數碼中文坊

Views: 2512 | Replies: 1

[Under discussion] Attacked by a spoofed domain

Posted on 2014-12-25 10:31:08

Hello everyone, I'm back with another question.
I recently set up another mail server and applied all the anti-spam settings from the moderator's tutorial section.
But lately there seem to be attacks impersonating my domain.
My domain is ABCD.tw, but the accounts in these incoming attempts are not ones I am using.
I'd like to ask: does this mean I have blocked them?

The LOG is as follows:

Tue 2014-12-23 05:55:32.551: Session 000175; child 0001
Tue 2014-12-23 05:55:32.551: Accepting SMTP connection from [194.63.140.115:40465] to [192.168.61.5:25]
Tue 2014-12-23 05:55:32.556: --> 220 ABCD.tw ESMTP MDaemon 14.5.2; Tue, 23 Dec 2014 05:55:32 +0800
Tue 2014-12-23 05:55:32.868: <-- EHLO User
Tue 2014-12-23 05:55:32.869: --> 250-ABCD.tw Hello User, pleased to meet you
Tue 2014-12-23 05:55:32.869: --> 250-ETRN
Tue 2014-12-23 05:55:32.869: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2014-12-23 05:55:32.869: --> 250-8BITMIME
Tue 2014-12-23 05:55:32.869: --> 250-ENHANCEDSTATUSCODES
Tue 2014-12-23 05:55:32.869: --> 250 SIZE
Tue 2014-12-23 05:55:33.185: <-- RSET
Tue 2014-12-23 05:55:33.185: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 05:55:33.500: <-- AUTH LOGIN
Tue 2014-12-23 05:55:33.500: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 05:55:33.813: <-- YXNkaGFAamluZ3hpbi50dw==
Tue 2014-12-23 05:55:33.813: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 05:55:34.126: <-- ******
Tue 2014-12-23 05:55:34.126: Failed SMTP authentication attempt from 194.63.140.115 for "asdha@ABCD.tw"
Tue 2014-12-23 05:55:34.126: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 05:55:34.438: <-- QUIT
Tue 2014-12-23 05:55:34.438: --> 221 2.0.0 See ya in cyberspace
Tue 2014-12-23 05:55:34.438: SMTP session terminated (Bytes in/out: 71/335)
Tue 2014-12-23 05:55:34.439: ----------
Tue 2014-12-23 06:19:17.007: Session 000176; child 0001
Tue 2014-12-23 06:19:17.007: Accepting SMTP connection from [194.63.140.115:5126] to [192.168.61.5:25]
Tue 2014-12-23 06:19:17.009: --> 220 ABCD.tw ESMTP MDaemon 14.5.2; Tue, 23 Dec 2014 06:19:17 +0800
Tue 2014-12-23 06:19:17.341: <-- EHLO User
Tue 2014-12-23 06:19:17.341: --> 250-ABCD.tw Hello User, pleased to meet you
Tue 2014-12-23 06:19:17.341: --> 250-ETRN
Tue 2014-12-23 06:19:17.341: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2014-12-23 06:19:17.341: --> 250-8BITMIME
Tue 2014-12-23 06:19:17.341: --> 250-ENHANCEDSTATUSCODES
Tue 2014-12-23 06:19:17.341: --> 250 SIZE
Tue 2014-12-23 06:19:17.672: <-- RSET
Tue 2014-12-23 06:19:17.672: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 06:19:18.003: <-- AUTH LOGIN
Tue 2014-12-23 06:19:18.003: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:19:18.334: <-- dGVzdEBqaW5neGluLnR3
Tue 2014-12-23 06:19:18.334: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 06:19:18.667: <-- ******
Tue 2014-12-23 06:19:18.667: Failed SMTP authentication attempt from 194.63.140.115 for "test@ABCD.tw"
Tue 2014-12-23 06:19:18.667: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 06:19:18.997: <-- RSET
Tue 2014-12-23 06:19:18.997: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 06:19:19.328: <-- AUTH LOGIN
Tue 2014-12-23 06:19:19.328: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:19:19.656: <-- dGVzdEBqaW5neGluLnR3
Tue 2014-12-23 06:19:19.656: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 06:19:19.987: <-- ******
Tue 2014-12-23 06:19:19.987: Failed SMTP authentication attempt from 194.63.140.115 for "test@ABCD.tw"
Tue 2014-12-23 06:19:19.987: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 06:19:19.988: SMTP session terminated (Bytes in/out: 115/398)
Tue 2014-12-23 06:19:19.988: ----------
Tue 2014-12-23 06:38:13.131: Session 000177; child 0001
Tue 2014-12-23 06:38:13.131: Accepting SMTP connection from [194.63.140.115:12023] to [192.168.61.5:25]
Tue 2014-12-23 06:38:13.133: --> 220 ABCD.tw ESMTP MDaemon 14.5.2; Tue, 23 Dec 2014 06:38:13 +0800
Tue 2014-12-23 06:38:13.453: <-- EHLO User
Tue 2014-12-23 06:38:13.453: --> 250-ABCD.tw Hello User, pleased to meet you
Tue 2014-12-23 06:38:13.453: --> 250-ETRN
Tue 2014-12-23 06:38:13.453: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2014-12-23 06:38:13.453: --> 250-8BITMIME
Tue 2014-12-23 06:38:13.453: --> 250-ENHANCEDSTATUSCODES
Tue 2014-12-23 06:38:13.453: --> 250 SIZE
Tue 2014-12-23 06:38:13.773: <-- RSET
Tue 2014-12-23 06:38:13.773: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 06:38:14.093: <-- AUTH LOGIN
Tue 2014-12-23 06:38:14.093: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:38:14.413: <-- aW5mb0BqaW5neGluLnR3
Tue 2014-12-23 06:38:14.413: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 06:38:14.732: <-- ******
Tue 2014-12-23 06:38:14.733: Failed SMTP authentication attempt from 194.63.140.115 for "info@ABCD.tw"
Tue 2014-12-23 06:38:14.733: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 06:38:15.053: <-- RSET
Tue 2014-12-23 06:38:15.053: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 06:38:15.373: <-- AUTH LOGIN
Tue 2014-12-23 06:38:15.373: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:38:15.693: <-- aW5mb0BqaW5neGluLnR3
Tue 2014-12-23 06:38:15.693: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 06:38:16.013: <-- ******
Tue 2014-12-23 06:38:16.013: Failed SMTP authentication attempt from 194.63.140.115 for "info@ABCD.tw"
Tue 2014-12-23 06:38:16.013: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 06:38:16.333: <-- RSET
Tue 2014-12-23 06:38:16.333: --> 250 2.0.0 RSET? Well, OK
Tue 2014-12-23 06:38:16.653: <-- AUTH LOGIN
Tue 2014-12-23 06:38:16.653: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:38:16.972: <-- aW5mb0BqaW5neGluLnR3
Tue 2014-12-23 06:38:16.972: --> 334 UGFzc3dvcmQ6
Tue 2014-12-23 06:38:17.292: <-- ******
Tue 2014-12-23 06:38:17.292: Failed SMTP authentication attempt from 194.63.140.115 for "info@ABCD.tw"
Tue 2014-12-23 06:38:17.292: --> 535 5.7.8 Authentication failed
Tue 2014-12-23 06:38:17.293: SMTP session terminated (Bytes in/out: 165/493)
Tue 2014-12-23 06:38:17.294: ----------


Lastly, I'd like to ask whether there is any website tutorial or book about LOG messages, because I really can't make much sense of the information in the LOG.
Thanks in advance.
Posted on 2014-12-25 11:14:46
There is no effective method against this kind of random-IP attack; you can only block each IP as you see it.
In your example, they all use the hostname "User", so you can also block that name in Host Screen.
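What the posted log actually records is a client from 194.63.140.115 issuing AUTH LOGIN and getting 535 on every try: password guessing against accounts at the server's own domain, with no MAIL FROM and therefore no message accepted or forged. The base64 tokens the client sends after the server's 334 VXNlcm5hbWU6 ("Username:") prompt are the account names being tried. The script below is an added example, not code from the original post or from MDaemon: it parses sessions in this log layout, decodes the AUTH LOGIN usernames, aggregates failures per source IP, separates IPs that only guess passwords from IPs that actually submit mail, and collects the HELO names used only by the guessing clients (the "User" name the reply suggests blocking in Host Screen). The sample log is constructed: it mirrors the post's line layout, source IP and account names, re-encodes the base64 usernames for the placeholder domain ABCD.tw, and adds one benign session from 203.0.113.7 that the post does not contain.

```python
"""Triage an MDaemon SMTP log for SMTP AUTH password guessing.
Added example, not from the forum post or MDaemon; the sample log is constructed
(post's layout, IP and account names; base64 usernames re-encoded for ABCD.tw)."""
import base64
import re
from collections import defaultdict

SAMPLE_LOG = """\
Tue 2014-12-23 05:55:32.551: Session 000175; child 0001
Tue 2014-12-23 05:55:32.551: Accepting SMTP connection from [194.63.140.115:40465] to [192.168.61.5:25]
Tue 2014-12-23 05:55:32.868: <-- EHLO User
Tue 2014-12-23 05:55:33.500: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 05:55:33.813: <-- YXNkaGFAQUJDRC50dw==
Tue 2014-12-23 05:55:34.126: Failed SMTP authentication attempt from 194.63.140.115 for "asdha@ABCD.tw"
Tue 2014-12-23 06:19:17.007: Session 000176; child 0001
Tue 2014-12-23 06:19:17.007: Accepting SMTP connection from [194.63.140.115:5126] to [192.168.61.5:25]
Tue 2014-12-23 06:19:17.341: <-- EHLO User
Tue 2014-12-23 06:19:18.003: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:19:18.334: <-- dGVzdEBBQkNELnR3
Tue 2014-12-23 06:19:18.667: Failed SMTP authentication attempt from 194.63.140.115 for "test@ABCD.tw"
Tue 2014-12-23 06:19:19.328: --> 334 VXNlcm5hbWU6
Tue 2014-12-23 06:19:19.656: <-- dGVzdEBBQkNELnR3
Tue 2014-12-23 06:19:19.987: Failed SMTP authentication attempt from 194.63.140.115 for "test@ABCD.tw"
Tue 2014-12-23 07:02:01.000: Session 000178; child 0001
Tue 2014-12-23 07:02:01.000: Accepting SMTP connection from [203.0.113.7:51000] to [192.168.61.5:25]
Tue 2014-12-23 07:02:01.100: <-- EHLO mail.example.net
Tue 2014-12-23 07:02:01.300: <-- MAIL FROM:<someone@example.net>
Tue 2014-12-23 07:02:02.000: ----------
"""

LINE_RE = re.compile(r"^\w{3} (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3}: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[^\]:]+):\d+\]")
HELO_RE = re.compile(r"^<-- (?:EHLO|HELO) (?P<host>\S+)")
FAILED_RE = re.compile(r'^Failed SMTP authentication attempt from \S+ for "(?P<user>[^"]+)"')
USERNAME_PROMPT = "--> 334 VXNlcm5hbWU6"  # server's base64 "Username:" prompt in AUTH LOGIN

def decode_auth_token(token):
    """Decode one base64 AUTH LOGIN token; return the raw token if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token

def parse_sessions(log_text):
    """Split the log into sessions: source IP, HELO name, usernames tried, failures, MAIL FROM seen."""
    sessions, cur, expect_user = [], None, False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Session "):
            cur = {"ip": None, "helo": None, "auth_users": [], "failed": [], "mail_from": False}
            sessions.append(cur)
            expect_user = False
            continue
        if cur is None:
            continue
        conn, helo, fail = CONNECT_RE.search(msg), HELO_RE.match(msg), FAILED_RE.match(msg)
        if conn:
            cur["ip"] = conn.group("ip")
        elif helo:
            cur["helo"] = helo.group("host")
        elif msg == USERNAME_PROMPT:
            expect_user = True  # the next client line is the base64 username
        elif expect_user and msg.startswith("<-- "):
            cur["auth_users"].append(decode_auth_token(msg[4:]))
            expect_user = False
        elif fail:
            cur["failed"].append(fail.group("user"))
        elif msg.startswith("<-- MAIL FROM"):
            cur["mail_from"] = True  # the client actually tried to submit a message
    return sessions

def summarize_by_ip(sessions):
    """Per source IP: failed AUTH count, accounts tried, HELO names, sessions that reached MAIL FROM."""
    stats = defaultdict(lambda: {"failed": 0, "accounts": set(), "helos": set(), "mail_from": 0})
    for s in sessions:
        st = stats[s["ip"]]
        st["failed"] += len(s["failed"])
        st["accounts"].update(s["failed"] + s["auth_users"])
        if s["helo"]:
            st["helos"].add(s["helo"])
        st["mail_from"] += int(s["mail_from"])
    return dict(stats)

def classify(stats, min_failures=3):
    """'auth_bruteforce': repeated failed logins and never a MAIL FROM, i.e. password guessing,
    not a forged-sender message; 'mail_submitted': at least one session reached MAIL FROM."""
    verdicts = {}
    for ip, st in stats.items():
        if st["mail_from"] > 0:
            verdicts[ip] = "mail_submitted"
        elif st["failed"] >= min_failures:
            verdicts[ip] = "auth_bruteforce"
        else:
            verdicts[ip] = "other"
    return verdicts

def helo_names_to_screen(stats, verdicts):
    """HELO/EHLO names used only by brute-force IPs: candidates for a Host Screen block."""
    bad = set().union(*(stats[ip]["helos"] for ip, v in verdicts.items() if v == "auth_bruteforce"))
    good = set().union(*(stats[ip]["helos"] for ip, v in verdicts.items() if v != "auth_bruteforce"))
    return bad - good
```

Run it over a real MDaemon SMTP log by passing the file contents to parse_sessions; IPs classified as auth_bruteforce are the ones to block, and the HELO names it returns are the ones worth adding to Host Screen, as the reply suggests. The min_failures threshold is a tuning choice: a single mistyped password from a legitimate user should not earn a block, while the pattern in the post (three failures across separate connections from one IP, all with the same generic HELO) should.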