OK, I'm tired of spam being sent from my server. I have installed CSF as a firewall, and it keeps reporting a localhost relay for user 127.0.0.1:
Received: by 10.50.183.228 with SMTP id ep4csp81296igc; Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Received: by 10.216.138.36 with SMTP id z36mr5848554wei.22.1329840472165; Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Return-Path: <root@myhostname>
Received: from myhostname (myhostname. [109.236.81.230]) by mx.google.com with ESMTPS id p27si18775372weq.52.2012.02.21.08.07.51 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 08:07:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of root@myhostname designates 109.236.81.230 as permitted sender) client-ip=109.236.81.230;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of root@myhostname designates 109.236.81.230 as permitted sender) smtp.mail=root@myhostname
Received: from root by myhostname with local (Exim 4.69) (envelope-from <root@myhostname>) id 1RzsFt-0000LJ-If for [email protected]; Tue, 21 Feb 2012 17:07:53 +0100
To: [email protected]
Subject: lfd on myhostname: LOCALHOSTRELAY Alert for 127.0.0.1
From: <root@myhostname>
Message-Id: <E1RzsFt-0000LJ-If@myhostname>
Date: Tue, 21 Feb 2012 17:07:53 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - myhostname
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - myhostname
X-Source: /usr/bin/perl
X-Source-Args: lfd - (child) reporting exceeded LOCALHOSTRELAY limit
X-Source-Dir: /etc/csf

Time: Tue Feb 21 17:07:53 2012 +0100
Type: LOCALHOSTRELAY, localhost - 127.0.0.1
Count: 150 emails relayed
Blocked: No
Sample of the first 10 emails:
2012-02-21 17:07:50 1RzsFp-0008VC-QL <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-02-21 17:07:51 1RzsFq-0008VD-09 <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2012-02-21 17:07:51 1RzsFr-0008Vi-4y <= [email protected] H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
I have changed my hostname.
Can anyone tell me how to track down the spammer? Thanks.
Just my two cents:
Since whatever is connecting to 127.0.0.1 on your server could be a (malicious) script.
Is your server also a web server? If so, I would check the web directories (the per-site directories if you use multi/virtual hosting) for suspicious scripts (e.g. grep for the mail() function in PHP scripts).
Also, if some kind of webmail interface is in use on the same server, it would connect to 127.0.0.1. Then perhaps some user accounts have been compromised (weak passwords?) and a spammer is using those credentials to send spam. If that is the case, you should check the webmail logs to find out which users are sending what, not just the SMTP server logs.
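As an added example (not from the poster or from either answer), a small Python triage script for the kind of Exim mainlog entries quoted in the question, plus the grep for mail() calls this answer suggests. The log lines and PHP files embedded in it are constructed sample data, not the poster's server. The classification leans on Exim's own log fields: P=local means a local process used the sendmail interface and U= names the Unix user; P=smtp with H=localhost [127.0.0.1] and no A= means something spoke plain SMTP to the loopback port (a script or a web form); P=esmtpa with A=authenticator:user is an authenticated submission, which is what a webmail interface or a stolen account would look like. The first group with the most recipients is usually the one to chase.

```python
import os
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt in the format of the entries quoted in the
# question (sample data, not the poster's log): two messages from a script on
# 127.0.0.1, lfd's own alert submitted locally by root, and one authenticated
# webmail submission, so the classifier has something to separate.
SAMPLE_MAINLOG = """\
2012-02-21 17:07:50 1RzsFp-0008VC-QL <= spammer@example.com H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for a@example.net b@example.net c@example.net
2012-02-21 17:07:51 1RzsFq-0008VD-09 <= spammer@example.com H=localhost (User) [127.0.0.1] P=smtp S=1203 T="HELLO" for d@example.net e@example.net
2012-02-21 17:07:53 1RzsFt-0000LJ-If <= root@myhostname U=root P=local S=4120 T="lfd on myhostname: LOCALHOSTRELAY Alert for 127.0.0.1" for admin@example.org
2012-02-21 17:08:10 1RzsGA-0008Vk-2c <= alice@example.com H=localhost (webmail) [127.0.0.1] P=esmtpa A=plain:alice S=800 T="Re: lunch" for bob@example.net
"""

# Constructed web-root contents for the mail() scan (hypothetical files).
SAMPLE_PHP = {
    "contact.php": '<?php\n$to = "sales@example.com";\n'
                   'mail($to, $_POST["subject"], $_POST["body"], "From: " . $_POST["email"]);\n',
    "lib.php": "<?php\nfunction sendmail_wrapper($m) { return $m->send(); }\n",
    "index.html": '<a href="mailto:x@example.com">mail(</a>\n',
}

ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST = re.compile(r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]")
FIELD = re.compile(r"(?:^| )([PAUS])=(\S+)")            # P=protocol A=auth U=user S=size
SUBJECT = re.compile(r'T="(?P<subj>(?:[^"\\]|\\.)*)"')  # T="..." may contain spaces
MAIL_CALL = re.compile(r"(?<![\w$>])mail\s*\(", re.IGNORECASE)  # PHP mail(), not sendmail()/->mail()


def parse_arrival(line):
    """Parse one Exim '<=' (message arrival) log line into a dict, or None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    subj = SUBJECT.search(rest)
    # Split around the quoted subject so a subject containing " for " cannot
    # be mistaken for the recipient list that Exim appends after it.
    head, tail = (rest[:subj.start()], rest[subj.end():]) if subj else (rest, rest)
    fields = dict(FIELD.findall(head))
    host = HOST.search(head)
    rcpts = re.search(r" for (.+)$", tail)
    return {
        "id": m.group("id"),
        "sender": m.group("sender"),
        "host": host.group("host") if host else None,
        "ip": host.group("ip") if host else None,
        "proto": fields.get("P"),
        "auth": fields.get("A"),
        "user": fields.get("U"),
        "subject": subj.group("subj") if subj else None,
        "rcpts": rcpts.group(1).split() if rcpts else [],
    }


def classify(msg):
    """Say what kind of process handed the message to Exim, from the log fields alone."""
    if msg["proto"] == "local":
        return "local submission by U=%s (sendmail/pipe; check that user's cron jobs and scripts)" % msg["user"]
    if msg["ip"] == "127.0.0.1" and msg["auth"]:
        return "authenticated SMTP over loopback (A=%s): webmail, or a script holding that password" % msg["auth"]
    if msg["ip"] == "127.0.0.1":
        return "unauthenticated SMTP over loopback: a local script or web form talking to port 25"
    return "remote SMTP from %s" % msg["ip"]


def summarize(log_text):
    """Group arrivals by (ip, sender, classification); most recipients first."""
    buckets = defaultdict(lambda: {"messages": 0, "recipients": 0, "ids": []})
    for line in log_text.splitlines():
        msg = parse_arrival(line)
        if msg is None:
            continue
        b = buckets[(msg["ip"] or "local", msg["sender"], classify(msg))]
        b["messages"] += 1
        b["recipients"] += len(msg["rcpts"])
        b["ids"].append(msg["id"])
    return sorted(buckets.items(), key=lambda kv: -kv[1]["recipients"])


def find_mail_calls(files):
    """files: iterable of (path, source). Returns (path, lineno, line) for each PHP mail() call."""
    hits = []
    for path, source in files:
        if not path.lower().endswith((".php", ".phtml", ".inc")):
            continue
        for n, line in enumerate(source.splitlines(), 1):
            if MAIL_CALL.search(line):
                hits.append((path, n, line.strip()))
    return hits


def scan_webroot(root):
    """Walk a real tree (e.g. /var/www or /home/*/public_html) into find_mail_calls."""
    def walk():
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        yield p, fh.read()
                except OSError:
                    continue
    return find_mail_calls(walk())


if __name__ == "__main__":
    for (ip, sender, kind), b in summarize(SAMPLE_MAINLOG):
        print("%-10s %-22s msgs=%d rcpts=%d  %s" % (ip, sender, b["messages"], b["recipients"], kind))
    for path, n, src in find_mail_calls(SAMPLE_PHP.items()):
        print("%s:%d: %s" % (path, n, src))
```

On a live box you would feed /var/log/exim_mainlog to summarize() and the web root to scan_webroot(); the message ids it collects per bucket are what to match against the Apache access log at the same timestamps to find which vhost and script produced the burst.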
Building on @MrShunz's answer: if the server is also a web server, it doesn't have to be a malicious script causing this. Bots actively search the internet for poorly written web forms that send email, e.g. feedback forms. These can easily fall victim to injection attacks that let the mail server send spam anonymously.
There is a good discussion here of how email injection vulnerabilities work, and how they can be prevented, in PHP forms.
If you have a web server on this mail server, I suggest you audit all the forms and scripts on the websites running through this server to see whether you have this problem. If the server is small and you manage all the sites, you may even already know of such a form.
If you see the spam going to a generic mailbox ([email protected]?), you may find that a form hosted on this server that was meant to send to those addresses has been exploited.
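The mail-header injection this answer describes, as an added example (Python, written for this page; it is not the answerer's code and not a PHP listing). build_vulnerable() mirrors a naive PHP contact form that does mail($to, $_POST['subject'], $_POST['body'], "From: " . $_POST['email']): every field is pasted into the header block, so a CR/LF inside the email or subject field lets the submitter add a Bcc: line and the server sends the spam for them, to whatever addresses they choose. build_hardened() shows the fix a form audit should produce: the recipient and From are fixed, the visitor's address is only used as Reply-To after validation, and any field carrying CR or LF is rejected rather than cleaned. All addresses and form submissions are constructed sample data.

```python
import re
from email.message import EmailMessage

# Constructed attacker submissions for a feedback form (sample data). The
# extra header rides in on a CR/LF inside a field the form copies into headers.
ATTACK_BY_EMAIL = {
    "email": "bob@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    "subject": "Hello",
    "body": "Nice site.",
}
ATTACK_BY_SUBJECT = {
    "email": "bob@example.org",
    "subject": "Hello\r\nBcc: victim3@example.net",
    "body": "Nice site.",
}
LEGIT = {"email": "bob@example.org", "subject": "Hello", "body": "Nice site."}


def build_vulnerable(form):
    """Mirror of a naive PHP contact form that does
    mail($to, $_POST['subject'], $_POST['body'], "From: " . $_POST['email']);
    every field is pasted straight into the header block."""
    headers = ("To: sales@example.com\r\n"
               "Subject: %s\r\n"
               "From: %s\r\n") % (form["subject"], form["email"])
    return headers + "\r\n" + form["body"]


def header_names(raw):
    """Header names an MTA would see in a raw message: everything before the
    first blank line, one header per CR/LF-terminated line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


class HeaderInjection(ValueError):
    pass


CRLF = re.compile(r"[\r\n]")
# Deliberately strict: one bare address, no display name, comments or whitespace.
ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def header_value(value, max_len=200):
    """Reject anything that could end a header line or start a new one."""
    if CRLF.search(value):
        raise HeaderInjection("CR/LF in header field")
    if len(value) > max_len:
        raise HeaderInjection("header field too long")
    return value


def build_hardened(form):
    """Fixed To and From, the visitor's address only as Reply-To after
    validation, subject length-limited, body kept out of the headers."""
    reply = header_value(form["email"])
    if not ADDR.match(reply):
        raise HeaderInjection("not a plain address: %r" % reply)
    msg = EmailMessage()
    msg["To"] = "sales@example.com"        # never taken from the form
    msg["From"] = "webform@example.com"    # a local sender, so SPF/DKIM stay valid
    msg["Reply-To"] = reply
    msg["Subject"] = header_value(form["subject"], max_len=120)
    msg.set_content(form["body"])          # the body is data, not headers
    return msg


def submit(form):
    """What the form handler returns: (message, None) or (None, reason)."""
    try:
        return build_hardened(form), None
    except HeaderInjection as exc:
        return None, str(exc)


if __name__ == "__main__":
    for name, form in (("email", ATTACK_BY_EMAIL), ("subject", ATTACK_BY_SUBJECT), ("legit", LEGIT)):
        print("%-8s vulnerable headers: %s" % (name, header_names(build_vulnerable(form))))
        msg, err = submit(form)
        print("%-8s hardened: %s" % (name, err or "accepted, Reply-To=%s" % msg["Reply-To"]))
```

Rejecting rather than stripping the CR/LF is deliberate: a form that silently removes line breaks still tells the bot the field reached the mail path, while a rejection plus a log line gives you the attacker's IP and the form they are probing.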