A scammer is using my mail server to send his scam. Is there any way to stop him?
I am running Exim4 and Dovecot on Debian Stable.
Here is the mail delivery I received:
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from [210.83.81.189] (helo=User)
    by server.hotconference.com with esmtpa (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1Mh7A5-0008Lz-Vo; Fri, 28 Aug 2009 15:31:03 -0400
Reply-To: <[email protected]>
From: "Mr. Frank Bell"<[email protected]>
Subject: Western Union Payment Center®
Date: Fri, 28 Aug 2009 12:30:54 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

<HTML><HEAD><TITLE></TITLE> </HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
<DIV> </DIV>
<DIV> Attn: Beneficiary,</DIV>
<DIV> </DIV>
<DIV> There is an issue with the WESTERN UNION MONEY TRANSFER NIGERIA in the amount of $500.000.00 USD directed in cash credited to file KTU/9023118308/03, at the owner of this email address. The INTERNATIONAL MONETARY FUND contacted us for your compensation a couple of hours ago due to your allocated security code.</DIV>
<DIV> They said that they choose to send it to an email address instead of a name. We are unable to complete a transfer directed at an email address, so we require some more information in order to complete this transfer.</DIV>
<DIV> </DIV>
<DIV> FULL NAME:</DIV>
<DIV> FULL CONTACT ADDRESS:</DIV>
<DIV> MOBILE PHONE NUMBER:</DIV>
<DIV> OCCUPATION:</DIV>
<DIV> MARITAL STATUS AND AGE:</DIV>
<DIV> </DIV>
<DIV> In order to resolve this problem, please email via Western Union Solicitors Fund Verification Department: [email protected]</DIV>
<DIV> As soon as this information is received, and you have complied with the requirements of our payment of the western union charges which is $420, payment will be made to your nominated bank account or at the counter directly from The Western Union Transferring Bank.</DIV>
<DIV> Note: That this is directly from the Management of Western Union Money Transfer NIGERIA Head Office and our Motto is (To Serve You Better).</DIV>
<DIV> Also note that you would be responsible for any payment that is needed for the transfer of your funds into your nominated bank account or at the counter directly from the Western Union Transferring Bank.</DIV>
<DIV> THE MANAGEMENT OF WESTERN UNION MONEY TRANSFER, DISPATCHED THIS DAY.</DIV>
<DIV> </DIV>
<DIV> Call this number for verification +2348032263275</DIV>
<DIV> Sincerely,</DIV>
<DIV> Mr. Frank Bell.</DIV>
</FONT> </BODY></HTML>
And this one:
Return-Path: <>
Delivered-To: [email protected]
Received: (qmail 5451 invoked from network); 14 Sep 2009 13:46:51 -0000
Received: from mx24-g26.free.fr (HELO server.hotconference.com) (212.27.42.86)
    by mrelay6-g25.free.fr with SMTP; 14 Sep 2009 13:46:51 -0000
Received: from server.hotconference.com ([12.68.137.174])
    by mx2-g20.free.fr (MXproxy) for [email protected] ; Mon, 14 Sep 2009 15:46:51 +0200 (CEST)
X-ProXaD-SC: state=HAM score=10
Received: from mailnull by server.hotconference.com with local (Exim 4.69)
    id 1MnBtK-0001Qr-Le
    for [email protected]; Mon, 14 Sep 2009 09:46:50 -0400
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Warning: message 1Mh72E-0007Zk-0r delayed 384 hours
Message-Id: <[email protected]>
Date: Mon, 14 Sep 2009 09:46:50 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.hotconference.com
X-AntiAbuse: Original Domain - free.fr
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:

This message was created automatically by mail delivery software.

A message that you sent has not yet been delivered to one or more of its
recipients after more than 384 hours on the queue on server.hotconference.com.

The message identifier is:     1Mh72E-0007Zk-0r
The subject of the message is: Western Union Payment Center®
The date of the message is:    Fri, 28 Aug 2009 12:22:46 -0700

The addresses to which the message has not yet been delivered are:

  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]

No action is required on your part. Delivery attempts will continue for some
time, and this warning may be repeated at intervals if the message remains
undelivered. Eventually the mail delivery software will give up, and when
that happens, the message will be returned to you.
Unless 210.83.81.189 belongs to you, I don't see any evidence of anyone using your server to send mail.
Update: OK, based on your September 14 edit, your server may have been used to send spam, or it may not. The only way to tell is to look at your outgoing mail queue and your mail logs and see whether mail was sent that should not have been.
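The reasoning in the answer above (who handed the message to whom, and whether your own server was anything more than the final recipient) can be done mechanically from the Received: chain. The following is an added example in Python, not code from the original post or from Exim. It assumes the questioner's hostname is server.hotconference.com, rebuilds the single Received: hop shown in the question with placeholder addresses, and classifies each hop by Exim's "with" protocol tag: esmtpa/esmtpsa mean the SMTP client authenticated, local means the message was generated on the server itself, anything else was accepted without authentication.

```python
import email
import re

# Constructed header sample (not the full message from the post): the Received
# hop reproduces the one shown in the question; the addresses are placeholders.
SAMPLE_HEADERS = """\
Return-path: <sender@placeholder.example>
Received: from [210.83.81.189] (helo=User)
\tby server.hotconference.com with esmtpa (Exim 4.69)
\t(envelope-from <sender@placeholder.example>)
\tid 1Mh7A5-0008Lz-Vo; Fri, 28 Aug 2009 15:31:03 -0400
Reply-To: <reply@placeholder.example>
From: "Mr. Frank Bell" <sender@placeholder.example>
Subject: Western Union Payment Center
Date: Fri, 28 Aug 2009 12:30:54 -0700

"""

# Exim "with <protocol>" values that mean the SMTP client authenticated.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp", "asmtps"}

HOP_RE = re.compile(
    r"from (?P<from>.+?) by (?P<by>\S+) with (?P<with>\S+)"
    r"(?:.*?\bid (?P<id>[^\s;]+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_headers: str) -> list:
    """Return the Received: hops, oldest first (header order is newest first)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue  # e.g. qmail-style hops that carry no from/by/with
        ip = IP_RE.search(m["from"])
        hops.append({
            "from": m["from"],
            "ip": ip.group(1) if ip else None,
            "by": m["by"].lower(),
            "with": m["with"].lower(),
            "id": m["id"],
        })
    hops.reverse()
    return hops


def classify_hop(hop: dict, our_host: str) -> str:
    """Say what role our server played in one hop."""
    if hop["by"] != our_host.lower():
        return "handled by another server"
    if hop["with"] in AUTHENTICATED_PROTOCOLS:
        return "authenticated submission to our server"
    if hop["with"] == "local":
        return "generated locally on our server"
    return "accepted by our server without authentication"


def assess_received_chain(raw_headers: str, our_host: str) -> dict:
    """Summarise the hop chain and how our server was involved in it."""
    hops = parse_received(raw_headers)
    for hop in hops:
        hop["role"] = classify_hop(hop, our_host)
    ours = [h for h in hops if h["by"] == our_host.lower()]
    if any(h["with"] in AUTHENTICATED_PROTOCOLS for h in ours):
        verdict = ("a client authenticated to our server to submit this message: "
                   "check which account was used and from which address")
    elif ours and ours[0] is hops[-1]:
        verdict = "our server only received this message; it was the final hop"
    elif ours:
        verdict = "our server accepted and forwarded this message without authentication"
    else:
        verdict = "our server does not appear in the chain"
    return {"hops": hops, "origin_ip": hops[0]["ip"] if hops else None, "verdict": verdict}


if __name__ == "__main__":
    result = assess_received_chain(SAMPLE_HEADERS, "server.hotconference.com")
    for hop in result["hops"]:
        print(f"{hop['from']} -> {hop['by']} ({hop['with']}): {hop['role']}")
    print("Verdict:", result["verdict"])
```

Received: lines are written by the server that accepts the message, so only the hops stamped "by" your own host are trustworthy; everything the client claimed before that (the helo name, the addresses in the envelope) can be forged, which is why the script keys its verdict on the "by" host and the protocol tag rather than on the From: or Return-path: headers.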
First, check the logs on your mail server. If the headers are forged, then your mail server is not actually being used as an intermediary. The logs on your mail server should tell you where mail came from and where it went. Note, though, that if your system has been hacked, the logs may have been forged or altered.
Second, find a website that will test whether your system is an open relay.
Third, check and re-check that your system is configured to relay mail only for authorized IPs.
Fourth, run a rootkit checker to look for anomalies on your system. Programs like rkhunter and chkrootkit.
Fifth, look for tutorials on hardening mail servers that are specific to your mail server software, then re-check the configuration.
Sixth, check your router for any suspicious connection information, strange connections to or from your network. If you can break it down by protocol, you can see what is going on in the network without relying on a potentially compromised system.
If your system has been compromised, you should strongly consider reinstalling the operating system, since if it was hacked you cannot be sure that binaries were not replaced or other malware hidden. Even the executables used to detect activity could have been altered (e.g. ps hiding specific processes).
Also, if your system was compromised as an open relay, it is possible that you have already been blocked by other mail servers and blocklists. You can check some of the open lists to see whether your domain is listed.
Still doesn't look like you have been compromised. 210.83.81.189 sent you an email with a forged return path and reply-to. The only reason it is on your mail server is that it was addressed to you.
Check the server logs to see whether the mail server actually sent the fraudulent mail on to other computers, then report back.
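The log check that the last two answers recommend (and the first step of the six-point list above) is easiest to do by grouping Exim's mainlog by queue id: the "<=" line records where a message came in from and whether the client authenticated, and the "=>" / "==" lines record every delivery attempt. The following is an added example in Python, not code from the original post or from Exim. The log excerpt is constructed for the example: the first message reuses the source IP and queue id visible in the question's headers, the second and third are invented, and hotconference.com is assumed to be the server's own domain. Local submissions without an H= field are outside its scope.

```python
import re

# Constructed Exim mainlog excerpt (not from the original post). The first message
# reuses the source IP and queue id seen in the question; everything else is made up.
SAMPLE_MAINLOG = """\
2009-08-28 15:31:03 1Mh7A5-0008Lz-Vo <= spoofed@example.com H=(User) [210.83.81.189] P=esmtpa A=plain:alice S=2310 id=000001@User
2009-08-28 15:31:04 1Mh7A5-0008Lz-Vo => victim1@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2009-08-28 15:31:04 1Mh7A5-0008Lz-Vo => victim2@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20]
2009-08-28 15:31:05 1Mh7A5-0008Lz-Vo == victim3@example.edu R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2009-08-28 15:31:05 1Mh7A5-0008Lz-Vo Completed
2009-08-28 16:02:11 1Mh7fZ-0008M1-2k <= bob@hotconference.com H=(laptop) [198.51.100.7] P=esmtpa A=plain:bob S=812 id=abc@laptop
2009-08-28 16:02:12 1Mh7fZ-0008M1-2k => alice@hotconference.com R=localuser T=local_delivery
2009-08-28 16:02:12 1Mh7fZ-0008M1-2k Completed
2009-08-28 16:10:00 1Mh7n0-0008M9-Qa <= remote@example.com H=mx.example.com [203.0.113.5] P=esmtp S=1500 id=xyz@example.com
2009-08-28 16:10:01 1Mh7n0-0008M9-Qa => alice@hotconference.com R=localuser T=local_delivery
2009-08-28 16:10:01 1Mh7n0-0008M9-Qa Completed
"""

# Domains this server is authoritative for (assumption for the example).
LOCAL_DOMAINS = {"hotconference.com"}

# "<=" arrival lines that carry a peer host (H=); local submissions are skipped.
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*H=.*)$")
# "=>" completed and "==" deferred delivery attempts.
DELIVERY_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|==) (?P<rcpt>\S+) .*?T=(?P<transport>\S+)")


def _field(rest: str, key: str):
    """Pick a space-separated KEY=value field out of the tail of a log line."""
    m = re.search(rf"(?:^| ){key}=(\S+)", rest)
    return m.group(1) if m else None


def parse_mainlog(text: str) -> dict:
    """Group each arrival with its delivery attempts, keyed by Exim queue id."""
    msgs = {}
    for line in text.splitlines():
        a = ARRIVAL_RE.match(line)
        if a:
            rest = a["rest"]
            ip = re.search(r"\[([^\]]+)\]", rest)
            msgs[a["id"]] = {
                "ts": a["ts"],
                "sender": a["sender"],
                "ip": ip.group(1) if ip else None,
                "proto": _field(rest, "P"),   # esmtpa / esmtpsa = client authenticated
                "auth": _field(rest, "A"),    # "authenticator:login", present only if authenticated
                "remote_rcpts": [],
                "local_rcpts": [],
            }
            continue
        d = DELIVERY_RE.match(line)
        if d and d["id"] in msgs:
            bucket = "remote_rcpts" if d["transport"] == "remote_smtp" else "local_rcpts"
            if d["rcpt"] not in msgs[d["id"]][bucket]:   # retries repeat the recipient
                msgs[d["id"]][bucket].append(d["rcpt"])
    return msgs


def flag_suspicious(msgs: dict, local_domains=LOCAL_DOMAINS, max_remote: int = 10) -> list:
    """Return (queue id, source ip, reasons) for messages that deserve a closer look."""
    findings = []
    for mid, m in msgs.items():
        reasons = []
        sender_domain = m["sender"].rsplit("@", 1)[-1].lower() if "@" in m["sender"] else ""
        if m["auth"] and sender_domain not in local_domains:
            reasons.append(f"authenticated as {m['auth']} but envelope sender "
                           f"{m['sender']} is not a local domain")
        if not m["auth"] and m["remote_rcpts"]:
            reasons.append("relayed to remote recipients without authentication")
        if len(m["remote_rcpts"]) >= max_remote:
            reasons.append(f"{len(m['remote_rcpts'])} remote recipients")
        if reasons:
            findings.append((mid, m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for mid, ip, reasons in flag_suspicious(parse_mainlog(SAMPLE_MAINLOG)):
        print(f"{mid} from {ip}: " + "; ".join(reasons))
```

On a real server the same functions can be fed the contents of /var/log/exim4/mainlog. The three rules separate the two failure modes the thread discusses: an unauthenticated "<=" followed by remote_smtp deliveries is the open-relay symptom, while an authenticated "<=" from an unfamiliar address with a foreign envelope sender points at a stolen or guessed account password rather than a relay misconfiguration, and the second case is not fixed by tightening relay rules alone.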