A scammer is using my mail server to send scam emails; is there any way I can stop him?
I am running Exim4 and Dovecot on Debian Stable.
Here is the mail I received:
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from [210.83.81.189] (helo=User)
by server.hotconference.com with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1Mh7A5-0008Lz-Vo; Fri, 28 Aug 2009 15:31:03 -0400
Reply-To: <[email protected]>
From: "Mr. Frank Bell"<[email protected]>
Subject: Western Union Payment Center®
Date: Fri, 28 Aug 2009 12:30:54 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
<DIV>
</DIV>
<DIV>
Attn: Beneficiary,</DIV>
<DIV>
</DIV>
<DIV>
There is an issue with the WESTERN UNION MONEY TRANSFER NIGERIA in the amount of $500.000.00 USD directed in cash credited to file KTU/9023118308/03, at the owner of this email address. The INTERNATIONAL MONETARY FUND contacted us for your compensation a couple of hours ago due to your allocated security code.</DIV>
<DIV>
They said that they choose to send it to an email address instead of a name. We are unable to complete a transfer directed at an email address, so we require some more information in order to complete this transfer.</DIV>
<DIV>
</DIV>
<DIV>
FULL NAME:</DIV>
<DIV>
FULL CONTACT ADDRESS:</DIV>
<DIV>
MOBILE PHONE NUMBER:</DIV>
<DIV>
OCCUPATION:</DIV>
<DIV>
MARITAL STATUS AND AGE:</DIV>
<DIV>
</DIV>
<DIV>
In order to resolve this problem, please email via Western Union Solicitors Fund Verification Department: [email protected]</DIV>
<DIV>
As soon as this information is received, and you have complied with the requirements of our payment of the western union charges which is $420, payment will be made to your nominated bank account or at the counter directly from The Western Union Transferring Bank.</DIV>
<DIV>
Note: That this is directly from the Management of Western Union Money Transfer NIGERIA Head Office and our Motto is (To Serve You Better).</DIV>
<DIV>
Also note that you would be responsible for any payment that is needed for the transfer of your funds into your nominated bank account or at the counter directly from the Western Union Transferring Bank.</DIV>
<DIV>
THE MANAGEMENT OF WESTERN UNION MONEY TRANSFER, DISPATCHED THIS DAY.</DIV>
<DIV>
</DIV>
<DIV>
Call this number for verification +2348032263275</DIV>
<DIV>
Sincerely,</DIV>
<DIV>
Mr. Frank Bell.</DIV>
</FONT>
</BODY></HTML>
And this one:
Return-Path: <>
Delivered-To: [email protected]
Received: (qmail 5451 invoked from network); 14 Sep 2009 13:46:51 -0000
Received: from mx24-g26.free.fr (HELO server.hotconference.com) (212.27.42.86)
by mrelay6-g25.free.fr with SMTP; 14 Sep 2009 13:46:51 -0000
Received: from server.hotconference.com ([12.68.137.174])
by mx2-g20.free.fr (MXproxy) for [email protected] ;
Mon, 14 Sep 2009 15:46:51 +0200 (CEST)
X-ProXaD-SC: state=HAM score=10
Received: from mailnull by server.hotconference.com with local (Exim 4.69)
id 1MnBtK-0001Qr-Le
for [email protected]; Mon, 14 Sep 2009 09:46:50 -0400
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Warning: message 1Mh72E-0007Zk-0r delayed 384 hours
Message-Id: <[email protected]>
Date: Mon, 14 Sep 2009 09:46:50 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.hotconference.com
X-AntiAbuse: Original Domain - free.fr
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 384 hours on the queue on server.hotconference.com.
The message identifier is: 1Mh72E-0007Zk-0r
The subject of the message is: Western Union Payment Center®
The date of the message is: Fri, 28 Aug 2009 12:22:46 -0700
The addresses to which the message has not yet been delivered are:
No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
Answer 1
Unless 210.83.81.189 belongs to you, I don't see any evidence that someone is using your server to send email.
Update: OK, based on your 14 September edit, your server may or may not have been used to send spam. The only way to tell is to look at your outgoing mail queue and your mail logs and see whether there is mail there that should not have been sent.
Answer 2
First, check the logs on the mail server. If the headers were forged, the mail server was not actually the intermediary. The mail logs on the server should tell you where mail was received from and where it was sent to. Be aware, though, that if your system has been hacked, the logs may have been forged or altered.
Second, find a site that can test whether your system is an open relay.
Third, check and double-check that your system is configured to relay mail only for the IPs you have authorized.
Fourth, run a rootkit checker to look for anything abnormal on the system, for example programs such as rkhunter and chkrootkit.
Fifth, look for a tutorial on hardening the mail server software you use and re-check your configuration.
Sixth, look at your router for information about unusual connections on the network and anything else suspicious. If you can break the traffic down by protocol, you will learn what is happening on the network without relying on a system that may have been compromised.
If your system has been compromised, you should strongly consider reinstalling the operating system, because once it has been hacked you cannot be sure that binaries were not replaced to hide other malware. Even the executables used to detect the activity may have been altered (for example, ps hiding specific processes).
Also, if your system was compromised as an open relay, you may already have been blocked by other mail servers and blocklists. You can check some of the open blocklists to see whether your domain is listed.
Answer 3
It looks like you have not been compromised: 210.83.81.189 is sending you an email with a forged Return-Path and Reply-To. The only reason that message went to your mail server is that it was addressed to you.
Check the server logs to see whether the mail server is actually sending scam mail to other machines, then report back.
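All three answers come down to reading the Exim log, so here is an added example (not written by any of the posters) in Python that walks Exim mainlog lines and picks out messages accepted after SMTP AUTH (protocol `esmtpa`, the same token shown in the first message's `Received:` header), which is what submissions through a stolen account password look like, then flags logins submitting from an IP they are not expected to use. The log excerpt, the `webuser` login and the allowed-IP table are constructed for the example.

```python
import re

# Constructed Exim mainlog excerpt (not the asker's real log). Exim records an
# arrival as "<=", the peer as H=(helo) [ip], the protocol as P=..., and for
# authenticated submissions A=<authenticator>:<login>. Deliveries appear as
# "=>" (first recipient) and "->" (further recipients in the same run).
SAMPLE_MAINLOG = """\
2009-08-28 15:31:03 1Mh7A5-0008Lz-Vo <= frank@example.invalid H=(User) [210.83.81.189] P=esmtpa A=plain:webuser S=2140 id=x@User
2009-08-28 15:31:04 1Mh7A5-0008Lz-Vo => a@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]
2009-08-28 15:31:05 1Mh7A5-0008Lz-Vo => b@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]
2009-08-28 15:31:05 1Mh7A5-0008Lz-Vo -> c@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]
2009-08-28 16:02:11 1Mh7fT-0008Qq-Aa <= alice@example.invalid H=(laptop) [198.51.100.7] P=esmtpsa A=plain:alice S=812 id=y@laptop
2009-08-28 16:02:12 1Mh7fT-0008Qq-Aa => bob@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]
2009-08-28 16:10:00 1Mh7mv-0008Rr-Bb <= list@example.invalid H=mail.example.invalid [203.0.113.5] P=esmtp S=4021 id=z@mail
"""

ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\]"
    r".*? P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) ")


def authenticated_submissions(log_text):
    """Map message id -> details for each message accepted after SMTP AUTH."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            if m.group("auth"):  # A=authenticator:login, keep only the login
                login = m.group("auth").split(":", 1)[-1]
                msgs[m.group("id")] = {"login": login, "ip": m.group("ip"),
                                       "sender": m.group("sender"),
                                       "proto": m.group("proto"), "recipients": 0}
            continue
        d = DELIVERY.match(line)
        if d and d.group("id") in msgs:  # count delivery attempts per message
            msgs[d.group("id")]["recipients"] += 1
    return msgs


def flag_unexpected_sources(msgs, expected_ips):
    """(login, ip, msg_id, recipients) for AUTH submissions from an IP the
    login is not expected to use, the usual sign of stolen credentials."""
    return sorted((v["login"], v["ip"], mid, v["recipients"])
                  for mid, v in msgs.items()
                  if v["ip"] not in expected_ips.get(v["login"], set()))


if __name__ == "__main__":
    found = authenticated_submissions(SAMPLE_MAINLOG)
    for row in flag_unexpected_sources(found, {"alice": {"198.51.100.7"}}):
        print("suspicious AUTH submission: login=%s ip=%s id=%s recipients=%d" % row)
```

Run it against the real file with `authenticated_submissions(open("/var/log/exim4/mainlog").read())`; a login that appears with many recipients from an address it never used before is the account whose password should be changed and whose queued mail should be removed.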