Over the past day my server has been used to send spam. I am using the Amazon Linux distro (RedHat-based). It has sendmail 8.14.4. It is set up to require authentication, SSL, etc. Below are some excerpts from the log and from mqueue. How can I find out what happened and fix it?
Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<[email protected]>, size=464, class=0, nrcpts=10, msgid=<[email protected]>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 21:57:12 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:18, xdelay=00:00:09, mailer=esmtp, pri=390464, relay=mailin-01.mx.aol.com. [205.188.159.42], dsn=5.1.1, stat=User unknown
Sep 10 21:57:19 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:25, xdelay=00:00:03, mailer=esmtp, pri=390464, relay=mx1.earthlink.net. [209.86.93.226], dsn=2.0.0, stat=Sent (1vju3P5qX3Nl34d0 Message accepted for delivery)
Sep 10 21:57:20 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:26, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=gmail-smtp-in.l.google.com. [74.125.136.27], dsn=2.0.0, stat=Sent (OK 1378843040 x42si1080567eel.116 - gsmtp)
Sep 10 21:57:21 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:27, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=5.1.1, stat=User unknown
Sep 10 21:57:22 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>,<[email protected]>, delay=00:00:28, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=2.0.0, stat=Sent ( <[email protected]> Queued mail for delivery)
Sep 10 21:57:24 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:30, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=zeno.mx25.net. [207.210.234.36], dsn=2.0.0, stat=Sent (893 bytes received in 00:00:00; Message id 201309101457230095 accepted for delivery)
Sep 10 21:57:25 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:31, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx1.seznam.cz. [77.75.76.42], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:26 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:32, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.seznam.cz. [77.75.76.32], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>,<[email protected]>, delay=00:00:34, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mta5.am0.yahoodns.net. [98.138.112.34], dsn=2.0.0, stat=Sent (ok dirdel 1/1)
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: r8AJvS4i011781: DSN: User unknown
> V8 T1378843014 K0 N0 P300464 Fbs
> $_dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged) $rESMTP $saambanyoqp ${daemon_flags}s a
> ${if_addr}10.246.123.145 S<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]>
> rRFC822; [email protected]
> RPFD:<[email protected]> rRFC822; [email protected]
> RPFD:<[email protected]> rRFC822; [email protected] RPFD:<[email protected]>
> rRFC822; [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> H?P?Return-Path:
> <<81>g> H??Received: from aambanyoqp
> (dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged))
> (authenticated bits=0)
> by ps-aws-p1.project-syndicate.org (8.14.4/8.14.4) with ESMTP id r8AJtH4r011662
> (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO);
> Tue, 10 Sep 2013 21:56:54 +0200 H?M?Message-Id: <[email protected]>
> H??Subject: H??From: "Wri Jm" <[email protected]> H??To:
> <[email protected]>, <[email protected]>,
> <[email protected]>, <[email protected]>,
> <[email protected]>, <[email protected]>, <[email protected]>,
> <[email protected]>, <[email protected]>,
> <[email protected]> H??Date: Tue, 10 Sep 2013 20:47:12 -0700 H??Mime-Version: 1.0 H??Content-Type: text/plain; charset="utf-7"
Answer 1
The SMTP password has most likely been compromised.
Make your sendmail log the SMTP AUTH credentials being used: raise LogLevel to 10. The required sendmail.mc line:
define(`confLOG_LEVEL', `10')dnl
sendmail.mc needs to be recompiled into sendmail.cf. The sendmail daemon needs to be restarted (or sent a HUP signal) to "see" the new version of sendmail.cf.