Re: AW: AW: Mail relay and sender forgery

sschieke at hans-bredow-institut.de
Thu Jan 31 18:15:23 CET 2019


The log entries:

======================8<--------------

Jan 29 10:09:46 mail2 postfix/postscreen[19811]: CONNECT from [64.98.42.108]:49356 to [10.10.24.101]:25
Jan 29 10:09:46 mail2 postfix/dnsblog[22437]: addr 64.98.42.108 listed by domain list.dnswl.org as 127.0.5.0
Jan 29 10:09:46 mail2 postfix/dnsblog[22229]: addr 64.98.42.108 listed by domain spam.dnsbl.sorbs.net as 127.0.0.6
Jan 29 10:09:47 mail2 postfix/dnsblog[19826]: addr 64.98.42.108 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Jan 29 10:09:48 mail2 postfix/postscreen[19811]: CONNECT from [64.98.42.118]:60166 to [10.10.24.101]:25
Jan 29 10:09:48 mail2 postfix/dnsblog[23172]: addr 64.98.42.118 listed by domain list.dnswl.org as 127.0.5.0
Jan 29 10:09:48 mail2 postfix/dnsblog[23219]: addr 64.98.42.118 listed by domain spam.dnsbl.sorbs.net as 127.0.0.6
Jan 29 10:09:48 mail2 postfix/dnsblog[19828]: addr 64.98.42.118 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Jan 29 10:09:50 mail2 postfix/postscreen[19811]: PASS NEW [64.98.42.108]:49356
Jan 29 10:09:50 mail2 postfix/smtpd[23474]: connect from smtprelay0108.b.hostedemail.com[64.98.42.108]
Jan 29 10:09:51 mail2 postfix/smtpd[23474]: NOQUEUE: client=smtprelay0108.b.hostedemail.com[64.98.42.108]
Jan 29 10:09:51 mail2 amavis[22953]: (22953-19) ESMTP [127.0.0.1]:10024 /var/lib/amavis/tmp/amavis-20190129T093905-22953-j6jyCey4: <ein.benutzer at unsere-domain.de> -> <anderer.benutzer at unsere-domain.de> SIZE=1876 BODY=8BITMIME Received: from mail2.unsere-domain.de ([127.0.0.1]) by localhost (mail2.unsere-domain.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <anderer.benutzer at unsere-domain.de>; Tue, 29 Jan 2019 10:09:51 +0100 (CET)
Jan 29 10:09:51 mail2 amavis[22953]: (22953-19) Checking: 3OVfVi6afs2g [64.98.42.108] <ein.benutzer at unsere-domain.de> -> <anderer.benutzer at unsere-domain.de>
Jan 29 10:09:51 mail2 amavis[22953]: (22953-19) p001 1 Content-Type: text/plain, size: 94 B, name:
Jan 29 10:09:51 mail2 postfix/smtpd[23230]: NOQUEUE: client=mail21-118.srv2.de[91.241.72.118]
Jan 29 10:09:52 mail2 postfix/postscreen[19811]: PASS NEW [64.98.42.118]:60166
Jan 29 10:09:52 mail2 postfix/smtpd[23478]: connect from smtprelay0118.b.hostedemail.com[64.98.42.118]
Jan 29 10:09:53 mail2 postfix/smtpd[23478]: NOQUEUE: client=smtprelay0118.b.hostedemail.com[64.98.42.118]
Jan 29 10:09:53 mail2 amavis[23479]: (22953-19) SA info: util: setuid: ruid=114 euid=114 rgid=123 123 egid=123 123
Jan 29 10:09:53 mail2 amavis[23473]: (23473-01) ESMTP [127.0.0.1]:10024 /var/lib/amavis/tmp/amavis-20190129T100953-23473-Kl5bntE3: <ein.benutzer at unsere-domain.de> -> <weiterer.benutzer at unsere-domain.de> SIZE=1876 BODY=8BITMIME Received: from mail2.unsere-domain.de ([127.0.0.1]) by localhost (mail2.unsere-domain.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <weiterer.benutzer at unsere-domain.de>; Tue, 29 Jan 2019 10:09:53 +0100 (CET)
Jan 29 10:09:53 mail2 amavis[23473]: (23473-01) Checking: XKalWugpbQu9 [64.98.42.118] <ein.benutzer at unsere-domain.de> -> <weiterer.benutzer at unsere-domain.de>
Jan 29 10:09:53 mail2 amavis[23473]: (23473-01) p001 1 Content-Type: text/plain, size: 94 B, name:
Jan 29 10:09:53 mail2 postfix/smtpd[23301]: connect from localhost[127.0.0.1]
Jan 29 10:09:53 mail2 postfix/smtpd[23301]: 8FCD7DFDB0: client=localhost[127.0.0.1], orig_client=smtprelay0108.b.hostedemail.com[64.98.42.108]
Jan 29 10:09:53 mail2 postfix/cleanup[23294]: 8FCD7DFDB0: message-id=<6a02d44b1b40aeeca363745281ca37af at jazeaccountancy.co.uk>
Jan 29 10:09:53 mail2 postfix/qmgr[12371]: 8FCD7DFDB0: from=<ein.benutzer at unsere-domain.de>, size=2627, nrcpt=1 (queue active)
Jan 29 10:09:53 mail2 postfix/smtpd[23301]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan 29 10:09:53 mail2 amavis[22953]: (22953-19) 3OVfVi6afs2g FWD from <ein.benutzer at unsere-domain.de> -> <anderer.benutzer at unsere-domain.de>, BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FCD7DFDB0
Jan 29 10:09:53 mail2 amavis[22953]: (22953-19) Passed CLEAN {RelayedInbound}, [64.98.42.108]:49356 [79.170.44.243] <ein.benutzer at unsere-domain.de> -> <anderer.benutzer at unsere-domain.de>, Message-ID: <6a02d44b1b40aeeca363745281ca37af at jazeaccountancy.co.uk>, mail_id: 3OVfVi6afs2g, Hits: 1.765, size: 2104, queued_as: 8FCD7DFDB0, 2060 ms
Jan 29 10:09:53 mail2 amavis[22953]: (22953-19) TIMING-SA total 1896 ms - parse: 1.49 (0.1%), extract_message_metadata: 3.5 (0.2%), get_uri_detail_list: 0.20 (0.0%), tests_pri_-1000: 6 (0.3%), tests_pri_-950: 0.83 (0.0%), tests_pri_-900: 0.90 (0.0%), tests_pri_-90: 9 (0.5%), check_bayes: 8 (0.4%), b_tokenize: 2.5 (0.1%), b_tok_get_all: 1.96 (0.1%), b_comp_prob: 1.37 (0.1%), b_tok_touch_all: 0.09 (0.0%), b_finish: 0.43 (0.0%), tests_pri_0: 458 (24.2%), check_spf: 421 (22.2%), poll_dns_idle: 403 (21.3%), check_dkim_adsp: 2.5 (0.1%), tests_pri_20: 1313 (69.2%), check_razor2: 1312 (69.2%), tests_pri_30: 70 (3.7%), check_pyzor: 68 (3.6%), tests_pri_500: 17 (0.9%), get_report: 0.35 (0.0%)
Jan 29 10:09:53 mail2 postfix/smtpd[23474]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FCD7DFDB0; from=<ein.benutzer at unsere-domain.de> to=<anderer.benutzer at unsere-domain.de> proto=ESMTP helo=<smtprelay.b.hostedemail.com>
Jan 29 10:09:53 mail2 amavis[22953]: (22953-19) size: 2104, TIMING [total 2063 ms] - SMTP greeting: 1.1 (0%)0, SMTP EHLO: 0.6 (0%)0, SMTP pre-MAIL: 0.3 (0%)0, SMTP pre-DATA-flush: 1.6 (0%)0, SMTP DATA: 0.3 (0%)0, check_init: 1.1 (0%)0, digest_hdr: 0.5 (0%)0, digest_body_dkim: 0.1 (0%)0, collect_info: 1.3 (0%)0, mime_decode: 4.0 (0%)1, get-file-type1: 16 (1%)1, parts_decode: 0.2 (0%)1, check_header: 0.5 (0%)1, AV-scan-1: 5 (0%)2, spam-wb-list: 0.8 (0%)2, SA msg read: 0.3 (0%)2, SA parse: 2.2 (0%)2, SA check: 1893 (92%)94, decide_mail_destiny: 11 (1%)94, notif-quar: 0.2 (0%)94, fwd-connect: 4.4 (0%)94, fwd-xforward: 0.3 (0%)94, fwd-mail-pip: 2.1 (0%)94, fwd-rcpt-pip: 0.1 (0%)94, fwd-data-chkpnt: 0.0 (0%)94, write-header: 0.3 (0%)94, fwd-data-contents: 0.0 (0%)94, fwd-end-chkpnt: 108 (5%)100, prepare-dsn: 0.9 (0%)100, report: 1.1 (0%)100, main_log_entry: 2.8 (0%)100, update_snmp: 0.8 (0%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.1 (0%)100, unlink-1-files: 0.2 (0%)100, rundown: 0.7 (0%)100
Jan 29 10:09:53 mail2 postfix/smtpd[23474]: disconnect from smtprelay0108.b.hostedemail.com[64.98.42.108] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 29 10:09:54 mail2 postfix/smtp[23295]: 8FCD7DFDB0: to=<anderer.benutzer at unsere-domain.de>, relay=148.251.39.234[148.251.39.234]:25, delay=0.62, delays=0.11/0/0.01/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AF96D5E056B)
Jan 29 10:09:54 mail2 postfix/qmgr[12371]: 8FCD7DFDB0: removed

======================8<--------------

The whitelisting in postscreen probably also works against us in this case. After all, the IP was already on 2 blacklists:

        list.dnswl.org=127.0.[0..255].0*-2
        list.dnswl.org=127.0.[0..255].1*-3
        list.dnswl.org=127.0.[0..255].[2..3]*-4

