Tracking down spam

How do I find the source of spam on a Linux server?

tail -f /var/log/exim_mainlog

2014-10-24 15:02:37 [28750] 1Xhl4A-0007Te-9C Completed QT=7s
2014-10-24 15:02:37 [28746] SMTP connection from gif2g4xf.gdp3.eu (00004e91.gdp3.eu) [107.6.36.81]:50136 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:02:48 [20360] SMTP connection from [62.75.238.56]:4000 I=[MY.IP]:25 (TCP/IP connection count = 1)
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (7.7)"
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= [email protected] H=static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 P=esmtp S=7205 M8S=8 [email protected] T="Do not drink soda again" from <[email protected]> for [email protected]
2014-10-24 15:02:57 [28756] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4S-0007Tn-IR
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR => /dev/null <[email protected]> F=<[email protected]> R=central_filter T=**bypassed** S=0 QT=9s DT=0s
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR Completed QT=9s
2014-10-24 15:02:57 [28755] SMTP connection from static-ip-62-75-238-56.inaddr.ip-pool.com (pzqcy.veraepsilon.com) [62.75.238.56]:4000 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:03:09 [20360] SMTP connection from [67.216.227.212]:24536 I=[MY.IP]:25 (TCP/IP connection count = 1)
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as NOT spam (-2.9)"
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk <= bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com H=smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 P=esmtp S=12162 M8S=0 id=23.E1.41333.B0A6A445@dc4mta03 T="Order your custom daily planners today!" from <bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> for [email protected]
2014-10-24 15:03:22 [28772] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl4n-0007Ts-Lk
2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk => my <[email protected]> F=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> P=<bounce-use=M=28238984975=echo4=4DC583C1B75C5251ABA5C6D33E7A3BC8@returnpath.bluehornet.com> R=virtual_user T=virtual_userdelivery S=12347 QT=13s DT=0s
2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk Completed QT=13s
2014-10-24 15:03:23 [20360] SMTP connection from [212.129.52.85]:59165 I=[MY.IP]:25 (TCP/IP connection count = 2)
2014-10-24 15:03:28 [28760] SMTP connection from smtp.clayton.bluehornet.com [67.216.227.212]:24536 I=[MY.IP]:25 closed by QUIT
2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 Warning: "SpamAssassin as megraphi detected message as spam (13.2)"
2014-10-24 15:03:31 [28777] 1Xhl52-0007U9-Ee <= [email protected] H=212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 P=esmtp S=6378 M8S=8 [email protected] T="One day for perfect vision" from <[email protected]> for [email protected]
2014-10-24 15:03:31 [28778] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xhl52-0007U9-Ee
2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee => /dev/null <[email protected]> F=<[email protected]> R=central_filter T=**bypassed** S=0 QT=7s DT=0s
2014-10-24 15:03:31 [28778] 1Xhl52-0007U9-Ee Completed QT=7s
2014-10-24 15:03:31 [28777] SMTP connection from 212-129-52-85.rev.poneytelecom.eu (vpu.alliedunrolls.com) [212.129.52.85]:59165 I=[MY.IP]:25 closed by QUIT

I have also added the following to my php.ini file:

 mail.add_x_header = On
 mail.log = /var/log/phpmail.log

But the log is empty.

I also ran:

 find / -type f -name "*.php*" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log 

I have also added the following to Exim:

 log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
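The question's log is already in the form needed to answer it: every message gets a `<=` arrival line (with `H=` host and IP for SMTP arrivals, or `U=` user and `P=local` when something on the box injected it), an optional SpamAssassin warning line, and one `=>` delivery line per recipient, all tied together by the message ID. The parser below is an added example (not from the question or either answer) that groups lines in that format by message ID and separates remote senders from locally injected mail, which is the distinction that tells you whether the server is receiving spam or sending it. The sample lines are constructed: they are modelled on the question's output, but the addresses, hosts, IPs and the locally submitted message (ID 1Xhl6T-0007Ub-2Q, user www-data) are made up.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format, modelled on the question's output.
# Addresses, hosts and IPs are documentation-range placeholders; the last two
# lines (a message injected locally by the web-server user) are invented.
SAMPLE_LOG = """\
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR H=static-ip.example.net (pzqcy.example.com) [203.0.113.5]:4000 I=[198.51.100.2]:25 Warning: "SpamAssassin as megraphi detected message as spam (7.7)"
2014-10-24 15:02:57 [28755] 1Xhl4S-0007Tn-IR <= sender@example.com H=static-ip.example.net (pzqcy.example.com) [203.0.113.5]:4000 I=[198.51.100.2]:25 P=esmtp S=7205 M8S=8 T="Do not drink soda again" from <sender@example.com> for user@example.org
2014-10-24 15:02:57 [28756] 1Xhl4S-0007Tn-IR => /dev/null <user@example.org> F=<sender@example.com> R=central_filter T=**bypassed** S=0 QT=9s DT=0s
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk H=smtp.example-esp.com [192.0.2.10]:24536 I=[198.51.100.2]:25 Warning: "SpamAssassin as megraphi detected message as NOT spam (-2.9)"
2014-10-24 15:03:22 [28760] 1Xhl4n-0007Ts-Lk <= bounce@example-esp.com H=smtp.example-esp.com [192.0.2.10]:24536 I=[198.51.100.2]:25 P=esmtp S=12162 M8S=0 T="Order your custom daily planners today!" from <bounce@example-esp.com> for user@example.org
2014-10-24 15:03:22 [28772] 1Xhl4n-0007Ts-Lk => my <user@example.org> F=<bounce@example-esp.com> R=virtual_user T=virtual_userdelivery S=12347 QT=13s DT=0s
2014-10-24 15:05:01 [28801] 1Xhl6T-0007Ub-2Q <= www-data@example.org U=www-data P=local S=1812 T="Cheap meds" for victim@example.net
2014-10-24 15:05:02 [28802] 1Xhl6T-0007Ub-2Q => victim@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.25]
"""

PREFIX = r'^\S+ \S+ \[\d+\] (?P<id>\S+) '          # date, time, [pid], message ID
ARRIVAL_RE = re.compile(PREFIX + r'<= (?P<sender>\S+) (?P<rest>.*)$')
DELIVERY_RE = re.compile(PREFIX + r'=> (?P<target>\S+)')
SA_RE = re.compile(PREFIX + r'.*SpamAssassin .* detected message as '
                   r'(?P<verdict>NOT spam|spam) \((?P<score>-?\d+(?:\.\d+)?)\)')
# H=<host> (<helo name>) [<ip>]  -- the HELO part is optional
HOST_RE = re.compile(r'H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]')
# KEY=value or KEY="quoted value"; the lookbehind keeps M8S=8 from being read as S=8
FIELD_RE = re.compile(r'(?<!\S)(?P<key>[A-Z0-9]+)=(?P<value>"[^"]*"|\S+)')


def parse_mainlog(text):
    """Group main-log lines by message ID into one record per message."""
    messages = {}

    def rec(mid):
        return messages.setdefault(mid, {
            'id': mid, 'sender': None, 'subject': None, 'origin': None,
            'remote_ip': None, 'remote_host': None, 'local_user': None,
            'sa_score': None, 'deliveries': []})

    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            rec(m['id'])['sa_score'] = float(m['score'])
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            r = rec(m['id'])
            r['sender'] = m['sender']
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['rest'])}
            r['subject'] = fields.get('T')
            host = HOST_RE.search(m['rest'])
            if host:                       # arrived over SMTP from another host
                r['origin'] = 'remote'
                r['remote_ip'], r['remote_host'] = host['ip'], host['host']
            else:                          # injected on this machine (P=local)
                r['origin'] = 'local'
                r['local_user'] = fields.get('U')
            continue
        m = DELIVERY_RE.match(line)
        if m:
            rec(m['id'])['deliveries'].append(m['target'])
    return messages


def spam_sources(messages, threshold=5.0):
    """Remote IPs whose messages SpamAssassin scored at or above the threshold."""
    return Counter(r['remote_ip'] for r in messages.values()
                   if r['origin'] == 'remote'
                   and r['sa_score'] is not None and r['sa_score'] >= threshold)


def local_submissions(messages):
    """Messages injected locally. If the server is the spam source, these are the
    ones to chase; U= names the Unix user (a web-server user points at a script)."""
    return [r for r in messages.values() if r['origin'] == 'local']


if __name__ == '__main__':
    msgs = parse_mainlog(SAMPLE_LOG)
    print('remote spam sources:', dict(spam_sources(msgs)))
    for r in local_submissions(msgs):
        print('LOCAL', r['id'], 'U=%s' % r['local_user'], repr(r['subject']), '->', r['deliveries'])
```

Run it against a real file with `parse_mainlog(open('/var/log/exim_mainlog').read())`; on the question's log every arrival has an `H=` clause, so `local_submissions` comes back empty, which is the "you are receiving spam, not sending it" conclusion in prose form.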

This depends a bit on the distribution, but use netstat. I made a telnet connection to a Yahoo SMTP server and could then see the connection:

 telnet mta5.am0.yahoodns.net 25
 sudo netstat -anp | grep ':25'

I then got this output, showing the connection opened by telnet:

tcp        0      0 192.168.1.25:35053     98.136.217.202:25      ESTABLISHED 31437/telnet

This sounds like your system was sending spam but is not sending it now (at the moment you are looking at it). You have already located the log file at /var/log/exim_mainlog, so what remains is to use a program to analyse all the logs and see what happened.

Exim ships with a log analysis program called eximstats. It analyses as many files as you tell it to and outputs the results as HTML. Assuming you are running apache on that server and the apache root is /var/www/html, I would make a web page for each weekly log file (assuming your logrotate is configured to rotate weekly) and then one big summary. This should do the trick:

 mkdir /var/www/html/exim/
 cd /var/log
 for J in exim_mainlog*; do
     eximstats -h1 -html=/var/www/html/exim/$J.html $J
 done
 cd /var/www/html/exim/
 # Now merge the weekly results into one big summary
 eximstats -merge exim_mainlog*.html > summary.html

The last thing is to make sure Apache has +Indexes set for this directory, so that it lists the files in the directory instead of looking for an index.html. You may need to add a .htaccess file to set that up for this directory.