qmail 被黑 (可以一起探讨)

csxtu

就像weizhishu 说的一样, 我们的一台 mail server 也频发邮件出去攻击其他的 mail server.
有些被攻击的域名是随机生成的,e.g aaa.com.
ps -aux 看到如下进程信息:
qmailr   31619  0.0  0.0  2532  748 ?        S    13:41   0:00 qmail-remote 12563.com  durio01@12563.com
qmailr     638  0.0  0.0  2532  744 ?        S    13:46   0:00 qmail-remote tmnj7.mary66.net  chgswb1@tmnj7.mary66.net
......................
.......................


用 qmail-remote 发送邮件的帐号 非本地帐号. 接受者也是假的.

先看看 qmail-remote:
qmail-remote - send mail via SMTP

SYNOPSIS
     qmail-remote host sender recip [ recip ... ]

DESCRIPTION
     qmail-remote reads a mail message from its input  and  sends
     the message to one or more recipients at a remote host.

     The remote host  is  qmail-remote's  first  argument,  host.
     qmail-remote  sends  the  message  to  host,  or  to  a mail
     exchanger for host listed in the Domain Name System, via the
     Simple  Mail Transfer Protocol (SMTP).  host can be either a
     fully-qualified domain name:

          silverton.berkeley.edu

     or an IP address enclosed in brackets:

          [128.32.183.163]

     The envelope recipient addresses are listed as  recip  argu-
     ments  to  qmail-remote.   The  envelope  sender  address is
     listed as sender.

     Note that qmail-remote does not take options  and  does  not
     follow the getopt standard.
################################################

我采取了的措施:
给 /etc/tcp.smtp 添加设置,阻止非本地域邮件转发.

但我觉得似乎邮件就是本机直接发出的.
1: 大不分发送帐号所属域不存在.
2:只有接受域,没有接受帐号,(很明显为了攻击该域mail server)

不知道大家有什么好的思路没有........

csxtu

一段qmail的log:

@4000000043a9b631178cb59c starting delivery 18652: msg 3555756 to remote gsgsgsg@ss.com
@4000000043a9b631178cc924 status: local 0/20 remote 2/40
@4000000043a9b6311c802674 delivery 18652: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@4000000043a9b6311c803614 status: local 0/20 remote 1/40
@4000000043a9b6331c6b3ee4 starting delivery 18653: msg 3556183 to remote xbdwjqdpdawgloju@pchome.net
@4000000043a9b6331c6b4e84 status: local 0/20 remote 2/40
@4000000043a9b63c3145b36c delivery 18653: deferral: 202.43.216.28_failed_after_I_sent_the_message./Remote_host_said:_451_mta110.mail
.cnb.yahoo.com_Resources_temporarily_unavailable._Please_try_again_later_[#4.16.5]./
@4000000043a9b63c3145cadc status: local 0/20 remote 1/40
@4000000043a9b645318ca394 starting delivery 18654: msg 3556170 to remote avicer@epatra.com
@4000000043a9b645318cb334 status: local 0/20 remote 2/40

思一克

用qmail-qread结果贴出来我看

csxtu

21 Dec 2005 03:05:06 GMT  #3555606  8390  <>
        remote  gcnetcn@gmail.com
21 Dec 2005 02:21:19 GMT  #3556158  3459  <>
        remote  78g522565@17pop.com
21 Dec 2005 14:11:08 GMT  #3555652  11848  <>
        remote  cslktre6@hyui7.eicp.net
21 Dec 2005 19:33:11 GMT  #3555698  3828  <>
        remote  11@11.net
22 Dec 2005 01:12:49 GMT  #3555721  8569  <>
        remote  gcnetcn@gmail.com
18 Dec 2005 03:45:41 GMT  #3555767  11665  <>
        remote  coreylin@liveq.net
18 Dec 2005 10:35:51 GMT  #3555813  2168  <>
        remote  aa@ss.com
18 Dec 2005 17:22:00 GMT  #3555859  7353  <>
        remote  icxit8@ggrri.88ip.net
19 Dec 2005 11:24:56 GMT  #3555951  17741  <>
        remote  xosjcdzeqtwosoqw@eachnet.com
19 Dec 2005 22:27:09 GMT  #3555997  3417  <>
        remote  56562222fg@esimart.com
20 Dec 2005 04:58:26 GMT  #3556043  3859  <>
        remote  nanw7@pan188.vicp.net
20 Dec 2005 19:40:04 GMT  #3556112  4276  <>
        remote  jetadpro@yahoo.com.cn
20 Dec 2005 10:44:12 GMT  #3556066  5727  <>
        remote  fanny.jnkun@gtvbs.com
20 Dec 2005 23:21:03 GMT  #3556135  8402  <>
        remote  gcnetcn@gmail.com
21 Dec 2005 22:13:37 GMT  #3556181  8390  <>
        remote  gcnetcn@gmail.com

csxtu

remote  yfmj@sina100.com
21 Dec 2005 09:34:32 GMT  #3556182  4377  <>
        remote  zzlx@fjzz-flower.com
21 Dec 2005 13:00:44 GMT  #3555584  2915  <>
        remote  baoyue@ohshit.3322.org
22 Dec 2005 06:06:23 GMT  #3555745  2187  <>
        remote  aaa@aaa.com
20 Dec 2005 21:15:33 GMT  #3556045  6767  <>
        remote  oujyidoqt8@21stone1.eicp.net
18 Dec 2005 11:26:16 GMT  #3555815  4759  <>
        remote  tttttttttt@tttt.com
21 Dec 2005 12:40:02 GMT  #3555631  590000  <>
        remote  pyjj@6h.com.cn
19 Dec 2005 09:13:56 GMT  #3555930  10578  <>
        remote  MING@BESTTEACHER.VICP.NET
18 Dec 2005 14:20:44 GMT  #3555838  3190  <>
        remote  lbcc7@shnn.com
18 Dec 2005 17:42:26 GMT  #3555861  8068  <>
        remote  kigmyx9@ff99.dipns.com
19 Dec 2005 12:52:10 GMT  #3555953  7298  <>
        remote  765jh22gjh@pingtandao.com
20 Dec 2005 14:50:28 GMT  #3555999  13460  <>
        remote  yzzutc12@inhe.net
20 Dec 2005 13:13:46 GMT  #3556091  2223  <>
        remote  baoyue@ohshit.3322.org
21 Dec 2005 06:00:21 GMT  #3556160  10164  <>
        remote  gwtaiwan@lifeq.biz
20 Dec 2005 18:26:30 GMT  #3556022  8240  <>
        remote  ovm3@hyui7.eicp.net
20 Dec 2005 20:11:26 GMT  #3556114  11145  <>
        remote  vhjpbz2@ufmn6.mary66.net
20 Dec 2005 23:44:26 GMT  #3556137  7826  <>
        remote  cnhuange@bxemail.com
21 Dec 2005 19:54:24 GMT  #3555700  12751  <>
        remote  652255@mypufa.com
21 Dec 2005 10:17:36 GMT  #3555654  2082  <>
        remote  1212@12.com

思一克

那是“被黑”吗？

所以你不要自己想当然下结论。

是BOUNCE。关掉无主信BOUNCE。DELETE THEM ALL。

csxtu

请您把原由和解决方法说得清楚点好吗?

来这里,我就是本着学习的态度.

思一克

那你还“一起探讨”？

在QMAILADMIN 中设置delete所有无主信件。

思一克

或者
vi
/home/vpopmail/domains/DOM.COM/.qmail-default
| /home/vpopmail/bin/vdelilvermail '' delete

也可以

xueyan

修改之后，重起qmail，qmail的队列中还是有无头邮件，怎么将他们删除？？？