Linux

Tracking down spam

  • October 25, 2014

How do I find the source of spam on a Linux server?

   tail -f /var/log/exim_mainlog
2014-10-24 15:02:37 [28750] 1Xhl4A-0007Te-9C Completed QT=7s
2014-10-24 15:02:37 [28746] SMTP connection from gif2g4xf.gdp3.eu (00004e91.gdp3.eu) [107.6.36.81]:50136 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:02:48 [20360] SMTP connection from [62.75.238.56]:4000 I=[MY.IP]:25 (TCP/IP connection count = 1)
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (7.7)"
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= burin@veraepsilon.com H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 P=esmtp S=7205 M8S=8 id=3189815@pzqcy.veraepsilon.com T="Do not drink soda again" from <burin@veraepsilon.com> for me@me.com
2014-10-24 15:02:57 [28756] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4S-0007Tn-IR
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR => /dev/null <me@me.com> F=<burin@veraepsilon.com> R=central_filter T=**bypassed** S=0 QT=9s DT=0s
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR Completed QT=9s
2014-10-24 15:02:57 [28755] SMTP connection from static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:03:09 [20360] SMTP connection from [67.216.227.212]:24536 I=[MY.IP]:25 (TCP/IP connection count = 1)
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as NOT spam (-2.9)"
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk <= bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 P=esmtp S=12162 M8S=0 id=23.E1.41333.B0A6A445@dc4mta03 T="Order your custom daily planners today!" from <bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> for me@me.com
2014-10-24 15:03:22 [28772] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4n-0007Ts-Lk
2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk => my <me@me.com> F=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> P=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> R=virtual_user T=virtual_userdelivery S=12347 QT=13s DT=0s
2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk Completed QT=13s
2014-10-24 15:03:23 [20360] SMTP connection from [212.129.52.85]:59165 I=[MY.IP]:25 (TCP/IP connection count = 2)
2014-10-24 15:03:28 [28760] SMTP connection from smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (13.2)"
2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee <= orbit@alliedunrolls.com H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 P=esmtp S=6378 M8S=8 id=9132058734131735379@vpu.alliedunrolls.com T="One day for perfect vision" from <orbit@alliedunrolls.com> for me@me.com
2014-10-24 15:03:31 [28778] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl52-0007U9-Ee
2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee => /dev/null <me@me.com> F=<orbit@alliedunrolls.com> R=central_filter T=**bypassed** S=0 QT=7s DT=0s
2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee Completed QT=7s
2014-10-24 15:03:31 [28777] SMTP connection from 212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 closed by QUIT

I also added the following to my php.ini file

mail.add_x_header = On 
mail.log = /var/log/phpmail.log 

But the log is empty.

I also ran

find / -type f -name "*.php*" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log 

I also added the following to Exim:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

It sounds like your system has been sending spam but isn't sending any right now (at the moment you look at it). You've already located the log file, /var/log/exim_mainlog, so what's left is to run a program over all of the logs to see what has been happening.

Exim comes with a log-analysis program called eximstats. It will analyse as many files as you tell it to and output the results as HTML. Assuming you're running Apache on that server and the Apache document root is /var/www/html, I'd probably produce one web page per weekly log file (assuming your logrotate is configured to rotate them weekly) and then one big summary. This should do the trick:

mkdir /var/www/html/exim/
cd /var/log
# One HTML report per (current or rotated) main log
for J in exim_mainlog*; do
 eximstats -h1 -html="/var/www/html/exim/$J.html" "$J"
done
cd /var/www/html/exim/
# Now merge the weekly results into one big summary
eximstats -merge exim_mainlog*.html > summary.html

The last thing is to make sure Apache has **+Indexes** set for that directory, so that it lists the files in the directory instead of looking for an index.html. You may need to add a **.htaccess** file to set that for the directory.
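As an added example (not part of the question or the answer above), a small Python script that does the triage this thread is after: it reads Exim main-log lines, ties each `<=` arrival to the delivering host and the SpamAssassin score logged for the same message id, and, for mail submitted locally, to the `cwd=` line Exim writes for the same pid once `+arguments` is in `log_selector`. The sample log is constructed: the inbound lines are shortened copies of the lines quoted in the question, while the `/usr/sbin/sendmail` lines from user `www-data` are invented to show what a spam-sending web script looks like; the paths, addresses and IPs in those lines are placeholders.

```python
"""Summarise an Exim main log: which remote hosts delivered spam and which
local directory/user injected mail via sendmail (the usual fingerprint of a
spam-sending web script). Added example, not code from the original post."""
import re
from collections import Counter

# Constructed sample. Inbound lines are shortened from the question; the
# pid 30111/30112 lines are invented: with "+arguments" in log_selector Exim
# logs "cwd=<dir> N args: <command>" for every invocation, including a PHP
# mail() call that runs /usr/sbin/sendmail from the script's directory.
SAMPLE_LOG = """\
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (7.7)"
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= burin@veraepsilon.com H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 P=esmtp S=7205 T="Do not drink soda again" for me@me.com
2014-10-24 15:02:57 [28756] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4S-0007Tn-IR
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as NOT spam (-2.9)"
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk <= bounce@returnpath.bluehornet.com H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 P=esmtp S=12162 T="Order your custom daily planners today!" for me@me.com
2014-10-24 15:04:59 [30111] cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-24 15:04:59 [30111] 1XhlGH-0007sQ-Zz <= www-data@example.com U=www-data P=local S=2048 T="Cheap meds" for victim1@example.net
2014-10-24 15:05:00 [30115] 1XhlGH-0007sQ-Zz => victim1@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]
2014-10-24 15:05:03 [30112] cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-24 15:05:03 [30112] 1XhlGL-0007sT-Ab <= www-data@example.com U=www-data P=local S=2048 T="Cheap meds" for victim2@example.net
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] (?P<rest>.*)$')
CWD_RE = re.compile(r'^cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
MSGID = r'(?P<msgid>\S{6}-\S{6}-\S{2})'
ARRIVAL_RE = re.compile('^' + MSGID + r' <= (?P<sender>\S+) (?P<rest>.*)$')
SA_RE = re.compile('^' + MSGID + r' .*Warning: "SpamAssassin .*detected message as '
                   r'(?P<verdict>spam|NOT spam) \((?P<score>-?\d+(?:\.\d+)?)\)')
HOST_RE = re.compile(r'H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]')
SUBJECT_RE = re.compile(r' T="((?:[^"\\]|\\.)*)"')   # Exim escapes " in subjects as \"


def _field(rest, key):
    """Value of a 'key=value' token such as U=www-data or P=local."""
    m = re.search(r'(?:^| )' + re.escape(key) + r'=(\S+)', rest)
    return m.group(1) if m else None


def analyse(log_text):
    """Return {message id: info} for every message that arrived (a '<=' line).

    Remote messages carry the delivering host/IP and the SpamAssassin score
    Exim logged on the same message id. Local submissions are tied to the
    'cwd=' line logged by the same pid just before the '<=' line, which names
    the directory the sending program (e.g. a PHP script) ran from.
    """
    last_cwd = {}     # pid -> (cwd, command line) from the latest cwd= line
    messages = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, rest = m['pid'], m['rest']
        c = CWD_RE.match(rest)
        if c:
            last_cwd[pid] = (c['cwd'], c['args'])
            continue
        a = ARRIVAL_RE.match(rest)
        if a:
            info = messages.setdefault(a['msgid'], {})
            sub = SUBJECT_RE.search(a['rest'])
            parts = a['rest'].rsplit(' for ', 1)      # recipients follow the last ' for '
            info.update(ts=m['ts'], sender=a['sender'],
                        subject=sub.group(1) if sub else None,
                        recipients=parts[1].split() if len(parts) == 2 else [])
            h = HOST_RE.search(a['rest'])
            if h:
                info.update(origin='remote', host=h['host'], ip=h['ip'])
            else:
                cwd, args = last_cwd.pop(pid, (None, None))  # pop: never reuse for another pid
                info.update(origin='local', local_user=_field(a['rest'], 'U'),
                            cwd=cwd, args=args)
            continue
        s = SA_RE.match(rest)
        if s:
            messages.setdefault(s['msgid'], {})['sa_score'] = float(s['score'])
        # '=>' deliveries, 'Completed' and connection lines are not needed here
    return messages


def local_submission_sources(messages):
    """(cwd, local user) -> number of messages injected from there."""
    return Counter((i['cwd'], i['local_user'])
                   for i in messages.values() if i.get('origin') == 'local')


def remote_spam_sources(messages, threshold=5.0):
    """Delivering IP -> inbound messages SpamAssassin scored at or above threshold."""
    return Counter(i['ip'] for i in messages.values()
                   if i.get('origin') == 'remote' and i.get('sa_score', 0.0) >= threshold)


def report(messages):
    lines = ['Local submissions by (user, directory):']
    for (cwd, user), n in local_submission_sources(messages).most_common():
        lines.append(f'  {n:4d}  {user}  {cwd}')
    lines.append('Inbound spam by delivering IP (SpamAssassin score >= 5.0):')
    for ip, n in remote_spam_sources(messages).most_common():
        lines.append(f'  {n:4d}  {ip}')
    return lines


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:          # e.g. /var/log/exim_mainlog, or '-' for stdin (zcat old logs)
        text = sys.stdin.read() if sys.argv[1] == '-' else open(sys.argv[1]).read()
    else:
        text = SAMPLE_LOG
    print('\n'.join(report(analyse(text))))
```

Run it on the live file (`python3 exim_spam_sources.py /var/log/exim_mainlog`) or on rotated, compressed logs with `zcat /var/log/exim_mainlog-*.gz | python3 exim_spam_sources.py -` (the file name is assumed). Note that every message in the question's excerpt is an inbound delivery (`H=` is a remote host) that SpamAssassin tagged and the central filter discarded to /dev/null; mail that a script on the box itself sends shows up instead as `<=` lines with `U=<user> P=local` and a matching `cwd=` line, which is exactly what the `+arguments` selector added to the Exim config makes visible.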

Source: https://serverfault.com/questions/639515