My server is sending emails from spoofed accounts


I have a Windows 2008 R2 server. I am using MailEnable Professional version 7.59.

I noticed in the MTA logs that random (non-existent) mail accounts are sending spam. These emails come from the NULL postoffice, but the domain extension is correct.

For example, the domain abc.com is configured as a postoffice in MailEnable, and it has only the user [email protected]. Yet in the logs I see [email protected] sending emails via smtp-out(2).

I have tried various ways to trace these emails to find out where they come from, but found nothing. Since it is smtp-out(2), I assume they are being sent by a script on the server. But I could be wrong.

I logged in to phpmail, scanned the server for hidden programs, and tried MailEnable message tracing. But I found nothing.

Has anyone experienced something similar? Can anyone suggest a way to catch this kind of symptom?

Below is a report I received from /m.usgoabuse.net/; apparently this email reveals the spammer's true identity. Can anyone tell how this email was produced?:

Received: from [209.143.155.230] by usgo.net
(USGO MTA v5/:PGRlaWRyZS5yaXR0ZXJAcG93ZXJmaW5hbmNldGV4YXMuY29tPjxqa2lzY2hAbW5pbnRlci5uZXQ_)
with SMTP id <20141125073414002607200015> for <[email protected]>;
Tue, 25 Nov 2014 07:34:14 -0600 (CST)
(envelope-from [email protected], notifiable emailhost server.powerfinancetexas.com)
Received: from localhost (localhost [127.0.0.1])
by server.powerfinancetexas.com (Postfix) with ESMTP id A556B39852EE
for <[email protected]>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
X-Virus-Scanned: amavisd-new at powerfinancetexas.com
Received: from server.powerfinancetexas.com ([127.0.0.1])
by localhost (server.powerfinancetexas.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id g8EjglQmmqU3 for <[email protected]>;
Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Received: from domaininmyserver.com (ns2.myserver.net [MYSERVERIP])
by server.powerfinancetexas.com (Postfix) with ESMTPSA id 2055639852D5
for <[email protected]>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Date: Tue, 25 Nov 2014 16:15:32 +0300
To: [email protected]
From: WhatsApp Messaging Service <[email protected]>
Reply-To: WhatsApp Messaging Service <[email protected]>
Subject: 1 New Voicemail(s)
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.6 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_92448898bcaeb02b41ce6d783c32762d"
Content-Transfer-Encoding: 7bit

--b1_92448898bcaeb02b41ce6d783c32762d
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

WhatsApp





You have a new voicemail!


Details:

Time of Call: Nov-24 2014 06:19:22
Lenth of Call: 50sec




Play


*If you cannot play, move message to the "Inbox" folder.



2014 WhatsApp Inc


--b1_92448898bcaeb02b41ce6d783c32762d
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!doctype html>
<html>
<body style=3D"font-family:Arial, Tahoma, sans-serif;">
<div style=3D"width:500px; height:274px;">
<div style=3D"margin:0px; padding:0px; height:85px; background:#27262b;
line-height:75px; font-size:26px; color:#FFFFFF; padding-left:82px; font-=
weight:bold;">
WhatsApp
</div>
<div style=3D"position:ralative;top:100px;background:#34af23; height:8px;=
width:500px;"></div>
<div align=3D"center" style=3D"font-size:18px;color:#5b5f62">
<br>
<br>
You have a new voicemail!
</div>
<div style=3D"padding:20px;">
<font color=3D"#40a9d8"><b>Details:</b></font>
<div style=3D"padding:10px;">
<font color=3D"#00000">Time of Call:</font> Nov-24 2014 06:19:22<br>
<font color=3D"#00000">Lenth of Call:</font> 50sec<br>
<br>
</div>
</div>
<div style=3D"margin:0px; padding:0px; height:180px;" align=3D"center">
<a href=3D"http://phamhongson.net/config.php?w=3DgV82A2+BchVQpCFkL3Jve9P3=
0KzpgPVhGeVFNBdjU9A=3D"=20
style=3D"display:block; width:167px; height:41px; line-height:41px;=20
font-size:26px; color:#ffffff; text-align:center; font-weight:bold;
border-radius:20px; -moz-border-radius:20px; -webkit-border-radius:20px;
background:#67c332; text-decoration:none;">Play</a>
<div style=3D"height:67px; margin:0px; padding:10px;font-size:12px">
<font color=3D"#5b5f62">
*If you cannot play, move message to the "Inbox" folder.
</font>
</div>
<p style=3D"height:30px;margin:0px;padding:10px;color:#FFFFFF;
background:#393e43;font-size:12px">
2014 WhatsApp Inc
</p>
</div>
</div>
</body>
</html>



--b1_92448898bcaeb02b41ce6d783c32762d--
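As an added example (not part of the original post), the script below walks the Received: chain of the quoted abuse report and reports the hop at which the message left the poster's own server, together with the protocol the receiving relay recorded for that hop and the X-Mailer value. The header text is constructed from the lines quoted above; the recipient address and MYSERVERIP are placeholders, and PowerShell 3 or later is assumed.

```powershell
# Added example, not part of the original post: parse the Received: chain and
# flag the hop at which the message left our own server.
# $MyServerIp is a placeholder; the post masks the real address as MYSERVERIP.
$MyServerIp = 'MYSERVERIP'

# Constructed from the Received: and X-Mailer: lines quoted in the question;
# the recipient is replaced by a placeholder address.
$RawHeaders = @'
Received: from [209.143.155.230] by usgo.net
 (USGO MTA v5/...) with SMTP id <20141125073414002607200015> for <recipient@example.invalid>;
 Tue, 25 Nov 2014 07:34:14 -0600 (CST)
Received: from localhost (localhost [127.0.0.1])
 by server.powerfinancetexas.com (Postfix) with ESMTP id A556B39852EE
 for <recipient@example.invalid>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Received: from server.powerfinancetexas.com ([127.0.0.1])
 by localhost (server.powerfinancetexas.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id g8EjglQmmqU3 for <recipient@example.invalid>;
 Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Received: from domaininmyserver.com (ns2.myserver.net [MYSERVERIP])
 by server.powerfinancetexas.com (Postfix) with ESMTPSA id 2055639852D5
 for <recipient@example.invalid>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
X-Mailer: PHPMailer 5.2.6 (https://github.com/PHPMailer/PHPMailer/)
'@

function Get-ReceivedHops {
    param([string]$Headers)
    # Unfold: a line that starts with whitespace continues the previous header line.
    $unfolded = [regex]::Replace($Headers, "`r?`n[ \t]+", ' ')
    $hops = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s*(.*)$') {
            $body = $Matches[1]
            $hop = [ordered]@{ From = ''; By = ''; With = ''; Id = '' }
            if ($body -match 'from\s+(.+?)\s+by\s+') { $hop.From = $Matches[1] }
            if ($body -match '\bby\s+(\S+)')          { $hop.By   = $Matches[1] }
            if ($body -match '\bwith\s+(\S+)')        { $hop.With = $Matches[1] }
            if ($body -match '\bid\s+(\S+)')          { $hop.Id   = $Matches[1] }
            $hops += [pscustomobject]$hop
        }
    }
    # Each MTA prepends its own Received: line, so the last one is the first hop.
    [array]::Reverse($hops)
    return $hops
}

function Find-SuspiciousHop {
    param([array]$Hops, [string]$OurIp, [string]$Mailer)
    foreach ($hop in $Hops) {
        # -like treats [ ] as a wildcard class, so use a literal substring test.
        if (-not $hop.From.Contains("[$OurIp]")) { continue }
        return [pscustomobject]@{
            LeftOurHostVia = $hop.By
            Protocol       = $hop.With
            # ESMTPSA / ESMTPA: the relay accepted the message as an authenticated
            # submission, i.e. something on our host logged in to that relay with
            # valid credentials instead of using MailEnable's own outbound queue.
            Authenticated  = (@('ESMTPSA', 'ESMTPA') -contains $hop.With)
            Mailer         = $Mailer
        }
    }
    return $null
}

$mailer = if ($RawHeaders -match '(?m)^X-Mailer:\s*([^\r\n]+)') { $Matches[1] } else { '(none)' }
$hops = Get-ReceivedHops -Headers $RawHeaders
$hops | Format-Table -AutoSize
Find-SuspiciousHop -Hops $hops -OurIp $MyServerIp -Mailer $mailer | Format-List
```

For the quoted report the flagged hop is the one received by server.powerfinancetexas.com "with ESMTPSA", so the message was handed to that relay as an authenticated submission from the poster's IP, and X-Mailer names PHPMailer 5.2.6. That combination points at a PHP script on the host that carries its own SMTP credentials, which is why MailEnable's message tracing and the phpmail log show nothing.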

Answer 1

This may not be very practical, but here is a workable strategy:

  • Enable process tracking auditing so that process start/stop is tracked in the Security event log.

  • Install Microsoft Network Monitor and capture traffic using a filter for destination TCP port 25.

  • Review the capture and correlate it with your logs to pinpoint the anomalous email traffic.

Network Monitor will capture the process ID of the program sending the traffic. You can use the Security event log to determine how the process that sent the offending traffic was started.
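The three steps above as a script, added here as an example and not part of the original answer. It substitutes polling of netstat -ano for the Network Monitor capture (netstat also reports the PID that owns each outbound connection) and correlates each PID with its process-creation event in the Security log. It assumes PowerShell 3 or later and an elevated prompt, which auditpol and the Security log require.

```powershell
# Added example, not part of the original answer: script the answer's procedure.
# The Network Monitor capture is replaced by polling "netstat -ano", which also
# reports the PID owning each outbound TCP connection. Assumes PowerShell 3+ and
# an elevated prompt.

# Step 1: audit process creation so every new process leaves a 4688 event.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

function Get-OutboundSmtpConnections {
    # Step 2: outbound TCP connections whose remote port is 25, with owning PID.
    # Inbound sessions and the port-25 listener have a different remote port and
    # therefore do not match.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+):25\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Local  = $Matches[1]
                Remote = $Matches[2]
                State  = $Matches[3]
                Pid    = [int]$Matches[4]
            }
        }
    }
}

function Get-ProcessCreationEvent {
    param([int]$ProcessId)
    # Step 3: the 4688 event that created this PID. The event stores PIDs in hex
    # ("0x4d2"); PIDs are reused, so the newest matching event is the right one,
    # and Get-WinEvent returns newest first.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                -MaxEvents 5000 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['NewProcessId']) { continue }
        if ([Convert]::ToInt64($data['NewProcessId'], 16) -ne $ProcessId) { continue }
        return [pscustomobject]@{
            Created   = $e.TimeCreated
            Image     = $data['NewProcessName']
            User      = $data['SubjectUserName']
            ParentPid = [Convert]::ToInt64($data['ProcessId'], 16)
        }
    }
    return $null
}

function Watch-OutboundSmtp {
    param([int]$IntervalSeconds = 2)
    # Report each new (PID, remote) pair once. MailEnable's own SMTP connector
    # appears legitimately; any other image, or a web-server worker process, is
    # the lead to follow back through its parent PID.
    $seen = @{}
    while ($true) {
        foreach ($c in Get-OutboundSmtpConnections) {
            $key = "$($c.Pid)|$($c.Remote)"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            $origin = Get-ProcessCreationEvent -ProcessId $c.Pid
            $proc   = Get-Process -Id $c.Pid -ErrorAction SilentlyContinue
            $name   = if ($proc)   { $proc.ProcessName } else { '(exited)' }
            $image  = if ($origin) { $origin.Image }     else { '(no 4688 event yet)' }
            $user   = if ($origin) { $origin.User }      else { $null }
            $parent = if ($origin) { $origin.ParentPid } else { $null }
            Write-Output ("{0:s} pid={1} name={2} remote={3} image={4} user={5} parent={6}" -f `
                (Get-Date), $c.Pid, $name, $c.Remote, $image, $user, $parent)
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Watch-OutboundSmtp
```

Leave it running while the spam is flowing and stop it with Ctrl-C; each line names the process that opened the port-25 connection and the user and parent PID that started it, which is the correlation the answer describes doing by hand between the capture and the Security log.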
