好吧,我厌倦了从我的服务器发出的垃圾邮件。我安装了 CSF 作为防火墙,它一直显示用户 127.0.0.1 的本地主机中继
Received: by 10.50.183.228 with SMTP id ep4csp81296igc;
Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Received: by 10.216.138.36 with SMTP id z36mr5848554wei.22.1329840472165;
Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Return-Path: <root@myhostname>
Received: from myhostname (myhostname. [109.236.81.230])
by mx.google.com with ESMTPS id p27si18775372weq.52.2012.02.21.08.07.51
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of root@myhostname designates 109.236.81.230 as permitted sender) client-ip=109.236.81.230;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of root@myhostname designates 109.236.81.230 as permitted sender) smtp.mail=root@myhostname
Received: from root by myhostname with local (Exim 4.69)
(envelope-from <root@myhostname>)
id 1RzsFt-0000LJ-If
for [email protected]; Tue, 21 Feb 2012 17:07:53 +0100
To: [email protected]
Subject: lfd on myhostname: LOCALHOSTRELAY Alert for 127.0.0.1
From: <root@myhostname>
Message-Id: <E1RzsFt-0000LJ-If@myhostname>
Date: Tue, 21 Feb 2012 17:07:53 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - myhostname
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - myhostname
X-Source: /usr/bin/perl
X-Source-Args: lfd - (child) reporting exceeded LOCALHOSTRELAY limit
X-Source-Dir: /etc/csf
Time: Tue Feb 21 17:07:53 2012 +0100
Type: LOCALHOSTRELAY, localhost - 127.0.0.1
Count: 150 emails relayed
Blocked: No
前 10 封电子邮件的示例:
2012-02-21 17:07:50 1RzsFp-0008VC-QL <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-02-21 17:07:51 1RzsFq-0008VD-09 <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-02-21 17:07:51 1RzsFr-0008Vi-4y <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
我已更改主机名
谁能告诉我如何追踪垃圾邮件发件人?谢谢。
答案1
仅代表我个人观点:
因为连接到您服务器上的 127.0.0.1 可能是一个(恶意)脚本。
您的服务器也是 Web 服务器吗?如果是,我会检查 Web 目录(如果使用多/虚拟主机,则检查目录)中是否存在可疑脚本(例如,使用 grep 查找 PHP 脚本中的 mail() 函数)。
另外,如果使用某种网络邮件界面在同一台服务器上它将连接到 127.0.0.1。那么可能是您的某些用户的帐户被破解了(密码弱?),而垃圾邮件发送者正在使用这些凭据发送垃圾邮件。如果是这种情况,您应该检查网络邮件日志可以知道哪些用户发送了什么,而不仅仅是 smtp 服务器日志。
答案2
基于@MrShunz 的回答,如果服务器也是网络服务器,则不一定是恶意脚本导致此问题。机器人会积极地在互联网上搜索发送电子邮件的编写不当的网络表单,例如反馈表单。这些表单很容易成为注入攻击的受害者,这种攻击会欺骗邮件服务器匿名发送垃圾邮件。
这是很好地讨论了 PHP 表单中电子邮件注入漏洞的工作原理及其预防方法。
如果您确实在此邮件服务器上有 Web 服务器,我建议您审核通过此服务器运行的网站上的所有表单和脚本,以查看是否存在此特定问题。如果服务器很小并且您管理所有网站,您甚至可能知道这些表单在哪里。
如果您看到垃圾邮件到达通用邮箱([电子邮件保护]?)您可能会发现该服务器上托管着旨在发送到这些已被利用的地址的表单。