Linux

Detecting malicious scripts used to send mail

  • March 16, 2017

My server was recently used as an open relay and a large amount of spam was sent through it. I have since stopped that, but my mail log has grown enormously with log entries of this kind.

Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: lost connection with mx1.hotmail.com[65.55.92.168] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: host mx3.hotmail.com[65.55.92.152] said: 421 RP-001 (SNT0-MC2-F19) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command)
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: lost connection with mx3.hotmail.com[65.55.92.152] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host a.mx.mail.yahoo.com[67.195.168.31] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtpd[11929]: 6E6221641F2: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <make30000000@yahoo.com.tw>: Relay access denied; from=<wowaish@gmail.com> to=<make30000000@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host c.mx.mail.yahoo.com[98.139.175.225] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: to=<leebosser@msn.com>, relay=mx4.hotmail.com[65.55.92.136]:25, delay=44, delays=44/0.04/0.26/0.04, dsn=4.0.0, status=deferred (host mx4.hotmail.com[65.55.92.136] said: 421 RP-001 (SNT0-MC1-F17) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host k.mx.mail.yahoo.com[98.139.54.60] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: to=<yuejane81@hotmail.com>, relay=mx4.hotmail.com[65.54.188.126]:25, delay=44, delays=44/0.04/0.31/0.06, dsn=4.0.0, status=deferred (host mx4.hotmail.com[65.54.188.126] said: 421 RP-001 (BAY0-MC4-F28) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Aug 20 07:00:29 veepiz postfix/smtpd[4410]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <swsead@yahoo.com.tw>: Relay access denied; from=<sdlhjjluct@googlegroups.com> to=<swsead@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtpd[11903]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <stanley890143@yahoo.com.tw>: Relay access denied; from=<xlywm@yahoogroups.com> to=<stanley890143@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<alishatp@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<harleywsx@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<jujenwang@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<lace10200520@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<wu6428g@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtpd[4063]: 3B9AA1641EC: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <iuiu0452@yahoo.com.tw>: Relay access denied; from=<upqaxexwgcorm@googlegroups.com> to=<iuiu0452@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtpd[7964]: connect from unknown[89.207.68.10]
Aug 20 07:00:29 veepiz postfix/smtpd[5382]: NOQUEUE: reject: RCPT from 203-114-141-105.mu.eth.dyn.inspire.net.nz[203.114.141.105]: 554 5.7.1 <u8811086@yahoo.com.tw>: Relay access denied; from=<jutdtpibfavs@yahoo.com.tw> to=<u8811086@yahoo.com.tw> proto=SMTP helo=<203-114-141-105.mu.eth.dyn.inspire.net.nz>
Aug 20 07:00:29 veepiz postfix/smtpd[4041]: connect from unknown[221.132.37.55]

#qshape incoming active deferred

                         T   5  10  20   40   80 160 320 640 1280 1280+
                TOTAL 8899 511 402 646 2569 4771   0   0   0    0     0
          hotmail.com 7838 376 325 530 2217 4390   0   0   0    0     0
              msn.com  839  31  77 109  301  321   0   0   0    0     0
            yahoo.com   78  16   0   3   27   32   0   0   0    0     0
            gmail.com   65  65   0   0    0    0   0   0   0    0     0
             kimo.com   41  12   0   3   16   10   0   0   0    0     0
         yahoo.com.tw   15   9   0   0    1    5   0   0   0    0     0
             live.com    4   0   0   0    3    1   0   0   0    0     0
             citi.com    1   0   0   1    0    0   0   0   0    0     0
             dfsd.com    1   0   0   0    0    1   0   0   0    0     0
             benq.com    1   0   0   0    0    1   0   0   0    0     0
             kim0.com    1   0   0   0    1    0   0   0   0    0     0
             kiom.com    1   1   0   0    0    0   0   0   0    0     0
             1111.com    1   0   0   0    0    1   0   0   0    0     0
             test.com    1   0   0   0    0    1   0   0   0    0     0
            kitty.com    1   0   0   0    0    1   0   0   0    0     0
            hanam.com    1   0   0   0    1    0   0   0   0    0     0
           pchome.com    1   0   0   0    1    0   0   0   0    0     0
           hotmal.com    1   1   0   0    0    0   0   0   0    0     0
          sinopac.com    1   0   0   0    0    1   0   0   0    0     0
          hopnail.com    1   0   0   0    0    1   0   0   0    0     0
          hoymail.com    1   0   0   0    0    1   0   0   0    0     0
         sinamail.com    1   0   0   0    0    1   0   0   0    0     0
         hiotmail.com    1   0   0   0    1    0   0   0   0    0     0
         hotmaill.com    1   0   0   0    0    1   0   0   0    0     0
         xasamail.com    1   0   0   0    0    1   0   0   0    0     0
       twn.dupont.com    1   0   0   0    0    1   0   0   0    0     0

I still cannot send or receive mail. I have secured my contact form and tried blocking some of the offending IP addresses. This morning I found new IP addresses.

I also tried http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam but the log file is not being appended to. I am really frustrated and have not found a solution yet. Can someone point out which steps I can take to resolve the problem? Please. Also, my mail queue has grown a lot. What steps should I take to find any malicious scripts on my server? Why is sending mail not working?

Ask me for any logs and I will post them here to try to resolve this.

I am running CentOS, nginx (as a proxy), Varnish, Apache2 for PHP, and Postfix. Thanks.

Sorry, Shane.

But Shane's suggestion is wrong. Now you reject any connection from outside! It must be smtpd_recipient_restrictions = permit_mynetworks, reject

The previous configuration was not the problem. If you do not set the parameters Shane missed, Postfix sets them implicitly. It is not smtpd_client_restrictions but smtpd_recipient_restrictions, and these have the same effect. I tested the given configuration and there is no open relay.

By the way, the given log does not show any suspicious activity from outside. Only harmless connections and good rejects.

You only see outgoing mail. Where it comes from cannot be told, because you did not show the log of, for example, how the mail with ID DC8BD1641F1 came in.
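An added example (not from the post or its answers) of the trace the answer asks for and the script hunt the question asks for: it groups maillog lines by queue ID to tell whether a message was injected locally through the sendmail interface (a pickup line with a uid, which points at a script run by that user) or accepted over SMTP (an smtpd client= line), and it counts "Relay access denied" rejects per client IP. The pickup, qmgr and smtpd client= lines and uid 48 for the apache user are constructed; the other lines are copied from the log above.

```python
import re
from collections import Counter

# Constructed sample log. The pickup/qmgr/client= lines and uid 48 (the apache
# user on CentOS) are invented; the other lines are copied from the post.
SAMPLE_LOG = """\
Aug 20 06:59:45 veepiz postfix/pickup[1234]: DC8BD1641F1: uid=48 from=<apache>
Aug 20 06:59:45 veepiz postfix/qmgr[1100]: DC8BD1641F1: from=<apache@veepiz>, size=2048, nrcpt=50 (queue active)
Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: lost connection with mx1.hotmail.com[65.55.92.168] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtpd[11929]: 6E6221641F2: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <make30000000@yahoo.com.tw>: Relay access denied; from=<wowaish@gmail.com> to=<make30000000@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtpd[4410]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <swsead@yahoo.com.tw>: Relay access denied; from=<sdlhjjluct@googlegroups.com> to=<swsead@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtpd[11903]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <stanley890143@yahoo.com.tw>: Relay access denied; from=<xlywm@yahoogroups.com> to=<stanley890143@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:01:02 veepiz postfix/smtpd[4042]: 7F1C21641F9: client=unknown[221.132.37.55]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[\d+\]: (.*)$")
QID_RE = re.compile(r"^([0-9A-F]{6,}): (.*)$")   # classic hex-style queue IDs
DENIED_RE = re.compile(r"RCPT from \S+\[([\d.]+)\]: 554 .*Relay access denied")

def parse(log):
    """Yield (daemon, queue_id or None, message) for every postfix line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        daemon, rest = m.groups()
        q = QID_RE.match(rest)
        yield (daemon, q.group(1), q.group(2)) if q else (daemon, None, rest)

def origin_of(log, qid):
    """How queue ID qid entered Postfix: 'local uid=... from=<user>' means a
    local sendmail submission (a web script under that uid), 'network client=...'
    means it was accepted by smtpd from a remote host."""
    for daemon, q, msg in parse(log):
        if q != qid:
            continue
        if daemon == "pickup" and msg.startswith("uid="):
            return "local " + msg
        if daemon == "smtpd" and msg.startswith("client="):
            return "network " + msg
    return "unknown"

def relay_denied_by_client(log):
    """Count 'Relay access denied' rejects per client IP for blocklist triage."""
    counts = Counter()
    for daemon, _q, msg in parse(log):
        m = DENIED_RE.search(msg)
        if daemon == "smtpd" and m:
            counts[m.group(1)] += 1
    return counts
```

Run it over /var/log/maillog instead of SAMPLE_LOG; a "local uid=48" origin for the spam queue IDs tells you to look at scripts run by the web server user rather than at the relay configuration.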

Quoted from: https://serverfault.com/questions/303281