Today I received a lot of spam in my mailbox. I looked at the exim4 logs and found some suspicious activity.
I would like to understand how serious this attack is. If I am receiving spam I can delete it and add some rules, but I want to be sure that I am not the one sending the spam.
I am seeing a lot of log entries like these:
2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= info@mydomain.com H=([127.0.0.1]) [129.137.152.170] P=esmtpa A=plain: S=1298 id=E10ADF97.F4977D1149D4C689@mydomain.com
2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection
2016-03-09 08:16:57 1adXzZ-0007sb-Pz => kamikaze_****@hotmail.co.uk R=dnslookup T=remote_smtp H=mx3.hotmail.com [207.46.8.167] X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 CV=no DN="CN=*.hotmail.com" C="250 <E10ADF97.F4977D1149D4C689@mydomain.com> Queued mail for delivery"
2016-03-09 08:16:57 1adXzZ-0007sb-Pz Completed
Please consider:
> kamikaze_****@hotmail.co.uk (I added some asterisks for privacy) is not a known recipient; it is not a mailbox on my server.
> Really, only authenticated users should be allowed, and here I don't find any authentication information.
> There is a 250 and a "Completed" in the log, so it seems no error was thrown. The log flag is "=>", which means an outgoing message...
This is my configuration:
accept_8bitmime
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = accept
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
av_scanner = sophie:/var/run/sophie
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_allow_chars = _
helo_lookup_domains = @ : @[]
host_lookup = *
host_lookup_order = bydns:byaddr
ignore_bounce_errors_after = 2d
no_ignore_fromline_local
keep_malformed = 4d
no_ldap_start_tls
ldap_version = -1
no_local_from_check
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_timeout = 5m
local_sender_retain
log_file_path = /var/log/exim4/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
mysql_servers = localhost/system/exim/mypassw
never_users =
no_perl_at_start
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
prdr_enable
no_preserve_message_logs
primary_hostname = srv1.mydomain.com
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = mydomain.com
qualify_recipient = mydomain.com
queue_list_requires_admin
no_queue_only
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = @[]
rfc1413_query_timeout = 0s
slow_lookup_log = 0
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number Ubuntu $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
no_smtp_return_error_details
spamd_address = 127.0.0.1 783
no_split_spool_directory
spool_directory = /var/spool/exim4
sqlite_lock_timeout = 5
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_processname = exim
syslog_timestamp
tcp_nodelay
timeout_frozen_after = 1w
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_dh_max_bits = 2236
tls_eccurve = prime256v1
tls_on_connect_ports = 465
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
trusted_groups =
trusted_users = uucp
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
write_rejectlog
This is the PLAIN authenticator:
plain:
  driver = plaintext
  public_name = PLAIN
  server_advertise_condition = yes
  server_condition = ${if eq{$3}{${lookup mysql{ SELECT password FROM users WHERE CONCAT(username,'@',domain)='${quote_mysql:$2}' AND smtp>0 }}}{yes}{no}}
  server_set_id = $2
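As an added example (not part of the original question), a small Python triage script for Exim mainlog lines: in Exim's log format `<=` marks arrival, `P=esmtpa`/`esmtpsa` marks a message accepted after SMTP AUTH, and `A=<authenticator>:<id>` records the authenticator and the id produced by `server_set_id`. It parses the arrival line quoted above together with constructed lines, groups authenticated submissions by authenticated id and client IP, and flags submissions whose authenticated id is empty; the per-IP threshold of 10 is an assumption.

```python
import re
from collections import Counter

# Exim mainlog arrival ("<=") line. P=esmtpa / esmtpsa means the message was
# accepted after SMTP AUTH; A=<authenticator>:<id> carries the server_set_id value
# (an empty id shows up as nothing after the colon, as in "A=plain:").
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>[^:\s]+):?(?P<authid>\S*))?"
)

AUTH_PROTOS = {"esmtpa", "esmtpsa"}

def parse_arrival(line):
    """Return the fields of an Exim '<=' line as a dict, or None for other lines."""
    m = ARRIVAL_RE.match(line)
    return m.groupdict() if m else None

def authenticated_submissions(lines):
    """Count authenticated arrivals per (authenticated id, client IP)."""
    counts = Counter()
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["proto"] in AUTH_PROTOS:
            counts[(rec["authid"] or "<empty id>", rec["ip"])] += 1
    return counts

def triage(lines, per_ip_threshold=10):
    """Findings: authenticated submissions with an empty id (nothing to tie to a
    mailbox user) and any (id, ip) pair sending more than per_ip_threshold messages."""
    out = []
    for (authid, ip), n in sorted(authenticated_submissions(lines).items()):
        if authid == "<empty id>":
            out.append(f"{ip}: {n} authenticated message(s) with empty auth id")
        if n > per_ip_threshold:
            out.append(f"{ip}: {n} messages as {authid} exceed {per_ip_threshold}")
    return out

# Constructed sample: the arrival line from the question plus made-up lines for contrast.
SAMPLE_LOG = [
    "2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= info@mydomain.com H=([127.0.0.1]) "
    "[129.137.152.170] P=esmtpa A=plain: S=1298 id=E10ADF97.F4977D1149D4C689@mydomain.com",
    "2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection",
    "2016-03-09 08:01:00 1adY7x-0001ab-Cd <= alice@mydomain.com H=laptop.example [198.51.100.7] "
    "P=esmtpsa A=plain:alice@mydomain.com S=2048 id=abc@mydomain.com",
    "2016-03-09 08:02:00 1adY8y-0001ac-Ef <= bob@example.net H=mx.example.net [203.0.113.9] "
    "P=esmtp S=4096 id=def@example.net",
]
```

Running `triage(SAMPLE_LOG)` on the constructed sample reports only the submission from 129.137.152.170, because its `A=plain:` field carries no authenticated id.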