[plug] any advice

jlmiller at mmtnetworks.com.au jlmiller at mmtnetworks.com.au
Sat Aug 7 08:54:05 WST 2010


Had a look and there is no IP addr showing. I had read that a lot of the time the offending PC does not send the spam through the mail server. What I see is a lot of data trying to go out but with no source IP from any internal PC.

-----Original Message-----
From: Patrick Coleman <blinken at gmail.com>
Sender: plug-bounces at plug.org.au
Date: Fri, 6 Aug 2010 15:04:30 
To: <plug at plug.org.au>
Reply-To: plug at plug.org.au, blinken at gmail.com
Subject: Re: [plug] any advice

On Fri, Aug 6, 2010 at 2:05 PM, Jon L Miller
<jlmiller at mmtnetworks.com.au> wrote:
> I did a capture on the mailserver and this is what one of the streams
> produced.
> 220 mmtlnx.mmtnetworks.com.au ESMTP Postfix

If you're running Postfix, looking at /var/log/mail.log will tell you
the IP of the machine sending your mailserver the spammy email. Lines
like:

Aug  6 14:41:28 shell postfix/smtpd[2692]: A89BF6057: client=na3sys009amx258.postini.com[74.125.149.142]
Aug  6 14:41:31 shell postfix/cleanup[4068]: A89BF6057: message-id=<20100806064116.6065C54136 at i4-m3.sendgrid.net>
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: from=<fakespamdomain at spamspamspam.com>, size=12473, nrcpt=1 (queue active)
Aug  6 14:41:31 shell deliver(pcoleman at labyrinthdata.net.au): msgid=<20100806064116.6065C54136 at i4-m3.sendgrid.net>: saved mail to INBOX
Aug  6 14:41:31 shell postfix/pipe[4069]: A89BF6057: to=<pcoleman at labyrinthdata.net.au>, relay=virtual, delay=6.6, delays=6.5/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via virtual service)
Aug  6 14:41:31 shell postfix/qmgr[1130]: A89BF6057: removed
Aug  6 14:41:32 shell postfix/smtpd[2692]: disconnect from na3sys009amx258.postini.com[74.125.149.142]

...indicate that 74.125.149.142 connected, and gave you a message from
fakespamdomain at spamspamspam.com, to pcoleman at labyrinthdata.net.au.

Hope that helps?

Cheers,

Patrick


http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting
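
The queue-ID correlation described in the reply above, as an added example that is not part of the original thread: it groups Postfix log lines by queue ID and reports where each message entered the server. The log lines, hosts and addresses are constructed, and the script assumes Postfix's default short hexadecimal queue IDs. It goes one step beyond the reply by also reporting messages that have no client= line because they were submitted locally through the pickup service.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix mail.log format (documentation IPs and domains).
SAMPLE_LOG = """\
Aug  6 14:41:28 mx postfix/smtpd[2692]: A89BF6057: client=relay.example.net[192.0.2.10]
Aug  6 14:41:31 mx postfix/qmgr[1130]: A89BF6057: from=<a@example.org>, size=12473, nrcpt=1 (queue active)
Aug  6 14:41:31 mx postfix/pipe[4069]: A89BF6057: to=<user@example.com>, relay=virtual, delay=6.6, dsn=2.0.0, status=sent (delivered via virtual service)
Aug  6 14:42:02 mx postfix/smtpd[2700]: B12CD7788: client=unknown[198.51.100.23]
Aug  6 14:42:03 mx postfix/qmgr[1130]: B12CD7788: from=<x@example.org>, size=900, nrcpt=2 (queue active)
Aug  6 14:42:04 mx postfix/smtp[4100]: B12CD7788: to=<v1@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, dsn=2.0.0, status=sent (250 ok)
Aug  6 14:42:04 mx postfix/smtp[4100]: B12CD7788: to=<v2@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, dsn=2.0.0, status=sent (250 ok)
Aug  6 14:42:10 mx postfix/pickup[3001]: C33EF9900: uid=33 from=<www-data>
Aug  6 14:42:10 mx postfix/qmgr[1130]: C33EF9900: from=<www-data@mx.example.com>, size=700, nrcpt=1 (queue active)
Aug  6 14:42:11 mx postfix/smtp[4101]: C33EF9900: to=<v3@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
"""

# Assumption: short hex queue IDs (this also skips "warning:" and NOQUEUE lines).
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
CLIENT = re.compile(r"client=\S*?\[([^\]]+)\]")
SENDER = re.compile(r"from=<([^>]*)>")
RCPT = re.compile(r"\bto=<([^>]*)>")   # \b keeps orig_to= from matching
UID = re.compile(r"uid=(\d+)")

def trace_messages(log_text):
    """Return {queue_id: {"source", "sender", "rcpts"}} built from mail.log text."""
    msgs = defaultdict(lambda: {"source": None, "sender": None, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            rec["source"] = c.group(1)                  # IP that connected over SMTP
        elif daemon == "pickup" and (u := UID.search(rest)):
            rec["source"] = f"local uid={u.group(1)}"   # submitted on the server itself
        elif daemon == "qmgr" and (s := SENDER.search(rest)):
            rec["sender"] = s.group(1)                  # envelope sender
        elif (r := RCPT.search(rest)):
            rec["rcpts"].append(r.group(1))             # one delivery line per recipient
    return dict(msgs)

if __name__ == "__main__":
    for qid, rec in trace_messages(SAMPLE_LOG).items():
        print(qid, rec["source"], rec["sender"], ", ".join(rec["rcpts"]))
```
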