Ubuntu
Understanding the exim4 outgoing message log. Am I a spammer?
Today my mailbox received a lot of spam. I looked at the exim4 log and found some suspicious activity.
I want to understand the severity of this attack: if I am receiving spam I can delete it and add some rules, but I want to be sure that I am not a spammer.
I read many log entries like this one:
2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= info@mydomain.com H=([127.0.0.1]) [129.137.152.170] P=esmtpa A=plain: S=1298 id=E10ADF97.F4977D1149D4C689@mydomain.com
2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection
2016-03-09 08:16:57 1adXzZ-0007sb-Pz => kamikaze_****@hotmail.co.uk R=dnslookup T=remote_smtp H=mx3.hotmail.com [207.46.8.167] X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 CV=no DN="CN=*.hotmail.com" C="250 <E10ADF97.F4977D1149D4C689@mydomain.com> Queued mail for delivery"
2016-03-09 08:16:57 1adXzZ-0007sb-Pz Completed
Please consider:
- kamikaze_****@hotmail.co.uk (I added some asterisks to protect privacy) is not a known recipient; it is not a mailbox on my server.
- Relay should only be allowed for authenticated users, and here I do not find any authentication information.
- In the log there is a 250 and a "Completed", so it seems no error was raised. The log symbol is "=>", which indicates an outgoing message…
**So, am I a spammer?** Is my server sending mail without authentication?
This is my configuration:
accept_8bitmime
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = accept
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
av_scanner = sophie:/var/run/sophie
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_allow_chars = _
helo_lookup_domains = @ : @[]
host_lookup = *
host_lookup_order = bydns:byaddr
ignore_bounce_errors_after = 2d
no_ignore_fromline_local
keep_malformed = 4d
no_ldap_start_tls
ldap_version = -1
no_local_from_check
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_timeout = 5m
local_sender_retain
log_file_path = /var/log/exim4/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
mysql_servers = localhost/system/exim/mypassw
never_users =
no_perl_at_start
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
prdr_enable
no_preserve_message_logs
primary_hostname = srv1.mydomain.com
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = mydomain.com
qualify_recipient = mydomain.com
queue_list_requires_admin
no_queue_only
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = @[]
rfc1413_query_timeout = 0s
slow_lookup_log = 0
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number Ubuntu $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
no_smtp_return_error_details
spamd_address = 127.0.0.1 783
no_split_spool_directory
spool_directory = /var/spool/exim4
sqlite_lock_timeout = 5
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_processname = exim
syslog_timestamp
tcp_nodelay
timeout_frozen_after = 1w
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_dh_max_bits = 2236
tls_eccurve = prime256v1
tls_on_connect_ports = 465
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
trusted_groups =
trusted_users = uucp
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
write_rejectlog
This is the PLAIN authenticator:
plain:
  driver = plaintext
  public_name = PLAIN
  server_advertise_condition = yes
  server_condition = ${if eq{$3}{${lookup mysql{ SELECT password FROM users WHERE CONCAT(username,'@',domain)='${quote_mysql:$2}' AND smtp>0 }}}{yes}{no}}
  server_set_id = $2
Yes, you are running an open relay, and your server is being used to send spam.
You should change the configuration so that only authenticated users can relay, as soon as possible. Perhaps this ServerFault question will help you do that. There are also plenty of good howtos.
As for H=([127.0.0.1]) [129.137.152.170]: 127.0.0.1 is the hostname the sender claimed, and 129.137.152.170 is the sender's actual IP. Also, you may want to contact the abuse contact for the sender's IP address and notify them that they have malicious activity.