數碼中文坊

Views: 4182 | Replies: 4

[Solved] Spam that can't be blocked

Posted on 2011-12-30 16:34:52

This post was last edited by liskenny on 2011-12-30 04:41 PM

Recently the company has kept receiving spam. Looking at it, the messages seem to come from the same place, yet each one has a different source.

The SMTP-in log is as follows:

Fri 2011-12-30 11:26:36: Session 3574; child 2; thread 4184
Fri 2011-12-30 11:26:31: Accepting SMTP connection from [67.20.29.147 : 41493]
Fri 2011-12-30 11:26:31: --> 220 xxx.com.tw ESMTP MDaemon 8.1.1; Fri, 30 Dec 2011 11:26:31 +0800
Fri 2011-12-30 11:26:32: <-- HELO cable.fidnet.com
Fri 2011-12-30 11:26:32: --> 250 xxx.com.tw Hello cable.fidnet.com, pleased to meet you
Fri 2011-12-30 11:26:32: <-- MAIL FROM:<[email protected]>
Fri 2011-12-30 11:26:32: --> 250 <[email protected]>, Sender ok
Fri 2011-12-30 11:26:32: <-- RCPT TO:<[email protected]>
Fri 2011-12-30 11:26:32: Performing DNS-BL lookup (67.20.29.147 - connecting IP)
Fri 2011-12-30 11:26:33: *  sbl-xbl.spamhaus.org - failed
Fri 2011-12-30 11:26:33: *  opm.blitzed.org - passed
Fri 2011-12-30 11:26:33: *  relays.ordb.org - passed
Fri 2011-12-30 11:26:33: *  bl.spamcop.net - passed
Fri 2011-12-30 11:26:33: *  173.12.217.73 - passed
Fri 2011-12-30 11:26:34: *  naanet.dk - passed
Fri 2011-12-30 11:26:34: *  64.31.61.215 - passed
Fri 2011-12-30 11:26:34: *  [email protected] - passed
Fri 2011-12-30 11:26:34: *  yahoo.com - failed
Fri 2011-12-30 11:26:34: ---- End DNS-BL results
Fri 2011-12-30 11:26:34: --> 250 <[email protected]>, Recipient ok
Fri 2011-12-30 11:26:34: <-- DATA
Fri 2011-12-30 11:26:34: Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000014166.tmp
Fri 2011-12-30 11:26:34: --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2011-12-30 11:26:35: Message size: 1622 bytes
Fri 2011-12-30 11:26:35: Passing message through AntiVirus (Size: 1622)...
Fri 2011-12-30 11:26:35: *  Message is clean (no viruses found)
Fri 2011-12-30 11:26:35: ---- End AntiVirus results
Fri 2011-12-30 11:26:35: Passing message through Spam Filter (Size: 1622)...
Fri 2011-12-30 11:26:36: *  3.0 MDAEMON_DNSBL MDaemon: marked by MDaemon's DNSBL
Fri 2011-12-30 11:26:36: *  0.1 RCVD_BY_IP Received by mail server with no name
Fri 2011-12-30 11:26:36: *  3.4 MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary
Fri 2011-12-30 11:26:36: *  2.7 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
Fri 2011-12-30 11:26:36: *  2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
Fri 2011-12-30 11:26:36: *  2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
Fri 2011-12-30 11:26:36: *  0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
Fri 2011-12-30 11:26:36: * -100 USER_IN_WHITELIST_TO address is listed in 'whitelist_to'
Fri 2011-12-30 11:26:36: *  6.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
Fri 2011-12-30 11:26:36: *      [score: 0.9457]
Fri 2011-12-30 11:26:36: *  0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
Fri 2011-12-30 11:26:36: *  0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
Fri 2011-12-30 11:26:36: *  0.0 HTML_MESSAGE BODY: HTML included in message
Fri 2011-12-30 11:26:36: *  0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
Fri 2011-12-30 11:26:36: *  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
Fri 2011-12-30 11:26:36: *  2.4 FORGED_MUA_IMS Forged mail pretending to be from IMS
Fri 2011-12-30 11:26:36: *  2.4 FORGED_IMS_TAGS IMS mailers can't send HTML in this format
Fri 2011-12-30 11:26:36: ---- End SpamAssassin results
Fri 2011-12-30 11:26:36: Spam Filter score/req: -74.65/12.0
Fri 2011-12-30 11:26:36: Message creation successful: c:\mdaemon\queues\inbound\md50000396742.msg
Fri 2011-12-30 11:26:36: --> 250 Ok, message saved <Message-ID: <[email protected]>>
Fri 2011-12-30 11:26:36: <-- QUIT
Fri 2011-12-30 11:26:36: --> 221 See ya in cyberspace
Fri 2011-12-30 11:26:36: SMTP session successful (Bytes in/out: 1723/350)
Fri 2011-12-30 11:26:36: ----------
Fri 2011-12-30 13:22:03: ----------
Fri 2011-12-30 13:22:10: Session 3791; child 1; thread 4244
Fri 2011-12-30 13:22:05: Accepting SMTP connection from [180.247.96.10 : 36465]
Fri 2011-12-30 13:22:05: Performing PTR lookup (10.96.247.180.IN-ADDR.ARPA)
Fri 2011-12-30 13:22:05: *  Error: The name server reports that it is having technical problems
Fri 2011-12-30 13:22:05: ---- End PTR results
Fri 2011-12-30 13:22:05: --> 220 xxx.com.tw ESMTP MDaemon 8.1.1; Fri, 30 Dec 2011 13:22:05 +0800
Fri 2011-12-30 13:22:06: <-- HELO 220.130.205.224
Fri 2011-12-30 13:22:06: --> 250 xxx.com.tw Hello 220.130.205.224, pleased to meet you
Fri 2011-12-30 13:22:06: <-- MAIL FROM:<[email protected]>
Fri 2011-12-30 13:22:06: --> 250 <[email protected]>, Sender ok
Fri 2011-12-30 13:22:06: <-- RCPT TO:<[email protected]>
Fri 2011-12-30 13:22:06: Performing DNS-BL lookup (180.247.96.10 - connecting IP)
Fri 2011-12-30 13:22:06: *  sbl-xbl.spamhaus.org - failed
Fri 2011-12-30 13:22:07: *  opm.blitzed.org - passed
Fri 2011-12-30 13:22:07: *  relays.ordb.org - passed
Fri 2011-12-30 13:22:07: *  bl.spamcop.net - failed
Fri 2011-12-30 13:22:07: *  173.12.217.73 - passed
Fri 2011-12-30 13:22:07: *  naanet.dk - passed
Fri 2011-12-30 13:22:07: *  64.31.61.215 - passed
Fri 2011-12-30 13:22:07: *  [email protected] - passed
Fri 2011-12-30 13:22:07: *  yahoo.com - failed
Fri 2011-12-30 13:22:07: ---- End DNS-BL results
Fri 2011-12-30 13:22:07: --> 250 <[email protected]>, Recipient ok
Fri 2011-12-30 13:22:08: <-- DATA
Fri 2011-12-30 13:22:08: Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000014548.tmp
Fri 2011-12-30 13:22:08: --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2011-12-30 13:22:08: Message size: 2748 bytes
Fri 2011-12-30 13:22:08: Passing message through AntiVirus (Size: 2748)...
Fri 2011-12-30 13:22:08: *  Message is clean (no viruses found)
Fri 2011-12-30 13:22:08: ---- End AntiVirus results
Fri 2011-12-30 13:22:08: Passing message through Spam Filter (Size: 2748)...
Fri 2011-12-30 13:22:09: *  3.0 MDAEMON_DNSBL MDaemon: marked by MDaemon's DNSBL
Fri 2011-12-30 13:22:09: *  4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
Fri 2011-12-30 13:22:09: *  3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
Fri 2011-12-30 13:22:09: *  0.1 RCVD_BY_IP Received by mail server with no name
Fri 2011-12-30 13:22:09: *  2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
Fri 2011-12-30 13:22:09: *  0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
Fri 2011-12-30 13:22:09: * -100 USER_IN_WHITELIST_TO address is listed in 'whitelist_to'
Fri 2011-12-30 13:22:09: *  1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
Fri 2011-12-30 13:22:09: *      [score: 0.5261]
Fri 2011-12-30 13:22:09: *  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
Fri 2011-12-30 13:22:09: *  4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
Fri 2011-12-30 13:22:09: *  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
Fri 2011-12-30 13:22:09: *  0.0 UPPERCASE_50_75 message body is 50-75% uppercase
Fri 2011-12-30 13:22:09: ---- End SpamAssassin results
Fri 2011-12-30 13:22:09: Spam Filter score/req: -80.34/12.0
Fri 2011-12-30 13:22:09: Message creation successful: c:\mdaemon\queues\inbound\md50000396762.msg
Fri 2011-12-30 13:22:09: --> 250 Ok, message saved <Message-ID: <[email protected]>>
Fri 2011-12-30 13:22:10: <-- QUIT
Fri 2011-12-30 13:22:10: --> 221 See ya in cyberspace
Fri 2011-12-30 13:22:10: SMTP session successful (Bytes in/out: 2857/361)
Fri 2011-12-30 13:22:10: ----------
Original poster | Posted on 2011-12-30 16:44:58
This post was last edited by liskenny on 2011-12-30 04:48 PM

Fri 2011-12-30 13:56:22: ----------
Fri 2011-12-30 13:58:57: Session 3850; child 1; thread 4224
Fri 2011-12-30 13:57:54: Accepting SMTP connection from [205.188.249.150 : 58923]
Fri 2011-12-30 13:57:54: Performing PTR lookup (150.249.188.205.IN-ADDR.ARPA)
Fri 2011-12-30 13:57:55: *  D=150.249.188.205.IN-ADDR.ARPA TTL=(60) PTR=[ims-d13.mx.aol.com]
Fri 2011-12-30 13:57:55: *  Gathering A records...
Fri 2011-12-30 13:57:55: *  D=ims-d13.mx.aol.com TTL=(60) A=[205.188.249.150]
Fri 2011-12-30 13:57:55: ---- End PTR results
Fri 2011-12-30 13:57:55: --> 220 xxx.com.tw ESMTP MDaemon 8.1.1; Fri, 30 Dec 2011 13:57:55 +0800
Fri 2011-12-30 13:57:55: <-- EHLO ims-d13.mx.aol.com
Fri 2011-12-30 13:57:55: Performing IP lookup (ims-d13.mx.aol.com)
Fri 2011-12-30 13:57:55: *  D=ims-d13.mx.aol.com TTL=(60) A=[205.188.249.150]
Fri 2011-12-30 13:57:55: ---- End IP lookup results
Fri 2011-12-30 13:57:55: --> 250-xxx.com.tw Hello ims-d13.mx.aol.com, pleased to meet you
Fri 2011-12-30 13:57:55: --> 250-ETRN
Fri 2011-12-30 13:57:55: --> 250-AUTH=LOGIN
Fri 2011-12-30 13:57:55: --> 250-AUTH LOGIN CRAM-MD5
Fri 2011-12-30 13:57:55: --> 250-8BITMIME
Fri 2011-12-30 13:57:55: --> 250 SIZE 0
Fri 2011-12-30 13:57:56: <-- MAIL From:<[email protected]> SIZE=6235
Fri 2011-12-30 13:57:56: Performing IP lookup (aim.com)
Fri 2011-12-30 13:57:56: *  D=aim.com TTL=(2) A=[207.200.74.38]
Fri 2011-12-30 13:57:56: *  P=015 D=aim.com TTL=(33) MX=[mailin-04.mx.aol.com]
Fri 2011-12-30 13:57:56: *  P=015 D=aim.com TTL=(33) MX=[mailin-03.mx.aol.com] {205.188.59.193}
Fri 2011-12-30 13:57:56: *  P=015 D=aim.com TTL=(33) MX=[mailin-02.mx.aol.com] {64.12.90.65}
Fri 2011-12-30 13:57:56: *  P=015 D=aim.com TTL=(33) MX=[mailin-01.mx.aol.com] {205.188.59.194}
Fri 2011-12-30 13:57:56: *  D=aim.com TTL=(2) A=[207.200.74.38]
Fri 2011-12-30 13:57:56: ---- End IP lookup results
Fri 2011-12-30 13:57:56: --> 250 <[email protected]>, Sender ok
Fri 2011-12-30 13:57:56: <-- RCPT To:<[email protected]>
Fri 2011-12-30 13:57:56: Performing DNS-BL lookup (205.188.249.150 - connecting IP)
Fri 2011-12-30 13:57:56: *  sbl-xbl.spamhaus.org - passed
Fri 2011-12-30 13:57:56: *  opm.blitzed.org - passed
Fri 2011-12-30 13:57:57: *  relays.ordb.org - passed
Fri 2011-12-30 13:57:57: *  bl.spamcop.net - passed
Fri 2011-12-30 13:57:57: *  173.12.217.73 - passed
Fri 2011-12-30 13:57:57: *  naanet.dk - passed
Fri 2011-12-30 13:58:57: *  64.31.61.215 - passed
Fri 2011-12-30 13:58:57: *  [email protected] - passed
Fri 2011-12-30 13:58:57: *  yahoo.com - failed
Fri 2011-12-30 13:58:57: ---- End DNS-BL results
Fri 2011-12-30 13:58:57: --> 250 <[email protected]>, Recipient ok
Fri 2011-12-30 13:58:57: Error reading from socket!
Fri 2011-12-30 13:58:57: Unexpected socket closure
Fri 2011-12-30 13:58:57: SMTP session terminated (Bytes in/out: 99/295)
Fri 2011-12-30 13:58:57: ----------

As you can see, the account [email protected] is common to every one of these messages, yet at the source they arrive through hosts that look legitimate.
I'm really stuck on this...

Does anyone have experience fighting something like this?
Posted on 2011-12-30 18:37:14
First go and check which header [email protected] actually appears in. Is it Reply-To:, or something else?
Original poster | Posted on 2011-12-31 09:09:15
After checking, I found that I had made a silly mistake myself.
Sat 2011-12-31 06:16:49: Performing DNS-BL lookup (203.67.135.109 - connecting IP)
Sat 2011-12-31 06:16:49: *  sbl-xbl.spamhaus.org - passed
Sat 2011-12-31 06:16:49: *  opm.blitzed.org - passed
Sat 2011-12-31 06:16:49: *  relays.ordb.org - passed
Sat 2011-12-31 06:16:49: *  bl.spamcop.net - passed
Sat 2011-12-31 06:16:49: *  173.12.217.73 - passed
Sat 2011-12-31 06:16:50: *  naanet.dk - passed
Sat 2011-12-31 06:16:50: *  64.31.61.215 - passed
Sat 2011-12-31 06:16:50: *  [email protected] - passed
Sat 2011-12-31 06:16:50: *  yahoo.com - failed
Sat 2011-12-31 06:16:50: ---- End DNS-BL results

The entries in green are the list from the week before, when we were being used as a relay, and I had misunderstood what the DNS-BL HOST setting is for.
When a lookup starts, it should go through the hosts in that list one by one and check whether the sender of the message has been blacklisted by those organisations (the ones in red); it is not for directly adding the people you want to block to the HOST list. That is why every advertising or spam message appeared to contain the account [email protected]....
(attachment: DNS-BL.jpg)
Posted on 2011-12-31 22:25:44
So that's what it was; no wonder I kept feeling that the position that email address appeared in looked odd.
If you want to block a HOST, you should add it under Security > Host Screen instead.
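Two things in this thread's logs are worth checking for automatically, and the script below is an added example for doing so; it is not code from the thread or from MDaemon. First, the DNS-BL host list contains entries that can never be blocklist zones (an e-mail address and two bare IP addresses), and one entry, yahoo.com, "fails" for every connecting IP including the AOL MX in the third session, which is the signature of a plain domain rather than a blocklist. Second, the -100 USER_IN_WHITELIST_TO hit in the first two sessions turns scores of roughly 25 and 20 points (both above the 12.0 required) into a pass, so whitelisting a recipient address switches the filter off for that mailbox. The log excerpt is constructed from the sessions quoted above (spacing normalised, some DNSBL lines and the near-zero rules omitted), someone@example.com is a placeholder for the obfuscated address in the poster's list, and the function names are my own.

```python
# Added example, not MDaemon's code: sanity-check a DNS-BL host list and an
# SMTP-in log for the two problems visible in the thread above.
import ipaddress
import re
from collections import defaultdict

# Reconstruction of the poster's DNS-BL host list; three entries are not zones.
DNSBL_HOSTS = [
    "sbl-xbl.spamhaus.org", "bl.spamcop.net",
    "173.12.217.73", "64.31.61.215",   # IPs the poster wanted to block
    "someone@example.com",             # placeholder for the address in the thread
    "yahoo.com",                       # a sender domain, not a blocklist zone
]

# Constructed excerpt modelled on the thread's first and third sessions.
SAMPLE_LOG = """\
Fri 2011-12-30 11:26:31: Accepting SMTP connection from [67.20.29.147 : 41493]
Fri 2011-12-30 11:26:33: *  sbl-xbl.spamhaus.org - failed
Fri 2011-12-30 11:26:33: *  173.12.217.73 - passed
Fri 2011-12-30 11:26:34: *  yahoo.com - failed
Fri 2011-12-30 11:26:36: *  3.0 MDAEMON_DNSBL MDaemon: marked by MDaemon's DNSBL
Fri 2011-12-30 11:26:36: *  3.4 MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary
Fri 2011-12-30 11:26:36: *  2.7 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
Fri 2011-12-30 11:26:36: *  2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
Fri 2011-12-30 11:26:36: *  2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
Fri 2011-12-30 11:26:36: * -100 USER_IN_WHITELIST_TO address is listed in 'whitelist_to'
Fri 2011-12-30 11:26:36: *  6.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
Fri 2011-12-30 11:26:36: *      [score: 0.9457]
Fri 2011-12-30 11:26:36: *  2.4 FORGED_MUA_IMS Forged mail pretending to be from IMS
Fri 2011-12-30 11:26:36: *  2.4 FORGED_IMS_TAGS IMS mailers can't send HTML in this format
Fri 2011-12-30 11:26:36: Spam Filter score/req: -74.65/12.0
Fri 2011-12-30 13:57:54: Accepting SMTP connection from [205.188.249.150 : 58923]
Fri 2011-12-30 13:57:56: *  sbl-xbl.spamhaus.org - passed
Fri 2011-12-30 13:57:57: *  173.12.217.73 - passed
Fri 2011-12-30 13:58:57: *  yahoo.com - failed
"""

ACCEPT_RE = re.compile(r"Accepting SMTP connection from \[(\d+(?:\.\d+){3}) : \d+\]")
DNSBL_RE = re.compile(r": \*\s+(\S+) - (passed|failed)$")
RULE_RE = re.compile(r": \*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)")


def dnsbl_query_name(ip, zone):
    """Name the server really resolves: reversed octets under the zone (RFC 5782)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def bad_entries(hosts):
    """Entries that cannot be DNSBL zones: e-mail addresses and bare IP literals."""
    def is_ip(h):
        try:
            ipaddress.ip_address(h)
            return True
        except ValueError:
            return False
    return [h for h in hosts if "@" in h or is_ip(h)]


def parse_sessions(text):
    """Split an SMTP-in log at each accepted connection; keep DNSBL verdicts and rule hits."""
    sessions = []
    for line in text.splitlines():
        if m := ACCEPT_RE.search(line):
            sessions.append({"ip": m.group(1), "dnsbl": {}, "rules": []})
        elif sessions and (m := DNSBL_RE.search(line)):
            sessions[-1]["dnsbl"][m.group(1)] = m.group(2)
        elif sessions and (m := RULE_RE.search(line)):
            sessions[-1]["rules"].append((float(m.group(1)), m.group(2)))
    return sessions


def always_failing_zones(sessions):
    """Zones that 'fail' for every connecting IP, even a known-good MX: probably not blocklists."""
    tally = defaultdict(lambda: [0, 0])          # zone -> [failed, seen]
    for s in sessions:
        for zone, verdict in s["dnsbl"].items():
            tally[zone][0] += verdict == "failed"
            tally[zone][1] += 1
    return sorted(z for z, (failed, seen) in tally.items() if seen >= 2 and failed == seen)


def whitelist_masking(session, required=12.0):
    """(total, total without USER_IN_WHITELIST_* hits, True if only the whitelist saved it)."""
    total = round(sum(s for s, _ in session["rules"]), 2)
    unmasked = round(sum(s for s, r in session["rules"] if not r.startswith("USER_IN_WHITELIST")), 2)
    return total, unmasked, unmasked >= required > total


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    print("entries that are not DNSBL zones:", bad_entries(DNSBL_HOSTS))
    print("zones failing for every sender:", always_failing_zones(found))
    print("query for", found[0]["ip"], "->", dnsbl_query_name(found[0]["ip"], "sbl-xbl.spamhaus.org"))
    print("session 1 (total, without whitelist, masked):", whitelist_masking(found[0]))
```

The always-failing heuristic needs more than one session and at least one sender you trust, which is exactly what the AOL connection in the thread provides; a genuine blocklist that happened to list every sender in a tiny sample would trip it too, so treat a hit as something to inspect rather than an automatic removal. The masking check is the operational takeaway: a whitelist_to entry scores -100, so any recipient on that list receives everything regardless of the other rules.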