數碼中文坊
[Discussion] Mates, please help me take a look: is my server being used as a relay?

Posted 2013-12-25 12:46:25
MDaemon version: 9.6.1
OS: Windows 2003
Antivirus has been stopped

Situation: My Relay is confirmed closed, and POP Before SMTP is enabled with a 30-minute window.
But I still keep seeing these sessions that look like the server is being used as a relay. The source mail address (@dhl.com) is legitimate, but I can't find the source IP, so I can't block it.
EHLO tyxuan.com.vn is indeed mine, but the mail address should be @tyxuan.com.vn.
Please help me analyse whether there is an oversight in my configuration. Thanks.

out.log messages

Tue 2013-12-24 06:11:33: ----------
Tue 2013-12-24 06:17:39: Session 1957; child 1
Tue 2013-12-24 06:17:30: Parsing message <c:\mdaemon\queues\remote\pd50001240559.msg>
Tue 2013-12-24 06:17:30: *  From: [email protected]
Tue 2013-12-24 06:17:30: *  To: [email protected]
Tue 2013-12-24 06:17:30: *  Subject: =?utf-8?B?QXdiIyA5MjEwOTI2MjIyOyAzIGtp4buHbjsgOS4wMCBLRy0g?= =?utf-8?B?TmfGsOG7nWkgZ+G7rWk6IEpBREVTVEFSIEhPTERJTkcgTFRE?=
Tue 2013-12-24 06:17:30: *  Message-ID:
Tue 2013-12-24 06:17:30: Attempting SMTP connection to [126.com]
Tue 2013-12-24 06:17:30: Resolving MX records for [126.com] (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:30: *  P=010 S=000 D=126.com TTL=(113) MX=[126mx02.mxmail.netease.com]
Tue 2013-12-24 06:17:30: *  P=010 S=002 D=126.com TTL=(113) MX=[126mx01.mxmail.netease.com]
Tue 2013-12-24 06:17:30: *  P=050 S=001 D=126.com TTL=(113) MX=[126mx00.mxmail.netease.com]
Tue 2013-12-24 06:17:30: Attempting SMTP connection to [126mx02.mxmail.netease.com:25]
Tue 2013-12-24 06:17:30: Resolving A record for [126mx02.mxmail.netease.com] (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:30: *  D=126mx02.mxmail.netease.com TTL=(8) A=[220.181.14.133]
Tue 2013-12-24 06:17:30: Attempting SMTP connection to [220.181.14.133:25]
Tue 2013-12-24 06:17:30: Waiting for socket connection...
Tue 2013-12-24 06:17:31: *  Connection established (192.168.23.6:4528 -> 220.181.14.133:25)
Tue 2013-12-24 06:17:31: Waiting for protocol to start...
Tue 2013-12-24 06:17:31: <-- 220 126.com Anti-spam GT for Coremail System (126com[20121016])
Tue 2013-12-24 06:17:31: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:32: <-- 250-mail
Tue 2013-12-24 06:17:32: <-- 250-PIPELINING
Tue 2013-12-24 06:17:32: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:32: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:32: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UrsSkQAUCa0xDrUUUUj
Tue 2013-12-24 06:17:32: <-- 250 8BITMIME
Tue 2013-12-24 06:17:32: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:32: <-- 250 Mail OK
Tue 2013-12-24 06:17:32: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:32: <-- 250 Mail OK
Tue 2013-12-24 06:17:32: --> DATA
Tue 2013-12-24 06:17:32: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:32: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to [220.181.14.133]
Tue 2013-12-24 06:17:33: Transfer Complete
Tue 2013-12-24 06:17:34: <-- 451 DT:SPM mx2, IMmowECZpUaMxLhS3ZlsAQ--.16734S2, please try again 1387840655 http://mail.163.com/help/help_sp ... mx2&time=1387840655
Tue 2013-12-24 06:17:34: --> QUIT
Tue 2013-12-24 06:17:34: Attempting SMTP connection to [126mx01.mxmail.netease.com:25]
Tue 2013-12-24 06:17:34: Resolving A record for [126mx01.mxmail.netease.com] (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:34: *  D=126mx01.mxmail.netease.com TTL=(8) A=[220.181.14.132]
Tue 2013-12-24 06:17:34: Attempting SMTP connection to [220.181.14.132:25]
Tue 2013-12-24 06:17:34: Waiting for socket connection...
Tue 2013-12-24 06:17:34: *  Connection established (192.168.23.6:4529 -> 220.181.14.132:25)
Tue 2013-12-24 06:17:34: Waiting for protocol to start...
Tue 2013-12-24 06:17:34: <-- 220 126.com Anti-spam GT for Coremail System (126com[20121016])
Tue 2013-12-24 06:17:34: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:34: <-- 250-mail
Tue 2013-12-24 06:17:34: <-- 250-PIPELINING
Tue 2013-12-24 06:17:34: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:34: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:34: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UrXms3gUCa0xDrUUUUj
Tue 2013-12-24 06:17:34: <-- 250 8BITMIME
Tue 2013-12-24 06:17:34: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:34: <-- 250 Mail OK
Tue 2013-12-24 06:17:34: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:34: <-- 250 Mail OK
Tue 2013-12-24 06:17:34: --> DATA
Tue 2013-12-24 06:17:34: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:34: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to [220.181.14.132]
Tue 2013-12-24 06:17:36: Transfer Complete
Tue 2013-12-24 06:17:36: <-- 451 DT:SPM mx30, LMmowEDp1laQxLhSVcOYAQ--.1728S2, please try again 1387840659 http://mail.163.com/help/help_sp ... x30&time=1387840659
Tue 2013-12-24 06:17:36: --> QUIT
Tue 2013-12-24 06:17:36: Attempting SMTP connection to [126mx00.mxmail.netease.com:25]
Tue 2013-12-24 06:17:36: Resolving A record for [126mx00.mxmail.netease.com] (DNS Server: 168.95.1.1)...
Tue 2013-12-24 06:17:37: *  D=126mx00.mxmail.netease.com TTL=(0) A=[123.125.50.118]
Tue 2013-12-24 06:17:37: Attempting SMTP connection to [123.125.50.118:25]
Tue 2013-12-24 06:17:37: Waiting for socket connection...
Tue 2013-12-24 06:17:37: *  Connection established (192.168.23.6:4531 -> 123.125.50.118:25)
Tue 2013-12-24 06:17:37: Waiting for protocol to start...
Tue 2013-12-24 06:17:37: <-- 220 126.com Anti-spam GT for Coremail System (126com[20121016])
Tue 2013-12-24 06:17:37: --> EHLO tyxuan.com.vn
Tue 2013-12-24 06:17:37: <-- 250-mail
Tue 2013-12-24 06:17:37: <-- 250-PIPELINING
Tue 2013-12-24 06:17:37: <-- 250-AUTH LOGIN PLAIN
Tue 2013-12-24 06:17:37: <-- 250-AUTH=LOGIN PLAIN
Tue 2013-12-24 06:17:37: <-- 250-coremail 1Uxr2xKj7kG0xkI17xGrU7I0s8FY2U3Uj8Cz28x1UUUUU7Ic2I0Y2UFBtZgPUCa0xDrUUUUj
Tue 2013-12-24 06:17:37: <-- 250 8BITMIME
Tue 2013-12-24 06:17:37: --> MAIL From:<[email protected]>
Tue 2013-12-24 06:17:37: <-- 250 Mail OK
Tue 2013-12-24 06:17:37: --> RCPT To:<[email protected]>
Tue 2013-12-24 06:17:37: <-- 250 Mail OK
Tue 2013-12-24 06:17:37: --> DATA
Tue 2013-12-24 06:17:37: <-- 354 End data with <CR><LF>.<CR><LF>
Tue 2013-12-24 06:17:37: Sending <c:\mdaemon\queues\remote\pd50001240559.msg> to [123.125.50.118]
Tue 2013-12-24 06:17:38: Transfer Complete
Tue 2013-12-24 06:17:39: <-- 451 DT:SPM mx7, JcmowEC5TkKTxLhSFLxoAQ--.1959S2, please try again 1387840660 http://mail.163.com/help/help_sp ... mx7&time=1387840660
Tue 2013-12-24 06:17:39: --> QUIT
Tue 2013-12-24 06:17:39: <-- 221 Bye
Tue 2013-12-24 06:17:39: This message is 0 minutes old; it has 60 minutes left in this queue
Tue 2013-12-24 06:17:39: SMTP session terminated (Bytes in/out: 1401/294273)
Tue 2013-12-24 06:17:39: ----------



Posted 2013-12-25 17:24:15
Go and look in SMTP IN for the corresponding record. You have to look at the IN log to be accurate.

Original poster | Posted 2013-12-25 17:39:28
The corresponding record is here, but I can't see any forwarding in it either. Is it a problem with my own server?
How do I prevent mail from non-local addresses from being sent out?

Tue 2013-12-24 06:17:06: ----------
Tue 2013-12-24 06:17:25: Session 1954; child 1; thread 6136
Tue 2013-12-24 06:16:49: Accepting SMTP connection from [199.40.206.37:27309]
Tue 2013-12-24 06:16:49: --> 220 tyxuan.com.vn ESMTP MDaemon 9.6.1; Tue, 24 Dec 2013 06:16:49 +0700
Tue 2013-12-24 06:16:49: <-- EHLO gateway2e.dhl.com
Tue 2013-12-24 06:16:49: Performing IP lookup (gateway2e.dhl.com)
Tue 2013-12-24 06:16:49: *  D=gateway2e.dhl.com TTL=(120) A=[199.40.206.37]
Tue 2013-12-24 06:16:49: ---- End IP lookup results
Tue 2013-12-24 06:16:49: --> 250-tyxuan.com.vn Hello gateway2e.dhl.com, pleased to meet you
Tue 2013-12-24 06:16:49: --> 250-ETRN
Tue 2013-12-24 06:16:49: --> 250-AUTH=LOGIN
Tue 2013-12-24 06:16:49: --> 250-AUTH LOGIN CRAM-MD5
Tue 2013-12-24 06:16:49: --> 250-8BITMIME
Tue 2013-12-24 06:16:49: --> 250 SIZE 15000000
Tue 2013-12-24 06:16:50: <-- MAIL FROM:<[email protected]> SIZE=96297
Tue 2013-12-24 06:16:50: Performing PTR lookup (37.206.40.199.IN-ADDR.ARPA)
Tue 2013-12-24 06:16:50: *  D=37.206.40.199.IN-ADDR.ARPA TTL=(97) PTR=[gateway2e.dhl.com]
Tue 2013-12-24 06:16:50: *  Gathering A records...
Tue 2013-12-24 06:16:50: *  D=gateway2e.dhl.com TTL=(120) A=[199.40.206.37]
Tue 2013-12-24 06:16:50: ---- End PTR results
Tue 2013-12-24 06:16:50: Performing IP lookup (dhl.com)
Tue 2013-12-24 06:16:51: *  D=dhl.com TTL=(0) A=[199.40.254.85]
Tue 2013-12-24 06:16:51: *  P=005 S=001 D=dhl.com TTL=(5) MX=[mx1.dhl.iphmx.com]
Tue 2013-12-24 06:16:51: *  P=010 S=000 D=dhl.com TTL=(5) MX=[mx2.dhl.iphmx.com]
Tue 2013-12-24 06:16:51: *  D=dhl.com TTL=(0) A=[165.72.192.235]
Tue 2013-12-24 06:16:51: *  D=dhl.com TTL=(0) A=[165.72.192.235]
Tue 2013-12-24 06:16:51: ---- End IP lookup results
Tue 2013-12-24 06:16:51: Performing SPF lookup (dhl.com / 199.40.206.37)
Tue 2013-12-24 06:16:51: *  dhl.com 199.40.206.37; matched to SPF cache
Tue 2013-12-24 06:16:51: *  Result: pass
Tue 2013-12-24 06:16:51: ---- End SPF results
Tue 2013-12-24 06:16:51: --> 250 <[email protected]>, Sender ok
Tue 2013-12-24 06:16:52: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:52: Performing DNS-BL lookup (199.40.206.37 - connecting IP)
Tue 2013-12-24 06:16:52: *  zen.spamhaus.org - passed
Tue 2013-12-24 06:16:52: ---- End DNS-BL results
Tue 2013-12-24 06:16:52: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:52: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:52: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:53: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:53: Sender attempted to deliver message to unknown address
Tue 2013-12-24 06:16:53: --> 550 <[email protected]>, Recipient unknown
Tue 2013-12-24 06:16:53: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:53: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:16:54: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:16:54: More than 5 RCPT commands encountered; this session tarpitted with a 10 second initial delay scaling by 1.00
Tue 2013-12-24 06:16:54: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:17:04: <-- RCPT TO:<[email protected]>
Tue 2013-12-24 06:17:04: --> 250 <[email protected]>, Recipient ok
Tue 2013-12-24 06:17:14: <-- DATA
Tue 2013-12-24 06:17:14: Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000077919.tmp
Tue 2013-12-24 06:17:14: --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-12-24 06:17:19: Message size: 96395 bytes
Tue 2013-12-24 06:17:19: Passing message through AntiVirus (Size: 96395)...
Tue 2013-12-24 06:17:19: *  An error occured, message will be scanned again when queued
Tue 2013-12-24 06:17:19: ---- End AntiVirus results
Tue 2013-12-24 06:17:19: Message creation successful: c:\mdaemon\queues\inbound\md50003226771.msg
Tue 2013-12-24 06:17:19: --> 250 Ok, message saved <Message-ID: >
Tue 2013-12-24 06:17:25: <-- QUIT
Tue 2013-12-24 06:17:25: --> 221 See ya in cyberspace
Tue 2013-12-24 06:17:25: SMTP session successful (Bytes in/out: 96687/636)
Tue 2013-12-24 06:17:25: ----------
Posted 2013-12-26 11:35:30
The mail came from 199.40.206.37 (gateway2e.dhl.com).
If Relay is already closed, in principle it should not be possible to send. Go and check the contents of Trust Domain and Trust IP.

Original poster | Posted 2013-12-26 12:05:58
Trust Domain & IP: I have configured a few IPs of important business partners, but dhl.com is not among them.
The point isn't really dhl.com, though. I've found that when a mail user sends mail, a pile of junk goes out along with it in SMTP (out).
Most often it is sent, unprompted, to the mailbox "[email protected]".
The senders include my own domain as well as non-domain senders.
My current blocking method is to use the firewall to drop mail from non-domain senders.
But for mail inexplicably sent from my own domain, apart from blocking the known mailboxes, I have no better way.

The important point of this question is why my server sends these mails on its own; it's puzzling.
I've scanned for viruses, scanned for trojans, scanned for worms..... about to give up.
Original poster | Posted 2013-12-26 12:12:37
Attaching a screenshot for reference
11.jpg

Posted 2013-12-26 13:57:34
I can't make much of it yet either.
For now I'd still check the sources that are allowed to relay directly: have you configured LAN IPs? In other words, could it be coming from inside?

Another approach: uncheck all the exceptions in the Relay settings and try again.
Original poster | Posted 2013-12-26 15:16:27
LAN IPs are configured.

Problems:
1. As soon as external mail comes in, it is forwarded immediately
2. Mail sent internally is forwarded immediately
   - But not every message is necessarily forwarded
   - Nor is it a fixed set of sent messages that gets forwarded
But the mailboxes it forwards to are always the same fixed ones.
Given point 1, it doesn't look like a guessed password either.
All the forwarded mail is sent by my own host.

What I'm doing now:
1. Blocking mail from non-own-domain senders at the firewall
2. Using the Content Filter to catch the forwarding targets and dump them all into the Bad Queue

But I still can't find the root cause of this strange behaviour. I've used it for so many years and this is the first time I've run into it; a bit frustrating.
Original poster | Posted 2013-12-26 15:19:45
Mate,
if you're interested in looking into it, I'll open TeamViewer so you can connect and take a look.

Posted 2013-12-26 20:45:42
If you can, first turn off those two measures you set up, then uncheck all the exceptions in the Relay settings and see whether it helps. That confirms whether the source could be one of those.

Original poster | Posted 2013-12-27 08:27:39
My Relay has no exceptions checked at all.
But Trusted Hosts has domains & IPs configured; should I remove those first?
Original poster | Posted 2013-12-30 10:33:21
All domains & IPs in Trusted Hosts have been removed.
It still automatically forwards to the mailbox [email protected].
And the forwarded content is exactly the content of normal mail.
For example: [email protected] to [email protected]
with content 123
The copy automatically forwarded to [email protected] also has content 123.
This is a real problem; internal confidential documents are being sent out too......
But it's not that every message is auto-forwarded to [email protected] either, which is a headache.

Posted 2013-12-30 17:50:24
Very strange~~~
It doesn't look like it comes from some employee's computer inside either.
I'll find time to take a look via TeamViewer.

Posted 2013-12-30 17:55:34
I looked again, and the SMTP IN you provided doesn't seem to be the right one, because that content just looks like dhl sending to users in your domain; I don't see it relaying to any other domain.
Original poster | Posted 2013-12-30 23:14:28
This post was last edited by tungwj on 2013-12-30 11:21 PM

Exactly.
The segment I provided is dhl.com sending mail in, with no relay to anyone, but my server then automatically forwards it out.
That is exactly what puzzles me....
If it were a virus or a trojan, the antivirus should show some message. I've used several antivirus products; they removed a few trojans, and no virus alerts appear any more, unless there's a more sophisticated trojan present...

Original poster | Posted 2013-12-30 23:24:44
I'd really like to set up another server and configure it from scratch.
Apart from backing up UserList.dat and the user directories, are any other files needed?

Posted 2013-12-31 11:32:12
There are related articles for reference here:

http://www.suma.tw/misc.php?mod=tag&id=09