我有一个 Postfix 邮件中继服务器,作为 Exchange 智能主机运行,并在本地托管另一个邮件。
上周我发现该服务器受到了攻击,有人利用它向不同的目的地发送大量电子邮件。
我找不到它是从哪里连接的,并且“发件人”地址也被屏蔽了。
以下是邮件日志:
Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: EC5A91D727: from=<>, size=3096, nrcpt=1 (queue active)
Apr 16 06:29:10 mail.xxx.com postfix/bounce[12183]: B37D31D6FA: sender non-delivery notification: EC5A91D727
Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: B37D31D6FA: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[12164]: 1A9B71D801: to=<xxx@inver**.com>, relay=inver**.com[164.138.x.x]:25, delay=50, delays=39/0/6.7/5, dsn=2.0.0, status=sent (250 OK id=1lX6jh-000875-TC)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 1A9B71D801: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[11990]: 3BEAB1D9C3: to=<xxx@tms**.pl>, relay=tms**.pl[194.181.x.x]:25, delay=49, delays=37/0/6.7/5.4, dsn=2.0.0, status=sent (250 OK id=1lX6ji-000469-QT)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 3BEAB1D9C3: removed
Apr 16 06:29:12 mail.xxx.com postfix/smtp[12954]: 418621D80D: to=<xxx@medi**.com.cn>, relay=mxw**.com[198.x.x.x]:25, delay=51, delays=38/0/8.5/4.5, dsn=5.0.0, status=bounced (host mxw.mxhichina.com[198.11.189.243] said: 551 virus infected mail rejected (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[7936]: 6711A1D7B7: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12184]: 418621D80D: sender non-delivery notification: 6711A1D7B7
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 418621D80D: removed
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 6711A1D7B7: from=<>, size=2554, nrcpt=1 (queue active)
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11499]: 65E4C1D95F: to=<xxx@an**.com>, relay=aspmx.l.google.com[172.217.x.x]:25, delay=51, delays=38/0/6.3/6.7, dsn=5.7.0, status=bounced (host aspmx.l.google.com[172.217.194.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. z63si3810735ybh.300 - gsmtp (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[10468]: 705F91D801: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11996]: F05911DBCA: to=<xxx@maq**.ae>, relay=maq**.protection.outlook.com[104.47.x.x]:25, delay=36, delays=27/0/3.1/6, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=93338229282509, Hostname=DB8PR10MB2745.EURPRD10.PROD.OUTLOOK.COM] 933811 bytes in 3.322, 274.451 KB/sec Queued mail for delivery)
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: F05911DBCA: removed
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12183]: 65E4C1D95F: sender non-delivery notification: 705F91D801
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 65E4C1D95F: removed
如何检查攻击源在哪里?有没有办法限制只能在特定范围内的域用于邮件中继?
我不是 Postfix 专业人士,因此如果能提供任何建议/意见我将非常感激。
答案1
获取消息 ID 并对其进行 grep。
例如,在下面的行中,消息 ID 是 F05911DBCA。
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: F05911DBCA: removed
所以你可以执行
$ grep F05911DBCA /var/log/maillog
它将列出有关此消息的所有 Postfix 日志行,以便您可以检查 Postfix 针对此特定连接完成的所有步骤。
另外,使用 grep 搜索 sasl_username 以获取发送消息的用户帐户。您可以使用“wc - l”命令来获取帐户通过身份验证发送电子邮件的次数。
查明哪个帐户已被泄露,您可以锁定该帐户,使其无法发送电子邮件。