
Exim spam CentOS, how can I detect the source

I have a lot of messages like this:

2012-10-03 06:53:36 1TJGxf-0006kG-F0 ** *@yahoo.com.tw F=<*@*.*> R=enforce_mail_permissions: Domain *.* has exceeded the max emails per hour (250/200 (125%)) allowed. Message discarded.

I have never seen the Yahoo mail of course, and there are approximately 10 messages like this every 5-10 seconds...

How could I detect the source?

How could I stop it?

In your example, the mail queue id is 1TJGxf-0006kG-F0. The first thing you want to do is look at the logs for that email. There are two possible ways, depending upon how exim is configured. Try this first:

exim -Mvl 1TJGxf-0006kG-F0

It will print out the logs for that email, including what IP address it came from, if there was any user who authenticated, etc. Exim can be configured not to track this individual message information and we don't know how your exim is configured, so if that doesn't work, then run this instead:

exigrep 1TJGxf-0006kG-F0 /var/log/exim/main.log

You may have to find which log file your exim is logging to. Here is how I would find that on my system:

# exim -bP | grep log_file_path
log_file_path = /var/log/exim/%s.log

Then use that result to figure out where your logfile is.

Having given you those tools to dig and find your info, I strongly suspect that you are running some website that has a submission form that is insecure. By "insecure", I mean that some web bot is able to submit a sender, a recipient, and a message body and is using that form to send out massive amounts of spam. The logs above will probably confirm that it's originating from your web server and not from somewhere outside. Of course, it could also be some user account that is compromised because they used a spectacularly simple password of "12345" or "secret" and spam bots are connecting to that account from all over the world and using it to send out spam.

The first step is identifying the source of the spam (local web form, compromised account, etc.) and then blocking that.
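As an added example (not part of the original answer), this script does the correlation the answer describes over a main.log excerpt: each "**" discard line is joined to its message's "<=" arrival line, and the discards are counted per origin, whether an authenticated SMTP user (A=), a remote host IP (H=), or a local submitting process user such as apache (U=). The log lines are constructed, and the field names follow Exim's standard main log format; the exact rejection text comes from the question.

```python
import re
from collections import Counter

# Constructed Exim main.log excerpt (not from the question). "<=" lines record
# a message's arrival and origin; "**" lines record the discard.
SAMPLE_LOG = """\
2012-10-03 06:53:35 1TJGxf-0006kG-F0 <= bob@example.org U=apache P=local S=812
2012-10-03 06:53:36 1TJGxf-0006kG-F0 ** victim@yahoo.com.tw F=<bob@example.org> R=enforce_mail_permissions: Domain example.org has exceeded the max emails per hour (250/200 (125%)) allowed. Message discarded.
2012-10-03 06:53:37 1TJGxg-0006kH-Ab <= carol@example.org H=(foo) [203.0.113.7] P=esmtpa A=dovecot_login:carol S=900
2012-10-03 06:53:38 1TJGxg-0006kH-Ab ** someone@example.net F=<carol@example.org> R=enforce_mail_permissions: Domain example.org has exceeded the max emails per hour (251/200 (125%)) allowed. Message discarded.
2012-10-03 06:53:39 1TJGxh-0006kJ-Cd <= dave@example.org U=apache P=local S=700
2012-10-03 06:53:40 1TJGxh-0006kJ-Cd ** other@example.com F=<dave@example.org> R=enforce_mail_permissions: Domain example.org has exceeded the max emails per hour (252/200 (126%)) allowed. Message discarded.
2012-10-03 06:53:41 1TJGxi-0006kK-Ef <= erin@example.org H=mail.partner.example [198.51.100.5] P=esmtp S=500
2012-10-03 06:53:41 1TJGxi-0006kK-Ef => erin-friend@example.com R=dnslookup T=remote_smtp
"""

# Exim message ids look like 1TJGxf-0006kG-F0: three fields of 6, 6 and 2 chars.
LINE_RE = re.compile(r"^\S+ \S+ (\S{6}-\S{6}-\S{2}) (<=|\*\*) (.*)$")

def parse_origin(rest):
    """Label where a message entered Exim, from the text after '<='."""
    m = re.search(r"\bA=(\S+)", rest)                     # authenticated SMTP user
    if m:
        return "auth:" + m.group(1)
    m = re.search(r"\bH=.*?\[([0-9A-Fa-f.:]+)\]", rest)   # remote host IP
    if m:
        return "host:" + m.group(1)
    m = re.search(r"\bU=(\S+)", rest)                     # local process, e.g. a web form
    if m:
        return "local-user:" + m.group(1)
    return "unknown"

def discarded_by_origin(log_text):
    """Count 'Message discarded' events per origin of the offending message."""
    arrivals, discarded = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msgid, kind, rest = m.groups()
        if kind == "<=":
            arrivals[msgid] = parse_origin(rest)
        elif kind == "**" and "Message discarded" in rest:
            discarded.add(msgid)
    return Counter(arrivals.get(mid, "unknown") for mid in discarded)

if __name__ == "__main__":
    for origin, count in discarded_by_origin(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {origin}")
```

On a real system, feed it the file named by log_file_path instead of SAMPLE_LOG; a count dominated by "local-user:apache" points at a web form, while one dominated by a single "auth:" entry points at a compromised mailbox password.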
