System: FC6+Sendmail+MailScanner+Spamassassin+ClamAV
Symptoms:
There is a user A@ABC.COM in the company. Whenever anyone, internal or external, sends mail to A, the system automatically has A@ABC.COM send a message to a fixed mailbox
XXX@163.COM; likewise user B@ABC.COM maps to YYY@YAHOO.COM, and so on. So far I have found roughly 5-10 such users,
and the server has over 1K users. These messages to 163 and Yahoo sometimes get through, and sometimes they are bounced as spam or the like.
Log 1:
[root@mail log]# cat maillog.5 |grep m5IARAWw020244
Jun 18 18:27:13 mail sendmail[20244]: m5IARAWw020244: from=<tequilatrouble@hotmail.com>, size=585, class=0, nrcpts=1, msgid=<01c8d146$fa75d000$8a04705c@tequilatrouble>, proto=ESMTP, daemon=MTA, relay=138-4-112-92.pool.ukrtel.net [92.112.4.138] (may be forged)
Jun 18 18:27:19 mail sendmail[20289]: m5IARAWw020244: to=\\caddie, delay=00:00:07, xdelay=00:00:00, mailer=local, pri=120585, dsn=2.0.0, stat=Sent
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: to=caddie512@163.com, delay=00:00:08, xdelay=00:00:01, mailer=esmtp, pri=120585, relay=163.mxmail.netease.com. [220.181.12.73], dsn=5.0.0, stat=Service unavailable
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: m5IARJYb020289: DSN: Service unavailable
[root@mail log]# cat maillog.5 |grep m5IARJYb020289
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: m5IARJYb020289: DSN: Service unavailable
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=<tequilatrouble@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31953, relay=mx4.hotmail.com. [65.54.244.232], dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=marc, ctladdr=root (8/0), delay=00:00:01, mailer=local, pri=31953, dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=marc, ctladdr=root (8/0), delay=00:00:01, mailer=local, pri=31953, dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: m5IARJYc020289: return to sender: User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: Losing ./qfm5IARJYb020289: savemail panic
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: SYSERR(root): savemail: cannot save rejected email anywhere
Log 2:
Jun 17 16:26:49 mail sendmail[10903]: m5H8QnTw010903: from=<ivy7@ABC.COM>, size=249473, class=0, nrcpts=3, msgid=<003701c8d053$8374ec00$860ca8c0@sdf>, proto=SMTP, daemon=MTA, relay=bogon [192.168.12.134] (may be forged)
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=<yuer@ABC.COM>, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:01, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=<lisalee@ABC.COM>, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=\\caddie, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:36 mail sendmail[12414]: m5H8QnTw010903: to=caddie512@163.com, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:47, xdelay=00:00:03, mailer=esmtp, pri=429473, relay=163.mxmail.netease.com. [220.181.12.75], dsn=4.0.0, stat=Deferred: 451 DT:SPM mx25, S8CowLBLVgBndVdIamDyFw==.31838S2, please try again 1213691241 http://mail.163.com/help/help_spam_16.htm?ip=-770850491&hostid=mx25&time=1213691241
Jun 17 16:38:54 mail sendmail[30985]: m5H8QnTw010903: to=caddie512@163.com, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:12:05, xdelay=00:00:09, mailer=esmtp, pri=519473, relay=163.mxmail.netease.com. [220.181.12.63], dsn=2.0.0, stat=Sent (Mail OK queued as mx13,P8CowLBbPwMBeFdI9jibFw==.2958S2 1213691914)
caddie is a user on my server, and mail to caddie is always sent on to caddie512@163.com. I asked the user in person, and they have no idea who caddie512 is.
I don't know why caddie@abc.com turns into \\caddie.
Has my server been attacked and turned into a spam relay?
But it doesn't quite look like that, because all the domains involved are big providers like 163 and Yahoo, only a few users are affected, and the external recipients are a fixed handful of addresses at those domains.
It doesn't look like an infected client either, because the mail is already being copied to the third party before it reaches A's mailbox.
I haven't found any unusual processes or ports on the system.
Guys, what should I do? How do I investigate this?
Another example:
Jun 21 08:23:37 mail sendmail[683]: m5L0NPe9000624: to=\\debby, ctladdr=<jerry@ABC.COM> (520/12), delay=00:00:10, xdelay=00:00:00, mailer=local, pri=487090, dsn=2.0.0, stat=Sent
Jun 21 08:35:55 mail sendmail[4278]: m5L0NPe9000624: to=yangping5235@yahoo.com.tw, ctladdr=<jerry@ABC.COM> (520/12), delay=00:12:28, xdelay=00:00:01, mailer=esmtp, pri=577090, relay=mx1.mail.tw.yahoo.com. [203.188.197.9], dsn=4.0.0, stat=Deferred: 421 Message from (my IP) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
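Reading the two logs together: `to=\\caddie` is how sendmail logs a backslash-quoted local recipient (deliver to the local mailbox, do not run alias expansion again), and a single queue ID that fans out into `\\user` plus an external `esmtp` delivery is the shape produced by a `.forward` file or an aliases entry of the form `\user, someone@elsewhere`. That is this editor's reading of the log lines, not something the poster had established. The script below is an added example, not code from the post or from sendmail: it pulls such local/external pairs out of a maillog and then lists off-site targets in `.forward`/aliases files. The domain abc.com, the file paths and all sample log and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post).
# 1) scan a sendmail maillog for queue IDs delivered both to a backslash-
#    quoted local user (to=\\user) and to an external host via esmtp;
# 2) list the off-site targets in .forward / aliases files, which is where
#    that "\user, someone@elsewhere" recipient pair normally comes from.

LOCAL_DOMAIN="abc.com"   # assumption: the site's own mail domain, lower-case

# Constructed sample log, modelled on the post's excerpts (not real traffic).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=<yuer@ABC.COM>, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:01, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=\\caddie, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:36 mail sendmail[12414]: m5H8QnTw010903: to=caddie512@163.com, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:47, xdelay=00:00:03, mailer=esmtp, pri=429473, relay=163.mxmail.netease.com. [220.181.12.75], dsn=4.0.0, stat=Deferred: 451 DT:SPM mx25
Jun 21 08:23:37 mail sendmail[683]: m5L0NPe9000624: to=\\debby, ctladdr=<jerry@ABC.COM> (520/12), delay=00:00:10, xdelay=00:00:00, mailer=local, pri=487090, dsn=2.0.0, stat=Sent
Jun 21 08:35:55 mail sendmail[4278]: m5L0NPe9000624: to=yangping5235@yahoo.com.tw, ctladdr=<jerry@ABC.COM> (520/12), delay=00:12:28, xdelay=00:00:01, mailer=esmtp, pri=577090, relay=mx1.mail.tw.yahoo.com. [203.188.197.9], dsn=4.0.0, stat=Deferred: 421 temporarily deferred
Jun 21 09:10:02 mail sendmail[901]: m5L1A2xx000901: to=<lisalee@ABC.COM>, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
EOF

# Print "QID local_user external_address" for every queue ID whose recipient
# list contains both a backslash-quoted local user and an esmtp delivery.
find_forwarded_pairs() {
    awk '
    /sendmail\[[0-9]+\]: [A-Za-z0-9]+: to=/ {
        qid = $6; sub(/:$/, "", qid)
        to  = $7; sub(/^to=/, "", to); sub(/,$/, "", to); gsub(/[<>]/, "", to)
        if (to ~ /^\\/) {               # "\user": local mailbox, no re-aliasing
            sub(/^\\+/, "", to); loc[qid] = to
        } else if ($0 ~ / mailer=esmtp,/) {
            ext[qid] = to               # relayed on to another host
        }
    }
    END { for (q in loc) if (q in ext) print q, loc[q], ext[q] }
    ' "$1" | LC_ALL=C sort
}

# Print the recipients in a .forward or aliases(5) file that lie outside
# LOCAL_DOMAIN, plus any pipe or :include: entries (those need review too).
external_targets() {
    sed 's/^[A-Za-z0-9._-][A-Za-z0-9._-]*:[[:space:]]*//' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | awk -v dom="$LOCAL_DOMAIN" '
        /^#/ || /^$/            { next }            # comment or blank
        /^["|]/ || /^:include:/ { print; next }     # program or include entry
        index($0, "@")          { n = split($0, a, "@"); if (tolower(a[n]) != dom) print }
    '
}

# Real-world sweep (not run in the demo): the alias map plus every .forward
# under /home (assumed home location; use getent passwd for others).
# A .forward pointing off-site that the user did not write is the finding;
# who could write to that home directory is the next question.
sweep_site() {
    for f in /etc/aliases /home/*/.forward; do
        [ -f "$f" ] || continue
        external_targets "$f" | sed "s|^|$f: |"
    done
}

# Constructed ~caddie/.forward of the kind that would produce log 2 above.
SAMPLE_FORWARD=$(mktemp)
printf '%s\n' '\caddie, caddie512@163.com' >"$SAMPLE_FORWARD"

# Constructed /etc/aliases fragment: one clean entry, one off-site copy.
SAMPLE_ALIASES=$(mktemp)
cat >"$SAMPLE_ALIASES" <<'EOF'
# comment line
yuer: yuer@abc.com
debby: \debby, yangping5235@yahoo.com.tw
EOF

# Demo on the constructed inputs; for real use point the functions at
# /var/log/maillog and call sweep_site instead.
find_forwarded_pairs "$SAMPLE_LOG"
external_targets "$SAMPLE_FORWARD"
external_targets "$SAMPLE_ALIASES"
```

As a cross-check on any user the script flags, `sendmail -bv caddie` prints the full recipient expansion (aliases and `.forward` included), so the off-site address will show up there without sending anything. Note that the `\caddie` part is exactly what a forwarding file needs in order to keep a local copy without looping, which is why it appears alongside the external address in the log.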