Spam mail spoofing a local mailbox

Last night the following appeared in my system's smtp(in).log:

Wed 2005-08-17 02:28:19: ----------
Wed 2005-08-17 02:33:37: Session 5004; child 1; thread 33176
Wed 2005-08-17 02:33:36: Accepting SMTP connection from
Wed 2005-08-17 02:33:36: Performing PTR lookup (228.196.43.202.IN-ADDR.ARPA)
Wed 2005-08-17 02:33:36: * D=228.196.43.202.IN-ADDR.ARPA TTL=(3) PTR=
Wed 2005-08-17 02:33:36: * Gathering A records...
Wed 2005-08-17 02:33:36: * D=n3.bulk.tpe.yahoo.com TTL=(0) A=
Wed 2005-08-17 02:33:36: ---- End PTR results
Wed 2005-08-17 02:33:36: --> 220 compayn.com.tw ESMTP MDaemon 8.0.4; Wed, 17 Aug 2005 02:33:36 +0800
Wed 2005-08-17 02:33:36: <-- HELO n3.bulk.tpe.yahoo.com
Wed 2005-08-17 02:33:36: Performing DNS-BL lookup (202.43.196.228 - connecting IP)
Wed 2005-08-17 02:33:36: * sbl-xbl.spamhaus.org - passed
Wed 2005-08-17 02:33:36: * opm.blitzed.org - passed
Wed 2005-08-17 02:33:37: * relays.ordb.org - passed
Wed 2005-08-17 02:33:37: * bl.spamcop.net - passed
Wed 2005-08-17 02:33:37: ---- End DNS-BL results
Wed 2005-08-17 02:33:37: Performing IP lookup (n3.bulk.tpe.yahoo.com)
Wed 2005-08-17 02:33:37: * D=n3.bulk.tpe.yahoo.com TTL=(7) A=
Wed 2005-08-17 02:33:37: ---- End IP lookup results
Wed 2005-08-17 02:33:37: --> 250 cfwater.com.tw Hello n3.bulk.tpe.yahoo.com, pleased to meet you
Wed 2005-08-17 02:33:37: <-- MAIL FROM:<[email protected]>
Wed 2005-08-17 02:33:37: Performing IP lookup (company.com.tw)
Wed 2005-08-17 02:33:37: * D=company.com.tw TTL=(1440) A=
Wed 2005-08-17 02:33:37: * P=010 D=company.com.tw TTL=(60) MX= {1.2.3.4}
Wed 2005-08-17 02:33:37: ---- End IP lookup results
Wed 2005-08-17 02:33:37: --> 250 <[email protected]>, Sender ok
Wed 2005-08-17 02:33:37: <-- RCPT TO:<[email protected]>
Wed 2005-08-17 02:33:37: --> 250 <[email protected]>, Recipient ok
Wed 2005-08-17 02:33:37: <-- DATA
Wed 2005-08-17 02:33:37: Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000001309.tmp
Wed 2005-08-17 02:33:37: --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2005-08-17 02:33:37: Message size: 9242 bytes
Wed 2005-08-17 02:33:37: Performing DomainKeys lookup (Sender: [email protected])
Wed 2005-08-17 02:33:37: * Message-ID:
Wed 2005-08-17 02:33:37: * Querying for policy: yahoo-inc.com
Wed 2005-08-17 02:33:37: * Querying: _domainkey.yahoo-inc.com ...
Wed 2005-08-17 02:33:37: * Policy record: t=y; n=http://antispam.yahoo.com/domainkeys
Wed 2005-08-17 02:33:37: * Result: pass
Wed 2005-08-17 02:33:37: ---- End DomainKeys results
Wed 2005-08-17 02:33:37: Passing message through AntiVirus (Size: 9242)...
Wed 2005-08-17 02:33:37: * Message is clean (no viruses found)
Wed 2005-08-17 02:33:37: ---- End AntiVirus results
Wed 2005-08-17 02:33:37: Message creation successful: c:\mdaemon\queues\inbound\md50000000302.msg
Wed 2005-08-17 02:33:37: --> 250 Ok, message saved <Message-ID: >
Wed 2005-08-17 02:33:37: <-- QUIT
Wed 2005-08-17 02:33:37: --> 221 See ya in cyberspace
Wed 2005-08-17 02:33:37: SMTP session successful (Bytes in/out: 9353/329)
Wed 2005-08-17 02:33:37: ----------

Roughly, it looks like a spammer is sending through a Yahoo mailbox, using the recipient's own address as the sender address, and mailing everywhere. Everything appears to comply with the rules, and the message content score did not exceed the threshold either. Do the experts here have any clever way to block this kind of mail?

What is odd, though, is that the line below shows

Wed 2005-08-17 02:33:37: --> 250 Ok, message saved <Message-ID: >

that the message was saved, yet the recipient never received it. My guess is that MDaemon's AntiVirus did not detect a virus, but NV detected one and killed it.
[ Last edited by 隨風浮雲 on 2008-4-10 05:01 PM ]

The best way to prevent others from spoofing your accounts is "POP Before SMTP":
http://www.suma.tw/modules/ipboard/index.php?showtopic=881

But this spam was not sent from my mailbox to someone else (I have relay sending turned off); it was a Yahoo mailbox spoofing a local mail address and then sending to a local mailbox. Does that have anything to do with POP Before SMTP?
Of course it does. They are spoofing one of your internal mailboxes, aren't they? If they cannot pass POP Before SMTP, they cannot spoof it.

But the sending location is at Yahoo:
Wed 2005-08-17 02:33:36: Accepting SMTP connection from
Wed 2005-08-17 02:33:36: Performing PTR lookup (228.196.43.202.IN-ADDR.ARPA)
Wed 2005-08-17 02:33:36: * D=228.196.43.202.IN-ADDR.ARPA TTL=(3) PTR=
This does not seem to fit with setting POP Before SMTP on the mail server, unless Yahoo is running MDaemon.

I think everyone has several free mailboxes, and in a free mailbox you probably set only one dedicated reply address. For example, I have Hotmail, Yahoo and Gmail, but I set a single [email protected] as my reply address. So when I send mail to someone from Hotmail, Yahoo or Gmail, the outgoing SMTP will certainly show up as Hotmail's, Yahoo's or Gmail's SMTP, but because the sender email is set to [email protected], software like MDaemon first checks whether Hotmail/Yahoo/Gmail is a legitimate sending location (using forward and reverse DNS lookups), then checks whether [email protected] is a valid email (by querying whether the company.com.tw host has a user abc). Other things such as SPF or content inspection are a matter for the later scoring.

So apart from the case where someone who is not a user on the company.com.tw MDaemon mail server wants to send mail through the company.com.tw MDaemon server, which is what "POP Before SMTP" relates to, I really cannot figure out how mail sent from an external mailbox to myself has anything to do with POP Before SMTP.

Sorry, I am not very knowledgeable and have asked so many questions!

It has nothing to do with where the mail is sent from, nor with whom it is sent to. As long as an account on your server is used to send mail to your server or out through your server, if it does not pass POP Before SMTP, it is not allowed to send.

If you run a mail server, you usually send and receive the server's mail from another computer. So here is the question: when we say "another computer", the other computers in your own company are "another computer"; isn't Yahoo's server also "another computer"? POP Before SMTP is precisely what prevents anyone on "another computer" from impersonating an account on your server to send mail through your server.

If I enable the POP Before SMTP function on the company.com.tw MDaemon mail server, then when I send mail from Hotmail, Yahoo or Gmail I cannot use [email protected] as the sender address either. Is that right?

Yes, that's right! Unless it can first pass the POP Before SMTP check.

I have now tracked down the source of the message above (reading logs is exhausting):
Fri 2005-08-19 02:17:08: ----------
Fri 2005-08-19 02:47:14: Content Filter processing c:\mdaemon\queues\local\md50000000759.msg...
Fri 2005-08-19 02:47:14: > Message return-path: [email protected]
Fri 2005-08-19 02:47:14: > Message from: [email protected]
Fri 2005-08-19 02:47:14: > Message to: [email protected]
Fri 2005-08-19 02:47:14: > Message subject: Yahoo!奇摩交友推薦給LeeEdward活潑美麗的教育/研究女生
Fri 2005-08-19 02:47:14: > Message ID:
Fri 2005-08-19 02:47:14: Start Content Filter results
Fri 2005-08-19 02:47:14: * Matched 0 of 2 active rules
Fri 2005-08-19 02:47:14: End of Content Filter results
Fri 2005-08-19 02:47:14: ----------

It turns out Yahoo itself is a big advertiser. It uses what I described above: since people using Yahoo, Gmail or Hotmail all set a dedicated mailbox, it uses that dedicated mailbox as the sender and then sends mail to that very sender.
Recently I have noticed a kind of spam; the key point is that it forges my company's email address and sends mail to itself.

According to the explanation above, turning on POP Before SMTP prevents spoofing! But I am sure it is already turned on!!!

Could it be some new technique? Or has my company's password been cracked? Where can I see whether they went through POP before SMTP??

Or something else?

PS: Also, because it is a local user, AntiSpam does not act at all.

[email protected] is my company's email.

Content of the spam:
=================================================
-----Original Message-----
From: [email protected]
Sent: 無
To: [email protected]
Subject: 各行各業馬上業績double!!

http://work.xxx
Your company xxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxx
Call 0922-177-yyy
Our website
http://work.xxx
=========================================

SMTP-in log ...
=========================================
----------
Wed 2008-04-09 13:44:51: Session 5279; child 1; thread 2488
Wed 2008-04-09 13:44:49: Accepting SMTP connection from
Wed 2008-04-09 13:44:49: Performing PTR lookup (39.106.131.220.IN-ADDR.ARPA)
Wed 2008-04-09 13:44:49: * D=39.106.131.220.IN-ADDR.ARPA TTL=(1440) PTR=
Wed 2008-04-09 13:44:49: * Gathering A records...
Wed 2008-04-09 13:44:49: * D=220-131-106-39.HINET-IP.hinet.net TTL=(1440) A=
Wed 2008-04-09 13:44:49: ---- End PTR results
Wed 2008-04-09 13:44:49: --> 220 xxxxxx.com.tw ESMTP MDaemon 9.6.5; Wed, 09 Apr 2008 13:44:49 +0800
Wed 2008-04-09 13:44:50: <-- HELO Lxlouisa.COM
Wed 2008-04-09 13:44:50: --> 250 xxxxxx.com.tw Hello 220-131-106-39.HINET-IP.hinet.net, pleased to meet you
Wed 2008-04-09 13:44:50: <-- mail from: <[email protected]>
Wed 2008-04-09 13:44:50: --> 250 <[email protected]>, Sender ok
Wed 2008-04-09 13:44:50: <-- RCPT TO:<[email protected]>
Wed 2008-04-09 13:44:50: Performing DNS-BL lookup (220.131.106.39 - connecting IP)
Wed 2008-04-09 13:44:50: * zen.spamhaus.org - failed
Wed 2008-04-09 13:44:50: ---- End DNS-BL results
Wed 2008-04-09 13:44:50: --> 250 <[email protected]>, Recipient ok
Wed 2008-04-09 13:44:50: <-- data
Wed 2008-04-09 13:44:50: Creating temp file (SMTP): c:\mdaemon\temp\md50000016499.tmp
Wed 2008-04-09 13:44:50: --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2008-04-09 13:44:50: Message size: 699 bytes
Wed 2008-04-09 13:44:50: Performing DomainKeys lookup (Sender: [email protected])
Wed 2008-04-09 13:44:50: * File: c:\mdaemon\temp\md50000016499.tmp
Wed 2008-04-09 13:44:50: * Message-ID: n/a
Wed 2008-04-09 13:44:50: * Querying for policy: xxxxxx.com.tw
Wed 2008-04-09 13:44:50: * Querying: _domainkey.xxxxxx.com.tw ...
Wed 2008-04-09 13:44:51: * DNS: * Name server reports domain name unknown
Wed 2008-04-09 13:44:51: * Result: neutral
Wed 2008-04-09 13:44:51: ---- End DomainKeys results
Wed 2008-04-09 13:44:51: Passing message through AntiVirus (Size: 699)...
Wed 2008-04-09 13:44:51: * Message is clean (no viruses found)
Wed 2008-04-09 13:44:51: ---- End AntiVirus results
Wed 2008-04-09 13:44:51: Passing message through Outbreak Protection...
Wed 2008-04-09 13:44:51: * Message-ID:
Wed 2008-04-09 13:44:51: * Reference-ID: str=0001.0A150202.47FC57D3.001E,ss=1,fgs=0
Wed 2008-04-09 13:44:51: * Virus result: 0 - Clean
Wed 2008-04-09 13:44:51: * Spam result: 1 - Clean
Wed 2008-04-09 13:44:51: * IWF result: 0 - Clean
Wed 2008-04-09 13:44:51: ---- End Outbreak Protection results
Wed 2008-04-09 13:44:51: Message creation successful: c:\mdaemon\inbound\md50000469950.msg
Wed 2008-04-09 13:44:51: --> 250 Ok, message saved <Message-ID: >
Wed 2008-04-09 13:44:51: <-- quit
Wed 2008-04-09 13:44:51: --> 221 See ya in cyberspace
Wed 2008-04-09 13:44:51: SMTP session successful (Bytes in/out: 796/333)
[ Last edited by shem888 on 2008-4-9 05:16 PM ]

This shouldn't be your company's IP, right: 220-131-106-39.HINET-IP.hinet.net

Simply reverse-checking whether the address is correct will block this kind of mail.

Our company is not 220-131-106-39.HINET-IP.hinet.net; that is the spammer's .....
=================================

PS: Earlier, after updating MDaemon (DNS-BL got switched on automatically), some mail could not be received ..

I thought it was a reverse lookup problem, so I unchecked Refuse to accept mail if a lookup returns "domain not found"....

Restoring that setting right away !!!!

=================================

The main issue this time is that they were able to forge my company's email address, and I wanted to find out why!!! I suppose that with reverse lookup turned on, spoofing should no longer be possible!

[ Last edited by shem888 on 2008-4-10 09:40 AM ]

With today's bulk-mailing software, everything except the IP address can be forged.

Though forging the IP address is not that hard either; it just makes sending slower, so no spammer likes to use it.

Give it a try~~ hope it helps
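The reverse-lookup idea discussed in the two posts above, as an added example (not MDaemon's code) that runs against a constructed offline DNS table: a connection with no PTR record is refused when the "domain not found" option is on, a PTR name that does not resolve back to the connecting IP is refused (forward-confirmed reverse DNS), and a HELO name that does not resolve to the connecting IP is flagged for the later checks. The values 220.131.106.39, 220-131-106-39.HINET-IP.hinet.net and HELO Lxlouisa.COM come from the log above; the A record mapping that name back to its IP, the 203.0.113.x addresses and the *.example names are assumptions of the example.

```python
"""Added example, not MDaemon's code: reverse-lookup checks for an incoming
SMTP connection, run against a constructed DNS table so it works offline."""
import ipaddress

# Constructed DNS data. The hinet entry reproduces the IP, PTR name and HELO
# quoted in the thread; that its A record points back to the IP is assumed.
# 203.0.113.0/24 and the *.example names are placeholders.
PTR_RECORDS = {
    "220.131.106.39": "220-131-106-39.HINET-IP.hinet.net",
    "203.0.113.10": "mail.partner.example",
    "203.0.113.99": "mx.company.example",     # PTR claims to be our own MX
    # 203.0.113.66 deliberately has no PTR record at all
}
A_RECORDS = {                                 # keys kept lower-case
    "220-131-106-39.hinet-ip.hinet.net": ["220.131.106.39"],
    "mail.partner.example": ["203.0.113.10"],
    "mx.company.example": ["203.0.113.20"],
}


def reverse_lookup(ip):
    """PTR lookup; None stands for 'domain not found'."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """A lookup; DNS names are case-insensitive, so normalise first."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def check_connection(ip, helo, refuse_if_domain_not_found=True):
    """Return (verdict, reason) with verdict 'reject', 'suspect' or 'accept'."""
    ipaddress.ip_address(ip)                  # raises ValueError on garbage
    ptr = reverse_lookup(ip)
    if ptr is None:
        reason = "PTR lookup for %s returned domain not found" % ip
        return ("reject" if refuse_if_domain_not_found else "suspect", reason)
    # forward-confirmed reverse DNS: the PTR name must resolve back to the IP
    if ip not in forward_lookup(ptr):
        return "reject", "PTR name %s does not resolve back to %s" % (ptr, ip)
    # HELO should name a host that resolves to the connecting IP
    if ip not in forward_lookup(helo):
        return "suspect", "HELO %s does not resolve to %s (PTR says %s)" % (helo, ip, ptr)
    return "accept", "PTR %s confirmed and HELO matches" % ptr


if __name__ == "__main__":
    for ip, helo in [("203.0.113.66", "anything.example"),
                     ("203.0.113.99", "mx.company.example"),
                     ("220.131.106.39", "Lxlouisa.COM"),
                     ("203.0.113.10", "MAIL.PARTNER.EXAMPLE")]:
        print(ip, helo, "->", check_connection(ip, helo))
```

Under this table the hinet host passes both the PTR-exists check and forward confirmation, so reverse lookup on its own would not have stopped the session in the second log; what stands out there is a HELO naming a different host, and, as in the earlier example, a local sender address arriving from an outside IP that never authenticated.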
Use POP Before SMTP, then add the internal IPs to Trusted IP addresses so that the LAN or connections from trusted IPs are exempt from this restriction.

Trusted IPs do not have to follow this rule, so they are exempt from POP Before SMTP.

If staff use WebClient from outside, can they still send and receive mail?

WorldClient uses web pages on the server itself, so unless your firewall is blocking it, you can definitely send and receive mail.

This is getting a bit confusing to read.

I'll go practise a bit more.