How do I track down a spam script?

My server sent 83,000 spam emails last night, and I have been trying to track down the culprit, but I don't know how to pin down the cause.

  • In the logs, the "From" address is always something like @#!
  • The connections appear to come from localhost

This leads me to believe it is a script using the PHP mail(); function or CGI. So how do I find out which script?

EDIT Correction, 354284 emails were sent, each with 50 "To" addresses....17,714,200 emails....wonderful.

EDIT Looks like an SMTP user/botnet... the mail was sent by an authenticated user....

Apr 22 06:31:41 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25411 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25412 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25413 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25414 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25415 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:42 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25416 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25417 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25418 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25419 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25420 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25422 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25421 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25423 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25424 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25425 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:45 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from [email protected] [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user [email protected] : /var/qmail/mailnames/--removed--.com/--removed-- logged in from [email protected] [71.129.165.22]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: Handlers Filter before-queue for qmail started ...
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: [email protected]

Then 50 or more "To" addresses. The reason I didn't spot this address in the logs is that they log in here - most of the emails in the queue were dropped, and the remaining 300m+ of logs are delivery messages that look like a script. The IP address "71.129.165.22" also shows up on the Spamhaus CBL......

I just need to read my logs more carefully when something goes wrong.

-Sean
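The pattern in the log above (one IP authenticating as the same mailbox many times within a few seconds, followed by relaylock lines) can be flagged automatically. This is an added example, not part of the original post: the line format follows the question's smtp_auth entries, the sample lines, addresses and IPs below are constructed, and the threshold of 5 logins per minute is an assumption.

```shell
#!/bin/sh
# Count authenticated SMTP logins per (minute, client IP, user) in a qmail
# smtp_auth log and print the tuples at or above a threshold. Example code
# written for this page; the sample log below is constructed.

# usage: flag_auth_bursts [THRESHOLD] < logfile   (threshold defaults to 5)
flag_auth_bursts() {
    awk -v limit="${1:-5}" '
        # "Mon DD HH:MM:SS host smtp_auth: smtp_auth: SMTP user U : PATH logged in from H [IP]"
        /smtp_auth: SMTP user / {
            minute = substr($3, 1, 5)                  # HH:MM of the timestamp
            user   = $9                                # token after "SMTP user"
            ip     = substr($NF, 2, length($NF) - 2)   # strip [ ] around the IP
            count[minute " " ip " " user]++
        }
        END {
            for (k in count)
                if (count[k] >= limit) print k, count[k]
        }' | sort
}

# Constructed sample: a burst from 203.0.113.5 as victim@example.com plus one
# legitimate login; the "SMTP connect" and relaylock lines are ignored on purpose.
SAMPLE_LOG='Apr 22 06:31:42 impulsemedia smtp_auth: SMTP connect from unknown [203.0.113.5]
Apr 22 06:31:42 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.5:25423 (unknown)
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user victim@example.com : /var/qmail/mailnames/example.com/victim logged in from unknown [203.0.113.5]
Apr 22 06:31:50 impulsemedia smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from office.example.net [198.51.100.7]'

# Run with --demo to see the burst flagged; otherwise pipe a real log into
# flag_auth_bursts from another script.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_auth_bursts 5
fi
```

A flagged (minute, IP, user) tuple tells you which mailbox password to reset and which client IP to block at the MTA, which is the remediation the question's own edit points at.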

Answer 1

We were also hit by spammers earlier this week. One piece of advice I found was to look at the full headers of the earliest spam message you can find and look for the UID call. You can look that up in the password file to determine which login was used to run the process that sent the email.

Anyway, the spam's entry point turned out to be our webmail interface. The spammer logged in with an existing account and password and then used the webmail application to send the email. As far as I can tell, the spammer never compromised the actual system.

Answer 2

You should create a wrapper that logs various pieces of information about the request.

Parallels made one as an example for Plesk systems, but it looks fairly generic: http://kb.parallels.com/1711

Answer 3

While you could just grep for 'mail(', that is not the only way to send email from PHP. It can also be done through the various program-execution functions (the standard mail fn is just a wrapper around the program defined in php.ini), or it could connect to the SMTP port.

Either way, processing that many messages should take some time - or require a lot of HTTP requests - both of which would show up in your web server logs.

I would suggest replacing the command configured in the php.ini file with one that collects as much information as possible about what called it - and logs it somewhere. Also, if you have port 25 open on the machine, block scripts from accessing that port (note that this may break services you provide to users).
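A sendmail_path wrapper of the kind answers 2 and 3 describe, written as an added example for this page (it is not the Parallels KB script). Assumptions: the real MTA binary is /usr/sbin/sendmail, the log file path, the installed name sendmail-wrapper, and that the calling PHP process's working directory and parent command line identify the vhost and SAPI.

```shell
#!/bin/sh
# Logging wrapper for PHP's sendmail_path: records who called sendmail and
# from where, then hands the message on stdin to the real MTA unchanged.
# Example code written for this page; paths below are assumptions.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"          # assumed MTA path
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/php-mail-wrapper.log}"   # must be writable by the web user

# Build one log record from already-collected facts (kept pure so it can be tested).
# $1 date, $2 user, $3 cwd, $4 parent pid, $5 parent command, $6 script, rest = sendmail args
format_call_record() {
    date=$1; user=$2; cwd=$3; ppid=$4; pcmd=$5; script=$6; shift 6
    printf '%s uid=%s cwd=%s ppid=%s pcmd=%s script=%s args=%s\n' \
        "$date" "$user" "$cwd" "$ppid" "$pcmd" "${script:-unknown}" "$*"
}

# Gather the facts about this invocation and append the record to the log.
# SCRIPT_FILENAME is present when PHP runs under CGI/FastCGI; the parent
# command line (php-fpm pool, apache2, php cli) shows which SAPI made the call.
log_call() {
    pcmd=$(ps -o args= -p "$PPID" 2>/dev/null | head -n 1)
    format_call_record "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -un)" "$PWD" \
        "$PPID" "${pcmd:-unknown}" "${SCRIPT_FILENAME:-}" "$@" >> "$WRAPPER_LOG"
}

main() {
    log_call "$@"
    exec "$REAL_SENDMAIL" "$@"   # message body is still on stdin for the real MTA
}

# Act as sendmail only when invoked under the wrapper's own name, so that
# sourcing this file (for example in a test) never sends mail.
case "${0##*/}" in
    sendmail-wrapper*) main "$@" ;;
esac
```

Install it as /usr/local/sbin/sendmail-wrapper (assumed path) and set `sendmail_path = /usr/local/sbin/sendmail-wrapper -t -i` in php.ini; the cwd and script fields in the log then point at the vhost and file responsible for each burst of calls.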

Answer 4

If you are running a website, it could be a hidden/unwanted feature in some web page, or possibly a defacement. Look through the web server access logs for similar accesses in the time window when you think the mail was sent.

I would also look for cronjobs that might be sending mail. If you are on Linux, type ls -la /var/spool/cron/crontabs/ to find all users with cron jobs installed and look at them.

Hope this helps!
