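Just as weizhishu said, one of our mail servers is also frequently sending out mail to attack other mail servers.
Some of the attacked domain names are randomly generated, e.g. aaa.com.
ps -aux shows the following process information: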
qmailr 31619 0.0 0.0 2532 748 ? S 13:41 0:00 qmail-remote 12563.com durio01@12563.com
qmailr 638 0.0 0.0 2532 744 ? S 13:46 0:00 qmail-remote tmnj7.mary66.net chgswb1@tmnj7.mary66.net
......................
.......................
The accounts sending mail via qmail-remote are not local accounts. The recipients are fake too.
First, a look at qmail-remote:
qmail-remote - send mail via SMTP
SYNOPSIS
qmail-remote host sender recip [ recip ... ]
DESCRIPTION
qmail-remote reads a mail message from its input and sends
the message to one or more recipients at a remote host.
The remote host is qmail-remote's first argument, host.
qmail-remote sends the message to host, or to a mail
exchanger for host listed in the Domain Name System, via the
Simple Mail Transfer Protocol (SMTP). host can be either a
fully-qualified domain name:
silverton.berkeley.edu
or an IP address enclosed in brackets:
[128.32.183.163]
The envelope recipient addresses are listed as recip arguments
to qmail-remote. The envelope sender address is
listed as sender.
Note that qmail-remote does not take options and does not
follow the getopt standard.
################################################
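Measures I have taken:
Added settings to /etc/tcp.smtp to block relaying of mail for non-local domains.
But it seems to me that the mail is being sent directly from this machine itself.
1: The domains that most of the sending accounts belong to do not exist.
2: There is only a recipient domain, no recipient account (obviously in order to attack that domain's mail server).
Does anyone have any good ideas?........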
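An added triage example, not part of the original post: it reads `ps` lines like the ones above according to the quoted synopsis (`qmail-remote host sender recip ...`) and labels each delivery by its envelope sender. The local domain `mail.example.com` and the last two sample lines are constructed assumptions; when only one address is visible it is treated as the recipient, since the synopsis requires at least one.

```python
from collections import Counter

# Constructed sample: the two ps lines quoted in the post, plus two invented
# lines (a local sender, and a non-local sender with an explicit recipient).
SAMPLE_PS = """\
qmailr 31619 0.0 0.0 2532 748 ? S 13:41 0:00 qmail-remote 12563.com durio01@12563.com
qmailr 638 0.0 0.0 2532 744 ? S 13:46 0:00 qmail-remote tmnj7.mary66.net chgswb1@tmnj7.mary66.net
qmailr 702 0.0 0.0 2532 744 ? S 13:47 0:00 qmail-remote example.org alice@mail.example.com bob@example.org
qmailr 703 0.0 0.0 2532 744 ? S 13:48 0:00 qmail-remote example.org x9@aaa.com bob@example.org
"""

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def parse(line):
    """Return (host, sender, recips) per 'qmail-remote host sender recip ...'."""
    _, found, args = line.rstrip().partition("qmail-remote ")
    if not found:
        return None
    fields = args.split(" ")   # split(" ") keeps an empty sender field as ""
    if len(fields) < 2:
        return None
    host, rest = fields[0], fields[1:]
    if len(rest) == 1:
        # One address only: the sender field is empty or its blank was
        # collapsed in display, so the address must be the recipient.
        return host, "", rest
    return host, rest[0], [r for r in rest[1:] if r]

def classify(ps_text, local_domains):
    """Label each qmail-remote process: local, nonlocal-sender or null-sender."""
    out = []
    for line in ps_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        host, sender, recips = parsed
        if sender == "":
            label = "null-sender"   # empty envelope sender, as bounces carry
        elif domain(sender) in local_domains:
            label = "local"
        else:
            label = "nonlocal-sender"
        out.append((label, host, sender, recips))
    return out

if __name__ == "__main__":
    results = classify(SAMPLE_PS, {"mail.example.com"})  # assumed local domain
    print(Counter(label for label, *_ in results))
```

A line with an empty sender and several recipients cannot be told apart from a normal one once the display has collapsed the blank field, so counts from pasted output are a lower bound for `null-sender`.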