Ubuntu

了解 exim4 傳出消息日誌。我是垃圾郵件發送者嗎?

  • March 9, 2016

今天我的郵箱收到了很多垃圾郵件,我查看了 exim4 日誌,發現了一些可疑活動。

我想了解這種攻擊的伺服器性,如果我收到垃圾郵件,我可以刪除它們並添加一些規則,但是我想確定我不是垃圾郵件發送者。

我閱讀了許多這樣的日誌:

 2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= info@mydomain.com H=([127.0.0.1]) [129.137.152.170] P=esmtpa A=plain: S=1298 id=E10ADF97.F4977D1149D4C689@mydomain.com
 2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection
 2016-03-09 08:16:57 1adXzZ-0007sb-Pz => kamikaze_****@hotmail.co.uk R=dnslookup T=remote_smtp H=mx3.hotmail.com [207.46.8.167] X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 CV=no DN="CN=*.hotmail.com" C="250  <E10ADF97.F4977D1149D4C689@mydomain.com> Queued mail for delivery"
 2016-03-09 08:16:57 1adXzZ-0007sb-Pz Completed

請考慮:

  • kamikaze_****@hotmail.co.uk(我添加了一些星號以保護隱私)不是已知的收件人,這不是我伺服器中的郵箱。
  • Realy 應該只允許經過身份驗證的使用者,在這裡我沒有找到任何身份驗證資訊。
  • 在日誌中有一個 250 和“已完成”,所以似乎沒有引發錯誤。日誌的符號是“=>”,表示傳出消息…

**所以,我是垃圾郵件發送者?**我的伺服器是否在未經身份驗證的情況下發送郵件?

這是我的配置:

accept_8bitmime
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = accept
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
av_scanner = sophie:/var/run/sophie
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_allow_chars = _
helo_lookup_domains = @ : @[]
host_lookup = *
host_lookup_order = bydns:byaddr
ignore_bounce_errors_after = 2d
no_ignore_fromline_local
keep_malformed = 4d
no_ldap_start_tls
ldap_version = -1
no_local_from_check
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_timeout = 5m
local_sender_retain
log_file_path = /var/log/exim4/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
mysql_servers = localhost/system/exim/mypassw
never_users =
no_perl_at_start
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
prdr_enable
no_preserve_message_logs
primary_hostname = srv1.mydomain.com
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = mydomain.com
qualify_recipient = mydomain.com
queue_list_requires_admin
no_queue_only
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = @[]
rfc1413_query_timeout = 0s
slow_lookup_log = 0
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number Ubuntu $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
no_smtp_return_error_details
spamd_address = 127.0.0.1 783
no_split_spool_directory
spool_directory = /var/spool/exim4
sqlite_lock_timeout = 5
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_processname = exim
syslog_timestamp
tcp_nodelay
timeout_frozen_after = 1w
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_dh_max_bits = 2236
tls_eccurve = prime256v1
tls_on_connect_ports = 465
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
trusted_groups =
trusted_users = uucp
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
write_rejectlog

這是 PLAIN 驗證器:

plain:
driver                          = plaintext
public_name                     = PLAIN
server_advertise_condition      = yes
server_condition                = ${if eq{$3}{${lookup mysql{ SELECT password FROM users WHERE CONCAT(username,'@',domain)='${quote_mysql:$2}' AND smtp>0 }}}{yes}{no}}
server_set_id                   = $2

是的,您正在執行一個開放中繼,並且您的伺服器正被用於發送垃圾郵件。

您應該將配置更改為僅讓經過身份驗證的使用者盡快中繼。也許這個ServerFault 問題會幫助你這樣做。還有很多很好的howtos。

至於H=([127.0.0.1]) [129.137.152.170]: 127.0.0.1 是發件人所說的主機名,而 129.137.152.170 是發件人的實際 IP。

此外,您可能想聯繫發件人 IP 地址的濫用聯繫人並通知他們,他們有惡意活動。

引用自:https://serverfault.com/questions/762562