几天以来,我的网络/邮件服务器(centos 6.4)不断发送垃圾邮件,只有停止 postfix 服务才能结束它。
SMPT 设置为仅接受通过 ssl 并使用用户名/密码的连接。我已经更改了(疑似)受感染电子邮件帐户的密码。
电子邮件是通过 iRedMail 设置的。
欢迎任何有关识别和阻止此问题的帮助!
添加:一些日志摘录:
Mar 23 05:01:52 MyServer postfix/smtp[9494]: 4E81026038: to=<[email protected]>, relay=mail.suddenlinkmail.com[208.180.40.132]:25, delay=3, delays=0.07/0/2.4/0.5, dsn=2.0.0, status=sent (250 Message received: [email protected])
Mar 23 05:02:01 MyServer postfix/smtp[9577]: 209BA26067: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=12/0/0/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B654226078)
Mar 23 05:02:01 MyServer postfix/smtp[9495]: 8278726077: to=<[email protected]>, relay=mx-biz.mail.am0.yahoodns.net[98.139.171.245]:25, delay=0.88, delays=0.25/0/0.47/0.14, dsn=4.7.1, status=deferred (host mx-biz.mail.am0.yahoodns.net[98.139.171.245] said: 421 4.7.1 [TS03] All messages from [IPADDRESS] will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
无法送达的报告的邮件标题:
Return-Path: <MAILER-DAEMON>
Delivered-To: [email protected]
Received: from localhost (icantinternet.org [127.0.0.1])
by icantinternet.org (Postfix) with ESMTP id 4669E25D9D
for <[email protected]>; Mon, 24 Mar 2014 14:20:15 +0100 (CET)
X-Virus-Scanned: amavisd-new at icantinternet.org
X-Spam-Flag: YES
X-Spam-Score: 9.501
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.501 tagged_above=2 required=6.2
tests=[BAYES_99=3.5, BAYES_999=0.2, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RDNS_NONE=0.793,
URIBL_BLACK=1.7] autolearn=no
Received: from icantinternet.org ([127.0.0.1])
by localhost (icantinternet.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FOrkYnmugXGk for <[email protected]>;
Mon, 24 Mar 2014 14:20:13 +0100 (CET)
Received: from spamfilter2.webreus.nl (unknown [46.235.46.231])
by icantinternet.org (Postfix) with ESMTP id D15BA25D14
for <[email protected]>; Mon, 24 Mar 2014 14:20:12 +0100 (CET)
Received: from spamfilter2.webreus.nl (localhost [127.0.0.1])
by spamfilter2.webreus.nl (Postfix) with ESMTP id 7FB2EE78EFF
for <[email protected]>; Mon, 24 Mar 2014 14:20:13 +0100 (CET)
X-Virus-Scanned: by SpamTitan at webreus.nl
Received: from mx-in-2.webreus.nl (mx-in-2.webreus.nl [46.235.44.240])
by spamfilter2.webreus.nl (Postfix) with ESMTP id 3D793E78E5A
for <[email protected]>; Mon, 24 Mar 2014 14:20:09 +0100 (CET)
Received-SPF: None (mx-in-2.webreus.nl: no sender authenticity
information available from domain of
[email protected]) identity=pra;
client-ip=62.146.106.25; receiver=mx-in-2.webreus.nl;
envelope-from=""; x-sender="[email protected]";
x-conformance=sidf_compatible
Received-SPF: None (mx-in-2.webreus.nl: no sender authenticity
information available from domain of
[email protected]) identity=mailfrom;
client-ip=62.146.106.25; receiver=mx-in-2.webreus.nl;
envelope-from=""; x-sender="[email protected]";
x-conformance=sidf_compatible
Received-SPF: None (mx-in-2.webreus.nl: no sender authenticity
information available from domain of
[email protected]) identity=helo;
client-ip=62.146.106.25; receiver=mx-in-2.webreus.nl;
envelope-from=""; x-sender="[email protected]";
x-conformance=sidf_compatible
Received: from athosian.udag.de ([62.146.106.25])
by mx-in-2.webreus.nl with ESMTP; 24 Mar 2014 14:20:03 +0100
Received: by athosian.udag.de (Postfix)
id 3B16E54807C; Mon, 24 Mar 2014 14:19:59 +0100 (CET)
Date: Mon, 24 Mar 2014 14:19:59 +0100 (CET)
From: [email protected] (Mail Delivery System)
Subject: ***Spam*** Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="36D9C5488E5.1395667199/athosian.udag.de"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
答案1
Pravin 提供了一些很好的一般观点,但没有真正详细说明其中任何一个,也没有解决您可能的问题实际的问题。
首先,您需要找出 postfix 如何接收这些消息以及为什么选择转发它们(这两个问题很可能相关)。
最好的方法是查看任意一条消息的消息 ID,然后在mail.log文件中查找与其相关的所有日志条目。这至少会告诉你消息来自哪里,以及 postfix 对它做了什么,直到它离开它的照顾并继续进入世界。这是(已编辑的)示例摘录:
Mar 26 00:51:13 vigil postfix/smtpd[9120]: 3B7085E038D: client=foo.bar.com[1.2.3.4]
Mar 26 00:51:13 vigil postfix/cleanup[9159]: 3B7085E038D: message-id=<------------@someserver>
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: from=<[email protected]>, size=456346, nrcpt=2 (queue active)
Mar 26 00:51:13 vigil postfix/lmtp[9160]: 3B7085E038D: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.11/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04611-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6EA115E038F)
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: removed
这告诉我以下几点:
- 该消息来自 foo.bar.com,IP 地址为 1.2.3.4 的服务器,自称为 foo.bar.com
- (由于没有警告而暗示)根据正向和反向 DNS,该地址确实与该名称匹配。
- 该消息是发送给名为 的用户的
[email protected],服务器认为该用户是可接受的目标地址。 - 根据其配置,邮件服务器通过
127.0.0.1:10024(我们的垃圾邮件/病毒过滤器)中继消息以进行进一步处理。 - 过滤器说:“好吧,我会将其作为 ID 为 6EA115E038F 的消息进行排队,并从这里处理它。”
- 收到此确认后,主服务器声明已完成并从队列中删除原始消息。
现在,一旦您知道消息如何进入系统,您就可以开始找出问题所在。
如果它来自其他地方并完全中继到其他地方,则 postfix 当前充当开放中继。这是非常非常糟糕的,你应该加强你的
smtpd_recipient_restrictions和smtpd_client_restrictions设置/etc/postfix/main.cf。如果它来自
localhost,则很可能某个虚拟主机用户或其他用户已受到按需发送垃圾邮件的 php 脚本的攻击。使用该find命令查找最近添加或更改的 .php 文件,然后仔细查看任何可疑名称。
任何更具体的内容都将在很大程度上取决于上述调查的结果,因此尝试详细说明是没有意义的。我会给您留下更一般的警告,至少要安装和配置后灰色尽早有机会。
答案2
让 PHP 通过本地 postfix 安装发送邮件,而不是直接在互联网上或通过网络托管主机发送邮件。
请检查任何触发邮件的 php 脚本。
让邮件服务器发送其 HELO (EHLO) 及其正确的 FQDN
不要将您的服务器配置为开放中继。
对外发电子邮件实施 DKIM 签名
为您的域发布 SPF 记录,表明您的服务器是您的域的合法发件人主机
将您的服务器添加到 DNSWL.ORG