This is not a duplicate question. Please read and understand the question before marking it as a duplicate that has already been answered.
Several customers have reported bounce messages like the one below. At first I thought their computers had a virus, but then I received a message generated by the server, so the problem is on the server.
I checked the logs and these email addresses do not appear in them. The only thing I see that I don't remember seeing before are entries like this:
Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: recipient[3] = '[email protected]'
Apr 30 13:34:49 psa86 qmail-queue-handlers[20994]: handlers dir = '/var/qmail//handlers/before-queue/recipient/[email protected]'
I have searched here and on the web; maybe I'm just not using the right search terms, but I have not found anything about this problem.
Does anyone know how a hacker could append extra email addresses to messages on the server without them showing up in the logs?
CentOS 5.4, Plesk 8.6, QMail 1.03
Hi. This is the qmail-send program at psa.aaaaaa.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<[email protected]>:
82.201.133.227 does not like recipient.
Remote host said: 550 #5.1.0 Address rejected.
Giving up on 82.201.133.227.
<[email protected]>:
64.18.7.10 does not like recipient.
Remote host said: 550 No such user - psmtp
Giving up on 64.18.7.10.
<[email protected]>:
173.194.68.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 w8si1903qag.18 - gsmtp
Giving up on 173.194.68.27.
<[email protected]>:
207.115.36.23 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.23.
<[email protected]>:
207.115.37.22 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.22.
<[email protected]>:
207.115.37.20 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.20.
<[email protected]>:
207.115.37.23 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.23.
<[email protected]>:
207.115.36.22 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.22.
<[email protected]>:
74.205.16.140 does not like recipient.
Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1)
Giving up on 74.205.16.140.
<[email protected]>:
207.115.36.20 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.36.20.
<[email protected]>:
207.115.37.21 does not like recipient.
Remote host said: 550 5.2.1 <[email protected]>... Addressee unknown, relay=[174.142.62.210]
Giving up on 207.115.37.21.
<[email protected]>:
192.169.41.23 failed after I sent the message.
Remote host said: 554 qq Sorry, no valid recipients (#5.1.3)
--- Below this line is a copy of the message.
Return-Path: <[email protected]>
Received: (qmail 15962 invoked from network); 1 May 2013 06:49:34 -0400
Received: from exprod6mo107.postini.com (64.18.1.18)
by psa.aaaaaa.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 May 2013 06:49:34 -0400
Received: from aaaaaa.com (exprod6lut001.postini.com [64.18.1.199])
by exprod6mo107.postini.com (Postfix) with SMTP id 47F80B8CA4
for <[email protected]>; Wed, 1 May 2013 03:49:33 -0700 (PDT)
From: "Support" <[email protected]>
To: [email protected]
Subject: Detected Potential Junk Mail
Date: Wed, 1 May 2013 03:49:33 -0700
Dear [email protected],
junk mail protection service has detected
suspicious email message(s) since your last visit and directed them
to your Message Center.
You can inspect your suspicious email at:
...
Update: After not seeing this problem for a while, I sent an email myself and it bounced immediately with several bad addresses that I know I did not send to. These addresses are not on my system or server. This happens on both Mac and Windows clients, and also in mail generated by Postini and sent to users on my system.
This is not backscatter. If it were backscatter, my message content would not be in it.
Update #2
Here is another bounce. This is one I sent, and it bounced back very quickly.
Hi. This is the qmail-send program at psa.aaaaaa.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<[email protected]>:
71.74.56.227 does not like recipient.
Remote host said: 550 5.1.1 <[email protected]>... User unknown
Giving up on 71.74.56.227.
<[email protected]>:
Connected to 208.34.236.3 but sender was rejected.
Remote host said: 550 5.7.1 This system is configured to reject mail from 174.142.62.210 [174.142.62.210] (Host blacklisted - Found on Realtime Black List server 'bl.mailspike.net')
<[email protected]>:
66.96.80.22 failed after I sent the message.
Remote host said: 552 sorry, mailbox [email protected] is over quota temporarily (#5.1.1)
<[email protected]>:
83.145.109.52 does not like recipient.
Remote host said: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table
Giving up on 83.145.109.52.
<[email protected]>:
69.49.101.234 does not like recipient.
Remote host said: 550 5.7.1 <[email protected]>... H:M12 [174.142.62.210] Connection refused due to abuse. Please see http://mailspike.org/anubis/lookup.html or contact your E-mail provider.
Giving up on 69.49.101.234.
<[email protected]>:
212.55.154.36 does not like recipient.
Remote host said: 550-The account has been suspended for inactivity
550 A conta do destinatario encontra-se suspensa por inactividade (#5.2.1)
Giving up on 212.55.154.36.
<[email protected]>:
199.168.90.102 failed after I sent the message.
Remote host said: 552 Transaction [email protected] failed, remote said "550 No such user" (#5.1.1)
<[email protected]>:
98.136.217.192 failed after I sent the message.
Remote host said: 554 delivery error: dd Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102]. - mta1210.sbc.mail.gq1.yahoo.com
--- Below this line is a copy of the message.
Return-Path: <[email protected]>
Received: (qmail 2618 invoked from network); 2 Jun 2013 22:32:51 -0400
Received: from 75-138-254-239.dhcp.jcsn.tn.charter.com (HELO ?192.168.0.66?) (75.138.254.239)
by psa.aaaaaa.com with SMTP; 2 Jun 2013 22:32:48 -0400
User-Agent: Microsoft-Entourage/12.34.0.120813
Date: Sun, 02 Jun 2013 21:32:39 -0500
Subject: Refinance
From: Tim Duncklee <[email protected]>
To: Scott jones <[email protected]>
Message-ID: <CDD16A79.67344%[email protected]>
Thread-Topic: Reference
Thread-Index: Ac5gAp2QmTs+LRv0SEOy7AJTX2DWzQ==
Mime-version: 1.0
Content-type: multipart/mixed;
boundary="B_3453053568_12034440"
> This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
--B_3453053568_12034440
Content-type: multipart/related;
boundary="B_3453053568_11982218"
--B_3453053568_11982218
Content-type: multipart/alternative;
boundary="B_3453053568_12000660"
--B_3453053568_12000660
Content-type: text/plain;
charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Scott,
... email body here ...
Here are the relevant log entries:
Jun 2 22:32:50 psa qmail-queue[2616]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Jun 2 22:32:50 psa qmail-queue[2616]: scan: the message(drweb.tmp.i2SY0n) sent by [email protected] to [email protected] should be passed without checks, because contains uncheckable addresses
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: Handlers Filter before-queue for qmail started ...
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: [email protected]
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: [email protected]
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: hook_dir = '/var/qmail//handlers/before-queue'
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: recipient[3] = '[email protected]'
Jun 2 22:32:50 psa qmail-queue-handlers[2617]: handlers dir = '/var/qmail//handlers/before-queue/recipient/[email protected]'
Jun 2 22:32:51 psa qmail: 1370226771.060211 starting delivery 57: msg 1540285 to remote [email protected]
Jun 2 22:32:51 psa qmail: 1370226771.060402 status: local 0/10 remote 1/20
Jun 2 22:32:51 psa qmail: 1370226771.060556 new msg 4915232
Jun 2 22:32:51 psa qmail: 1370226771.060671 info msg 4915232: bytes 687899 from <[email protected]> qp 2618 uid 2020
Jun 2 22:32:51 psa qmail-remote-handlers[2619]: Handlers Filter before-remote for qmail started ...
Jun 2 22:32:51 psa qmail-queue-handlers[2617]: starter: submitter[2618] exited normally
Jun 2 22:32:51 psa qmail-remote-handlers[2619]: from=
Jun 2 22:32:51 psa qmail-remote-handlers[2619]: [email protected]
Jun 2 22:32:51 psa qmail: 1370226771.078732 starting delivery 58: msg 4915232 to remote [email protected]
Jun 2 22:32:51 psa qmail: 1370226771.078825 status: local 0/10 remote 2/20
Jun 2 22:32:51 psa qmail-remote-handlers[2621]: Handlers Filter before-remote for qmail started ...
Jun 2 22:32:51 psa qmail-remote-handlers[2621]: [email protected]
Jun 2 22:32:51 psa qmail-remote-handlers[2621]: [email protected]
Answer 1
Do the actual target email addresses exist in your (or your customers') address books? This kind of activity is usually seen when someone is spoofing your domain from the outside (purely to send spam). In other words, they have set up a rogue, non-authoritative mail server and claim to be you. If that is the case, you don't have a virus and your server has not been compromised.
If this is indeed what is happening, you could consider adding a strict SPF record to your DNS records (at your registrar) and enabling DKIM and reverse DNS for the authoritative server. These measures strengthen the identity of your domain and your email and make it harder for domain spoofers to successfully get email bearing your name (or your customers' names) into someone's inbox, although this won't necessarily stop them from trying, and you may still see bounce reports in the meantime.
When a bounce comes back, it means the target email address doesn't exist and they are just running a list through a bulk mailer. Because they are using your domain as the sender identity, the mail naturally comes back to you or to whoever they are spoofing.
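The question asks how to tell which bounced recipients the server's own log never recorded, and Answer 1 suggests the mail may have been forged elsewhere. As an added example (neither the poster's nor the answerers' code), the Python script below parses a qmail-send bounce into its failed recipients, checks them against the recipients the maillog recorded (`recipient[n] = '…'` from qmail-queue-handlers and `starting delivery … to remote …` from qmail-send), and reads the Received headers of the bounced copy to see whether the message was actually accepted by `psa.aaaaaa.com`, and from which client. The sample bounce and log lines are constructed from the excerpts above with placeholder addresses, since the post redacts the real ones.

```python
"""Correlate a qmail-send bounce with the local maillog (added example)."""
import re
from dataclasses import dataclass

SEPARATOR = "--- Below this line is a copy of the message."
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# qmail-send writes one block per failed recipient: "<addr>:", a status line
# naming the remote host, then "Remote host said: <SMTP reply>".
RCPT_RE = re.compile(r"<([^>]+)>:")
REPLY_PREFIX = "Remote host said: "
# Where the local log records the recipients it actually knew about.
LOG_RCPT_RES = (
    re.compile(r"recipient\[\d+\] = '([^']+)'"),                 # qmail-queue-handlers
    re.compile(r"starting delivery \d+: msg \d+ to \S+ (\S+)"),  # qmail-send
)
# One unfolded Received header: "from <name> ... (<ip>) by <server>"
HOP_RE = re.compile(r"^Received: from (\S+) .*?\((\d{1,3}(?:\.\d{1,3}){3})\) by (\S+)", re.I)


@dataclass(frozen=True)
class Failure:
    recipient: str
    host: str   # remote MTA that rejected the message
    reply: str  # first line of its SMTP reply


def split_bounce(text):
    """Split a bounce into the failure report and the copy of the original message."""
    report, _, copy = text.partition(SEPARATOR)
    return report, copy


def parse_failures(report):
    failures, lines, i = [], report.splitlines(), 0
    while i < len(lines):
        m = RCPT_RE.fullmatch(lines[i].strip())
        if m and i + 2 < len(lines) and lines[i + 2].startswith(REPLY_PREFIX):
            host = IP_RE.search(lines[i + 1])
            failures.append(Failure(m.group(1), host.group(0) if host else "",
                                    lines[i + 2][len(REPLY_PREFIX):]))
            i += 3
        else:
            i += 1
    return failures


def logged_recipients(log):
    """Recipient addresses the local maillog recorded."""
    found = set()
    for line in log.splitlines():
        for rx in LOG_RCPT_RES:
            m = rx.search(line)
            if m:
                found.add(m.group(1).lower())
    return found


def unlogged_failures(bounce, log):
    """Failed recipients named in the bounce that the local log never saw."""
    report, _ = split_bounce(bounce)
    logged = logged_recipients(log)
    return [f for f in parse_failures(report) if f.recipient.lower() not in logged]


def unfold_headers(copy):
    """Unfold RFC 5322 folded header lines; headers end at the first blank line."""
    headers = []
    for line in copy.lstrip("\n").splitlines():
        if not line:
            break
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def accepting_hop(bounce, our_host):
    """(client_name, client_ip) from the Received line our_host itself wrote.

    None means the copied message never passed through our_host, so the bounce
    is backscatter for mail forged elsewhere rather than evidence about this box.
    """
    _, copy = split_bounce(bounce)
    for header in unfold_headers(copy):
        m = HOP_RE.match(header)
        if m and m.group(3).lower() == our_host.lower():
            return m.group(1), m.group(2)
    return None


# Constructed sample data modelled on the bounce and log quoted in the question.
SAMPLE_BOUNCE = """Hi. This is the qmail-send program at psa.aaaaaa.com.
I'm afraid I wasn't able to deliver your message to the following addresses.

<bob@example.net>:
71.74.56.227 does not like recipient.
Remote host said: 550 5.1.1 <bob@example.net>... User unknown
Giving up on 71.74.56.227.

<carol@example.org>:
Connected to 208.34.236.3 but sender was rejected.
Remote host said: 550 5.7.1 This system is configured to reject mail from 174.142.62.210

<dave@example.com>:
66.96.80.22 failed after I sent the message.
Remote host said: 552 sorry, mailbox dave@example.com is over quota temporarily (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <tim@aaaaaa.com>
Received: (qmail 2618 invoked from network); 2 Jun 2013 22:32:51 -0400
Received: from 75-138-254-239.dhcp.jcsn.tn.charter.com (HELO ?192.168.0.66?) (75.138.254.239)
  by psa.aaaaaa.com with SMTP; 2 Jun 2013 22:32:48 -0400
From: Tim <tim@aaaaaa.com>
To: Scott <scott@example.net>
Subject: Refinance

Scott,
... email body here ...
"""
SAMPLE_LOG = """Jun 2 22:32:50 psa qmail-queue-handlers[2617]: recipient[3] = 'scott@example.net'
Jun 2 22:32:51 psa qmail: 1370226771.060211 starting delivery 57: msg 1540285 to remote scott@example.net
Jun 2 22:32:51 psa qmail: 1370226771.078732 starting delivery 58: msg 4915232 to remote bob@example.net
"""

if __name__ == "__main__":
    for f in unlogged_failures(SAMPLE_BOUNCE, SAMPLE_LOG):
        print(f"not in local log: {f.recipient} (rejected by {f.host}: {f.reply})")
    print("accepted by our server from:", accepting_hop(SAMPLE_BOUNCE, "psa.aaaaaa.com"))
```

Run it against a real bounce and the matching slice of `/usr/local/psa/var/log/maillog` (path assumed; use whatever your Plesk install writes). If `accepting_hop` returns `None`, the copied message never passed through the server and the bounce is backscatter for mail forged elsewhere, which is Answer 1's scenario; if it returns the client's IP and `unlogged_failures` is non-empty, the server accepted the message from that client and then sent it to recipients its own log did not record, which is the case the question describes and does point at the server rather than the client.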
Answer 2
Do you see any suspicious entries in lastlog? Have you checked shadow to see whether someone has shell access who shouldn't? Have you run chkrootkit? If you are convinced it is in your server but not sure where, I would attach strace to the process, reproduce the problem while it runs (saving the output to a file), and then inspect the output. lsof might show suspicious files still open. netstat -anp might show suspicious connections still active.