I have split my post into 3 parts:
- The headers of the specific Chinese spam mails.
- The screenshot of an overview of the outgoing e-mail queue.
- The qmail logs.
1) The headers of the specific Chinese spam mails.
- My hostname is: server05.hosting.nl
- My IP address is: 182.182.215.13
code:
```
Received: (qmail 5959 invoked by uid 10428); 25 Oct 2008 16:56:26 +0200
Received: from 143.186.18.218.broad.sz.gd.dynamic.163data.com.cn by server05.hosting.nl (envelope-from <bgmsyek@182.182.215.13>, uid 2020) with qmail-scanner-2.02st
 (clamdscan: 0.94/8487. spamassassin: 3.2.5. perlscan: 2.02st.
 Clear:RC:0(218.18.186.143):SA:1(22.2/5.0):.
 Processed in 0.197901 secs); 25 Oct 2008 14:56:26 -0000
X-Spam-Status: Yes, hits=22.2 required=5.0
X-Spam-Level: ++++++++++++++++++++++
Received: from 143.186.18.218.broad.sz.gd.dynamic.163data.com.cn (HELO rwbgmrv) (218.18.186.143)
 by 182.182.215.13 with SMTP; 25 Oct 2008 16:56:23 +0200
From: "xciouagm" <bgmsyek@182.182.215.13>
To: "tianyun" <tianyun@tianyun-cn.com>
Subject: ****SPAM**** HIGH * =?GB2312?B?MjDQ0NX+udzA7cjLhlTI1bOj31zX97K980U=?=
Date: Sat, 25 Oct 2008 22:56:21 +0800
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="----=ins966_8494_337610642.61347"
X-Priority: 3
Message-ID: <122494658510235942@server05.hosting.nl>
```
2) See here a screenshot of the Plesk Queue Manager.
Currently the queue is at 150. The senders are all bgmsyek@182.182.215.13 (my IP).
3) The qmail logs.
code:
```
Oct 25 17:04:29 server05 qmail-scanner[32187]: Clear:RC:0(218.18.186.143):SA:1(22.2/5.0): 0.109395 4385 bgmsyek@182.182.215.13 thou@lexmark.com 2054ÐÐÕþ¹ÜÀíÈËTÈÕ³£ß\×÷²½óE <1224947068102332187@server05.hosting.nl> Xbglri8925.jpg:1668 1224947069.32233-0.server05.hosting.nl:144 orig-server05.hosting.nl122494706779132187:4385 1224947069.32233-1.server05.hosting.nl:573
Oct 25 17:04:29 server05 relaylock: /var/qmail/bin/relaylock: mail from 78.183.20.141:54935 (not defined)
Oct 25 17:04:29 server05 greylist[32247]: IP 78.183.20.141 OK - accepting
Oct 25 17:04:30 server05 qmail: 1224947070.063185 delivery 218: deferral: 61.136.62.87_does_not_like_recipient./Remote_host_said:_450_mailbox_unavailable._(______________)/Giving_up_on_61.136.62.87./
Oct 25 17:04:30 server05 qmail: 1224947070.063222 status: local 0/10 remote 19/20
Oct 25 17:04:30 server05 qmail: 1224947070.063236 starting delivery 224: msg 38601324 to remote tianjg@btamail.net.cn
Oct 25 17:04:30 server05 qmail: 1224947070.063247 status: local 0/10 remote 20/20
Oct 25 17:04:30 server05 qmail-remote-handlers[32248]: Handlers Filter before-remote for qmail started ...
Oct 25 17:04:30 server05 qmail-remote-handlers[32248]: from=bgmsyek@182.182.215.13
Oct 25 17:04:30 server05 qmail-remote-handlers[32248]: to=tianjg@btamail.net.cn
Oct 25 17:04:31 server05 imapd: Connection, ip=[127.0.0.1]
Oct 25 17:04:31 server05 imapd: IMAP connect from @ [127.0.0.1]INFO: LOGIN, user=j.hesse, ip=[127.0.0.1], protocol=IMAP
Oct 25 17:04:31 server05 imapd: 1224947071.541804 LOGOUT, user=j.hesse, ip=[127.0.0.1], headers=0, body=0, rcvd=61, sent=507, maildir=/var/qmail/mailnames/hst-europe.com/j.hesse/Maildir
Oct 25 17:04:31 server05 relaylock: /var/qmail/bin/relaylock: mail from 84.13.130.239:51967 (server05.hosting.nl)
Oct 25 17:04:31 server05 greylist[26957]: IP 84.13.130.239 new - temp error
Oct 25 17:04:31 server05 greylist[26957]: SMTP: connection closed
Oct 25 17:04:32 server05 relaylock: /var/qmail/bin/relaylock: mail from 83.10.44.7:3676 (aciu7.neoplus.adsl.tpnet.pl)
Oct 25 17:04:32 server05 relaylock: /var/qmail/bin/relaylock: mail from 92.81.69.74:60752 (not defined)
Oct 25 17:04:32 server05 greylist[32256]: IP 83.10.44.7 OK - accepting
Oct 25 17:04:32 server05 greylist[32257]: IP 92.81.69.74 back too soon - temp error again
Oct 25 17:04:32 server05 qmail-scanner[32251]: Clear:RC:1(127.0.0.1): 0 1100 root@server05.hosting.nl <> virus_found_in_sent_message_"MSG_ID:42081_I_am_Julia,_27_y.o._Russia_(dating)" server05.hosting.nl122494707279132251-root@server05.hosting.nl quarantine-event.txt:1000
Oct 25 17:04:33 server05 qmail-scanner[32251]: Clear:RC:1(127.0.0.1): 0 1100 root@server05.hosting.nl <> virus_found_in_sent_message_"MSG_ID:42081_I_am_Julia,_27_y.o._Russia_(dating)" server05.hosting.nl122494707279132251-root@server05.hosting.nl quarantine-event.txt:1000
Oct 25 17:04:33 server05 qmail-scanner[32251]: CLAMDSCAN:MSRBL-Images/0-0-wxY:RC:0(78.183.20.141): 0.19995 6979 hdlsteinn@caffarena.cl innerchildr@uea-clan.com MSG_ID:42081_I_am_Julia,_27_y.o._Russia_(dating) <000a01c936b3$01ee9a89$688f728c@srear> 49266_44444.jpg
Oct 25 17:04:33 server05 qmail-scanner[32259]: CLAMDSCAN:Sanesecurity.Spam.88:RC:0(83.10.44.7): 0.108366 1588 snehcrik_1963@tkkt.ru gavriel@superiemand.com Order_online_and_save <111bd3615221433c5beb3e25656dff8e@newsletter.TKKT.ru> server05.hosting.nl122494707279132259-unpacked:1588
Oct 25 17:04:33 server05 qmail: 1224947073.140557 delivery 221: failure: Connected_to_218.30.111.181_but_sender_was_rejected./Remote_host_said:_550_CoremailSys:Domain_in_Mail_from_user_is_illegal./
Oct 25 17:04:33 server05 qmail: 1224947073.140599 status: local 0/10 remote 19/20
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: Handlers Filter before-queue for qmail started ...
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: from=
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: to=bgmsyek@182.182.215.13
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: hook_dir = '/var/qmail//handlers/before-queue'
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: recipient[3] = 'bgmsyek@182.182.215.13'
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: handlers dir = '/var/qmail//handlers/before-queue/recipient/bgmsyek@182.182.215.13'
Oct 25 17:04:33 server05 qmail-queue-handlers[32291]: starter: submitter[32292] exited normally
Oct 25 17:04:33 server05 qmail-scanner[32284]: Clear:RC:1(127.0.0.1): 0.033765 5517 <> bgmsyek@182.182.215.13 failure_notice <1224947073102332284@server05.hosting.nl> orig-server05.hosting.nl122494707379132284:5517 1224947073.32286-0.server05.hosting.nl:5342
Oct 25 17:04:33 server05 qmail: 1224947073.274718 bounce msg 38601322 qp 32284
Oct 25 17:04:33 server05 qmail: 1224947073.274762 end msg 38601322
Oct 25 17:04:33 server05 qmail: 1224947073.274896 starting delivery 225: msg 38601325 to remote tianhuibing@163.com
Oct 25 17:04:33 server05 qmail: 1224947073.274950 status: local 0/10 remote 20/20
Oct 25 17:04:33 server05 qmail: 1224947073.275104 new msg 38601317
Oct 25 17:04:33 server05 qmail: 1224947073.275190 info msg 38601317: bytes 5831 from <> qp 32292 uid 10428
Oct 25 17:04:33 server05 qmail-remote-handlers[32294]: Handlers Filter before-remote for qmail started ...
Oct 25 17:04:33 server05 qmail-remote-handlers[32294]: from=bgmsyek@182.182.215.13
Oct 25 17:04:33 server05 qmail-remote-handlers[32294]: to=tianhuibing@163.com
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: Handlers Filter before-queue for qmail started ...
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: from=bgmsyek@182.182.215.13
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: to=thomson_xu@tom.com
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: hook_dir = '/var/qmail//handlers/before-queue'
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: recipient[3] = 'thomson_xu@tom.com'
Oct 25 17:04:33 server05 qmail-queue-handlers[32306]: handlers dir = '/var/qmail//handlers/before-queue/recipient/thomson_xu@tom.com'
```
Spire_tm: It is indeed about outgoing e-mail from my Linux web server.
Blocking outgoing port 25 obviously does not help. Then customers can no longer e-mail through my server. Besides, it is not even certain that the spam is delivered via port 25, SMTP.
To the others: it is not an open relay server; this has of course been tested.
It looks like the e-mail is accepted because the sender e-mail address passes the check. This is not entirely certain yet.
I am looking for a structurally better solution, so that my server is not repeatedly abused by spammers. Too much backscatter in the form of failure notices is being sent as well.
[ 80% edited by Verwijderd on 25-10-2008 17:12 ]
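As an added example (not code from the post, nor from qmail or Plesk), the pattern visible in the headers and log above turned into a log check: it parses qmail-scanner summary lines and flags messages whose envelope sender claims one of the server's own identities while the connection was not a relay client (RC:0, i.e. RELAYCLIENT was not set), and separately the failure notices addressed back to that forged sender, which only feed the queue. The identities come from the post; the sample log lines are constructed on the model of the post's log.

```python
import re
from collections import Counter

# Identities this server presents as its own (from the post). Mail claiming
# one of them as sender over a non-relay-client connection (RC:0) was not
# submitted by an authenticated customer.
OWN_IDENTITIES = {"182.182.215.13", "server05.hosting.nl"}

# qmail-scanner summary: "<verdict>:RC:<n>(<ip>)[:SA:..]: <secs> <bytes> <from> <to> <subject> ..."
SCANNER_RE = re.compile(
    r"qmail-scanner\[\d+\]: (?P<verdict>.+?):RC:(?P<rc>\d)\((?P<ip>[\d.]+)\)\S*: "
    r"(?P<secs>[\d.]+) (?P<bytes>\d+) (?P<sender>\S+) (?P<rcpt>\S+) (?P<subject>\S+)"
)

def domain_of(addr):
    # '' for the null sender "<>" or a bare local name
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify(line):
    """(kind, peer_ip) for a qmail-scanner line, None for any other line."""
    m = SCANNER_RE.search(line)
    if not m:
        return None
    sender, rcpt, ip = m["sender"], m["rcpt"], m["ip"]
    if sender == "<>" and domain_of(rcpt) in OWN_IDENTITIES:
        # DSN for mail whose forged sender is our own identity: a queue-filling bounce
        return ("bounce-to-forged-sender", ip)
    if (m["rc"] == "0" and domain_of(sender) in OWN_IDENTITIES
            and domain_of(rcpt) not in OWN_IDENTITIES):
        # unauthenticated peer claiming our identity, mail going outbound
        return ("forged-local-sender-relay", ip)
    return ("other", ip)

def summarize(lines):
    kinds, peers = Counter(), Counter()  # peers: IPs behind forged-sender relays
    for hit in filter(None, map(classify, lines)):
        kinds[hit[0]] += 1
        if hit[0] == "forged-local-sender-relay":
            peers[hit[1]] += 1
    return kinds, peers

# Constructed sample lines modelled on the post's log; subjects shortened.
SAMPLE_LOG = [
    "Oct 25 17:04:29 server05 qmail-scanner[32187]: Clear:RC:0(218.18.186.143):SA:1(22.2/5.0): 0.109395 4385 bgmsyek@182.182.215.13 thou@lexmark.com spam_subject <1@server05.hosting.nl>",
    "Oct 25 17:04:33 server05 qmail-scanner[32284]: Clear:RC:1(127.0.0.1): 0.033765 5517 <> bgmsyek@182.182.215.13 failure_notice <2@server05.hosting.nl>",
    "Oct 25 17:04:33 server05 qmail-scanner[32259]: CLAMDSCAN:Sanesecurity.Spam.88:RC:0(83.10.44.7): 0.108366 1588 snehcrik_1963@tkkt.ru gavriel@superiemand.com Order_online_and_save <3@tkkt.ru>",
    "Oct 25 17:05:01 server05 qmail-scanner[32300]: Clear:RC:1(84.13.130.239): 0.050000 2100 klant@klantdomein.example vriend@example.net Hallo <4@server05.hosting.nl>",
    "Oct 25 17:04:30 server05 qmail: 1224947070.063222 status: local 0/10 remote 19/20",
]
```

Running `summarize` over a real `/usr/local/psa/var/log/maillog`-style file gives the peer IPs to confirm whether the "accepted because the sender passes the check" suspicion holds, and how many queue entries are bounces rather than spam.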