Linux
Spam sent through Postfix without any X-PHP-Originating-Script header
A lot of spam is being sent from my server using real e-mail addresses, which I find odd; usually fake addresses are picked at random. Also, I normally find an X-PHP-Originating-Script header in these e-mails, but in this case there is none. The X-Mailer value is not always the same. Here is what I tried today:
- I ran Linux Malware Detect, ClamScan, ISPP Scan and Rkhunter several times over the whole system, all with negative results.
- I changed the e-mail passwords, the database root password and the ISPConfig admin password; nothing changed.
- Fail2ban is also running and seems to detect and ban the IPs associated with these e-mail sends, but when I look at the logs there are many mentions of IPs that are "already banned", so I'm not 100% sure it is working properly. I sometimes see the same IPs when I run "netstat" on port 25, so I guess they are related, but I don't know what to do about it.
Information about my system: Debian 6, ISPConfig 3, PHP/MySQL hosting server; Postfix + ClamAV + Amavis
Example spam headers:
Received: from MYHOST (localhost.localdomain [127.0.0.1])
    by MYHOST (Postfix) with ESMTP id 68BBA2016422;
    Thu, 23 Nov 2017 14:59:41 -0500 (EST)
Received: from 62.112.5.169 (unknown [175.223.31.212])
    by MYHOST (Postfix) with ESMTP id 9F04D2016473;
    Thu, 23 Nov 2017 14:59:00 -0500 (EST)
From: PayPal Update Center <support662@accounts.net>
Subject: Regarding your information
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.6429
X-Mailer: Microsoft Outlook Express 6.00.2600.6429
Message-ID: <6BE2EBA74C8F3BFC4015DDFA0986CAFC@bk5h6y0SW3h.com>
Content-Type: multipart/mixed; boundary="_NextPart_000_0077_87BE7816.3B325A4E"
Date: Thu, 23 Nov 2017 14:59:00 -0500 (EST)
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
always_bcc = mailarchive@localhost
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = scan:[127.0.0.1]:10025
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = ks4000003.ip-198-245-60.net, localhost, localhost.localdomain
myhostname = ks4000003.ip-198-245-60.net
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_destination_concurrency_limit = 5
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 20
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_error_sleep_time = 0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_whitelist, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_sender_access regexp:/etc/postfix/sender_access.regexp hash:/etc/postfix/sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_client_access cidr:/etc/postfix/internal_clients_filter, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
If I shut down Postfix and look at the Apache logs, I can see things like this:
[Tue Nov 28 08:06:23 2017] [error] [client 168.1.128.35] Directory index forbidden by Options directive: /var/www/apps/
[Tue Nov 28 08:56:30 2017] [error] [client 66.249.64.210] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:06:10 2017] [error] [client 169.53.184.5] Directory index forbidden by Options directive: /var/www/apps/
[Tue Nov 28 09:11:25 2017] [error] [client 66.249.64.31] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:11:25 2017] [error] [client 66.249.64.4] File does not exist: /var/www/.well-known
[Tue Nov 28 09:44:14 2017] [error] [client 66.249.64.26] File does not exist: /var/www/robots.txt
[Tue Nov 28 09:44:14 2017] [error] [client 66.249.64.26] File does not exist: /var/www/.well-known
[Tue Nov 28 09:45:13 2017] [error] [client 66.249.64.26] File does not exist: /var/www/.well-known
[Tue Nov 28 09:52:50 2017] [error] [client 172.104.115.143] File does not exist: /var/www/favicon.ico
[Tue Nov 28 10:00:13 2017] [error] [client 212.83.150.38] File does not exist: /var/www/a2billing
[Tue Nov 28 10:01:25 2017] [error] [client 212.83.150.38] File does not exist: /var/www/a2billing
[Tue Nov 28 10:07:28 2017] [error] [client 139.162.87.250] Directory index forbidden by Options directive: /var/www/apps/
What I find strange is that random IPs are trying to access /var/www/apps and so on, since these are not directories that are normally reachable.
Here is an example of the path the suspicious script uses to send spam:
Nov 30 09:44:10 ks4000003 postfix/smtpd[5035]: warning: hostname 201-46-61-66.wireless.dynamic.sbr1.ce.faster.net.br does not resolve to address 201.46.61.66: Name or service not known
Nov 30 09:44:10 ks4000003 postfix/smtpd[5035]: connect from unknown[201.46.61.66]
Nov 30 09:44:14 ks4000003 postfix/smtpd[5035]: Anonymous TLS connection established from unknown[201.46.61.66]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 30 09:44:18 ks4000003 postfix/smtpd[5035]: warning: unknown[201.46.61.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 30 09:44:20 ks4000003 postfix/smtpd[5035]: warning: unknown[201.46.61.66]: SASL PLAIN authentication failed:
Nov 30 09:44:21 ks4000003 postfix/smtpd[5035]: NOQUEUE: reject: RCPT from unknown[201.46.61.66]: 554 5.7.1 <sundberg.randy@yahoo.com>: Recipient address rejected: Access denied; from=<info@guylabbe.ca> to=<sundberg.randy@yahoo.com> proto=ESMTP helo=<[201.46.61.66]>
Nov 30 09:44:21 ks4000003 postfix/smtpd[5035]: disconnect from unknown[201.46.61.66]
Any help would be greatly appreciated, as I'm getting quite desperate about this. I must be missing something simple.
"I normally find an X-PHP-Originating-Script header in these e-mails"
That happens when the mail is sent from a vulnerable PHP script, as it was before. This message, however, does not appear to originate from your server at all; it is using your server as a relay.
Received: from 62.112.5.169 (unknown [175.223.31.212]) by MYHOST (Postfix) with ESMTP id 9F04D2016473; Thu, 23 Nov 2017 14:59:00 -0500 (EST)
Here, 62.112.5.169 is a bogus HELO hostname, and the mail was actually sent from 175.223.28.0/22, which belongs to Korea Telecom. It is hard to tell from your configuration what restrictions you actually have, because, for example, your check_client_access gathers data from several sources and formats (regexp, BerkeleyDB and even MySQL). You could, for instance, have a loose regexp that in practice permits mail from these clients, effectively turning your mail server into an open relay. I would start by removing the most complex sources from your configuration. Then I would test each of them separately with postmap -q to make sure they really do what you assume.
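As an added example (my own code, not part of the question or the answer above), the following Python script does offline the two checks the answer walks through: it separates the HELO string from the real connecting address in a Postfix Received header, and it lists which lookup tables in a smtpd_recipient_restrictions value are consulted before reject_unauth_destination, since an OK returned by any of them ends evaluation and lets the client relay. The sample header and restriction list are copied from the question; the function names are my own.

```python
"""Offline helpers for the two observations made in the answer.

Added example, not code from the original thread. Sample inputs below are
copied from the question; all function and constant names are mine.
"""
import ipaddress
import re

# Postfix writes the first Received line as: from HELO (rdns [client-ip])
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# Copied from the spam header quoted in the question
SAMPLE_RECEIVED = (
    "Received: from 62.112.5.169 (unknown [175.223.31.212]) "
    "by MYHOST (Postfix) with ESMTP id 9F04D2016473; "
    "Thu, 23 Nov 2017 14:59:00 -0500 (EST)"
)

# Copied from the postconf -n output quoted in the question
SAMPLE_RECIPIENT_RESTRICTIONS = (
    "permit_mynetworks, permit_sasl_authenticated, "
    "check_client_access hash:/etc/postfix/rbl_whitelist, "
    "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
    "check_sender_access regexp:/etc/postfix/sender_access.regexp "
    "hash:/etc/postfix/sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, "
    "reject_unknown_recipient_domain, reject_unauth_destination, "
    "reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, "
    "reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, "
    "reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, "
    "reject_rbl_client truncate.gbudb.net, permit"
)

# Restrictions whose result comes from an external table and may be OK
TABLE_CHECKS = {"check_client_access", "check_sender_access",
                "check_recipient_access", "check_helo_access"}


def parse_received(header):
    """Return {'helo', 'rdns', 'ip'} from one Received header, or {} if it does not match."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else {}


def helo_is_spoofed_ip(info):
    """True when the HELO is an IP literal that differs from the address Postfix saw.

    The HELO is chosen by the client, the bracketed IP by the server; when they are
    both addresses and disagree, the HELO is not telling the truth about the origin.
    """
    try:
        helo_ip = ipaddress.ip_address(info["helo"].strip("[]"))
    except (KeyError, ValueError):
        return False  # a hostname HELO (or no HELO) is not an IP literal
    return helo_ip != ipaddress.ip_address(info["ip"])


def parse_restriction_list(value):
    """Split a postconf restriction value into [(restriction, [arguments...]), ...]."""
    entries = []
    for item in value.split(","):
        tokens = item.split()
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def audit_restrictions(value):
    """List (position, restriction, table) for every table consulted before
    reject_unauth_destination.

    Postfix stops at the first restriction that answers OK, so any of these
    tables can permit relaying for a client, sender or recipient it matches.
    Tables listed after reject_unauth_destination cannot cause that.
    """
    findings = []
    for pos, (name, args) in enumerate(parse_restriction_list(value)):
        if name == "reject_unauth_destination":
            break
        if name in TABLE_CHECKS:
            findings.extend((pos, name, table) for table in args)
    return findings


if __name__ == "__main__":
    info = parse_received(SAMPLE_RECEIVED)
    print("HELO=%(helo)s rDNS=%(rdns)s client=%(ip)s" % info)
    print("HELO is a spoofed IP literal:", helo_is_spoofed_ip(info))
    for pos, name, table in audit_restrictions(SAMPLE_RECIPIENT_RESTRICTIONS):
        print("table consulted before reject_unauth_destination: #%d %s %s" % (pos, name, table))
```

Feed the script the live value from `postconf -h smtpd_recipient_restrictions`; for every table it reports, `postmap -q <key> <type:table>` (hash, regexp and mysql tables all accept it) shows what a given client address, sender or recipient resolves to, which is the check the answer recommends.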