Mail Server - Mail System - Mail Technology Forum (BBS)
[Help] Atypical bounces: a flood of spam NDRs got our IP blacklisted!
#1 | Posted 2010-3-11 21:03:35
Over the past two days I suddenly found that the queue on our company's Exchange 2003 server is full of bounces caused by spam, more than 10,000 of them. I have not enabled relaying. Could fellow admins help me work out how to solve this for good?
In Exchange System Manager, under Mailbox Store - Logons, there are many sessions with the logon name EX01-{626CBB9B-45E0-A10E-41DE479D724}; that EX01-{626CBB9B-45E0-A10E-41DE479D724} corresponds to the SystemMailbox of the store.
The spam all seems to come from 82.128.83.11, a Nigerian IP. Hacked from Africa? Dammit!

The sender of every bounce is postmaster@xxxxglobal.cn.
Several hundred of the bounces are addressed to the same person, funshokupolo69@gmail.com <funshokupolo69@gmail.com>; another few hundred go to a different person.

The attachment of each bounce is the original spam message. Every original has the subject "Truth of the matter", and the gist is that the writer wants you to help him move money out of Nigeria and asks you to send him identity documents and a bank account so he can transfer the money into your account. Clearly a scam message.
The senders of the originals all appear to be forged external addresses, and the recipient of the originals shows as None.
* Since neither the sender nor the recipient of the original has anything to do with me, why is my server the one generating the bounce?
For example, the body of a bounce sent to funshokupolo69@gmail.com reads:
This is an automatically generated Delivery Status Notification.
Unable to deliver message to the following recipients, due to being unable to connect successfully to the destination mail server.
       bertsi@cox.net
* Why does a bounce addressed to funshokupolo69@gmail.com say in its body that bertsi@cox.net could not be reached?


Based on experience, I think the following points should be checked:
1. Is the server infected with a trojan or virus?
Conclusion: scanned; no trojan or virus found.
2. Are the clients infected with a trojan or virus?
Conclusion: headquarters has a lot of clients and the branch offices are in other provinces, so checking each one is hard, but judging from the spam's header information it does not come from an internal client.
3. Has some account's password been guessed?
Conclusion: I suspect this is very likely. How do I determine which account was guessed? I remember once seeing how to analyse the system logs to find which user is being abused, but I forget the exact method; I looked at the logs and could not make sense of them.
4. Is someone forging my mail address on another server to send spam, with the bounces coming back to my server?
Conclusion: judging from the header information, this is not that kind of backscatter.

Screenshots of the bounces are attached (it seems images can no longer be uploaded directly, so I zipped them and attached the archive).


Headers of one spam bounce (the blue fields are the bounce's own headers, the purple fields are the headers of the original spam message, which is the bounce's attachment):
From: postmaster@xxxxglobal.cn
To: funshokupolo69@gmail.com
Date: Thu, 11 Mar 2010 15:19:42 +0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob"
X-DSNContext: 7ce717b1 - 1391 - 00000002 - C00402D1
Message-ID:
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail program.

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Unable to deliver message to the following recipients, due to being unable to connect successfully to the destination mail server.

pcat11@gmail.com




--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: message/delivery-status

Reporting-MTA: dns;ex01.xxxxglobal.cn
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Mar 2010 03:45:57 +0800

Final-Recipient: rfc822;pcat11@gmail.com
Action: failed
Status: 4.4.7

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: message/rfc822

Received: from User ([82.128.83.11]) by ex01.xxxxglobal.cn with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 11 Mar 2010 03:45:57 +0800
Reply-To:
From: "funsho Kupolokun"
Subject: Truth of the matter
Date: Thu, 11 Mar 2010 20:49:58 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: funshokupolo69@gmail.com
Message-ID:
X-OriginalArrivalTime: 10 Mar 2010 19:45:58.0171 (UTC) FILETIME=[4E1836B0:01CAC08A]

DEAR CONTACTOR,

AFTER WAITING TO HEAR FROM YOU OR YOUR NIGERIAN PARTNER FOR A LONG TIME NOW, I DECIDED TO MAKE THIS DIRECT APPROACH TO YOU AS MY NEW RESOLUTION IN OTHER NOT TO LET IT BE AS IF I HAVE ANYTHING IN MIND AGAINST YOU. I DO NOT KNOW IF YOU HAVE ASKED YOURSELF WHY EACH TIME THE RELEASE OF THIS FUND IS
APPROVED, ALL OF A SUDDEN, THE PAYMENT WILL BE STOPPED OR ONE PROBLEM OR THE OTHER WILL COME UP IF YOU HAVE NOT ASKED THIS QUESTION OR YOU DO NOT KNOW, THE THIS IS AN OPPORTUNITY FOR ME TO TELL YOU.

SOME TIME AGO, YOUR NIGERIAN FRIENDS, I MEAN THE PEOPLE THAT INTRODUCED YOU TO THE PROJECT APPROACHED ME THROUGH MY DEAR WIFE WHO WORK WITH THE MINISTRY OF FINANCE AND REQUESTED ME TO ASSIST THEM CONCLUDE A MONEY
TRANSFER DEAL THEY HAD WITH YOU. THEY REQUESTED ME TO ASSIST THEM BY REMOVING THE ORIGINAL CONTRACTOR'S NAME,COMPANY'S NAME AND BANK PARTICULARS FROM THE NIGERIA NATIONAL PETROLEUM CORPORATION (NNPC) VETTING COMPUTER AND
REPLACING THEM WITH YOUR NAME AND BANK DETAILS IN ORDER TO MAKE YOU APPEAR AS THE RIGHTFUL BENEFICIARY OF THIS FUND.

I AGREED ON CONDITION THAT THEY WILL PAY ME US$3 MILLION AS SOON AS YOUR NAME APPEARS AS THE BENEFICIARY. I DID AS AGREED AND DEMANDED TO BE PAID,BUT YOUR FRIENDS STARTED TELLING ME STORIES, THEY EVEN TOLD ME YOU PROMISED TO SEND MONEY TO ME.DO YOU KNOW THAT UP TILL NOW, I HAVE NOT RECEIVED A SINGLE CENT FROM THEM AND HAVE NOT SET MY EYES ON ANY OF THEM?
BASED ON THEIR ATTITUDE, I DECIDED TO STOP THE FUND RELEASE MOVEMENT BECAUSE I CANNOT BE DENIED OF MY RIGHT IN MY OWN OFFICE CONSIDERING THE RISK AS IT MIGHT AFFECT MY JOB AND I KNOW THE SOURCE OF THE FUNDS THAT YOU DID NOT EXECUTE ANY CONTRACT IN NIGERIA, ALTHOUGH I AM THE ONLY PERSON PRIVILEGED TO KNOW THIS INFORMATION AND IT IS A FACT.

WHY I AM MAKING THIS CLEAR TO YOU IS THAT I CAN SEE THAT YOU ARE STILL MAKING EFFORTS IN ORDER TO CONCLUDE THIS PROJECT. NOW I AM READY TO FORGET THE PAST. I DO NOT NEED THE US$3 MILLION ANY LONGER FROM YOU BUT A GOOD COMPENSATION FROM YOUR MIND.I NEED YOUR ASSURANCE THAT THOSE COLLEAGUES WILL BE TOTALLY KEPT OUT OF THIS TRANSACTION AND I KNOW THAT NONE OF THEM
IS AWARE OF MY NEW APPROACH TO YOU.STOP SPENDING YOUR MONEY UNNECESSARILY TO CBN OFFICERS HERE BECAUSE YOU WILL NOT RECEIVE THIS MONEY WITHOUT MY HAND IN IT. I PERSONALLY DID THE WORK AT THE BEGINNING AND ONLY ME CAN CONCLUDE IT SUCESSFULLY.

FINALLY, I NEED YOUR PROMISE THAT NO OFFICIAL OF THE CENTRAL BANK OF NIGERIA WILL BE AWARE OF MY INVOLVEMENT IN THIS TRANSACTIONS BECAUSE OF MY POSITION.I WANT YOU TO REASSURE ME THAT YOU WILL BE WILLING TO COMPENSATE ME AND THAT YOU WILL ASSIST MY WIFE TO ESTABLISH A FOREIGN ACCOUNT IN
WHERE MY OWN PERCENTAGE WILL BE LODGED. IF YOU AGREE,I WILL SEND YOU A KTT FUND RELEASE APPROVAL DOCUMENTS FOR YOUR ENDORSEMENT AFTER WHICH YOUR BANK ACCOUNT SHALL BE CREDITED WITHIN 48 HOURS THROUGH GOVERNMENT OF NIGERIA CRUDE OIL RESERVE ACCOUNT.

I AM A MAN OF MY WORD AND IF YOU ARE READY TO CONCLUDE THIS BUSINESS WITH ME,CONTACT ME IMMEDIATELY SO THAT WE CAN HAVE A CHAT OVER THIS ISSUE BUT IF THE REVERSE IS THE CASE,DO NOT BOTHER YOURSELF TO REACH ME AND FORGET ABOUT THIS FULL PAYMENT OF $22.5 MILLION.NOTE THAT THE FUND WILL BE RELEASE
TO YOU THROUGH OUR CRUDE OIL RESERVE ACCOUNT IN THE UNITED KINDOM.

AWAITING YOUR PROMPT COMPLIANCE AND MY BEST REGARDS TO YOUR FAMILY.

YOUR SINCERELY
ENGR.FUNSHO KUPOLOKUN



--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob--




[ This post was last edited by dustsailor on 2010-3-11 21:46 ]
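The two questions in the post (why is my server the one bouncing, and why does a bounce to funshokupolo69@gmail.com mention bertsi@cox.net) are answered by the structure of the DSN itself: the bounce goes to the original message's envelope sender (its Return-Path), and the original's Received header shows who handed the message to ex01. The script below is an added example, not code from the post or from the forum; it parses a trimmed copy of the quoted DSN (constructed here, the long scam body removed) with Python's standard email package and classifies the bounce. The hop-matching rule and the label names are this example's own assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the DSN quoted in the post, keeping the
# same three parts (human-readable text, delivery-status, original message).
SAMPLE_DSN = """\
From: postmaster@xxxxglobal.cn
To: funshokupolo69@gmail.com
Date: Thu, 11 Mar 2010 15:19:42 +0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob"
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: text/plain

This is an automatically generated Delivery Status Notification.

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: message/delivery-status

Reporting-MTA: dns;ex01.xxxxglobal.cn
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Mar 2010 03:45:57 +0800

Final-Recipient: rfc822;pcat11@gmail.com
Action: failed
Status: 4.4.7

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob
Content-Type: message/rfc822

Received: from User ([82.128.83.11]) by ex01.xxxxglobal.cn with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 11 Mar 2010 03:45:57 +0800
Subject: Truth of the matter
Return-Path: funshokupolo69@gmail.com

DEAR CONTACTOR, (scam body trimmed for the example)

--9B095B5ADSN=_01CAA320BD0636E40004F673ex01.xxxxglob--
"""

# "from <helo> ([ip]) by <host>" as written by Microsoft SMTPSVC and most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def split_typed(value):
    """'dns;ex01.example' or 'rfc822;user@example' -> the part after the type tag."""
    return value.split(";", 1)[-1].strip()


def analyse_dsn(raw):
    """Pull the facts that matter out of a multipart/report bounce."""
    msg = message_from_string(raw)
    info = {
        "ndr_to": (msg.get("To") or "").strip(),   # who receives the bounce
        "reporting_mta": None,                     # the server that gave up
        "failed": [],                              # (recipient, enhanced status)
        "hops": [],                                # Received hops of the original
        "return_path": None,                       # envelope sender of the original
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The payload is a list of header blocks: one per-message, then one per recipient.
            for block in part.get_payload():
                if block.get("Reporting-MTA"):
                    info["reporting_mta"] = split_typed(block["Reporting-MTA"])
                if block.get("Final-Recipient"):
                    info["failed"].append((split_typed(block["Final-Recipient"]), block.get("Status")))
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]   # the attached original message
            info["return_path"] = (original.get("Return-Path") or "").strip().strip("<>")
            for received in original.get_all("Received") or []:
                m = RECEIVED_RE.search(received)
                if m:
                    info["hops"].append(m.groupdict())
    return info


def classify(info):
    """Why did OUR server emit this bounce? (labels are this example's own)
    relayed-through-us : our MTA accepted the original directly from an outside
                         client, so the spam was submitted here (open relay or
                         a compromised account), not forged elsewhere.
    submitted-internally: accepted from a private address, i.e. an inside host.
    backscatter-or-unknown: no hop shows our MTA accepting it from a client."""
    mta = (info["reporting_mta"] or "").lower()
    for hop in info["hops"]:
        if hop["by"].lower() == mta:
            client = ipaddress.ip_address(hop["ip"])
            return "submitted-internally" if client.is_private else "relayed-through-us"
    return "backscatter-or-unknown"


if __name__ == "__main__":
    facts = analyse_dsn(SAMPLE_DSN)
    print("bounce goes to      :", facts["ndr_to"])
    print("original Return-Path:", facts["return_path"])
    print("failed recipients   :", facts["failed"])
    print("first hop           :", facts["hops"][0] if facts["hops"] else None)
    print("verdict             :", classify(facts))
```

Run against the real bounces in the queue, the same pattern across thousands of messages (bounce recipient equal to the forged Return-Path, every first hop "by ex01" from the same outside address) is what separates "someone is sending through my server" from "someone forged my address somewhere else".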

#2 | Posted 2010-3-11 23:12:12
I don't know 2003 well.
Is it your mail server that is sending these bounces out?
1. I don't know whether 2003 supports SPF; if it does, add it.
2. Change the anonymous-submission security permissions; check whether relaying is enabled.
3. Consider putting ORF in front to block them and see how it goes (钉子 resells this software).
Give it a try.
#3 | Original poster | Posted 2010-3-11 23:44:59
Thanks tdk!!!
1. I don't know whether 2003 supports SPF; if it does, add it.
It does, and I'm using it.
2. Change the anonymous-submission security permissions; check whether relaying is enabled.
Relaying isn't enabled. How do you configure the anonymous-submission permissions you mention?
3. Consider putting ORF in front to block them and see how it goes (钉子 resells this software).
I won't get budget for that anytime soon; it should be possible to find the root cause without relying on third-party software.
Thanks again!
#4 | Posted 2010-3-12 11:48:20
Someone else is using your server to send spam; you could hide your server!
#5 | Original poster | Posted 2010-3-15 11:13:20
How would I hide it?
#6 | Posted 2010-3-16 19:43:43
I suggest you start looking for the cause from point "3. Has some account's password been guessed?".
#7 | Posted 2010-3-17 14:06:29
Possibly a mail user's password is too simple and someone is relaying through that account. The same thing happened at our company: find that account, change its password, then delete the spam in the queue, and that's it.
       "Administrative Groups" -> "Servers" -> right-click "hostname" Properties -> "Diagnostics Logging" -> "MSExchangeSA" -> "OAL Generator" -> "Maximum". The logs then show which account has the problem.
#8 | Posted 2010-3-17 15:00:55
Possibly a mail user's password is too simple and someone is relaying through that account. The same thing happened at our company: find that account, change its password, then delete the spam in the queue, and that's it.
       "Administrative Groups" -> "Servers" -> right-click "hostname" Properties -> "Diagnostics Logging" -> "MSExchangeSA" -> "OAL Generator" -> "Maximum". The logs then show which account has the problem.
#9 | Posted 2010-3-17 15:02:05
Oops, I clicked the wrong thing just now. cloud6688, the "Administrative Groups" -> "Servers" -> right-click "hostname" Properties -> "Diagnostics Logging" -> " you mentioned...
I can't find it anywhere in Exchange 2003. Frustrating.
#10 | Posted 2010-3-17 15:30:16
It's "MSExchange Transport" -> "Authentication".