tungwj posted on 2013-12-25 12:46:25

Buddies, please take a look at this for me: my server is being used as a relay

MDaemon version: 9.6.1
OS: Windows 2003
Antivirus has been stopped

Situation: I've confirmed Relay is closed, and POP Before SMTP is enabled with a 30-minute window.
But I still see these sessions that look like relay abuse. The source mail address (@dhl.com) is legitimate, but I can't find the source IP, so I can't block it.
The EHLO tyxuan.com.vn is indeed mine, but the mail address should be @tyxuan.com.vn.
Please help me analyze whether there's a mistake in my configuration. Thanks.

out.log entries

Tue 2013-12-24 06:11:33: ----------
Tue 2013-12-24 06:17:39: Session 1957; child 1
Tue 2013-12-24 06:17:30: Parsing message <c:\mdaemon\queues\remote\pd50001240559.msg>
Tue 2013-12-24 06:17:30: *From: [email protected]
Tue 2013-12-24 06:17:30: *To: [email protected]
Tue 2013-12-24 06:17:30: *Subject: =?utf-8?B?QXdiIyA5MjEwOTI2MjIyOyAzIGtp4buHbjsgOS4wMCBLRy0g?= =?utf-8?B?TmfGsOG7nWkgZ+G7rWk6IEpBREVTVEFSIEhPTERJTkcgTFRE?=
Tue 2013-12-24 06:17:30: *Message-ID:
Tue 2013-12-24 06:17:30: Attempting SMTP connection to
Tue 2013-12-24 06:17:30: Resolving MX records for (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:30: *P=010 S=000 D=126.com TTL=(113) MX=
Tue 2013-12-24 06:17:30: *P=010 S=002 D=126.com TTL=(113) MX=
Tue 2013-12-24 06:17:30: *P=050 S=001 D=126.com TTL=(113) MX=
Tue 2013-12-24 06:17:30: Attempting SMTP connection to
Tue 2013-12-24 06:17:30: Resolving A record for (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:30: *D=126mx02.mxmail.netease.com TTL=(8) A=
Tue 2013-12-24 06:17:30: Attempting SMTP connection to
Tue 2013-12-24 06:17:30: Waiting for socket connection...
Tue 2013-12-24 06:17:31: *Connection established (192.168.23.6:4528 -> 220.181.14.133:25)
Tue 2013-12-24 06:17:31: Waiting for protocol to start...
Tue 2013-12-24 06:17:31: <-- 220 126.com Anti-spam GT for Coremail System (126com)
Tue 2013-12-24 06:17:31: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:32: <-- 250-mail
Tue 2013-12-24 06:17:32: <-- 250-PIPELINING
Tue 2013-12-24 06:17:32: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:32: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:32: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UrsSkQAUCa0xDrUUUUj
Tue 2013-12-24 06:17:32: <-- 250 8BITMIME
Tue 2013-12-24 06:17:32: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:32: <-- 250 Mail OK
Tue 2013-12-24 06:17:32: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:32: <-- 250 Mail OK
Tue 2013-12-24 06:17:32: --> DATA
Tue 2013-12-24 06:17:32: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:32: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to
Tue 2013-12-24 06:17:33: Transfer Complete
Tue 2013-12-24 06:17:34: <-- 451 DT:SPM mx2, IMmowECZpUaMxLhS3ZlsAQ--.16734S2, please try again 1387840655 http://mail.163.com/help/help_sp ... mx2&time=1387840655
Tue 2013-12-24 06:17:34: --> QUIT
Tue 2013-12-24 06:17:34: Attempting SMTP connection to
Tue 2013-12-24 06:17:34: Resolving A record for (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:34: *D=126mx01.mxmail.netease.com TTL=(8) A=
Tue 2013-12-24 06:17:34: Attempting SMTP connection to
Tue 2013-12-24 06:17:34: Waiting for socket connection...
Tue 2013-12-24 06:17:34: *Connection established (192.168.23.6:4529 -> 220.181.14.132:25)
Tue 2013-12-24 06:17:34: Waiting for protocol to start...
Tue 2013-12-24 06:17:34: <-- 220 126.com Anti-spam GT for Coremail System (126com)
Tue 2013-12-24 06:17:34: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:34: <-- 250-mail
Tue 2013-12-24 06:17:34: <-- 250-PIPELINING
Tue 2013-12-24 06:17:34: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:34: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:34: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UrXms3gUCa0xDrUUUUj
Tue 2013-12-24 06:17:34: <-- 250 8BITMIME
Tue 2013-12-24 06:17:34: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:34: <-- 250 Mail OK
Tue 2013-12-24 06:17:34: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:34: <-- 250 Mail OK
Tue 2013-12-24 06:17:34: --> DATA
Tue 2013-12-24 06:17:34: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:34: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to
Tue 2013-12-24 06:17:36: Transfer Complete
Tue 2013-12-24 06:17:36: <-- 451 DT:SPM mx30, LMmowEDp1laQxLhSVcOYAQ--.1728S2, please try again 1387840659 http://mail.163.com/help/help_sp ... x30&time=1387840659
Tue 2013-12-24 06:17:36: --> QUIT
Tue 2013-12-24 06:17:36: Attempting SMTP connection to
Tue 2013-12-24 06:17:36: Resolving A record for (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:37: *D=126mx00.mxmail.netease.com TTL=(0) A=
Tue 2013-12-24 06:17:37: Attempting SMTP connection to
Tue 2013-12-24 06:17:37: Waiting for socket connection...
Tue 2013-12-24 06:17:37: *Connection established (192.168.23.6:4531 -> 123.125.50.118:25)
Tue 2013-12-24 06:17:37: Waiting for protocol to start...
Tue 2013-12-24 06:17:37: <-- 220 126.com Anti-spam GT for Coremail System (126com)
Tue 2013-12-24 06:17:37: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:37: <-- 250-mail
Tue 2013-12-24 06:17:37: <-- 250-PIPELINING
Tue 2013-12-24 06:17:37: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:37: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:37: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UFBtZgPUCa0xDrUUUUj
Tue 2013-12-24 06:17:37: <-- 250 8BITMIME
Tue 2013-12-24 06:17:37: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:37: <-- 250 Mail OK
Tue 2013-12-24 06:17:37: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:37: <-- 250 Mail OK
Tue 2013-12-24 06:17:37: --> DATA
Tue 2013-12-24 06:17:37: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:37: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to
Tue 2013-12-24 06:17:38: Transfer Complete
Tue 2013-12-24 06:17:39: <-- 451 DT:SPM mx7, JcmowEC5TkKTxLhSFLxoAQ--.1959S2, please try again 1387840660 http://mail.163.com/help/help_sp ... mx7&time=1387840660
Tue 2013-12-24 06:17:39: --> QUIT
Tue 2013-12-24 06:17:39: <-- 221 Bye
Tue 2013-12-24 06:17:39: This message is 0 minutes old; it has 60 minutes left in this queue
Tue 2013-12-24 06:17:39: SMTP session terminated (Bytes in/out: 1401/294273)
Tue 2013-12-24 06:17:39: ----------



MarchFun posted on 2013-12-25 17:24:15

Go check whether SMTP IN has the corresponding record. You have to look at the in log to be accurate.

tungwj posted on 2013-12-25 17:39:28

The corresponding record is here, but I can't see any forwarding in it either. Is it a problem with my own server?
How do I prevent mail from non-local addresses from being sent out?

Tue 2013-12-24 06:17:06: ----------
Tue 2013-12-24 06:17:25: Session 1954; child 1; thread 6136
Tue 2013-12-24 06:16:49: Accepting SMTP connection from
Tue 2013-12-24 06:16:49: --> 220 tyxuan.com.vn ESMTP MDaemon 9.6.1; Tue, 24 Dec 2013 06:16:49 +0700
Tue 2013-12-24 06:16:49: <-- EHLO gateway2e.dhl.com
Tue 2013-12-24 06:16:49: Performing IP lookup (gateway2e.dhl.com)
Tue 2013-12-24 06:16:49: *D=gateway2e.dhl.com TTL=(120) A=
Tue 2013-12-24 06:16:49: ---- End IP lookup results
Tue 2013-12-24 06:16:49: --> 250-tyxuan.com.vn Hello gateway2e.dhl.com, pleased to meet you
Tue 2013-12-24 06:16:49: --> 250-ETRN
Tue 2013-12-24 06:16:49: --> 250-AUTH=LOGIN
Tue 2013-12-24 06:16:49: --> 250-AUTH LOGIN CRAM-MD5
Tue 2013-12-24 06:16:49: --> 250-8BITMIME
Tue 2013-12-24 06:16:49: --> 250 SIZE 15000000
Tue 2013-12-24 06:16:50: <-- MAIL FROM:<[email protected]> SIZE=96297
Tue 2013-12-24 06:16:50: Performing PTR lookup (37.206.40.199.IN-ADDR.ARPA)
Tue 2013-12-24 06:16:50: *D=37.206.40.199.IN-ADDR.ARPA TTL=(97) PTR=
Tue 2013-12-24 06:16:50: *Gathering A records...
Tue 2013-12-24 06:16:50: *D=gateway2e.dhl.com TTL=(120) A=
Tue 2013-12-24 06:16:50: ---- End PTR results
Tue 2013-12-24 06:16:50: Performing IP lookup (dhl.com)
Tue 2013-12-24 06:16:51: *D=dhl.com TTL=(0) A=
Tue 2013-12-24 06:16:51: *P=005 S=001 D=dhl.com TTL=(5) MX=
Tue 2013-12-24 06:16:51: *P=010 S=000 D=dhl.com TTL=(5) MX=
Tue 2013-12-24 06:16:51: *D=dhl.com TTL=(0) A=
Tue 2013-12-24 06:16:51: *D=dhl.com TTL=(0) A=
Tue 2013-12-24 06:16:51: ---- End IP lookup results
Tue 2013-12-24 06:16:51: Performing SPF lookup (dhl.com / 199.40.206.37)
Tue 2013-12-24 06:16:51: *dhl.com 199.40.206.37; matched to SPF cache
Tue 2013-12-24 06:16:51: *Result: pass
Tue 2013-12-24 06:16:51: ---- End SPF results
Tue 2013-12-24 06:16:51: --> 250 <[email protected]>, Sender ok
Tue 2013-12-24 06:16:52: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:52: Performing DNS-BL lookup (199.40.206.37 - connecting IP)
Tue 2013-12-24 06:16:52: *zen.spamhaus.org - passed
Tue 2013-12-24 06:16:52: ---- End DNS-BL results
Tue 2013-12-24 06:16:52: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:52: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:52: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:53: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:53: Sender attempted to deliver message to unknown address
Tue 2013-12-24 06:16:53: --> 550 <[email protected]>, Recipient unknown
Tue 2013-12-24 06:16:53: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:53: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:54: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:54: More than 5 RCPT commands encountered; this session tarpitted with a 10 second initial delay scaling by 1.00
Tue 2013-12-24 06:16:54: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:17:04: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:17:04: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:17:14: <-- DATA
Tue 2013-12-24 06:17:14: Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000077919.tmp
Tue 2013-12-24 06:17:14: --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-12-24 06:17:19: Message size: 96395 bytes
Tue 2013-12-24 06:17:19: Passing message through AntiVirus (Size: 96395)...
Tue 2013-12-24 06:17:19: *An error occured, message will be scanned again when queued
Tue 2013-12-24 06:17:19: ---- End AntiVirus results
Tue 2013-12-24 06:17:19: Message creation successful: c:\mdaemon\queues\inbound\md50003226771.msg
Tue 2013-12-24 06:17:19: --> 250 Ok, message saved <Message-ID: >
Tue 2013-12-24 06:17:25: <-- QUIT
Tue 2013-12-24 06:17:25: --> 221 See ya in cyberspace
Tue 2013-12-24 06:17:25: SMTP session successful (Bytes in/out: 96687/636)
Tue 2013-12-24 06:17:25: ----------
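The two logs quoted in this thread (the SMTP out log in the first post and the SMTP in log above) have to be read together: the inbound session shows dhl.com delivering to local users only, while the outbound session a few seconds later shows the server sending a message with the same @dhl.com envelope sender to an external @126.com address. The script below is an added example, not MDaemon's own code and not something posted by either participant. It parses MDaemon-style session logs (sessions delimited by "----------" lines), extracts direction, envelope sender and recipients, and flags two symptoms: an outbound session whose sender and recipient are both non-local (relay), and an outbound copy of a just-received message going to an address that was not in the inbound envelope (the "ghost forward"). The sample log is constructed to mirror the thread's lines: addresses use placeholder domains (dhl.example, partner.example), IPs are from a documentation range, and the 5-minute correlation window and the local-domain set (tyxuan.com.vn, from the thread) are assumptions.

```python
import re
from datetime import datetime, timedelta

LOCAL_DOMAINS = {"tyxuan.com.vn"}          # domains this MDaemon hosts (from the thread)
CORRELATION_WINDOW = timedelta(minutes=5)  # assumption: a relayed copy leaves soon after arrival

# Constructed sample, modelled on the MDaemon 9.6 lines quoted in the thread.
# Addresses and IPs are placeholders, not values from the real server.
SAMPLE_LOG = """\
Tue 2013-12-24 06:16:49: ----------
Tue 2013-12-24 06:17:25: Session 1954; child 1; thread 6136
Tue 2013-12-24 06:16:49: Accepting SMTP connection from 203.0.113.10:45120
Tue 2013-12-24 06:16:49: <-- EHLO gateway2e.dhl.example
Tue 2013-12-24 06:16:50: <-- MAIL FROM:<notify@dhl.example> SIZE=96297
Tue 2013-12-24 06:16:52: <-- RCPT TO:<alice@tyxuan.com.vn>
Tue 2013-12-24 06:16:52: <-- RCPT TO:<bob@tyxuan.com.vn>
Tue 2013-12-24 06:17:25: SMTP session successful (Bytes in/out: 96687/636)
Tue 2013-12-24 06:17:25: ----------
Tue 2013-12-24 06:17:30: ----------
Tue 2013-12-24 06:17:39: Session 1957; child 1
Tue 2013-12-24 06:17:30: Attempting SMTP connection to 126.com
Tue 2013-12-24 06:17:31: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:32: --> MAIL From:<notify@dhl.example>
Tue 2013-12-24 06:17:32: --> RCPT To:<drop@126.com>
Tue 2013-12-24 06:17:39: SMTP session terminated (Bytes in/out: 1401/294273)
Tue 2013-12-24 06:17:39: ----------
Tue 2013-12-24 09:00:00: ----------
Tue 2013-12-24 09:00:05: Session 2001; child 2
Tue 2013-12-24 09:00:00: Attempting SMTP connection to partner.example
Tue 2013-12-24 09:00:01: --> MAIL From:<alice@tyxuan.com.vn>
Tue 2013-12-24 09:00:01: --> RCPT To:<carol@partner.example>
Tue 2013-12-24 09:00:05: SMTP session terminated (Bytes in/out: 900/1200)
Tue 2013-12-24 09:00:05: ----------
"""

LINE_RE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
MAIL_FROM_RE = re.compile(r"MAIL FROM:<([^>]*)>", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"RCPT TO:<([^>]*)>", re.IGNORECASE)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_local(addr):
    return domain_of(addr) in LOCAL_DOMAINS


def _summarize(lines):
    """Reduce one session's (timestamp, message) lines to envelope facts."""
    s = {"session": None, "direction": None, "start": min(ts for ts, _ in lines),
         "mail_from": None, "rcpts": []}
    for _, msg in lines:
        if msg.startswith("Session "):
            s["session"] = msg.split(";")[0]
        elif "Accepting SMTP connection" in msg:
            s["direction"] = "in"
        elif "Attempting SMTP connection" in msg and s["direction"] is None:
            s["direction"] = "out"
        m = MAIL_FROM_RE.search(msg)
        if m and s["mail_from"] is None:
            s["mail_from"] = m.group(1).lower()
        m = RCPT_TO_RE.search(msg)
        if m and m.group(1).lower() not in s["rcpts"]:   # out sessions retry per MX host
            s["rcpts"].append(m.group(1).lower())
    return s


def parse_sessions(log_text):
    """Split an MDaemon SMTP log on '----------' delimiter lines into sessions."""
    sessions, current = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if msg.strip() == "----------":
            if current:
                sessions.append(_summarize(current))
                current = []
            continue
        current.append((ts, msg))
    if current:
        sessions.append(_summarize(current))
    return sessions


def find_anomalies(sessions):
    """Return (kind, session, mail_from, external_rcpts) tuples for relay and ghost-copy symptoms."""
    findings = []
    inbound = [s for s in sessions if s["direction"] == "in"]
    for out in (s for s in sessions if s["direction"] == "out"):
        external = [r for r in out["rcpts"] if not is_local(r)]
        # Symptom 1: neither envelope sender nor recipient is ours -> third-party relay.
        if out["mail_from"] and not is_local(out["mail_from"]) and external:
            findings.append(("relay", out["session"], out["mail_from"], external))
        # Symptom 2: same sender arrived shortly before, but the outbound copy
        # goes to an external address that the inbound envelope never named.
        for inc in inbound:
            if inc["mail_from"] != out["mail_from"]:
                continue
            if not (timedelta(0) <= out["start"] - inc["start"] <= CORRELATION_WINDOW):
                continue
            extra = [r for r in external if r not in inc["rcpts"]]
            if extra:
                findings.append(("ghost-copy", out["session"], out["mail_from"], extra))
    return findings


def external_recipient_counts(sessions):
    """Count external destinations across outbound sessions; a fixed mailbox stands out."""
    counts = {}
    for s in sessions:
        if s["direction"] == "out":
            for r in s["rcpts"]:
                if not is_local(r):
                    counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for finding in find_anomalies(parsed):
        print(finding)
    print(external_recipient_counts(parsed))
```

Run it against a concatenation of the real in and out logs (the timestamps, "Accepting"/"Attempting" markers and envelope commands are the same format as quoted above) and the "ghost-copy" findings give you, per session, the external address the copy went to and the inbound message it mirrors, which is the list worth matching against Content Filter rules and per-account forwarding settings.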

MarchFun posted on 2013-12-26 11:35:30

The message came from 199.40.206.37 (gateway2e.dhl.com).
If Relay is already closed, in principle it shouldn't be possible to send. Go check the contents of Trust Domain and Trust IP.

tungwj posted on 2013-12-26 12:05:58

In Trust Domain & IP I've configured some IPs of important business partners, but dhl.com is not among them.
And the point isn't dhl.com. I've found that when a mail user sends a message, a pile of junk goes out along with it in SMTP (out).
Most often it's involuntarily sent to the mailbox "[email protected]".
The senders include my own domain as well as non-domain senders.
My current blocking method is to use the firewall to drop mail from non-domain senders.
But for mail inexplicably sent from my own domain, apart from blocking the known mailboxes, I have no better method.

The key question this time is why my server sends these messages on its own; I'm baffled.
I've scanned for viruses, scanned for trojans, scanned for worms..... about to give up :Q

tungwj posted on 2013-12-26 12:12:37

Attaching a screenshot for reference

MarchFun posted on 2013-12-26 13:57:34

I can't make sense of it yet either.
For now I'm still looking at sources that are permitted to relay directly: have you configured LAN IPs? That is, could it be coming from inside?

Another approach: uncheck all the exceptions in the Relay settings and try again.

tungwj posted on 2013-12-26 15:16:27

LAN IPs are configured

Problems:
1. As soon as external mail comes in, it is immediately forwarded
2. Internally sent mail is immediately forwarded
. But not every message necessarily gets forwarded
. Nor is it a fixed set of messages that get forwarded
But the mailboxes it forwards to are always the same few
Given point 1, it doesn't look like a guessed password either
All the forwarded messages have my own host as the sending host

What I'm doing now
1. Block mail from senders outside my own domain at the firewall
2. Use the Content Filter to filter the forwarding destinations and dump everything into the Bad Queue

But I still can't find the root cause of this strange phenomenon. I've used it for so many years and this is the first time I've run into it; it's a bit frustrating.

tungwj posted on 2013-12-26 15:19:45

Hey buddy
If you're interested in investigating, I'll open TeamViewer so you can connect in and take a look

MarchFun posted on 2013-12-26 20:45:42

If possible, first turn off those two measures you set up, then uncheck all the exceptions in the Relay settings and see whether that helps. That will confirm whether it could be coming from one of those.

tungwj posted on 2013-12-27 08:27:39

My Relay has no exception items checked
But Trusted Hosts has domains & IPs configured; should I remove those first?

tungwj posted on 2013-12-30 10:33:21

I've removed all Domains & IPs from Trusted Hosts
It still automatically forwards to the mailbox [email protected]
And the forwarded content is just the content of normal mail
For example: [email protected] to [email protected]
with content 123
and the copy automatically forwarded to [email protected] also has content 123
This is troubling; internal confidential documents are being sent out too......
But then again, not every message is auto-forwarded to [email protected]; it's a headache

MarchFun posted on 2013-12-30 17:50:24

Too strange~~~:L
It doesn't look like it's coming from some employee's computer internally either.
I'll find some time to look at it over TeamViewer.

MarchFun posted on 2013-12-30 17:55:34

I looked again, and the SMTP IN you provided doesn't seem to be the right one, because that content just looks like dhl sending to users in your domain; I don't see it relaying to any other domain.

tungwj posted on 2013-12-30 23:14:28

This post was last edited by tungwj on 2013-12-30 11:21 PM

Exactly
The section I provided is dhl.com sending mail in, not relaying to anyone, yet my server automatically forwards it out
That's exactly what puzzles me....
If it were a virus or a trojan, the antivirus should have reported something. I used several antivirus products; they removed a few trojans, and now no virus alerts appear anymore, unless there's a more sophisticated trojan present...

tungwj posted on 2013-12-30 23:24:44

I really want to set up another server and configure it from scratch
Besides backing up UserList.dat and the user directories, are there other files I need?

MarchFun posted on 2013-12-31 11:32:12

There are related articles to consult here:

http://www.suma.tw/misc.php?mod=tag&id=09