Tracking down spam

How do I find the source of spam being sent from a Linux server?

    tail -f /var/log/exim_mainlog
    2014-10-24 15:02:37 [28750] 1Xhl4A-0007Te-9C Completed QT=7s
    2014-10-24 15:02:37 [28746] SMTP connection from gif2g4xf.gdp3.eu (00004e91.gdp3.eu) [107.6.36.81]:50136 I=[MY.IP]:25 closed by QUIT
    2014-10-24 15:02:48 [20360] SMTP connection from [62.75.238.56]:4000 I=[MY.IP]:25 (TCP/IP connection count = 1)
    2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (7.7)"
    2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= [email protected] H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 P=esmtp S=7205 M8S=8 [email protected] T="Do not drink soda again" from <[email protected]> for [email protected]
    2014-10-24 15:02:57 [28756] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4S-0007Tn-IR
    2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR => /dev/null <[email protected]> F=<[email protected]> R=central_filter T=**bypassed** S=0 QT=9s DT=0s
    2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR Completed QT=9s
    2014-10-24 15:02:57 [28755] SMTP connection from static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 closed by QUIT
    2014-10-24 15:03:09 [20360] SMTP connection from [67.216.227.212]:24536 I=[MY.IP]:25 (TCP/IP connection count = 1)
    2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as NOT spam (-2.9)"
    2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk <= bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 P=esmtp S=12162 M8S=0 id=23.E1.41333.B0A6A445@dc4mta03 T="Order your custom daily planners today!" from <bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> for [email protected]
    2014-10-24 15:03:22 [28772] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4n-0007Ts-Lk
    2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk => my <[email protected]> F=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> P=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> R=virtual_user T=virtual_userdelivery S=12347 QT=13s DT=0s
    2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk Completed QT=13s
    2014-10-24 15:03:23 [20360] SMTP connection from [212.129.52.85]:59165 I=[MY.IP]:25 (TCP/IP connection count = 2)
    2014-10-24 15:03:28 [28760] SMTP connection from smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 closed by QUIT
    2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (13.2)"
    2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee <= [email protected] H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 P=esmtp S=6378 M8S=8 [email protected] T="One day for perfect vision" from <[email protected]> for [email protected]
    2014-10-24 15:03:31 [28778] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl52-0007U9-Ee
    2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee => /dev/null <[email protected]> F=<[email protected]> R=central_filter T=**bypassed** S=0 QT=7s DT=0s
    2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee Completed QT=7s
    2014-10-24 15:03:31 [28777] SMTP connection from 212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 closed by QUIT

I also added the following to my php.ini:

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log

However, that log stays empty.

I also ran:

    find / -type f -name "*.php*" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log

I also added the following to the Exim configuration:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Answer 1

It sounds like your system was sending spam, but is not sending spam now (while you are looking at it). You have located the log file, /var/log/exim_mainlog, so what to do now is run a program over all the logs to see what happened.

Exim comes with a log analysis program called eximstats. It can analyze as many files as you give it and outputs the results as HTML. Assuming you run Apache on that server and the Apache document root is /var/www/html, I would make one web page per weekly log file (assuming your logrotate is configured to rotate them weekly) and then make one big summary. This should do the trick:

    mkdir /var/www/html/exim/
    cd /var/log
    for J in exim_mainlog*; do
      eximstats -h1 -html=/var/www/html/exim/$J.html $J
    done
    cd /var/www/html/exim/
    # Now merge the weekly results into one big summary
    eximstats -merge exim_mainlog*.html > summary.html

Finally, make sure Apache has +Indexes set for this directory so that it lists the files in the directory instead of looking for index.html. You may need to add a .htaccess file to set that up for the directory.
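The question's log shows only inbound spam that SpamAssassin already caught. Mail injected by a script on the server looks different in the same file: because +arguments and +pid are in the question's log_selector (the cwd=... lines prove that), Exim records the working directory and command line of the process that submitted each message, and the `<=` line of a local submission carries P=local and U=<unix user> instead of an H= remote host. The following Python script is an added example (not from the question or either answer, and not eximstats) that applies those rules to mainlog text, groups messages by origin and, for locally submitted mail, by the directory and command that injected it; the log lines embedded in it are constructed, using documentation-range addresses.

```python
import re
import sys
from collections import Counter

# Constructed sample of Exim mainlog lines (not taken from the question). The
# first message arrives over SMTP from a remote host and is filtered to
# /dev/null, as in the question's log; the next two are submitted locally via
# the sendmail interface by the unix user "site1" from a web-writable
# directory, the pattern an abused PHP mailer produces (PHP's default
# sendmail_path is "/usr/sbin/sendmail -t -i").
SAMPLE_LOG = """\
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= bob@example.net H=static-ip.example.com (pzqcy.example.com) [203.0.113.7]:4000 I=[198.51.100.2]:25 P=esmtp S=7205 M8S=8 id=abc@example.net T="Do not drink soda again" from <bob@example.net> for alice@example.org
2014-10-24 15:02:57 [28756] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4S-0007Tn-IR
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR => /dev/null <alice@example.org> F=<bob@example.net> R=central_filter T=**bypassed** S=0 QT=9s DT=0s
2014-10-24 15:10:01 [29001] cwd=/home/site1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -fnoreply@example.org
2014-10-24 15:10:01 [29001] 1XhlBP-0007Zz-1A <= noreply@example.org U=site1 P=local S=2210 T="Cheap meds" from <noreply@example.org> for victim1@example.com
2014-10-24 15:10:02 [29003] 1XhlBP-0007Zz-1A => victim1@example.com F=<noreply@example.org> R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.25] S=2290 QT=1s DT=1s
2014-10-24 15:10:05 [29010] cwd=/home/site1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -fnoreply@example.org
2014-10-24 15:10:05 [29010] 1XhlBT-0007a3-4Q <= noreply@example.org U=site1 P=local S=2214 T="Cheap meds" from <noreply@example.org> for victim2@example.com
2014-10-24 15:10:06 [29012] 1XhlBT-0007a3-4Q => victim2@example.com F=<noreply@example.org> R=dnslookup T=remote_smtp H=mx2.example.com [192.0.2.26] S=2294 QT=1s DT=1s
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
                     r"(?: \[(?P<pid>\d+)\])?"      # [pid] is present with +pid
                     r" (?P<rest>.*)$")
# Exim message ids are 6-6-2 characters; the flag says what happened to it.
MSG_RE = re.compile(r"^(?P<id>\S{6}-\S{6}-\S{2}) (?P<flag><=|=>|->|\*\*|==) (?P<body>.*)$")
CWD_RE = re.compile(r"^cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")   # from +arguments
HOST_IP_RE = re.compile(r"H=\S+(?: \([^)]*\))? \[([^\]]+)\]")       # H=name (helo) [ip]


def field(body, key):
    """Value of KEY= in a log body, or None. A quoted value such as T="subject"
    runs to the closing quote (Exim backslash-escapes embedded quotes); an
    unquoted one ends at whitespace. Requiring whitespace before the key keeps
    M8S= from matching S= and QT= from matching T=."""
    m = re.search(r"(?:^|\s)" + re.escape(key) + r'=(?:"((?:[^"\\]|\\.)*)"|(\S+))', body)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def new_record():
    return {"sender": None, "user": None, "proto": None, "host": None, "ip": None,
            "subject": None, "recipients": [], "cwd": None, "args": None, "deliveries": []}


def origin(rec):
    """'local:<user>' for sendmail-interface submissions (P=local, U=user),
    'remote:<ip>' for mail that arrived over SMTP from another host."""
    if rec["proto"] == "local" or rec["user"]:
        return "local:" + (rec["user"] or "?")
    return "remote:" + (rec["ip"] or rec["host"] or "?")


def summarize(log_text):
    """Parse mainlog text; return per-message records plus counters of origins,
    of (cwd, argv) pairs for locally submitted mail, and of subjects."""
    cwd_by_pid, messages = {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        c = CWD_RE.match(rest)
        if c:  # remember the submitting process's cwd/argv until its <= line
            cwd_by_pid[pid] = (c.group("cwd"), c.group("args"))
            continue
        mm = MSG_RE.match(rest)
        if not mm:
            continue
        mid, flag, body = mm.group("id"), mm.group("flag"), mm.group("body")
        cwd, args = cwd_by_pid.pop(pid, (None, None))
        if flag == "<=":
            ipm, rcpts = HOST_IP_RE.search(body), re.search(r"\sfor (.+)$", body)
            rec = messages.setdefault(mid, new_record())
            rec.update(sender=body.split()[0], user=field(body, "U"), proto=field(body, "P"),
                       host=field(body, "H"), ip=ipm.group(1) if ipm else None,
                       subject=field(body, "T"), cwd=cwd, args=args,
                       recipients=rcpts.group(1).split() if rcpts else [])
        elif flag in ("=>", "->"):
            messages.setdefault(mid, new_record())["deliveries"].append(
                {"rcpt": body.split()[0], "router": field(body, "R"), "transport": field(body, "T")})
    recs = messages.values()
    return {"messages": messages,
            "origins": Counter(origin(r) for r in recs),
            "local_sources": Counter((r["cwd"], r["args"]) for r in recs if origin(r).startswith("local:")),
            "subjects": Counter(r["subject"] for r in recs if r["subject"])}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = summarize(text)
    print("messages by origin:")
    for o, n in r["origins"].most_common():
        print(f"  {n:5d}  {o}")
    print("locally submitted mail by cwd / argv:")
    for (cwd, args), n in r["local_sources"].most_common():
        print(f"  {n:5d}  {cwd}  {args}")
```

Run it as `python3 exim_origins.py /var/log/exim_mainlog` (or over each rotated file); a high count under a single cwd in a web-writable path points at the script to inspect next, and a local user with many distinct subjects or recipients is the account whose credentials or code to check.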

Answer 2

This depends a bit on the distribution, but you can use netstat. I ran telnet to connect to Yahoo's SMTP server and could then see the connection:

    telnet mta5.am0.yahoodns.net 25
    sudo netstat -anp | grep ':25'

I then get this output, which shows telnet opening the connection:

    tcp 0 0 192.168.1.25:35053 98.136.217.202:25 ESTABLISHED 31437/telnet
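Answer 2's netstat check, extended as an added Python example (not the answerer's code): it parses `netstat -anp` or `ss -tnp` output, keeps only connections whose remote port is 25 (outbound SMTP, as opposed to connections arriving at this host's own port 25), counts them per program and, on Linux, reads /proc/<pid>/cwd and /proc/<pid>/cmdline for each PID so the sending program can be located on disk. Both sample outputs are constructed. This view complements the exim_mainlog one because a script that opens its own socket to port 25 never passes through the local Exim or PHP's mail() function, so it appears in neither exim_mainlog nor mail.log.

```python
import os
import re
import subprocess
from collections import Counter

# Constructed `netstat -anp` output (not the answer's real output): the telnet
# session from the answer, a php-cgi process with two outbound SMTP
# connections, an inbound ssh session and an inbound SMTP session to Exim.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1021/exim
tcp        0      0 192.168.1.25:35053      98.136.217.202:25       ESTABLISHED 31437/telnet
tcp        0      0 192.168.1.25:41002      203.0.113.44:25         SYN_SENT    28901/php-cgi
tcp        0      0 192.168.1.25:41003      203.0.113.45:25         ESTABLISHED 28901/php-cgi
tcp        0      0 192.168.1.25:22         198.51.100.9:51234      ESTABLISHED 900/sshd
tcp        0      0 192.168.1.25:25         203.0.113.7:4000        ESTABLISHED 28755/exim
"""

# Constructed `ss -tnp` output for the same idea; ss puts the state first and
# the owning process in a users:((...)) field at the end.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.25:41003 203.0.113.45:25 users:(("php-cgi",pid=28901,fd=9))
ESTAB 0 0 192.168.1.25:22 198.51.100.9:51234 users:(("sshd",pid=900,fd=4))
"""

SS_USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_row(line):
    """One data row of `netstat -anp` (7 columns, PID/Program last) or
    `ss -tnp` (state first, users:((...)) last); None for headers/other rows."""
    t = line.split()
    if len(t) >= 7 and t[0].startswith("tcp"):
        pid, _, prog = t[6].partition("/")        # "31437/telnet" or "-" if not permitted
        return {"local": t[3], "remote": t[4], "state": t[5],
                "pid": int(pid) if pid.isdigit() else None, "program": prog or None}
    m = SS_USERS_RE.search(line)
    if m and len(t) >= 5:
        return {"local": t[3], "remote": t[4], "state": t[0],
                "pid": int(m.group(2)), "program": m.group(1)}
    return None


def outbound_smtp(text, port=25):
    """Connections whose *remote* port is `port`: mail this host is sending out."""
    rows = (parse_row(line) for line in text.splitlines())
    return [r for r in rows if r and r["remote"].rsplit(":", 1)[-1] == str(port)]


def by_program(conns):
    """How many outbound SMTP connections each program name holds."""
    return Counter(c["program"] or "?" for c in conns)


def proc_info(pid):
    """(cwd, argv) of a live PID from /proc on Linux; None if it is gone or unreadable."""
    try:
        cwd = os.readlink(f"/proc/{pid}/cwd")
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        return cwd, argv
    except OSError:
        return None


if __name__ == "__main__":
    try:   # live view; falls back to the constructed sample when ss is unavailable
        text = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT
    conns = outbound_smtp(text)
    for c in conns:
        where = proc_info(c["pid"]) if c["pid"] else None
        print(f"{c['state']:12} {c['local']:24} -> {c['remote']:24} pid={c['pid']} {c['program']} {where or ''}")
    print("outbound SMTP connections per program:", dict(by_program(conns)))
```

Run it as root (or with sudo): neither netstat nor ss reports the owning PID of another user's socket otherwise, which is the `-` seen in the PID column. Since a mailer script only holds a connection for a few seconds, run it in a loop (or watch `ss -tnp` repeatedly) while the outbound queue is busy; the /proc lookup then turns a PID into the interpreter's working directory, which is usually the directory the script lives in.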
