Server sending spam - how to find the cause?

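I have CentOS 6 installed on a dedicated server. I am the only person with shell access to the server. I host 2 WordPress sites and a few simple PHP sites there. My hosting company just sent me an email saying they have blocked my port 25 because I am sending spam.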

# cat /var/log/maillog
Jul 11 16:43:28 stock postfix/smtp[31689]: 2D55610D3EE: to=<[email protected]>, relay=mail.athoise.com[217.16.10.3]:25, delay=0.53, delays=0.04/0/0.42/0.07, dsn=5.1.1, status=bounced (host mail.athoise.com[217.16.10.3] said: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Jul 11 16:43:28 stock postfix/qmgr[15611]: 2D55610D3EE: removed
Jul 11 16:45:09 stock postfix/qmgr[15611]: C836D10D3AA: from=<>, size=15048, nrcpt=1 (queue active)
Jul 11 16:45:40 stock postfix/smtp[31836]: connect to syad.net[208.91.197.27]:25: Connection timed out
Jul 11 16:45:40 stock postfix/smtp[31836]: C836D10D3AA: to=<[email protected]>, relay=none, delay=424757, delays=424727/0.02/30/0, dsn=4.4.1, status=deferred (connect to syad.net[208.91.197.27]:25: Connection timed out)
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max connection rate 1/60s for (smtp:92.84.169.239) at Jul 11 16:42:27
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max connection count 1 for (smtp:92.84.169.239) at Jul 11 16:42:27
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max cache size 1 at Jul 11 16:42:27
Jul 11 16:50:09 stock postfix/qmgr[15611]: AC61110D254: from=<[email protected]>, size=54804, nrcpt=1 (queue active)
Jul 11 16:50:57 stock postfix/smtp[32061]: AC61110D254: host gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1b] said: 421-4.7.0 [2001:41d0:2:a9e5::1      15] Our system has detected an unusual rate 421-4.7.0 of unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. ej4si5267528wid.3 - gsmtp (in reply to end of DATA command)
Jul 11 16:51:42 stock postfix/smtp[32061]: AC61110D254: to=<MY REAL EMAIL ADDRESS WAS HERE>, orig_to=<MY REAL EMAIL ADDRESS WAS HERE>, relay=gmail-smtp-in.l.google.com[173.194.67.26]:25, delay=1438, delays=1345/0.02/62/32, dsn=4.7.0, status=deferred (host gmail-smtp-in.l.google.com[173.194.67.26] said: 421-4.7.0 [188.165.222.229      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. fr7si4416957wib.79 - gsmtp (in reply to end of DATA command))
Jul 11 16:55:09 stock postfix/qmgr[15611]: 51C0910D03F: from=<[email protected]>, size=55141, nrcpt=1 (queue active)
Jul 11 16:55:38 stock postfix/smtp[32284]: 51C0910D03F: host gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1a] said: 421-4.7.0 [2001:41d0:2:a9e5::1      15] Our system has detected an unusual rate 421-4.7.0 of unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. pi9si4491273wjb.81 - gsmtp (in reply to end of DATA command)
Jul 11 16:56:09 stock postfix/smtp[32284]: 51C0910D03F: to=<MY REAL EMAIL ADDRESS WAS HERE>, orig_to=<MY REAL EMAIL ADDRESS WAS HERE>, relay=gmail-smtp-in.l.google.com[173.194.67.26]:25, delay=80376, delays=80316/0.02/50/11, dsn=4.7.0, status=deferred (host gmail-smtp-in.l.google.com[173.194.67.26] said: 421-4.7.0 [188.165.222.229      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. hj12si4501206wib.8 - gsmtp (in reply to end of DATA command))
Jul 11 17:00:09 stock postfix/qmgr[15611]: 64DEB10D2B9: from=<>, size=4743, nrcpt=1 (queue active)
Jul 11 17:00:11 stock postfix/smtp[32552]: 64DEB10D2B9: to=<[email protected]>, relay=none, delay=84582, delays=84580/0.02/1.9/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=primesentry.com type=MX: Host not found, try again)
Jul 11 17:05:49 stock dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=92.45.136.23, lip=188.165.222.229
Jul 11 17:06:17 stock dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=92.45.136.23, lip=188.165.222.229
Jul 11 17:10:09 stock postfix/qmgr[15611]: 3E11910D212: from=<[email protected]>, size=58247, nrcpt=1 (queue active)

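All of the above is spam. How can I find out where these messages are coming from? Is it a WordPress vulnerability? Or has some kind of malicious script somehow been installed on my server? Or something else?

Any help is much appreciated. Thank you.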

Answer 1

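Judging from your logs, these messages were originally sent to an email address on your server that is set up to forward to a Gmail address.

Because these messages are spam, when you send them on, they are treated as spam.

My advice is not to forward mail this way at all, but simply to receive and deal with it here. Most of us have multiple email addresses to handle, and it is not too inconvenient.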
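
The reading of the log described in the answer above can be automated by grouping maillog lines by queue ID and recording how each message entered the server and whether it left through a forward. This is an added example, not part of the original question or answer; the sample log lines, hosts, addresses and the `classify` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix maillog format (addresses, hosts and IDs are made up).
SAMPLE_LOG = """\
Jul 11 16:50:01 host postfix/smtpd[99]: AAA111: client=mail.example.net[192.0.2.5]
Jul 11 16:50:09 host postfix/qmgr[100]: AAA111: from=<sender@example.net>, size=54804, nrcpt=1 (queue active)
Jul 11 16:51:42 host postfix/smtp[101]: AAA111: to=<me@mailbox.example>, orig_to=<alias@example.org>, relay=mx.mailbox.example[192.0.2.10]:25, delay=1438, dsn=4.7.0, status=deferred (rate limited)
Jul 11 17:00:09 host postfix/qmgr[100]: BBB222: from=<>, size=4743, nrcpt=1 (queue active)
Jul 11 17:00:11 host postfix/smtp[102]: BBB222: to=<nobody@example.com>, relay=none, delay=84582, dsn=4.4.3, status=deferred (Host not found)
Jul 11 17:02:00 host postfix/pickup[103]: CCC333: uid=48 from=<apache>
Jul 11 17:02:00 host postfix/qmgr[100]: CCC333: from=<apache@host.example.org>, size=900, nrcpt=1 (queue active)
Jul 11 17:02:03 host postfix/smtp[104]: CCC333: to=<user@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=3, dsn=2.0.0, status=sent (250 ok)
"""

# Default (short, hexadecimal) Postfix queue IDs are assumed.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def classify(log_text):
    """Group log lines by queue ID and record how each message entered and left."""
    msgs = defaultdict(lambda: {"origin": "unknown", "null_sender": False,
                                "forwarded": False, "dsn": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "smtpd" and rest.startswith("client="):
            rec["origin"] = "smtp " + rest.split(",")[0]   # arrived over the network
        elif daemon == "pickup" and rest.startswith("uid="):
            rec["origin"] = "local " + rest.split()[0]     # injected on this host, e.g. PHP mail()
        elif daemon == "qmgr" and rest.startswith("from=<>"):
            rec["null_sender"] = True                      # bounce / delivery notification
        elif daemon == "smtp" and "to=<" in rest:
            # orig_to= on an outbound delivery means an alias or forward rewrote the recipient
            rec["forwarded"] = "orig_to=<" in rest
            dsn = re.search(r"dsn=([\d.]+)", rest)
            rec["dsn"] = dsn.group(1) if dsn else None
    return dict(msgs)

if __name__ == "__main__":
    for qid, rec in classify(SAMPLE_LOG).items():
        print(qid, rec)
```

A message whose origin is `smtp client=...` and which is marked `forwarded` matches the situation in the answer; an origin of `local uid=...` instead points at a process on the server itself, and the uid identifies the account that submitted it.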
