 2016/02/15/Postfix bounce-spam
Revision as of 19:02, 15 February 2016 by Woozle (talk | contribs) (more stuff)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

A sample from tcpdump -- most of what I saw seemed legitimate (related to emails recently sent), but this did not: 

11:24:52.649377 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [S], seq 2358666894, win 29200, options [mss 1460,sackOK,TS val 12615285 ecr 0,nop,wscale 8], length 0
11:24:52.775950 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 4150325630, win 29200, options [nop,nop,TS val 12615317 ecr 707961258], length 0
11:24:52.902203 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 0
11:24:52.902328 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 0:28, ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 28
11:24:53.028395 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 28:66, ack 100, win 29200, options [nop,nop,TS val 12615380 ecr 707961511], length 38
11:24:53.207441 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 66:99, ack 108, win 29200, options [nop,nop,TS val 12615425 ecr 707961690], length 33
11:24:53.333167 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 99:105, ack 116, win 29200, options [nop,nop,TS val 12615456 ecr 707961816], length 6
11:24:53.463143 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], seq 105:2901, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 2796
11:24:53.463184 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 2901:4100, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 1199
11:24:55.042054 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 4100:4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 6
11:24:55.042081 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [F.], seq 4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 0
11:24:55.168094 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0
11:24:55.168125 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0

94.100.180.150 apparently belongs to a mail host in Russia. The above network traffic appears to be associated with this sequence in mail.log:

Feb 15 11:24:51 cloud2 postfix/trivial-rewrite[9974]: warning: do not list domain ownedbycats.org in BOTH mydestination and virtual_alias_domains
Feb 15 11:24:51 cloud2 postfix/smtpd[10587]: CE374140249: client=unknown[189.234.134.82]
Feb 15 11:24:51 cloud2 postfix/cleanup[10588]: CE374140249: message-id=<2016021410200162ICCIYOZSBADMH7980737@gmail.com>
Feb 15 11:24:51 cloud2 postfix/qmgr[22622]: CE374140249: from=<panfilova.765@mail.ru>, size=1969, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/smtpd[10587]: disconnect from unknown[189.234.134.82]
Feb 15 11:24:52 cloud2 postfix/local[10589]: CE374140249: to=<spam.ownedbycats@cloud2.hypertwins.net>, orig_to=<cotton_shineharena@ownedbycats.org>, relay=local, delay=0.54, delays=0.13/0/0/0.41, dsn=5.2.0, status=bounced (can't create user output file)
Feb 15 11:24:52 cloud2 postfix/cleanup[10588]: 5D9A114024F: message-id=<20160215162452.5D9A114024F@cloud2.hypertwins.net>
Feb 15 11:24:52 cloud2 postfix/qmgr[22622]: 5D9A114024F: from=<>, size=3993, nrcpt=1 (queue active)
Feb 15 11:24:52 cloud2 postfix/bounce[10611]: CE374140249: sender non-delivery notification: 5D9A114024F
Feb 15 11:24:52 cloud2 postfix/qmgr[22622]: CE374140249: removed
Feb 15 11:24:55 cloud2 postfix/smtp[10613]: 5D9A114024F: to=<panfilova.765@mail.ru>, relay=mxs.mail.ru[94.100.180.150]:25, delay=2.7, delays=0/0.01/0.64/2, dsn=5.0.0, status=bounced (host mxs.mail.ru[94.100.180.150] said: 550 spam message rejected. Please visit http://help.mail.ru/notspam-support/id?c=yYGgH-hRivasAiCteDfNIj-BdlPyhWEAZ-tn7yUBJZUQAAAAIeYAAARdJjI~ or report details to abuse@corp.mail.ru. Error code: 1FA081C9F68A51E8AD2002AC22CD37785376813F006185F2EF67EB6795250125. ID: 000000100000E62132265D04. (in reply to end of DATA command))
Feb 15 11:24:55 cloud2 postfix/qmgr[22622]: 5D9A114024F: removed

On further thought, what seems to be happening here is:

  • 189.234.134.82 connects to cloud2 with a message for cotton_shineharena@ownedbycats.org (an address we forward straight to the spam repository)
  • The message is a return of a message sent earlier to the server on whose behalf 189.234.134.82 is operating.

So this doesn't show cloud2 trying to send the message, but rather accepting the return of the bounce. If cloud2 sent it, then I should see evidence of that earlier in the log -- either from "cotton_shineharena@ownedbycats.org" or to "panfilova.765@mail.ru" -- and I don't see anything to panfilova.765@mail.ru going back over 24 hours, though there are plenty of other spam-bounces to cotton_shineharena. Looking through the previous log file (goes back to Feb. 8) does not seem to find panfilova.765@mail.ru at all.

...and unless Webmin is simply lying to me, I don't see any way that someone could be using Postfix to send messages illicitly unless they had hacked an actual user's password -- in which case mail.log would show that user's login associated with sending emails to weird addresses, and I don't see either one of those. (I do see regular Dovecot logins by our main user, and lots of failed login attempts using made-up addresses @vbz.net.)

Retrieved from "https://htyp.org/mw/index.php?title=User:Woozle/2016/02/15/Postfix_bounce-spam/tcpdump_1&oldid=21642"