Hello,
I have a Postfix server that had not been in service for a few years and that was used as the target of a run of 75278 mails; here is the header of one of them:
Received: from PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9) by PR0P264MB1530.FRAP264.PROD.OUTLOOK.COM with HTTPS; Thu, 3 Feb 2022 09:01:44 +0000
Received: from PR3P193CA0040.EURP193.PROD.OUTLOOK.COM (2603:10a6:102:51::15) by PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.15; Thu, 3 Feb 2022 09:01:43 +0000
Received: from PR2FRA01FT006.eop-fra01.prod.protection.outlook.com (2603:10a6:102:51:cafe::34) by PR3P193CA0040.outlook.office365.com (2603:10a6:102:51::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.11 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
Authentication-Results: spf=none (sender IP is 217.72.192.102) smtp.helo=mout-bounce.kundenserver.de; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=le.fqdn;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: mout-bounce.kundenserver.de does not designate permitted sender hosts)
Received: from mout-bounce.kundenserver.de (217.72.192.102) by PR2FRA01FT006.mail.protection.outlook.com (10.152.48.99) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.12 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
Authentication-Results-Original: mqeue113.server.lan; dkim=none
Received: from le.fqdn ([xx.xx.xx.xx]) by mx.kundenserver.de (mxeue111 [217.72.192.67]) with ESMTP (Nemesis) id 1MQNyZ-1mtK911tIX-00MKM4 for plateforme@bambou.cfa-epure.com; Thu, 03 Feb 2022 10:01:42 +0100
Received: by le.fqdn (Postfix) id 39353C337A; Thu, 3 Feb 2022 10:01:32 +0100 (CET)
Date: Thu, 3 Feb 2022 10:01:32 +0100 (CET)
From: MAILER-DAEMON@le.fqdn (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: plateforme@bambou.cfa-epure.com
Auto-Submitted: auto-replied
Message-Id: 20220203090132.39353C337A@le.fqdn
Envelope-To: plateforme@bambou.cfa-epure.com
X-UI-Loop: V01:6QL5ZV6wwJ0=:v3y0cpIWTPOY5LC4P6hZj2MIN3KJO73uhVjJRedCZUc=
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:Gt3Q3/3n30M=:Ears1Q5hxKpDLFIwR3dWwy 26cyhEgFcPD7bbU7ex/z3rREAWDBnQpVV6YWzIGx7j9jh5TctRsajC7d/tfupjc/i8YRmmyPj aKFJs8RN6uoV/pZZcim7yWMBd7cyIHS/IRt+mPW3blErmngZ/f8M9o//rZxNX7vS/QwwyEKip aGU6GGVEIQD0kPCwmcehdXAmyv7HK45p8eHn11DHJCIS8sY/WPtY5n2HLYLPYLxF/w95XdnU0 O66gplbPw4hbDCkf2BEXA+CAwCpNEXyAS/j9f7npjB8fxaw/1Jn8Rp5IZ/67GOTK7WMwmCBb9 aRi/hyZXxe6vCE8k1SVDl55WrTZCKPG1AwnsXwELDo0pk35549Mu7Xv4zvHTCBXOD1rzvO18P PEUyNGB2HSHe8w1D6A/cIO9xhLrUWKHSE4JKt8DYCrax8s8cc4g6I4OnVW/4Vq/cn3cElczBd nKE6yhyesg==
Return-Path: <>
X-MS-Exchange-Organization-ExpirationStartTime: 03 Feb 2022 09:01:43.4785 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: d8fdd076-bcb9-4323-af02-1c22f8a3f5b7:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
X-MS-TrafficTypeDiagnostic: PR1P264MB3769:EE_
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report: CIP:217.72.192.102;CTRY:DE;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mout-bounce.kundenserver.de;PTR:mout-bounce.kundenserver.de;CAT:SPOOF;SFS:(13230001)(1930700014)(356005)(26005)(6266002)(1076003)(58800400005)(7596003)(7636003)(42882007)(9686003)(33964004)(336012)(83380400001)(33656002)(5660300002)(34206002)(22186003)(42186006)(8676002)(78352004)(1096003);DIR:INB;
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Feb 2022 09:01:43.4004 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
X-MS-Exchange-CrossTenant-Id: d8fdd076-bcb9-4323-af02-1c22f8a3f5b7
X-MS-Exchange-CrossTenant-AuthSource: PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1P264MB3769
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.2063751
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4951.012
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506458)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?pa5WZ1znAJz+0RVwhX+Zyddsf+RnMp5C7HZ1XFb49x5lKAfwjAfTfQPtZkvY?=
... boundary="B_3726808695_475925881"
MIME-Version: 1.0
Can we deduce from this where the attack came from?
Thanks for your remarks.
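As an added example (not part of the post, and not something the poster ran), the following Python reads a header like the one above and walks its Received chain from the bottom up, which is the order in which the MTAs stamped the lines, then reports the recipient side's Authentication-Results and whether the message is a delivery status notification. The sample header embedded in the script is transcribed from the post with the TLS details of the Outlook hops shortened; "le.fqdn" and "xx.xx.xx.xx" are the poster's redactions, not real hosts. On this header the earliest hop reads "Received: by le.fqdn (Postfix)" with no "from" clause and the Return-Path is empty, so the script reports a bounce generated by the Postfix host itself rather than a message it received from outside. The path of the original undelivered message that provoked the bounce is therefore not in these lines; Postfix attaches it (or its headers) as a message/rfc822 or text/rfc822-headers part of the DSN, which is where that analysis would have to continue.

```python
"""Walk a mail header's Received chain and Authentication-Results to find the
originating hop and to recognise a DSN (bounce) such as the one quoted above."""
import email
import re
from email.message import Message

# Constructed sample: the header quoted in the post, transcribed one header per
# line, with the TLS details of the Outlook hops shortened and only the fields
# used by this analysis kept.  "le.fqdn" and "xx.xx.xx.xx" are the poster's
# redactions, not real hosts.
SAMPLE_HEADER = """\
Received: from PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9) by PR0P264MB1530.FRAP264.PROD.OUTLOOK.COM with HTTPS; Thu, 3 Feb 2022 09:01:44 +0000
Received: from PR3P193CA0040.EURP193.PROD.OUTLOOK.COM (2603:10a6:102:51::15) by PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9) with Microsoft SMTP Server id 15.20.4930.15; Thu, 3 Feb 2022 09:01:43 +0000
Received: from PR2FRA01FT006.eop-fra01.prod.protection.outlook.com (2603:10a6:102:51:cafe::34) by PR3P193CA0040.outlook.office365.com (2603:10a6:102:51::15) with Microsoft SMTP Server id 15.20.4951.11 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
Authentication-Results: spf=none (sender IP is 217.72.192.102) smtp.helo=mout-bounce.kundenserver.de; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=le.fqdn;compauth=fail reason=000
Received: from mout-bounce.kundenserver.de (217.72.192.102) by PR2FRA01FT006.mail.protection.outlook.com (10.152.48.99) with Microsoft SMTP Server id 15.20.4951.12 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
Received: from le.fqdn ([xx.xx.xx.xx]) by mx.kundenserver.de (mxeue111 [217.72.192.67]) with ESMTP (Nemesis) id 1MQNyZ-1mtK911tIX-00MKM4 for plateforme@bambou.cfa-epure.com; Thu, 03 Feb 2022 10:01:42 +0100
Received: by le.fqdn (Postfix) id 39353C337A; Thu, 3 Feb 2022 10:01:32 +0100 (CET)
From: MAILER-DAEMON@le.fqdn (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: plateforme@bambou.cfa-epure.com
Auto-Submitted: auto-replied
Return-Path: <>
"""

# "Received: from <host> (<comment>) by <host> ..." for a relayed hop; a message
# the MTA created itself (a DSN) has only "Received: by <host> ...".
_FROM_RE = re.compile(r"^\s*from\s+(\S+)\s*(?:\(([^)]*)\))?")
_BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)")
_SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")


def parse_received(value: str) -> dict:
    """Split one Received header into from-host, from-comment and by-host."""
    m_from = _FROM_RE.match(value)
    m_by = _BY_RE.search(value)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_info": m_from.group(2) if m_from else None,
        "by_host": m_by.group(1) if m_by else None,
    }


def parse_auth_results(value: str) -> dict:
    """Return {method: result} from an Authentication-Results header.

    Clauses are ';'-separated; a leading clause without '=' (the authserv-id)
    is skipped, and comments such as "(sender IP is ...)" are ignored here."""
    results = {}
    for clause in value.split(";"):
        m = re.match(r"\s*([A-Za-z]+)=([A-Za-z]+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def is_bounce(msg: Message) -> bool:
    """A DSN carries an empty envelope sender (Return-Path: <>) and is normally
    marked Auto-Submitted with a MAILER-DAEMON From."""
    return (
        msg.get("Return-Path", "").strip() == "<>"
        or msg.get("Auto-Submitted", "").lower().startswith("auto-replied")
        or msg.get("From", "").upper().startswith("MAILER-DAEMON")
    )


def analyze(header_text: str) -> dict:
    """Chronological hop list (earliest first), the host that injected the
    message, and the recipient side's authentication verdicts."""
    msg = email.message_from_string(header_text)
    # Each MTA prepends its Received header, so the last one is the oldest hop.
    chain = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    first = chain[0] if chain else {}
    auth, sender_ip = {}, None
    for v in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(v))
        m = _SENDER_IP_RE.search(v)
        if m:
            sender_ip = m.group(1)
    return {
        "bounce": is_bounce(msg),
        # A first hop with no "from" clause means this host generated the mail.
        "generated_by": first.get("by_host") if first and first["from_host"] is None else None,
        "first_from": first.get("from_host"),
        "chain": chain,
        "auth": auth,
        "sender_ip_seen_by_recipient": sender_ip,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADER)
    for n, hop in enumerate(report["chain"], 1):
        print(f"{n}. from={hop['from_host']} ({hop['from_info']}) by={hop['by_host']}")
    print("bounce:", report["bounce"], "generated by:", report["generated_by"])
    print("auth:", report["auth"], "last external IP:", report["sender_ip_seen_by_recipient"])
```

The Authentication-Results line is the receiving side's verdict on this bounce itself (spf=none for the relay mout-bounce.kundenserver.de, dmarc=fail on header.from=le.fqdn), which is why Outlook quarantined it; it says nothing about who sent the message that the bounce is answering.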