postfix瘋狂外發垃圾郵件之分析與解決
本週二上班有人反應公司郵箱無法外發郵件,後來登入到伺服器檢視原因,不看不知道,一看嚇一跳,伺服器日誌瘋狂滾動!一看全是被其它郵件伺服器拒絕的資訊!由於這臺伺服器以前不是我管,連配置檔案都find了好久,最終從十多個main.cf中找到了真正的配置檔案......
下面開始分析問題與解決問題!
分析
localhost# find / -name main.cf
.......
/usr/local/etc/postfix/main.cf
/usr/opt/software/postfix-2.8.9/conf/main.cf
/etc/postfix/main.cf
這麼多配置檔案也不知道具體是哪個,但根據常理,最有可能的便是/etc/postfix/main.cf了。
開啟/etc/postfix/main.cf來看看。
localhost# cat /etc/postfix/main.cf | grep -v # | grep -v ^$
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
message_size_limit = 512000000
virtual_mailbox_limit = 1024000000
readme_directory = /usr/local/share/doc/postfix
virtual_mailbox_base = /usr/opt/home/domains
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
virtual_alias_maps = $alias_maps, MySQL:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
dspam_destination_recipient_limit = 1
mydestination =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_client_restrictions =
reject_rbl_client cblless.anti-spam.org.cn,
reject_rbl_client cdl.anti-spam.org.cn,
reject_rbl_client opm.blitzed.org,
reject_rbl_client bl.spamcop.NET
localhost# vi /etc/postfix/sender_access
[email protected] REJECT
[email protected] REJECT
[email protected] REJECT
........
由以上配置檔案可以看到,我們對發信者的檢測僅限於sender_access。僅僅只是拒絕了sender_access中拒絕的使用者。而沒有其它任何限制。限制條件很寬鬆。
擷取部分日誌分析
localhost# tail /var/log/maillog
Oct 22 16:36:01 localhost postfix/error[18675]: 42263221CA: to=< [email protected]>, relay=none, delay=111421, delays=105070/6348/0/2.6, dsn=4.0.0, status=deferred (delivery temporarily suspended: host relay.verizon.net[206.46.232.11] refused to talk to me: 571 Email from 124.172.224.76 is currently blocked by Verizon Online's anti-spam system. The email sender or Email Service Provider may visit http://www.verizon.net/whitelist and request removal of the block. 121022)
Oct 22 16:36:01 localhost postfix/qmgr[32357]: 184F627BF64: from=<[email protected]>, size=2338, nrcpt=50 (queue active)
Oct 22 16:36:01 localhost postfix/smtp[18300]: 1C34F26235C: to=<[email protected]>, relay=mail2.honeywell.com[199.61.24.28]:25, delay=110287, delays=110274/11/2.4/0, dsn=4.0.0, status=deferred (host mail2.honeywell.com[199.61.24.28] refused to talk to me: 554 mail2.honeywell.com)
Oct 22 16:36:01 localhost postfix/smtp[18288]: connect to news-daily.com.inbound15.mxlogicmx.net[208.65.144.12]:25: Connection refused
發現全是一些被defferred的資訊。其它郵件伺服器已經拒絕我們投遞。
那麼再用mailq命令來檢視一下佇列檔案。
結果發現mailq刷屏刷得沒完沒了了。太多快取的郵件!
localhost# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5D1477C0D* 2333 Mon Oct 22 18:36:47 [email protected]
(delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
[email protected]
擷取其中一個例子來分析,可分為五部分來看。
1,5D1477C0D* 是指快取郵件的ID
2,2333 是指郵件的大小。
3,[email protected] 是指發件人。
4,(delivery temporarily suspended: host mx.west.cox.net[68.6.19.3] refused to talk to me: 554 fed1rmimpi210 cox 124.172.224.76 blocked. Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
通過第4段資訊我們可以得到如下資訊:
delivery temporarily suspended告訴我們郵件投遞被延遲。
host mx.west.cox.net[68.6.19.3] refused to talk to me 告訴我們投遞給mx.west.cox.net[68.6.19.3] 的郵件伺服器拒收我們的信件。
124.172.224.76 我們郵件伺服器的Ip地址。
Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
通過http://postmaster.cox.net/confluence/display/postmaster/Error+Codes 上檢視更多拒收的原因。
5,[email protected] 收件人地址!
由上面的日誌我們可以知道
1,我們的郵件伺服器的發件人地址被偽造了!
2,我們郵件伺服器已經被很多其它郵件伺服器列入了黑名單
3,收件人並非我們認識的人
結論,這個郵件伺服器很可能被入侵,且被當作垃圾郵件的中繼者。
那麼,誰會是這個入侵者呢?倒底是什麼漏洞導致的?
下面來讓找到事件的源頭。
首先,根據上面的分析,我們知道發件人和收件人都不是郵件伺服器所在域的成員。那麼我們就得考慮我們的郵件伺服器是不是一個開放的中繼(open relay)。
驗證:
[[email protected] ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo [email protected]
250 mail.example.com
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
554 5.7.1 <[email protected]>: Relay access denied
可以看到,我們不經過認證傳送郵件給qq郵箱並沒有成功。所以,這並不是一個open relay的伺服器!既然如此,那別人想用我的郵件伺服器外發郵件,那麼就必需要通過認證才可以。那麼讓我們用認證的方式登入並償試偽造發信人地址外發郵件!
先將使用者名稱和密碼經過base64編碼。
[[email protected] ~]# perl -MMIME::Base64 -e "print encode_base64('123456');"
MTIzNDU2
[[email protected] ~]# perl -MMIME::Base64 -e "print encode_base64('[email protected]');"
dGVzdDFAZXhhbXBsZS5jb20=
驗證:
[[email protected] ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
auth login
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello inveracious test!
.
250 2.0.0 Ok: queued as 99F4C23F008
quit
221 2.0.0 Bye
Connection closed by foreign host.
上面我用認證使用者[email protected]登入後,偽造成[email protected]來發信。結果顯示成功!我們再回到伺服器端看看有什麼日誌產生!
localhost# tail /var/log/maillog
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: from=<[email protected]>, size=197, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/smtp[41094]: 99F4C23F008: to=<[email protected]>, relay=mx3.qq.com[119.147.192.199]:25, delay=110, delays=109/0/0.04/0.1, dsn=5.0.0, status=bounced (host mx3.qq.com[119.147.192.199] said: 550 Mail content denied. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726 (in reply to end of DATA command))
Oct 26 02:54:27 localhost postfix/cleanup[41089]: 69EA423F027: message-id=<[email protected]>
Oct 26 02:54:27 localhost postfix/bounce[41095]: 99F4C23F008: sender non-delivery notification: 69EA423F027
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 69EA423F027: from=<>, size=2203, nrcpt=1 (queue active)
Oct 26 02:54:27 localhost postfix/qmgr[40723]: 99F4C23F008: removed
日誌顯示郵件ID為99F4C23F008的郵件,發件人是[email protected]。接收伺服器是mx3.qq.com的25埠。狀態是被退回。通過http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726 可以檢視到拒絕原因。
經過認證登入後的使用者,可以偽造發件人隨意外發郵件!
由以上資訊我們可以推斷,很可能是由於別人盜用了我們的賬號,然後利用我們的賬號偽造其它發信人,瘋狂外發郵件!那麼,我們現在需要從三方面著手。
1,找出真正的發件人是哪個合法使用者並馬上修改密碼。
2,阻止郵件繼續瘋狂外發。
3,禁止認證使用者偽造發件人外發郵件。
解決
1,找出可能被盜號的使用者!
通過maillog雖然看不到被拒絕郵件到底是誰發出的,但可以看到被拒絕投遞的郵件ID.就比如下面兩封郵件的ID分別為45C4E130CB 4728312BBA。這時候,我們可以查詢到一些收信地址比較可疑的郵件來分析。
localhost# tail /var/log/maillog
Oct 22 16:41:38 localhost postfix/error[18801]: 45C4E130CB: to=<[email protected]>, relay=none, delay=101364, delays=95002/6357/0/5.3, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-124.172.224.76 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
Oct 22 16:41:38 localhost postfix/error[18103]: 4728312BBA: to=<[email protected]>, relay=none, delay=102971, delays=96576/6386/0/9.8, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[66.94.237.139] refused to talk to me: 421 4.7.1 [TS03] All messages from 124.172.224.76 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
.....
我們可以通過postcat -q命令來檢視指定ID郵件的詳細內容。比如我覺得ID為2FDF423FA50的郵件很可疑,那麼讓我們詳細看看郵件:
localhost# postcat -q 2FDF423FA50
*** ENVELOPE RECORDS deferred/2/2FDF423FA50 ***
message_size: 2428 4714 50 0 2428
message_arrival_time: Wed Oct 24 06:18:07 2012
create_time: Wed Oct 24 06:18:08 2012
named_attribute: log_ident=2FDF423FA50
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN <-----sasl認證通過
named_attribute: [email protected] <-------認證使用者名稱
sender: [email protected] <-----偽造的發信者
named_attribute: log_client_name=unknown
named_attribute: log_client_address=68.167.29.196 <----登入客戶端的ip
named_attribute: log_client_port=1464
named_attribute: log_message_origin=unknown[68.167.29.196]
named_attribute: log_helo_name=User
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=h-68-167-29-196.mclnva23.static.covad.net
named_attribute: client_address=68.167.29.196
named_attribute: client_port=1464
named_attribute: helo_name=User
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected] <------收件人1
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected] <------收件人2
recipient: [email protected]
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected] <------收件人3
recipient: [email protected]
.........
通過上面的這封郵件,我們可以知道,這封郵件是由[email protected]這個使用者來認證登入的。登入者IP 68.167.29.196。該使用者將發信人偽造成:[email protected]。並且同時傳送很多封郵件出去! 如果真存在[email protected]這個使用者的話,那這個使用者信箱估計也被塞滿了無數退信郵件.
很顯然,上面這封郵件並不是一封正常郵件!通過這封郵件很快就可以確定這個使用者的密碼很可能是被別人破解了!或者郵件系統有其它漏洞,入侵者親自建立了該使用者用來群發郵件。
搜尋/var/spool/postfix/defrred目錄下面的ip 68.167.29.196,發現有5600郵件被阻塞著。而且還在不斷增加。且使用者均為[email protected]。可以確定,IP 68.167.29.196為入侵者。
localhost# cd /var/spool/postfix/defrred
localhost# find . -exec grep "68.167.29.196" {} \; | wc -l
5625
登入資料庫檢視[email protected]這個使用者的建立情況。這個在webman管理後臺上面是看不到的。
localhost# /usr/opt/local/mysql-5.1.47/bin/mysql -uextmail -pextmail
mysql> select * from mailbox where username='[email protected]'\G;
*************************** 1. row ***************************
username: [email protected]
uid: info
password: $1$RpyMEokE$CK31uufL9uNk6PjqSorXa1
clearpwd:
name:
mailhost:
maildir: example.com/info/Maildir/
homedir: example.com/info
quota: 524288000S
netdiskquota: 524288000S
domain: example.com
uidnumber: 1000
gidnumber: 1000
createdate: 2012-04-25 15:35:54 <-----建立日期
expiredate: 0000-00-00
active: 1
disablepwdchange: 0
disablesmtpd: 0
disablesmtp: 0
disablewebmail: 0
disablenetdisk: 0
disableimap: 1
disablepop3: 0
question:
answer:
1 row in set (0.00 sec)
mysql> select * from manager;
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
| username | password | type | uid | name | question | answer | disablepwdchange | createdate | expiredate | active |
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
| [email protected] | $1$ZwYBBBz1$mh.Uwro5vqXMwYum0eprq/ | admin | root | Super User | my question | my answer | 0 | 2007-02-14 15:10:04 | 2010-11-08 | 1 |
+------------------+------------------------------------+-------+------+------------+-------------+-----------+------------------+---------------------+------------+--------+
管理員賬號只有一個,[email protected]也不是新建的。那應該是[email protected]的使用者密碼被破解了。
來看看[email protected]這個使用者的登入日誌。發現全是由68.167.29.196的主機登入的。
localhost# cat /var/log/maillog | grep [email protected]
Oct 24 00:32:10 localhost postfix/smtpd[4202]: 8F005249014: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:16 localhost postfix/smtpd[5029]: 11044249024: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:17 localhost postfix/smtpd[4626]: 930FB249028: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
Oct 24 00:32:17 localhost postfix/smtpd[4765]: A890624902B: client=unknown[68.167.29.196], sasl_method=LOGIN, [email protected]
登入extman,將[email protected]這個使用者的密碼改掉。
我們登入[email protected]來看看使用者情況。結果發現有一萬多封退信資訊,由於這個賬號沒人用,所以一直未發現這個問題。
2,清除所有快取垃圾郵件,阻止郵件伺服器繼續償試外發!
清除defer和deferred目錄下的快取郵件
我們來瞧瞧郵件快取目錄
localhost# du -sh /var/spool/postfix/*
2.1G /var/spool/postfix/defer
2.7G /var/spool/postfix/deferred
可以看到,被延遲傳送的郵件佔用了5個g的空間!
清除郵件中的所有佇列
localhost# postsuper -d ALL
postsuper: Deleted: 292551 messages
共清除了將近30萬封快取的郵件。
如果快取郵件裡面有重要郵件,不能刪除所有郵件,那麼也可以寫一個指令碼,只清除所有屬於68.167.29.196的快取郵件。
localhost# vi deldefer.sh
#刪除defferred中的快取
cd /var/spool/postfix/deferred/
find . -exec grep 68.167.29.196 {} \; | awk '{print $3}' | cut -d/ -f3 >/tmp/del.txt
for i in `cat /tmp/del.txt`
do
postsuper -d "$i"
done
rm -rf /tmp/del.txt
#刪除deffer中的快取
cd /var/spool/postfix/defer
for i in `find .|cut -d/ -f3`
do
postcat -q $i |grep 68.167.29.196
if [ $? -eq 0 ];
then
echo $i >> /tmp/defer.txt
postsuper -d $i
fi
done
rm -rf /tmp/defer.txt
指令碼說明:
在刪除deffer和defferred下面的快取郵件的指令碼是不同的。由於defer下的快取郵件用cat直接檢視是看不到發件人及登入ip等詳細資訊的,需要用postcat來檢視才能顯示出詳細的資訊。所以deffer目錄裡的清除指令碼寫法和上面defferred的有些不同。注意:在刪除了deferred下面的快取後,如果不刪除defer的快取,defer下的郵件仍然會被不停的投遞出去,直到最後變為deferred之後才會放棄。所以,如果只刪除deferred下面的郵件而不刪除defer下面的郵件的話,過不了多久,deferred下面又會出現大量郵件,而這個郵件是由defer目錄下的快取引起的。
-------------------------------------------------------
再次檢視快取目錄,容量終於恢復正常值。
localhost# du -sh /var/spool/postfix/*
162K /var/spool/postfix/defer
46K /var/spool/postfix/deferred
刪除[email protected]使用者郵箱的退信郵件
下面該刪除[email protected]使用者的所有退信郵件了.通過檢視郵件發現所有的垃圾郵件均是今天一天生成的。到伺服器端查詢並刪除今天的所有郵件。
進入到info使用者的郵件目錄
localhost# cd /usr/opt/home/domains/example.com/info/Maildir/
可以看到有12779封郵件。
localhost# ls -l cur/ |wc -l
12779
查詢今天生成的郵件,共11589封
localhost# find cur/ -ctime -1 | wc -l
11589
刪除所有今天的郵件
localhost# find cur/ -ctime -1 -exec rm -f {} \;
刪除完畢!
注意find cur/ -ctime -1 -exec rm -f {} \; 中是rm -f !不要寫成了rm -rf。否則一執行就把cur目錄給刪掉了。那麼使用者以前的郵件也全帶著一起刪除了!
至此,郵件伺服器終於恢復了正常執行。再次用tail -f 來檢視日誌,不會再出現那恐怖的瘋狂刷屏日誌了!瘋狂的伺服器終於恢復了原來的悠閒狀態!
3,禁止認證使用者假冒發信人外發
修改main.cf配置檔案,增加發信人限制功能!
localhost# vi main.cf
mynetworks = 127.0.0.0/8
smtpd_sender_restrictions =
permit_mynetworks,
reject_sender_login_mismatch,
reject_non_fqdn_sender,
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch,
reject_non_fqdn_recipient,
reject_invalid_hostname,
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/sender_access
smtpd_sender_login_maps =
mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
mysql:/etc/postfix/mysql_virtual_alias_maps.cf
localhost# postfix reload
在客戶端測試效果:
客戶端偽造發信人測試,[email protected]偽造成發件人[email protected]未成功!
[[email protected] ~]# perl -MMIME::Base64 -e "print encode_base64('123456');"
MTIzNDU2
[[email protected] ~]# perl -MMIME::Base64 -e "print encode_base64('[email protected]');"
dGVzdDFAZXhhbXBsZS5jb20=
[[email protected] ~]# telnet mail.example.com 25
Trying 124.172.224.76...
Connected to mail.example.com (124.172.224.76).
Escape character is '^]'.
auth login
220 mail.example.com ESMTP Postfix
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]
客戶端用真實的地址發信測試成功
[[email protected] ~]# telnet mail.example.com 25
Trying 124.172.224.76...
auConnected to mail.example.com (124.172.224.76).
Escape character is '^]'. 220 mail.example.com ESMTP Postfix
auth login
334 VXNlcm5hbWU6
dGVzdDFAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.7.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
Ok,測試成功!
關於郵件伺服器被yahoo,gmail,hotmail等郵件伺服器列入黑名單問題,這個最好是換個ip地址吧。一個個申訴太麻煩了!