如何將後綴設置為僅忽略發給不存在使用者的郵件
我收到了大量針對隨機使用者名的垃圾郵件嘗試。我知道這在某種程度上發生在所有郵件伺服器上,但是在過去的兩周里,由於郵件日誌文件的大小,我的 VPS 的磁碟分配被填滿了!一周的日誌差不多有7GB,其他的小一些但不正常。我是閱讀日誌的新手,但這裡有一個隨機選擇的小片段:
Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 05DEA31470BF: from=<glenda_fitzgerald@l4jp.com>, size=1165, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 05DEA31470BF: to=<smith88@yahoo.com>, relay=none, delay=358802, delays=358802/0.07/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00B053186BAE: from=<minnie_duncan@l4jp.com>, size=1123, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 00DAD31454C1: to=<ginger_walton@l4jp.com>, relay=local, delay=391867, delays=391867/0.13/0/0.02, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "ginger_walton") Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[26812]: 0099B3136B26: to=<aziz.toska@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.204.27]:25, delay=107076, delays=107075/0/0.39/0.68, dsn=4.7.1, status=SOFTBOUNCE (host gmail-smtp-in.l.google.com[74.125.204.27] said: 550-5.7.1 [27.112.107.68 1] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. q189si11097060pfq.189 - gsmtp (in reply to end of DATA command)) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00ECD3169334: from=<lauren_christensen@l4jp.com>, size=1106, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00ECD3169334: to=<judelaws67@yahoo.com>, relay=none, delay=246340, delays=246340/0.02/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0231E3138414: from=<david_moon@l4jp.com>, size=1560, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0231E3138414: to=<colbypeoples44@yahoo.com>, relay=none, delay=14482, delays=14482/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.34] while sending RCPT TO) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 062593144D72: from=<>, size=3463, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 08A1D31498F3: from=<>, size=3045, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 062593144D72: to=<isabel_miles@l4jp.com>, relay=local, delay=396966, delays=396966/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "isabel_miles") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0D692313F1DA: from=<>, size=3078, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 00EA0313F88E: from=<>, size=3464, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 08A1D31498F3: to=<bridget_harrison@l4jp.com>, relay=local, delay=321787, delays=321787/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "bridget_harrison") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0F2A33147B48: from=<>, size=3657, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 0D692313F1DA: to=<freda_gordon@l4jp.com>, relay=local, delay=430240, delays=430240/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "freda_gordon") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 046C83133878: from=<shelley_garcia@l4jp.com>, size=1180, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 00EA0313F88E: to=<amelia_hanson@l4jp.com>, relay=local, delay=425180, delays=425180/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "amelia_hanson") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 035633144D87: from=<>, size=3087, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 019673137E30: from=<marguerite_lee@l4jp.com>, size=1161, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 0F2A33147B48: to=<della_wright@l4jp.com>, relay=local, delay=347073, delays=347073/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "della_wright") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 01F593146A8D: from=<>, size=3579, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 035633144D87: to=<kelley_strickland@l4jp.com>, relay=local, delay=396952, delays=396952/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "kelley_strickland") Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[27074]: 0423D31361AE: to=<ka-abdel@hotmail.fr>, relay=mx3.hotmail.com[65.55.37.72]:25, delay=33557, delays=33557/0.01/0.38/0.12, dsn=4.0.0, status=SOFTBOUNCE (host mx3.hotmail.com[65.55.37.72] said: 550 SC-002 (COL004-MC1F20) Unfortunately, messages from 27.112.107.68 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command)) Sep 11 03:53:16 vps-1011517-5697 postfix/smtp[27074]: 0423D31361AE: lost connection with mx3.hotmail.com[65.55.37.72] while sending RCPT TO Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 078CF312D56D: from=<>, size=3751, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27247]: 01F593146A8D: to=<eva_morrison@l4jp.com>, relay=local, delay=371261, delays=371261/0.02/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "eva_morrison") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 0CB143130F4A: from=<>, size=3022, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27248]: 078CF312D56D: to=<gwen_mendoza@l4jp.com>, relay=local, delay=321700, delays=321700/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "gwen_mendoza") Sep 11 03:53:16 vps-1011517-5697 postfix/qmgr[31514]: 02A0C31284D7: from=<>, size=3032, nrcpt=1 (queue active) Sep 11 03:53:16 vps-1011517-5697 postfix/local[27246]: 0CB143130F4A: to=<marcia_harvey@l4jp.com>, relay=local, delay=242903, delays=242903/0.01/0/0, dsn=4.1.1, status=SOFTBOUNCE (unknown user: "marcia_harvey")
三個沉思:
- 我對“SOFTBOUNCE”的理解不適合這種情況——無效的使用者名應該是硬退回,對吧?無論如何,我寧願根本沒有任何反彈,因為這既浪費資源又給垃圾郵件發送者太多資訊。
- 我不明白來自 Google 伺服器的投訴文本 - 句子中似乎隨機插入了數字“500-5.7.1”。但我認為如果有足夠多的這些傳出的反彈,它們本身就可以被解釋為垃圾郵件,對吧?
- 來自 French Hotmail 的關於阻止列表的投訴可能是由我的伺服器或其他人的伺服器引起的;對 107 個黑名單的檢查僅在其中兩個上報告了我的 IP,所以我認為我的網站上沒有真正的垃圾郵件生成器或類似的東西。
無論如何,我在域上只有一個有效的使用者名,所以是否可以配置 postfix 以簡單地將任何郵件嘗試丟棄到任何其他使用者名?如果沒有發送退回郵件,甚至沒有在日誌文件中輸入任何內容,我會很高興,因為正如我所說,日誌文件本身正在填滿。或者,如果有更好的方法來處理這種攻擊,我會全神貫注。
**編輯#1:**為了回應關於連接/斷開連接條目的評論,我搜尋了第一次出現的“連接”(周圍有空格 - 否則我得到所有“失去的連接”條目),然後grepped後續引用同一個郵件伺服器。這是其中的第一個序列,發生在兩秒內,因此可能與同一電子郵件嘗試有關:
Sep 11 03:53:25 vps-1011517-5697 postfix/smtpd[20505]: connect from simcoe209srvr.owm.bell.net[184.150.200.209] Sep 11 03:53:25 vps-1011517-5697 postfix/smtpd[20505]: setting up TLS connection from simcoe209srvr.owm.bell.net[184.150.200.209] Sep 11 03:53:26 vps-1011517-5697 postfix/smtpd[20505]: TLS connection established from simcoe209srvr.owm.bell.net[184.150.200.209]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bi ts) Sep 11 03:53:26 vps-1011517-5697 postfix/smtpd[20505]: NOQUEUE: reject: RCPT from simcoe209srvr.owm.bell.net[184.150.200.209]: 450 4.1.1 <louise_bryant@l4jp.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<louise_bryant@l4jp.com> proto=ESMTP helo=<torfep04.bell.net> Sep 11 03:53:27 vps-1011517-5697 postfix/smtpd[20505]: disconnect from simcoe209srvr.owm.bell.net[184.150.200.209]
這些不是日誌中的連續條目;在相同的兩秒鐘內有大量不相關的條目。但是,如果您要我在其中搜尋相關的內容,請告訴我要查找的內容。
**編輯#2:**作為對 JennyD 的回應,這是我的 /etc/postfix/main.cf (當然刪除了評論):
soft_bounce = yes queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_owner = postfix myhostname = l4jp.com mydomain = l4jp.com mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain unknown_local_recipient_reject_code = 550 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.3.3/samples readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES # THE FOLLOWING IS FROM: http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_tls_security_level = may smtpd_tls_key_file = /etc/ssl/smtpd.key smtpd_tls_cert_file = /etc/ssl/smtpd.crt smtpd_tls_auth_only = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes #My settings for virtual mailbox domains (which I don't think I actually use for anything) virtual_mailbox_domains = /etc/postfix/vhosts.txt virtual_mailbox_base = /var/spool/vmail virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt virtual_minimum_uid = 100 virtual_uid_maps = static:101 virtual_gid_maps = static:101 message_size_limit = 30720000
編輯#3: Dom 推薦 softbounce=no。我在進行更改之前和之後發送了一封測試電子郵件 - 以下是相關的日誌條目(發件人地址已清理):
Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: connect from gateway21.websitewelcome.com[192.185.45.43] Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: setting up TLS connection from gateway21.websitewelcome.com[192.185.45.43] Sep 12 20:38:39 vps-1011517-5697 postfix/smtpd[5343]: TLS connection established from gateway21.websitewelcome.com[192.185.45.43]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) Sep 12 20:38:40 vps-1011517-5697 postfix/smtpd[5343]: NOQUEUE: reject: RCPT from gateway21.websitewelcome.com[192.185.45.43]: 450 4.1.1 <testing@l4jp.com>: Recipient address rejected: User unknown in local recipient table; from=<myotheremail@otherdomain.com> to=<testing@l4jp.com> proto=ESMTP helo=<gateway21.websitewelcome.com> Sep 12 20:38:40 vps-1011517-5697 postfix/smtpd[5343]: disconnect from gateway21.websitewelcome.com[192.185.45.43] Sep 12 20:43:06 vps-1011517-5697 postfix/smtpd[6400]: connect from gateway23.websitewelcome.com[192.185.50.119] Sep 12 20:43:06 vps-1011517-5697 postfix/smtpd[6400]: setting up TLS connection from gateway23.websitewelcome.com[192.185.50.119] Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: TLS connection established from gateway23.websitewelcome.com[192.185.50.119]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: NOQUEUE: reject: RCPT from gateway23.websitewelcome.com[192.185.50.119]: 550 5.1.1 <testing@l4jp.com>: Recipient address rejected: User unknown in local recipient table; from=<myotheremail@otherdomain.com> to=<testing@l4jp.com> proto=ESMTP helo=<gateway23.websitewelcome.com> Sep 12 20:43:07 vps-1011517-5697 postfix/smtpd[6400]: disconnect from gateway23.websitewelcome.com[192.185.50.119]
在這兩種情況下都有五個條目 - 日誌中的唯一區別是錯誤程式碼(如預期的那樣)。但是在更改之後,我收到了一條實際退回郵件到我發送測試的地址。發送給垃圾郵件發送者不是一件壞事嗎?
**編輯#4:**響應 masegaloeh 的評論,要求提供與同一消息隊列 ID 相關的所有條目。他作為範例給出的 ID 來自我關閉 soft_bounce 之前的原始文件,但我懷疑沒有 soft_bounce 的 ID 更有用,所以這裡是一個最近的隨機範例:
[root](10:27:06)[~]$ grep E6CBF312663B /var/log/maillog Sep 15 10:26:11 vps-1011517-5697 postfix/cleanup[10347]: E6CBF312663B: message-id=<20160915012611.E6CBF312663B@l4jp.com> Sep 15 10:26:11 vps-1011517-5697 postfix/bounce[10292]: 47A8E3126F85: sender non-delivery notification: E6CBF312663B Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: E6CBF312663B: from=<>, size=3801, nrcpt=1 (queue active) Sep 15 10:26:11 vps-1011517-5697 postfix/local[10477]: E6CBF312663B: to=<eula_mcdonald@l4jp.com>, relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced (unknown user: "eula_mcdonald") Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: E6CBF312663B: removed
目前的日誌文件僅用了大約 2.5 天就增長到了 1.2GB。我無法承受這樣的速度……
**編輯#5:**接下來,masegaloeh 要求這樣做:
[root](09:03:50)[/var/log]$ grep 47A8E3126F85 maillog Sep 15 10:26:10 vps-1011517-5697 postfix/pickup[10444]: 47A8E3126F85: uid=500 from=<eula_mcdonald@l4jp.com> Sep 15 10:26:10 vps-1011517-5697 postfix/cleanup[10347]: 47A8E3126F85: message-id=<7adc4f0bc266b560e0ec0521654f81b8@l4jp.com> Sep 15 10:26:10 vps-1011517-5697 postfix/qmgr[8701]: 47A8E3126F85: from=<eula_mcdonald@l4jp.com>, size=1153, nrcpt=1 (queue active) Sep 15 10:26:11 vps-1011517-5697 postfix/smtp[9981]: 47A8E3126F85: to=<nashvilleguy717@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.189.27]:25, delay=1.7, delays=0.02/0.39/0.51/0.75, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[64.233.189.27] said: 550-5.7.1 [27.112.107.68 1] Our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. n130si231260oig.169 - gsmtp (in reply to end of DATA command)) Sep 15 10:26:11 vps-1011517-5697 postfix/bounce[10292]: 47A8E3126F85: sender non-delivery notification: E6CBF312663B Sep 15 10:26:11 vps-1011517-5697 postfix/qmgr[8701]: 47A8E3126F85: removed
**編輯#6:**在採取邁克爾漢普頓建議的行動之後,我再次查看了日誌的尾部。“接受投遞”這句話引起了我的注意,因為我沒有發送或接收任何真正的郵件 - 這是與我注意到的那個相關的系列:
[root](15:01:16)[/var/log]$ grep 638BD3122039 maillog Sep 17 14:59:34 vps-1011517-5697 postfix/pickup[8959]: 638BD3122039: uid=500 from=<juanita_ellis@l4jp.com> Sep 17 14:59:34 vps-1011517-5697 postfix/cleanup[9099]: 638BD3122039: message-id=<106604bcf476c97586ba8590c7db683e@l4jp.com> Sep 17 14:59:34 vps-1011517-5697 postfix/qmgr[7492]: 638BD3122039: from=<juanita_ellis@l4jp.com>, size=1185, nrcpt=1 (queue active) Sep 17 14:59:38 vps-1011517-5697 postfix/smtp[9109]: 638BD3122039: to=<john.timmermans@philips.com>, relay=gw-eur1.smtp.philips.com[212.159.218.9]:25, delay=3.6, delays=0.07/0.01/1.6/2, dsn=2.0.0, status=sent (250 2.0.0 kVzb1t0041UaJoz01VzcmY mail accepted for delivery) Sep 17 14:59:38 vps-1011517-5697 postfix/qmgr[7492]: 638BD3122039: removed
當然這裡沒有 juanita_ellis。什麼可能導致該消息被發送?我真的發送垃圾郵件???
我沒有
mynetworks =
在您的 Postfix 配置中看到指定main.cf
。如果未指定,則與您位於同一本地網路的任何人都可以通過您的伺服器中繼郵件而無需身份驗證,從而使您的郵件伺服器至少在某種程度上是開放的中繼。如果您的系統有一個全球 IP 地址,例如因為您託管在某種 VPS 提供商(如 Digital Ocean)中,那麼它就會受到附近機器的攻擊,這些機器託管在同一提供商處。
這應該立即修復。
將其鎖定以便只有本地主機可以通過伺服器發送未經身份驗證的郵件:
mynetworks = 127.0.0.0/8 [::1]/128
另外,考慮刪除伺服器上所有排隊的郵件(垃圾郵件!),這樣 Postfix 就不會嘗試重新發送它。
查看隊列,
mailq
如果您沒有看到任何合法的內容,請使用 刪除所有內容postsuper -d ALL
。您的最後一次編輯清楚地表明您系統上的本地程序正在生成郵件。該程序以 uid 500 執行,這很可能是您的帳戶。所以看起來你已經被妥協了。從軌道上用核彈發射它;這是唯一確定的方法。