[BlueOnyx:12452] Re: Forged mail getting through

Robert Fitzpatrick robert at webtent.org
Wed Mar 6 15:26:29 -05 2013


Robert Fitzpatrick wrote:
> Dogsbody wrote:
>> On 05/03/2013 14:44, Robert Fitzpatrick wrote:
>>> I had several forged emails get through a BO 5106 server this morning
>>> and trying to figure out how they were allowed to be sent via the server...
>>>
>>> Mar  5 09:01:37 vnyxbo sendmail[18836]: r25E1F36018836: from=<forged at domain
>>> .com>, size=299, class=0, nrcpts=1,
>>> msgid=<201303051401.r25E1F36018836 at vnyxbo.we
>>> btent.net>, proto=ESMTP, daemon=TLSMTA,
>>> relay=node-3ld.pool-101-51.dynamic.totbb
>>> .net [101.51.18.49]
>> Grep your mail logs for the ID (r25E1F36018836) to see the whole mail's
>> journey through your server.
>>
>
> Thanks, I did that already, but this is all I get....
>
> [root at vnyxbo log]# grep r25E1F36018836 maillog.1
> Mar  5 09:01:37 vnyxbo sendmail[18836]: r25E1F36018836:
> from=<user at domain.com>, size=299, class=0, nrcpts=1,
> msgid=<201303051401.r25E1F36018836 at vnyxbo.webtent.net>, proto=ESMTP,
> daemon=TLSMTA, relay=node-3ld.pool-101-51.dynamic.totbb.net [101.51.18.49]
> Mar  5 09:01:37 vnyxbo sendmail[18874]: r25E1F36018836:
> to=<michelle.l.elliott at us.army.mil>, delay=00:00:02, xdelay=00:00:00,
> mailer=relay, pri=120299, relay=esmtp.webtent.net. [216.139.202.5],
> dsn=2.0.0, stat=Sent (Ok: queued as DE4C22E33F)
>
> The second entry is it being delivered to the outgoing smarthost of that
> server. Does this show me how it was authorized?
>

Finally solved by searching for the IP used to send in the logs. Tried 
that yesterday, but it seems the log had rolled over and the authid was 
in the previous log...thanks!
--
Robert <robert at webtent.org>
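
The lookup that resolved this thread, as an added example that is not part of the original post: take the relay IP from the queue ID's `from=` record, then search every rotated log for SMTP AUTH records from that IP. The function names, the sample lines and the exact shape of the `AUTH=server ... authid=` record are assumptions; the thread quotes only the `from=` and `to=` records.

```python
import gzip
import re
import sys

# Assumed line shapes: the "from=" record as quoted in the thread, and sendmail's
# "AUTH=server, relay=..., authid=..." record, which carries no queue ID.
IP = r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]"
FROM_RE = re.compile(r"sendmail\[(\d+)\]: (\w+): from=.*relay=.*" + IP)
AUTH_RE = re.compile(r"sendmail\[(\d+)\]: AUTH=server, relay=.*" + IP + r".*authid=([^,\s]+)")

# Constructed sample logs (not from the thread); the login sits in an older rotation.
SAMPLE_LOGS = {
    "maillog.2": [
        "Mar  3 03:58:10 mx sendmail[4410]: AUTH=server, relay=dsl.example.net [192.0.2.49], authid=jdoe, mech=LOGIN, bits=0",
        "Mar  3 04:10:02 mx sendmail[4502]: AUTH=server, relay=office.example.org [198.51.100.7], authid=alice, mech=PLAIN, bits=0",
    ],
    "maillog.1": [
        "Mar  5 09:01:37 mx sendmail[18836]: r25ABCDE018836: from=<user@example.com>, size=299, class=0, nrcpts=1, proto=ESMTP, daemon=TLSMTA, relay=dsl.example.net [192.0.2.49]",
        "Mar  5 09:01:37 mx sendmail[18874]: r25ABCDE018836: to=<rcpt@example.org>, mailer=relay, dsn=2.0.0, stat=Sent",
    ],
}

def read_log(path):
    """Yield lines from a plain or gzip-compressed rotated log file."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def find_submitter(queue_id, logs):
    """logs maps a log name to its lines; returns (relay_ip, AUTH records from that IP)."""
    relay_ip = submit_pid = None
    auths = []
    for name, lines in logs.items():
        for line in lines:
            m = FROM_RE.search(line)
            if m and m.group(2) == queue_id:
                submit_pid, relay_ip = m.group(1), m.group(3)
            m = AUTH_RE.search(line)
            if m:
                auths.append({"log": name, "pid": m.group(1), "ip": m.group(2), "authid": m.group(3)})
    # Same PID as the from= record suggests the same SMTP session; PIDs do get reused.
    hits = [dict(a, same_pid=a["pid"] == submit_pid) for a in auths if a["ip"] == relay_ip]
    return relay_ip, hits

if __name__ == "__main__":
    if len(sys.argv) > 2:  # e.g. QUEUE_ID /var/log/maillog*
        qid, logs = sys.argv[1], {p: read_log(p) for p in sys.argv[2:]}
    else:
        qid, logs = "r25ABCDE018836", SAMPLE_LOGS
    ip, hits = find_submitter(qid, logs)
    print("submitting relay IP:", ip)
    for h in hits:
        print(h["log"], "authid=" + h["authid"], "same_pid=" + str(h["same_pid"]))
```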


