
Analysis and resolution of a Postfix server flooding out spam (Part 1)

2012-10-28 04:42
This Tuesday someone at work reported that the company mailbox could no longer send outbound mail. I logged in to the server to look for the cause, and what I found was alarming: the server log was scrolling like mad, and every line was a rejection from some other mail server! Since I had not managed this server before, even locating the configuration file took a long find; in the end I picked the real one out of more than ten main.cf files......

Below, the analysis of the problem and its resolution.
First, locate the configuration file and see what it contains.
localhost# find / -name main.cf
.......
/usr/local/etc/postfix/main.cf
/usr/opt/software/postfix-2.8.9/conf/main.cf
/etc/postfix/main.cf
With this many configuration files it is not obvious which one is in use, but by convention the most likely candidate is /etc/postfix/main.cf.
Open /etc/postfix/main.cf and take a look.
localhost# cat /etc/postfix/main.cf | grep -v '^#' | grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
message_size_limit = 512000000
virtual_mailbox_limit = 1024000000
readme_directory = /usr/local/share/doc/postfix
virtual_mailbox_base = /usr/opt/home/domains
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
virtual_alias_maps = $alias_maps, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
dspam_destination_recipient_limit = 1
mydestination =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_client_restrictions =
    reject_rbl_client cblless.anti-spam.org.cn,
    reject_rbl_client cdl.anti-spam.org.cn,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client bl.spamcop.net
localhost# vi /etc/postfix/sender_access
carr.chee@aol.com REJECT
Henry.bny5@hotmail.com REJECT
pmck.hsr69@yahoo.com REJECT
........
From the configuration above we can see that our only check on the sender is sender_access: it merely rejects the addresses listed in sender_access and imposes no other restriction at all. The rules are very permissive.

An excerpt of the log for analysis
localhost# tail /var/log/maillog
Oct 22 16:36:01 localhost postfix/error[18675]: 42263221CA: to=<altoact@verizon.net>, relay=none, delay=111421, delays=105070/6348/0/2.6, dsn=4.0.0, status=deferred (delivery temporarily suspended: host relay.verizon.net[206.46.232.11] refused to talk to me: 571 Email from 124.172.224.76 is currently blocked by Verizon Online's anti-spam system. The email sender or Email Service Provider may visit http://www.verizon.net/whitelist and request removal of the block. 121022)
Oct 22 16:36:01 localhost postfix/qmgr[32357]: 184F627BF64: from=<lindawatts338@yahoo.com.hk>, size=2338, nrcpt=50 (queue active)
Oct 22 16:36:01 localhost postfix/smtp[18300]: 1C34F26235C: to=<andrew.rawson@honeywell.com>, relay=mail2.honeywell.com[199.61.24.28]:25, delay=110287, delays=110274/11/2.4/0, dsn=4.0.0, status=deferred (host mail2.honeywell.com[199.61.24.28] refused to talk to me: 554 mail2.honeywell.com)
Oct 22 16:36:01 localhost postfix/smtp[18288]: connect to news-daily.com.inbound15.mxlogicmx.net[208.65.144.12]:25: Connection refused
Everything is deferred: the other mail servers have already refused our deliveries.
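As an added example that is not part of the original post, the POSIX shell script below does the log triage described above over a constructed maillog excerpt: it counts delivery attempts by status, ranks envelope senders taken from the qmgr from= lines together with their recipient counts, and lists the remote hosts that refused us. The log lines, addresses and IPs inside make_sample_log are constructed for illustration; pass a real /var/log/maillog as the first argument to run it on live data.

```shell
#!/bin/sh
# Added example, not from the original post. Triage a Postfix maillog:
# who is sending, how much, and who is refusing us.
# All log lines below are constructed (documentation IPs, .example domains).
make_sample_log() {
cat <<'EOF'
Oct 22 16:36:01 mail postfix/qmgr[32357]: 184F627BF64: from=<jane.doe831@freemail.example>, size=2338, nrcpt=50 (queue active)
Oct 22 16:36:01 mail postfix/error[18675]: 184F627BF64: to=<user1@isp-a.example>, relay=none, delay=111421, delays=105070/6348/0/2.6, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.isp-a.example[203.0.113.10] refused to talk to me: 571 Email from 198.51.100.76 is currently blocked)
Oct 22 16:36:02 mail postfix/qmgr[32357]: 5D1477C0D: from=<jrobert299@freemail.example>, size=2333, nrcpt=50 (queue active)
Oct 22 16:36:02 mail postfix/smtp[18301]: 5D1477C0D: to=<user2@isp-b.example>, relay=mx.isp-b.example[203.0.113.20]:25, delay=10, delays=9/0/0.5/0.1, dsn=4.0.0, status=deferred (host mx.isp-b.example[203.0.113.20] refused to talk to me: 554 198.51.100.76 blocked)
Oct 22 16:36:03 mail postfix/qmgr[32357]: 1C34F26235C: from=<jrobert299@freemail.example>, size=2340, nrcpt=40 (queue active)
Oct 22 16:36:03 mail postfix/smtp[18300]: 1C34F26235C: to=<user3@isp-a.example>, relay=mx.isp-a.example[203.0.113.10]:25, delay=110287, delays=110274/11/2.4/0, dsn=4.0.0, status=deferred (host mx.isp-a.example[203.0.113.10] refused to talk to me: 554 mx.isp-a.example)
Oct 22 16:36:04 mail postfix/qmgr[32357]: 7A1B2C3D4E: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Oct 22 16:36:04 mail postfix/smtp[18302]: 7A1B2C3D4E: to=<bob@partner.example>, relay=mx.partner.example[203.0.113.30]:25, delay=1, delays=0.5/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
Oct 22 16:36:05 mail postfix/smtp[18303]: 99F4C23F008: to=<user4@isp-b.example>, relay=mx.isp-b.example[203.0.113.20]:25, delay=110, delays=109/0/0.04/0.1, dsn=5.0.0, status=bounced (host mx.isp-b.example[203.0.113.20] said: 550 Mail content denied (in reply to end of DATA command))
EOF
}

# Number of delivery attempts with a given final status (deferred, bounced, sent).
count_status() {  # $1 = log file, $2 = status name
  grep -c "status=$2 " "$1" || true
}

# Envelope senders from the qmgr "from=" lines: messages queued, recipients
# addressed, address. A handful of unknown senders with nrcpt=50 is the
# signature of the abuse the post describes.
top_senders() {  # $1 = log file; prints "msgs rcpts sender", busiest first
  sed -n 's/.*postfix\/qmgr\[[0-9]*\]: [0-9A-F]*: from=<\([^>]*\)>, size=[0-9]*, nrcpt=\([0-9]*\).*/\1 \2/p' "$1" \
    | awk '{ msgs[$1]++; rcpts[$1] += $2 } END { for (s in msgs) print msgs[s], rcpts[s], s }' \
    | sort -rn
}

# Remote MX hosts that refused us, taken from the "refused to talk to me" and
# "said:" texts: each one is a place where this IP is now on a blocklist.
rejecting_relays() {  # $1 = log file; prints "count host"
  awk 'match($0, /host [^ ]+\[[0-9.]+\] (refused to talk to me|said:)/) {
         h = substr($0, RSTART + 5, RLENGTH - 5); sub(/\[.*/, "", h); print h }' "$1" \
    | sort | uniq -c | sort -rn
}

# Usage: sh triage.sh /var/log/maillog   (no argument: run on the constructed sample)
log=${1:-}
[ -n "$log" ] || { log=$(mktemp); make_sample_log > "$log"; }
echo "deferred: $(count_status "$log" deferred)  bounced: $(count_status "$log" bounced)  sent: $(count_status "$log" sent)"
echo "--- senders (msgs rcpts address) ---"; top_senders "$log"
echo "--- relays that refused us ---"; rejecting_relays "$log"
```

On the sample this reports 3 deferred, 1 bounced and 1 sent attempt, puts jrobert299@freemail.example on top with 2 messages to 90 recipients, and shows both ISP relays refusing us; on a real log the sender ranking is usually enough to tell the abuse traffic from legitimate users.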

Next, use the mailq command to look at the queue.
The result: mailq scrolls the screen endlessly. Far too many queued messages!
localhost# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5D1477C0D* 2333 Mon Oct 22 18:36:47 jrobert299@yahoo.com.hk
(delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
n_jhenderson@cox.net
Take one entry as an example; it can be read in five parts.
1. 5D1477C0D* is the ID of the queued message.
2. 2333 is the size of the message.
3. jrobert299@yahoo.com.hk is the sender.
4. (delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Part 4 tells us the following:
delivery temporarily suspended tells us that delivery has been deferred.
host mx.west.cox.net[68.6.19.3] refused to talk to me tells us that the receiving mail server mx.west.cox.net[68.6.19.3] is refusing our mail.
124.172.224.76 is the IP address of our mail server.
Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
More detail on the reason for the rejection can be found at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes.
5. n_jhenderson@cox.net is the recipient address!

From the log above we know:
1. The sender addresses on our mail server are being forged!
2. Our mail server has already been blacklisted by many other mail servers.
3. The recipients are not people we know.
Conclusion: this mail server has very likely been compromised and is being used as a spam relay.
So who is the intruder, and what vulnerability let them in?

Now let's find the source of the incident.
First, from the analysis above we know that neither the sender nor the recipient belongs to the domain hosted on our mail server, so we have to consider whether our mail server is an open relay.
Verification:
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo aa@bb.com
250 mail.example.com
mail from:aa@bb.com
250 2.1.0 Ok
rcpt to:445335413@qq.com
554 5.7.1 <445335413@qq.com>: Relay access denied
As we can see, sending to a qq mailbox without authentication does not succeed, so this is not an open relay! That being so, anyone who wants to send outbound mail through my server has to authenticate first. So let's log in with authentication and try to send mail with a forged sender address!
First, base64-encode the username and password.
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('123456');"
MTIzNDU2
[root@mail ~]# perl -MMIME::Base64 -e "print encode_base64('test1@example.com');"
dGVzdDFAZXhhbXBsZS5jb20=

Verification:
[root@mail ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
auth login
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=

334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:test@yahoo.com
250 2.1.0 Ok
rcpt to:445335413@qq.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello inveracious test!
.
250 2.0.0 Ok: queued as 99F4C23F008
quit
221 2.0.0 Bye
Connection closed by foreign host.
Above, after logging in as the authenticated user test1@example.com, I sent mail posing as test@yahoo.com. The result: success! Back on the server, let's see what log entries were produced!

localhost# tail /var/log/maillog
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: from=<test@yahoo.com>, size=197, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/smtp[41094]: 99F4C23F008: to=<445335413@qq.com>, relay=mx3.qq.com[119.147.192.199]:25, delay=110, delays=109/0/0.04/0.1, dsn=5.0.0, status=bounced (host mx3.qq.com[119.147.192.199] said: 550 Mail content denied. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726 (in reply to end of DATA command))
Oct 26 02:54:27 localhost postfix/cleanup[41089]: 69EA423F027: message-id=<20121025185427.69EA423F027@mail.example.com>
Oct 26 02:54:27 localhost postfix/bounce[41095]: 99F4C23F008: sender non-delivery notification: 69EA423F027
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 69EA423F027: from=<>, size=2203, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: removed
The log shows that the message with ID 99F4C23F008 has sender test@yahoo.com, the receiving server is mx3.qq.com on port 25, and the status is bounced. The reason for the rejection can be looked up at http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726.

A user who has logged in with authentication can forge the sender and send mail at will!
From the above we can infer that, most likely, someone stole one of our accounts and is using it to forge other senders and pump out mail. We now need to work on three fronts:
1. Find out which legitimate user is the real sender and change that password immediately.
2. Stop the flood of outbound mail.
3. Prevent authenticated users from sending mail with a forged sender.
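As an added example that is not part of the original post, the script below covers tasks 1 and 3 and goes slightly beyond the post by naming the Postfix parameters involved. For task 1: Postfix logs the SASL login on the smtpd client= line and the envelope sender on the qmgr from= line, both keyed by queue ID, so joining the two lists every login that sent mail with a sender address other than its own. For task 3: a main.cf is audited for whether authenticated logins are bound to the sender addresses they own, which Postfix does with smtpd_sender_login_maps plus reject_authenticated_sender_login_mismatch in a restriction list. The log lines, addresses, IPs and the map file path /etc/postfix/sender_login_maps are constructed assumptions, not values from the server in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed log lines and
# main.cf excerpts; documentation IPs and .example domains throughout.
make_sample_log() {
cat <<'EOF'
Oct 26 02:52:37 mail postfix/smtpd[41080]: 99F4C23F008: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=test1@example.com
Oct 26 02:52:37 mail postfix/qmgr[40723]: 99F4C23F008: from=<test@freemail.example>, size=197, nrcpt=1 (queue active)
Oct 26 02:52:40 mail postfix/smtpd[41081]: 184F627BF64: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=test1@example.com
Oct 26 02:52:40 mail postfix/qmgr[40723]: 184F627BF64: from=<lindawatts338@freemail.example>, size=2338, nrcpt=50 (queue active)
Oct 26 02:53:01 mail postfix/smtpd[41082]: 5D1477C0D: client=unknown[198.51.100.24], sasl_method=LOGIN, sasl_username=test1@example.com
Oct 26 02:53:01 mail postfix/qmgr[40723]: 5D1477C0D: from=<jrobert299@freemail.example>, size=2333, nrcpt=50 (queue active)
Oct 26 02:55:12 mail postfix/smtpd[41083]: 7A1B2C3D4E: client=pc15.example.com[192.0.2.15], sasl_method=LOGIN, sasl_username=alice@example.com
Oct 26 02:55:12 mail postfix/qmgr[40723]: 7A1B2C3D4E: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
EOF
}

# Task 1: join the smtpd line (SASL login) and the qmgr line (envelope sender)
# on the queue ID ($6, e.g. "99F4C23F008:") and print "login sender nrcpt" for
# every message whose MAIL FROM is not the login itself.
forged_senders() {  # $1 = log file
  awk '
    /postfix\/smtpd\[/ && match($0, /sasl_username=[^ ,]+/) {
      split($6, q, ":"); login[q[1]] = substr($0, RSTART + 14, RLENGTH - 14)
    }
    /postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
      split($6, q, ":"); from[q[1]] = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /nrcpt=[0-9]+/)) rcpt[q[1]] = substr($0, RSTART + 6, RLENGTH - 6)
    }
    END {
      for (id in login)
        if ((id in from) && tolower(from[id]) != tolower(login[id]))
          print login[id], from[id], rcpt[id] + 0
    }' "$1" | sort
}

# The same data rolled up per login: "messages recipients login", busiest first.
# The top entry is the account whose password must be changed right away.
compromised_accounts() {  # $1 = log file
  forged_senders "$1" | awk '{ n[$1]++; r[$1] += $3 } END { for (u in n) print n[u], r[u], u }' | sort -rn
}

# Task 3: the post's configuration (constructed excerpt) lets any SASL login
# use any MAIL FROM address.
write_weak_cf() {
cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}

# Hardened form: each login is bound to the sender addresses it owns. The map
# path is hypothetical; each map line reads "sender-address  allowed-login".
write_hardened_cf() {
cat <<'EOF'
smtpd_sasl_auth_enable = yes
# /etc/postfix/sender_login_maps:  test1@example.com  test1@example.com
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    reject_authenticated_sender_login_mismatch
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}

# Returns 0 when a login map is set AND a restriction enforces it, 1 otherwise.
# Commented-out lines are ignored so a disabled setting does not count.
sender_binding_enforced() {  # $1 = main.cf
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '^[[:space:]]*smtpd_sender_login_maps[[:space:]]*=[[:space:]]*[^[:space:]]' &&
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'reject_(authenticated_)?sender_login_mismatch'
}

# Usage: sh audit.sh /var/log/maillog   (no argument: run on the constructed sample)
log=${1:-}
[ -n "$log" ] || { log=$(mktemp); make_sample_log > "$log"; }
echo "--- logins sending with a sender other than their own (login sender rcpts) ---"; forged_senders "$log"
echo "--- per account (msgs rcpts login) ---"; compromised_accounts "$log"
w=$(mktemp); write_weak_cf > "$w"; h=$(mktemp); write_hardened_cf > "$h"
for cf in "$w" "$h"; do
  if sender_binding_enforced "$cf"; then echo "$cf: login bound to sender"; else echo "$cf: any login may use any sender"; fi
done
# Task 2, once the abused account is known (real postsuper syntax, not run here):
#   postsuper -h ALL deferred   # freeze the deferred queue for review
#   postsuper -d ALL deferred   # discard it after confirming it is spam
```

On the sample, forged_senders lists three messages all sent by the login test1@example.com under other people's addresses while alice@example.com is not listed, compromised_accounts rolls that up to "3 101 test1@example.com", and the audit reports the weak configuration as unenforced and the hardened one as enforced. The mismatch check rejects a MAIL FROM whose map entry does not name the authenticated login, which is exactly the forged test@yahoo.com send shown earlier in the post.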

Analysis and resolution of a Postfix server flooding out spam (Part 2)
This article comes from the "小子无名" blog; please keep this source: http://linuxroad.blog.51cto.com/765922/1039676