Topic: [Help] Postfix is being used as a spam relay, how do I find which user account was compromised? (Read 5195 times)


mitch_lin:
I used Sendmail before without any problems. Since everyone uses Postfix nowadays I switched, and after the switch the server started being used as a spam relay.
Could someone please tell me how to find out which user account was compromised? Thank you!
My Postfix configuration file main.cf is as follows:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client sbl-xbl.spamhaus.org
        check_policy_service unix:/var/spool/postfix/postgrey/socket
smtpd_sender_restrictions =
        permit_mynetworks
        reject_unknown_client
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access



maillog:
May  4 16:03:42 mail postfix/smtpd[1096]: NOQUEUE: reject: RCPT from unknown[125.110.119.29]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.119.29]; from=<hrlrgvks@yahoo.com> to=<gogogo205@yahoo.com.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[2472]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<rsjhcyacrfyc@yahoo.com> to=<hwang.kuenmig@msa.hinet.net> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[1691]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<yyvtkbxtrwi@yahoo.com> to=<dragon06@pchome.com.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[1035]: NOQUEUE: reject: RCPT from unknown[60.181.161.171]: 450 4.7.1 Client host rejected: cannot find your hostname, [60.181.161.171]; from=<ifafcterek@yahoo.com> to=<h12304@yahoo.com.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[2391]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<cfuiwxsobsc@yahoo.com> to=<hannahchen@compeq.com.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[1691]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<yyvtkbxtrwi@yahoo.com> to=<kthkaku@seed.net.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[2391]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<cfuiwxsobsc@yahoo.com> to=<seeng@cht.com.tw> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[1692]: 59E34B02BE: client=114-36-166-204.dynamic.hinet.net[114.36.166.204]
May  4 16:03:42 mail postfix/smtpd[819]: NOQUEUE: reject: RCPT from unknown[125.110.97.151]: 450 4.7.1 Client host rejected: cannot find your hostname, [125.110.97.151]; from=<ptaivthyyq@yahoo.com.tw> to=<hideko.liu@msa.hinet.net> proto=SMTP helo=<x.x.x.x>
May  4 16:03:42 mail postfix/smtpd[2352]: NOQUEUE: reject: RCPT from unknown[60.181.161.171]: 450 4.7.1 Client host rejected: cannot find your hostname, [60.181.161.171]; from=<elkmtjzognpq@yahoo.com.tw> to=<pierretsai@yahoo.com.tw> proto=SMTP helo=<x.x.x.x>


mailq:
91E06B0338     4282 Wed May  4 16:08:24  bsu@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

9E599B0169     3862 Wed May  4 15:51:08  xbfjnr@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

95AC5B01FD     3836 Wed May  4 15:56:29  htxohy@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

944C9B0398     4850 Wed May  4 16:12:31  pjeorq@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

9B4CBB01C5     7515 Wed May  4 15:53:58  coq@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

9DB45B01F2     4826 Wed May  4 15:56:11  pjeorq@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
« Last edited: 2011-05-04 16:26 by mitch_lin »

twu2 (Administrator, http://blog.teatime.com.tw/1):
Use the queue IDs above to search the mail log.

PS. Those log entries of yours are other people trying to relay through your server and being blocked; they have nothing to do with your problem.

mitch_lin:
So there is actually no problem?
But then why does nothing I send to Yahoo and PChome get delivered?
Thank you!
« Last edited: 2011-05-05 08:11 by mitch_lin »

twu2 (Administrator, http://blog.teatime.com.tw/1):
Don't the messages in the queue above already give the reason, and even a URL with an explanation?

As for whether there is a problem... if the senders in that queue are not your users, then... your system still has a problem. (Perhaps someone's password was guessed, or a machine on the inside is infected and sending mail.)

mitch_lin:
But looking at the headers, these are not accounts from inside our organization, as shown below.
My server runs CentOS 5.5.
Could someone please point out where the problem is? Thank you!
Could it be a problem with authentication?

Postfix configuration file main.cf:
Quote:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client sbl-xbl.spamhaus.org
        check_policy_service unix:/var/spool/postfix/postgrey/socket
smtpd_sender_restrictions =
        permit_mynetworks
        reject_unknown_client
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/access

access file:
Quote:
mycompany.com.tw         ACCEPT
# We can't allow dynamic IP to relay
dynamic.apol.com.tw     REJECT
dynamic.giga.net.tw     REJECT
dynamic.hinet.net       REJECT
dynamic.seed.net.tw     REJECT
dynamic.tfn.net.tw      REJECT
dynamic.ttn.net         REJECT
dynamic.lsc.net.tw      REJECT
dynamic.163data.com.cn  REJECT

maillog:
Quote:
May  5 14:55:58 mail MailScanner[15920]: Requeue: 64AC5B00AA.ADA8D to 63044B00D4
May  5 14:55:58 mail postfix/qmgr[8037]: 63044B00D4: from=<uop@163.com>, size=4825, nrcpt=13 (queue active)
May  5 14:55:58 mail postfix/qmgr[8037]: 63044B00D4: to=<skyrain0617@yahoo.com.tw>, relay=none, delay=6.2, delays=6.2/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from 219.84.134.200 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

May  5 08:56:41 mail MailScanner[30705]: Requeue: 28A09B0085.A7283 to BC71EB007F
May  5 08:56:41 mail postfix/qmgr[8037]: BC71EB007F: from=<waeimq@163.com>, size=2106, nrcpt=31 (queue active)
May  5 08:56:43 mail postfix/smtp[453]: BC71EB007F: to=<mwotoo@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=8.6, delays=8.1/0/0.48/0, dsn=4.7.0, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

postqueue:
Quote:
63044B00D4     4825 Thu May  5 14:55:52  uop@163.com
(delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from 219.84.134.200 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

BC71EB007F     2106 Thu May  5 08:56:33  waeimq@163.com
(host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

The message:
Quote:
*** ENVELOPE RECORDS /var/spool/postfix/deferred/6/63044B00D4 ***
message_size:            4825            1796              13               0
message_arrival_time: Thu May  5 14:55:52 2011
sender: uop@163.com
create_time: Thu May  5 14:55:52 2011
named_attribute: rewrite_context=remote
named_attribute: log_client_name=118-167-10-63.dynamic.hinet.net
named_attribute: log_client_address=118.167.10.63
named_attribute: log_message_origin=118-167-10-63.dynamic.hinet.net[118.167.10.63]
named_attribute: log_helo_name=PC46
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=118-167-10-63.dynamic.hinet.net
named_attribute: reverse_client_name=118-167-10-63.dynamic.hinet.net
named_attribute: client_address=118.167.10.63
named_attribute: helo_name=PC46
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;skyrain0617@yahoo.com.tw
original_recipient: skyrain0617@yahoo.com.tw
recipient: skyrain0617@yahoo.com.tw
*** MESSAGE CONTENTS /var/spool/postfix/deferred/6/63044B00D4 ***
Received: from PC46 (118-167-10-63.dynamic.hinet.net [118.167.10.63])
   by host.mycomoany.com.tw (Postfix) with ESMTP id 64AC5B00AA;
   Thu,  5 May 2011 14:55:52 +0800 (CST)
From: =?BIG5?B?tlW02rHPrFA=?= <hall@ionosphere.info>
To: "skyrain0617" <skyrain0617@yahoo.com.tw>
Subject: {Spam?} {Disarmed}
 =?BIG5?B?obqxTa5hqPOnVbvIpua2VbTaobQvpL2lcaX4t34vqdCrzi+oVKiuL6R1vHQvpGem?=
 =?BIG5?B?YS/A57d+rbGpsS+t06RI?=
Date: Thu, 5 May 2011 14:55:44 +0800
MIME-Version: 1.0
Content-Type: text/html;
   charset="Big5"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-Id: <20110505065552.64AC5B00AA@host.mycomoany.com.tw>
X-MyCompany-MailScanner-Information: Please contact the ISP for more information
X-MyCompany-MailScanner-ID: 64AC5B00AA.ADA8D
X-MyCompany-MailScanner: Found to be clean
X-MyCompany-MailScanner-SpamCheck: spam, SpamAssassin (cached, score=20.754,
   required 6, autolearn=spam, BAYES_99 3.50, DOS_OE_TO_MX 2.75,
   DYN_RDNS_SHORT_HELO_HTML 0.50, FORGED_MUA_OUTLOOK 3.12,
   FORGED_OUTLOOK_HTML 0.00, HTML_FONT_SIZE_HUGE 0.06,
   HTML_IMAGE_ONLY_24 1.55, HTML_IMAGE_RATIO_08 0.00, HTML_MESSAGE 0.00,
   MIME_HTML_ONLY 1.46, RAZOR2_CF_RANGE_51_100 0.50,
   RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RDNS_DYNAMIC 0.10,
   TVD_SPACE_RATIO 2.22, URIBL_JP_SURBL 1.50, URIBL_WS_SURBL 1.50)
X-MyCompany-MailScanner-SpamScore: 20
X-MyCompany-MailScanner-From: uop@163.com
X-Spam-Status: Yes

twu2 (Administrator, http://blog.teatime.com.tw/1):
It does look like spam.
Your queue ID may not be the one from the original reception (perhaps MailScanner requeued the message), or else you did not list it.

Find the smtpd entry, e.g.:
Code:
May  6 13:48:56 mail postfix/smtpd[44858]: 39FB532030: client=unknown[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=tommy
May  6 13:48:57 mail postfix/qmgr[3906]: 39FB532030: from=<tommy@xxx.xxx.xxx>, size=1660, nrcpt=1 (queue active)

If the queue IDs differ, start from that qmgr entry and search backwards.
If a password was guessed, the sasl_username shown above is the user it was sent as.

PS. The files in the queue also contain the IP; searching the log directly by that IP will be faster.

mitch_lin:
Thanks for your guidance, Tommy:

I have confirmed that those queue IDs have no such postfix/smtpd... sasl_method=LOGIN... authentication line; I searched by the IDs. I have the following questions and would ask Tommy for some pointers:
1. Why is only the mail to Yahoo requeued again via MailScanner?
2. How do I configure it so that mail is not requeued via MailScanner again, since it was not authenticated by my server?

twu2 (Administrator, http://blog.teatime.com.tw/1):
If there is no smtpd entry but the message is in the queue, it means the message did not come in through smtpd.
In other words... it was sent locally with the sendmail command.
That means your machine has been broken into and someone has put a program on it that sends mail. Usually the web server (a badly written script running on it) is the most likely culprit.

As for MailScanner, I have never used it, so I don't know.
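The procedure twu2 lays out in his last two replies (find the smtpd line that created the message and read its client address and sasl_username; if MailScanner requeued the message, walk from the qmgr entry back to the original queue ID; if there is no smtpd line at all, the message was submitted locally), as an added example in Python that is not code from this thread, from Postfix or from MailScanner. The log lines and the queue-file dump it parses are constructed to mirror the ones posted above; queue IDs, hostnames, IP addresses and the username are hypothetical. Locally submitted mail is logged by postfix/pickup with the uid of the submitting process, which is what points at the script or daemon sending it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed maillog excerpt modelled on the lines posted in this thread. Queue IDs, hosts,
# addresses and the username are hypothetical; the line formats are Postfix's and MailScanner's.
SAMPLE_MAILLOG = """\
May  5 14:55:52 mail postfix/smtpd[1692]: 64AC5B00AA: client=118-167-10-63.dynamic.hinet.net[118.167.10.63]
May  5 14:55:58 mail MailScanner[15920]: Requeue: 64AC5B00AA.ADA8D to 63044B00D4
May  5 14:55:58 mail postfix/qmgr[8037]: 63044B00D4: from=<uop@163.com>, size=4825, nrcpt=13 (queue active)
May  6 13:48:56 mail postfix/smtpd[44858]: 39FB532030: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=tommy
May  6 13:48:57 mail postfix/qmgr[3906]: 39FB532030: from=<tommy@example.com>, size=1660, nrcpt=1 (queue active)
May  6 14:02:10 mail postfix/pickup[2210]: 7A1C2B0411: uid=48 from=<apache>
May  6 14:02:10 mail postfix/qmgr[3906]: 7A1C2B0411: from=<apache@host.example.com>, size=900, nrcpt=40 (queue active)
"""

# Constructed queue-file dump in the shape the thread shows (what postcat -q <ID> prints).
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS /var/spool/postfix/deferred/6/63044B00D4 ***
sender: uop@163.com
named_attribute: log_client_address=118.167.10.63
named_attribute: client_address=118.167.10.63
named_attribute: helo_name=PC46
"""

# Short hexadecimal queue IDs as in the thread (long queue IDs would need [0-9A-Za-z]+).
RE_REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (?P<old>[0-9A-F]+)\.\w+ to (?P<new>[0-9A-F]+)")
RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
RE_SASL_USER = re.compile(r"sasl_username=(?P<user>\S+)")
RE_ATTR = re.compile(r"^named_attribute: (?P<key>\w+)=(?P<value>.*)$", re.M)

@dataclass
class Origin:
    queue_ids: List[str]              # final queue ID first, original (pre-requeue) ID last
    entry: str                        # "smtpd", "pickup" or "unknown"
    client_host: Optional[str] = None
    client_ip: Optional[str] = None
    sasl_username: Optional[str] = None
    uid: Optional[int] = None
    sender: Optional[str] = None

def index_log(text: str):
    """One pass over the log: requeue links (new ID -> old ID) plus smtpd and pickup entries by queue ID."""
    requeued_from: Dict[str, str] = {}
    smtpd: Dict[str, Tuple[str, str, Optional[str]]] = {}
    pickup: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = RE_REQUEUE.search(line)
        if m:
            requeued_from[m["new"]] = m["old"]
            continue
        m = RE_SMTPD.search(line)
        if m:
            sasl = RE_SASL_USER.search(m["rest"])
            smtpd[m["qid"]] = (m["host"], m["ip"], sasl["user"] if sasl else None)
            continue
        m = RE_PICKUP.search(line)
        if m:
            pickup[m["qid"]] = (int(m["uid"]), m["sender"])
    return requeued_from, smtpd, pickup

def trace(queue_id: str, log_text: str) -> Origin:
    """Follow a queue ID back through MailScanner requeues to the entry that created the message."""
    requeued_from, smtpd, pickup = index_log(log_text)
    chain = [queue_id]
    while chain[-1] in requeued_from and requeued_from[chain[-1]] not in chain:
        chain.append(requeued_from[chain[-1]])
    original = chain[-1]
    if original in smtpd:
        host, ip, user = smtpd[original]
        return Origin(chain, "smtpd", client_host=host, client_ip=ip, sasl_username=user)
    if original in pickup:
        uid, sender = pickup[original]
        return Origin(chain, "pickup", uid=uid, sender=sender)
    return Origin(chain, "unknown")

def classify(origin: Origin) -> str:
    """Which of the thread's explanations the entry point supports, and what to check next."""
    if origin.entry == "smtpd" and origin.sasl_username:
        return "compromised_account"            # a password was guessed: lock that account first
    if origin.entry == "smtpd":
        return "unauthenticated_remote_client"  # relayed without SASL: review mynetworks
    if origin.entry == "pickup":
        return "local_submission"               # injected with sendmail(1) on the host: find what runs as that uid
    return "unknown"                            # widen the log window; the original ID is not in this excerpt

def queue_file_attrs(postcat_text: str) -> Dict[str, str]:
    """Envelope attributes of a queue file: client_address is the IP to grep the log for, and a
    sasl_username attribute is only present when the client authenticated."""
    return {m["key"]: m["value"] for m in RE_ATTR.finditer(postcat_text)}

if __name__ == "__main__":
    for qid in ("63044B00D4", "39FB532030", "7A1C2B0411", "DEADBEEF00"):
        o = trace(qid, SAMPLE_MAILLOG)
        print(" <- ".join(o.queue_ids), o.entry, o.client_ip or o.uid, o.sasl_username, "=>", classify(o))
    print("queue file says client_address =", queue_file_attrs(SAMPLE_POSTCAT).get("client_address"))
```

Against a real /var/log/maillog, pass the file contents to trace() together with the ID shown by mailq. With the smtpd_recipient_restrictions posted above, a result of unauthenticated_remote_client for a message whose recipients are all remote means the client was permitted before reject_unauth_destination, which in that list can only be permit_mynetworks, so check mynetworks before resetting anyone's password.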

mitch_lin:
Thanks for your guidance, Tommy:

I found where the problem is: it is in the access file.
The mail it rejects goes back into the queue; after removing the entries below everything was fine.

# We can't allow dynamic IP to relay
dynamic.apol.com.tw     REJECT
dynamic.giga.net.tw     REJECT
dynamic.hinet.net       REJECT
dynamic.seed.net.tw     REJECT
dynamic.tfn.net.tw      REJECT
dynamic.ttn.net         REJECT
dynamic.lsc.net.tw      REJECT
dynamic.163data.com.cn  REJECT

Thank you!
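A check worth running before editing a check_client_access table, added here as an example and not code from the thread or from Postfix: a regexp: table has a stricter line format than a hash: table (regexp_table(5) expects a delimited pattern, optional flags, then the result), and Postfix logs a warning and skips any rule it cannot parse rather than applying it. The Python lint below applies those rules plus the list of result keywords from access(5); Python's re stands in for the POSIX ERE that Postfix uses. Run on a copy of the table posted above it flags every rule, because the keys are bare domain names with no pattern delimiter, and it separately flags ACCEPT, which is not an access(5) result (the accept action is OK). The corrected table in the block is hypothetical: each domain becomes an escaped, anchored pattern so that dynamic.hinet.net cannot also match dynamic-hinet.net or dynamic.hinet.net.example.com.

```python
import re
from typing import List, Tuple

# Result keywords defined in access(5). Lower-case results are smtpd restriction names and
# numeric 4xx/5xx results are SMTP reply codes; both are accepted without further checks here.
ACCESS_ACTIONS = {
    "OK", "REJECT", "DEFER", "DEFER_IF_PERMIT", "DEFER_IF_REJECT", "DISCARD", "DUNNO",
    "FILTER", "HOLD", "PREPEND", "REDIRECT", "WARN", "BCC", "INFO",
}
FLAG_CHARS = set("imx")   # flags regexp_table(5) accepts after the closing delimiter

# Constructed copy of the table posted above, shortened to three rules; main.cf looks it up as regexp:.
POSTED_TABLE = r"""
mycompany.com.tw         ACCEPT
# We can't allow dynamic IP to relay
dynamic.apol.com.tw     REJECT
dynamic.hinet.net       REJECT
""".lstrip("\n")

# Hypothetical corrected version: delimited, escaped and anchored patterns with access(5) results.
CORRECTED_TABLE = r"""
/(^|\.)mycompany\.com\.tw$/     OK
# Reverse names of dynamic ranges may not relay
/\.dynamic\.apol\.com\.tw$/     REJECT dynamic address ranges may not relay
/\.dynamic\.hinet\.net$/        REJECT dynamic address ranges may not relay
""".lstrip("\n")

def parse_rule(line: str) -> Tuple[str, str, str]:
    """Split one regexp_table(5) rule into (pattern, flags, result); raise ValueError if Postfix would skip it."""
    body = line[1:].lstrip() if line.startswith("!") else line
    if not body or body[0].isalnum() or body[0].isspace():
        raise ValueError("no regexp delimiter (regexp_table(5) needs a non-alphanumeric one such as /); "
                         "Postfix warns and skips this rule")
    delim = body[0]
    i = 1
    while i < len(body) and body[i] != delim:
        i += 2 if body[i] == "\\" else 1      # a backslash escapes the next character
    if i >= len(body):
        raise ValueError("no closing delimiter %r; Postfix warns and skips this rule" % delim)
    j = i + 1
    while j < len(body) and body[j] in FLAG_CHARS:
        j += 1
    if j < len(body) and not body[j].isspace():
        raise ValueError("unknown flag %r after the pattern; Postfix warns and skips this rule" % body[j])
    pattern, flags, result = body[1:i], body[i + 1:j], body[j:].strip()
    if not result:
        raise ValueError("rule has no result")
    return pattern, flags, result

def lint_table(text: str) -> List[Tuple[int, str]]:
    """Findings as (line number, message); an empty list means every rule parses and uses a known result."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "endif" or line.startswith("if "):
            continue                      # comments and if/endif lines are not checked by this lint
        try:
            pattern, _flags, result = parse_rule(line)
        except ValueError as err:
            findings.append((lineno, str(err)))
            continue
        try:
            re.compile(pattern)           # Python re as a stand-in for POSIX ERE; close enough for a lint
        except re.error as err:
            findings.append((lineno, "pattern does not compile: %s" % err))
        action = result.split()[0]
        if action == "ACCEPT":
            findings.append((lineno, "ACCEPT is not an access(5) result; the accept action is OK"))
        elif not (action in ACCESS_ACTIONS or action.islower() or re.fullmatch(r"[45]\d\d", action)):
            findings.append((lineno, "result %r is not an access(5) action" % action))
    return findings

if __name__ == "__main__":
    for name, table in (("posted", POSTED_TABLE), ("corrected", CORRECTED_TABLE)):
        print(name, lint_table(table) or "clean")
```

After editing, postmap -q 118-167-10-63.dynamic.hinet.net regexp:/etc/postfix/access shows what Postfix itself returns for a client name, and the maillog carries the warnings for any rule the lint flagged.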