Subject: Has the system been hacked? Or does iRedMail have a vulnerability?

Recently many users in our domain have reported that their mail accounts keep receiving "delivery failure" messages from the mail server. The subject of those mails is almost always "发送给hao的金蛋" (roughly "golden egg sent to hao"), but the users never actually sent those messages, and there is no record of them in the sent log or history either.

Below is the content of one of the failure mails:
This is the mail system at host rojao.cn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ouchaoyi@21cn.com>: host mta.21cn.com[59.36.102.50] said: 550
    (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on
    Inbound SMTP server 233! (in reply to RCPT TO command)

There are many similar mails; only the recipient differs.

Experts, what is going on here? Has the system been hacked?

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

First check the mail log (/var/log/maillog) and trace the clues, and check whether any user account is being used to send spam.
It would be best to also paste the output of "postconf -n".

Last edited by brucemioo (2010-10-21 10:49:22)

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

The mail system is mainly used internally by the company, and there are not many people, so nobody would use it to send spam. In the system security log I can see many different IP addresses attempting to log in to the system, but I have not yet seen any successful login records. Right now I feel my mail server has been "hijacked" to send spam.

Attached is the recent maillog; below is the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_name = iRedMail
mail_owner = postfix
mail_version = 0.6.0
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 15728640
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 104857600
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = rojao.cn
myhostname = rojao.cn
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = rojao.cn
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql_transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql_domain_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /opt/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500

Post's attachments

maillog.1.bz2 1.85 mb, 4 downloads since 2010-10-21 

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

No attachment?

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

I made a mistake just now; the attachment is there now.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Could you paste a few sections of the log that you think are problematic directly? Making other people dig through 25M of mail to analyze it for you is too much work.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

I really did not see anything abnormal in the log. Below are the parts I thought looked a bit unusual. The account "hyujrf@rojao.cn" does not exist on my mail server. Some of the addresses involved in the spam:
ouchaoyi@21cn.com
tzjohnson@ketaili.com
anlonchen@linpotech.com
jwdx@zhandou8.com
tzjohnson@ketaili.com
mail.mcit.com.hk
ghetht@telegoal.com.cn
danielkellynr@aol.com
jingchi@vkuw.com
.....
Many more.

Oct 20 14:19:38 rojao postfix/smtpd[7054]: connect from unknown[218.27.126.73]
Oct 20 14:19:38 rojao postfix/trivial-rewrite[7057]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:19:44 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[218.27.126.73]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@mail.jl.cn> to=<hyujrf@rojao.cn> proto=SMTP helo=<aimc.com>
Oct 20 14:19:44 rojao postfix/smtpd[7054]: lost connection after RCPT from unknown[218.27.126.73]
Oct 20 14:19:44 rojao postfix/smtpd[7054]: disconnect from unknown[218.27.126.73]
Oct 20 14:20:05 rojao postfix/smtpd[7054]: connect from unknown[218.249.27.69]
Oct 20 14:20:06 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:11 rojao postfix/smtpd[7054]: 33D779A59E4: client=unknown[218.249.27.69], sasl_method=login, sasl_username=mj@rojao.cn
Oct 20 14:20:11 rojao postfix/cleanup[7060]: 33D779A59E4: message-id=<20101020062011.33D779A59E4@rojao.cn>
Oct 20 14:20:11 rojao postfix/qmgr[2892]: 33D779A59E4: from=<mj@rojao.cn>, size=865, nrcpt=1 (queue active)
Oct 20 14:20:11 rojao postfix/smtpd[7067]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:11 rojao postfix/smtpd[7067]: F08BC9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao postfix/cleanup[7060]: F08BC9A59E5: message-id=<20101020062011.33D779A59E4@rojao.cn>
Oct 20 14:20:11 rojao postfix/qmgr[2892]: F08BC9A59E5: from=<mj@rojao.cn>, size=1275, nrcpt=1 (queue active)
Oct 20 14:20:11 rojao postfix/smtpd[7067]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao amavis[6904]: (06904-02) Passed CLEAN, LOCAL [218.249.27.69] [218.249.27.69] <mj@rojao.cn> -> <ouchaoyi@21cn.com>, Message-ID: <20101020062011.33D779A59E4@rojao.cn>, mail_id: ewImxlGWxTMx, Hits: 5.966, size: 864, queued_as: F08BC9A59E5, 670 ms
Oct 20 14:20:12 rojao postfix/smtp[7064]: 33D779A59E4: to=<ouchaoyi@21cn.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=5.2/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F08BC9A59E5)
Oct 20 14:20:12 rojao postfix/qmgr[2892]: 33D779A59E4: removed
Oct 20 14:20:19 rojao postfix/smtp[7068]: F08BC9A59E5: to=<ouchaoyi@21cn.com>, relay=mta.21cn.com[59.36.102.50]:25, delay=7.8, delays=0/0.01/3.6/4.2, dsn=5.0.0, status=bounced (host mta.21cn.com[59.36.102.50] said: 550 (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on Inbound SMTP server 233! (in reply to RCPT TO command))
Oct 20 14:20:19 rojao postfix/cleanup[7060]: CC41E9A59E6: message-id=<20101020062019.CC41E9A59E6@rojao.cn>
Oct 20 14:20:19 rojao postfix/bounce[7071]: F08BC9A59E5: sender non-delivery notification: CC41E9A59E6
Oct 20 14:20:19 rojao postfix/qmgr[2892]: CC41E9A59E6: from=<>, size=3245, nrcpt=1 (queue active)
Oct 20 14:20:19 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:19 rojao postfix/qmgr[2892]: F08BC9A59E5: removed
Oct 20 14:20:19 rojao postfix/pipe[7072]: CC41E9A59E6: to=<mj@rojao.cn>, relay=dovecot, delay=0.02, delays=0/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:20:19 rojao postfix/qmgr[2892]: CC41E9A59E6: removed
Oct 20 14:21:01 rojao postfix/smtpd[7054]: disconnect from unknown[218.249.27.69]
Oct 20 14:22:17 rojao postfix/smtpd[7054]: connect from unknown[203.198.177.23]
Oct 20 14:22:17 rojao postfix/trivial-rewrite[7084]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:22:23 rojao policyd: connection from: 127.0.0.1 port: 35808 slots: 0 of 2044 used
Oct 20 06:22:23 rojao policyd: rcpt=4221, greylist=new, host=203.198.177.23 (unknown), from=tzjohnson@ketaili.com, to=mcj@rojao.cn, size=1118
Oct 20 14:22:23 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[203.198.177.23]: 450 4.7.1 <mcj@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<tzjohnson@ketaili.com> to=<mcj@rojao.cn> proto=ESMTP helo=<mail.mcit.com.hk>
Oct 20 14:22:23 rojao postfix/smtpd[7054]: disconnect from unknown[203.198.177.23]
Oct 20 14:22:44 rojao postfix/smtpd[7054]: connect from unknown[124.42.91.132]
Oct 20 14:22:44 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:22:50 rojao postfix/smtpd[7054]: 3D9549A59E4: client=unknown[124.42.91.132], sasl_method=login, sasl_username=yan@rojao.cn
Oct 20 14:22:50 rojao postfix/cleanup[7125]: 3D9549A59E4: message-id=<20101020062250.3D9549A59E4@rojao.cn>
Oct 20 14:22:50 rojao postfix/qmgr[2892]: 3D9549A59E4: from=<yan@rojao.cn>, size=896, nrcpt=1 (queue active)
Oct 20 14:22:50 rojao postfix/smtpd[7132]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:22:50 rojao postfix/smtpd[7132]: EACBC9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/cleanup[7125]: EACBC9A59E5: message-id=<20101020062250.3D9549A59E4@rojao.cn>
Oct 20 14:22:50 rojao postfix/qmgr[2892]: EACBC9A59E5: from=<yan@rojao.cn>, size=1318, nrcpt=1 (queue active)
Oct 20 14:22:50 rojao amavis[6949]: (06949-02) Passed CLEAN, LOCAL [124.42.91.132] [124.42.91.132] <yan@rojao.cn> -> <anlonchen@linpotech.com>, Message-ID: <20101020062250.3D9549A59E4@rojao.cn>, mail_id: oWYiqJ0WyxxS, Hits: 5.798, size: 895, queued_as: EACBC9A59E5, 527 ms
Oct 20 14:22:50 rojao postfix/smtpd[7132]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/smtp[7129]: 3D9549A59E4: to=<anlonchen@linpotech.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.1, delays=5.5/0.01/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EACBC9A59E5)
Oct 20 14:22:50 rojao postfix/qmgr[2892]: 3D9549A59E4: removed
Oct 20 14:22:52 rojao postfix/smtp[7133]: EACBC9A59E5: to=<anlonchen@linpotech.com>, relay=mxwcom.263xmail.com[211.150.64.36]:25, delay=1.1, delays=0.01/0.01/0.12/0.97, dsn=2.0.0, status=sent (250 Ok: queued as 41585458)
Oct 20 14:22:52 rojao postfix/qmgr[2892]: EACBC9A59E5: removed
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max connection rate 1/60s for (smtp:211.150.67.12) at Oct 20 14:14:19
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max connection count 1 for (smtp:211.150.67.12) at Oct 20 14:14:19
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max cache size 2 at Oct 20 14:14:30
Oct 20 14:24:39 rojao postfix/smtpd[7151]: connect from unknown[210.72.13.75]
Oct 20 14:24:39 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:24:39 rojao postfix/smtpd[7151]: NOQUEUE: reject: RCPT from unknown[210.72.13.75]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<> to=<hyujrf@rojao.cn> proto=ESMTP helo=<mail.sfn.cn>
Oct 20 14:24:39 rojao postfix/smtpd[7151]: disconnect from unknown[210.72.13.75]
Oct 20 14:27:50 rojao postfix/smtpd[7054]: timeout after END-OF-MESSAGE from unknown[124.42.91.132]
Oct 20 14:27:50 rojao postfix/smtpd[7054]: disconnect from unknown[124.42.91.132]
Oct 20 14:29:05 rojao postfix/smtpd[7054]: connect from unknown[60.22.220.40]
Oct 20 14:29:06 rojao postfix/trivial-rewrite[7188]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:29:21 rojao policyd: connection from: 127.0.0.1 port: 33795 slots: 0 of 2044 used
Oct 20 06:29:21 rojao policyd: rcpt=4222, greylist=new, host=60.22.220.40 (unknown), from=jwdx@zhandou8.com, to=hr@rojao.cn, size=0
Oct 20 14:29:21 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[60.22.220.40]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<jwdx@zhandou8.com> to=<hr@rojao.cn> proto=SMTP helo=<zhandou8.com>
Oct 20 14:29:21 rojao postfix/smtpd[7054]: lost connection after RCPT from unknown[60.22.220.40]
Oct 20 14:29:21 rojao postfix/smtpd[7054]: disconnect from unknown[60.22.220.40]
Oct 20 14:30:02 rojao postfix/smtpd[7054]: connect from unknown[203.198.177.23]
Oct 20 06:30:07 rojao policyd: rcpt=4223, greylist=update, host=203.198.177.23 (unknown), from=tzjohnson@ketaili.com, to=mcj@rojao.cn, size=1118
Oct 20 06:30:07 rojao policyd: rcpt=4223, throttle_rcpt=clear(a), host=203.198.177.23, from=tzjohnson@ketaili.com, to=mcj@rojao.cn, count=0/64(67), threshold=0%
Oct 20 14:30:07 rojao postfix/smtpd[7054]: DD9C39A59E4: client=unknown[203.198.177.23]
Oct 20 14:30:09 rojao postfix/cleanup[7200]: DD9C39A59E4: message-id=<201010200622.o9K6MA2U028673@mail.mcit.com.hk>
Oct 20 14:30:09 rojao postfix/qmgr[2892]: DD9C39A59E4: from=<tzjohnson@ketaili.com>, size=1380, nrcpt=1 (queue active)
Oct 20 14:30:13 rojao postfix/smtpd[7207]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/trivial-rewrite[7208]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:30:13 rojao postfix/smtpd[7207]: 961229A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/cleanup[7200]: 961229A59E5: message-id=<201010200622.o9K6MA2U028673@mail.mcit.com.hk>
Oct 20 14:30:13 rojao postfix/qmgr[2892]: 961229A59E5: from=<tzjohnson@ketaili.com>, size=1780, nrcpt=1 (queue active)
Oct 20 14:30:13 rojao postfix/smtpd[7207]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/trivial-rewrite[7208]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:30:13 rojao amavis[6904]: (06904-03) Passed SPAM, LOCAL [203.198.177.23] [218.249.27.69] <tzjohnson@ketaili.com> -> <mcj@rojao.cn>, quarantine: spam-in0aIiB3KBpu.gz, Message-ID: <201010200622.o9K6MA2U028673@mail.mcit.com.hk>, mail_id: in0aIiB3KBpu, Hits: 17.393, size: 1380, queued_as: 961229A59E5, 4305 ms
Oct 20 14:30:13 rojao postfix/smtp[7203]: DD9C39A59E4: to=<mcj@rojao.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=6.5/0.01/0/4.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 961229A59E5)
Oct 20 14:30:13 rojao postfix/qmgr[2892]: DD9C39A59E4: removed
Oct 20 14:30:13 rojao postfix/pipe[7211]: 961229A59E5: to=<mcj@rojao.cn>, relay=dovecot, delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:30:13 rojao postfix/qmgr[2892]: 961229A59E5: removed
Oct 20 14:32:02 rojao postfix/smtpd[7232]: connect from unknown[120.87.36.13]
Oct 20 14:32:02 rojao postfix/trivial-rewrite[7233]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:32:07 rojao policyd: connection from: 127.0.0.1 port: 57608 slots: 1 of 2044 used
Oct 20 06:32:07 rojao policyd: rcpt=4224, greylist=new, host=120.87.36.13 (unknown), from=ghetht@telegoal.com.cn, to=hr@rojao.cn, size=0
Oct 20 14:32:07 rojao postfix/smtpd[7232]: NOQUEUE: reject: RCPT from unknown[120.87.36.13]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<ghetht@telegoal.com.cn> to=<hr@rojao.cn> proto=ESMTP helo=<telegoal.com.cn>
Oct 20 14:32:08 rojao postfix/smtpd[7232]: disconnect from unknown[120.87.36.13]
Oct 20 14:32:44 rojao postfix/smtpd[7232]: connect from unknown[60.190.243.74]
Oct 20 14:32:44 rojao postfix/trivial-rewrite[7238]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:32:49 rojao postfix/smtpd[7232]: 6A47A9A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=llj@rojao.cn
Oct 20 14:32:49 rojao postfix/cleanup[7239]: 6A47A9A59E4: message-id=<20101020063249.6A47A9A59E4@rojao.cn>
Oct 20 14:32:49 rojao postfix/qmgr[2892]: 6A47A9A59E4: from=<llj@rojao.cn>, size=866, nrcpt=1 (queue active)
Oct 20 14:32:51 rojao postfix/smtpd[7246]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/trivial-rewrite[7238]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:32:51 rojao postfix/smtpd[7246]: DAF839A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/cleanup[7239]: DAF839A59E5: message-id=<20101020063249.6A47A9A59E4@rojao.cn>
Oct 20 14:32:51 rojao postfix/qmgr[2892]: DAF839A59E5: from=<llj@rojao.cn>, size=1274, nrcpt=1 (queue active)
Oct 20 14:32:51 rojao amavis[6949]: (06949-03) Passed CLEAN, LOCAL [60.190.243.74] [60.190.243.74] <llj@rojao.cn> -> <cyongc@yahoo.com>, Message-ID: <20101020063249.6A47A9A59E4@rojao.cn>, mail_id: iJH+NNnyK8AY, Hits: 5.882, size: 865, queued_as: DAF839A59E5, 2408 ms
Oct 20 14:32:51 rojao postfix/smtpd[7246]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/smtp[7243]: 6A47A9A59E4: to=<cyongc@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.5, delays=5.1/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DAF839A59E5)
Oct 20 14:32:51 rojao postfix/qmgr[2892]: 6A47A9A59E4: removed
Oct 20 14:32:57 rojao postfix/smtp[7247]: DAF839A59E5: to=<cyongc@yahoo.com>, relay=e.mx.mail.yahoo.com[67.195.168.230]:25, delay=5.4, delays=0.01/0.01/1.5/3.9, dsn=2.0.0, status=sent (250 ok dirdel)
Oct 20 14:32:57 rojao postfix/qmgr[2892]: DAF839A59E5: removed
Oct 20 14:34:09 rojao postfix/smtpd[7232]: disconnect from unknown[60.190.243.74]
Oct 20 14:34:10 rojao postfix/smtpd[7054]: disconnect from unknown[203.198.177.23]
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max connection rate 1/60s for (smtp:210.72.13.75) at Oct 20 14:24:39
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max connection count 1 for (smtp:210.72.13.75) at Oct 20 14:24:39
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max cache size 3 at Oct 20 14:32:44
Oct 20 14:34:52 rojao roundcube: [20-Oct-2010 14:34:52 +0800]: Successful login for mj@rojao.cn (id 3) from 58.62.85.167
Oct 20 14:46:56 rojao postfix/qmgr[2892]: E60889A59E1: from=<mj@rojao.cn>, size=1309, nrcpt=1 (queue active)
Oct 20 14:46:58 rojao postfix/smtp[7416]: E60889A59E1: host mailin-03.mx.aol.com[64.12.137.169] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:46:59 rojao postfix/smtp[7416]: E60889A59E1: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:01 rojao postfix/smtp[7416]: E60889A59E1: host mailin-04.mx.aol.com[205.188.157.18] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:02 rojao postfix/smtp[7416]: E60889A59E1: host mailin-02.mx.aol.com[64.12.90.65] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:04 rojao postfix/smtp[7416]: E60889A59E1: to=<danielkellynr@aol.com>, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=25545, delays=25538/0.02/7.8/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56)
Oct 20 14:48:00 rojao postfix/smtpd[7426]: connect from unknown[60.190.243.74]
Oct 20 14:48:00 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:06 rojao postfix/smtpd[7426]: 50BA39A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=zfs@rojao.cn
Oct 20 14:48:06 rojao postfix/cleanup[7430]: 50BA39A59E4: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: 50BA39A59E4: from=<zfs@rojao.cn>, size=880, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtpd[7437]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:06 rojao postfix/smtpd[7437]: CAF9B9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao postfix/cleanup[7430]: CAF9B9A59E5: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: CAF9B9A59E5: from=<zfs@rojao.cn>, size=1300, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtpd[7437]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao amavis[6904]: (06904-04) Passed CLEAN, LOCAL [60.190.243.74] [60.190.243.74] <zfs@rojao.cn> -> <eric.chang@meiloon.com>, Message-ID: <20101020064806.50BA39A59E4@rojao.cn>, mail_id: yCMvo5MZbvo5, Hits: 4.558, size: 879, queued_as: CAF9B9A59E5, 448 ms
Oct 20 14:48:06 rojao postfix/smtp[7434]: 50BA39A59E4: to=<eric.chang@meiloon.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6, delays=5.5/0.01/0/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CAF9B9A59E5)
Oct 20 14:48:06 rojao postfix/qmgr[2892]: 50BA39A59E4: removed
Oct 20 14:48:15 rojao postfix/smtpd[7438]: connect from unknown[202.102.188.177]
Oct 20 14:48:15 rojao postfix/trivial-rewrite[7429]: warning: do not list domain ROJAO.CN in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:17 rojao postfix/smtpd[7439]: connect from unknown[120.192.100.60]
Oct 20 14:48:19 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:48:26 rojao policyd: connection from: 127.0.0.1 port: 39956 slots: 0 of 2044 used
Oct 20 06:48:26 rojao policyd: rcpt=4225, greylist=new, host=202.102.188.177 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 14:48:26 rojao postfix/smtpd[7438]: NOQUEUE: reject: RCPT from unknown[202.102.188.177]: 450 4.7.1 <HR@ROJAO.CN>: Recipient address rejected: Policy Rejection- Please try later.; from=<jingchi@vkuw.com> to=<HR@ROJAO.CN> proto=ESMTP helo=<vkuw.com>
Oct 20 14:48:26 rojao postfix/smtpd[7438]: lost connection after RCPT from unknown[202.102.188.177]
Oct 20 14:48:26 rojao postfix/smtpd[7438]: disconnect from unknown[202.102.188.177]
Oct 20 06:48:30 rojao policyd: connection from: 127.0.0.1 port: 39957 slots: 1 of 2044 used
Oct 20 06:48:30 rojao policyd: rcpt=4226, greylist=new, host=120.192.100.60 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 14:48:30 rojao postfix/smtpd[7439]: NOQUEUE: reject: RCPT from unknown[120.192.100.60]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<jingchi@vkuw.com> to=<hr@rojao.cn> proto=SMTP helo=<vkuw.com>
Oct 20 14:48:30 rojao postfix/smtpd[7439]: lost connection after RCPT from unknown[120.192.100.60]
Oct 20 14:48:30 rojao postfix/smtpd[7439]: disconnect from unknown[120.192.100.60]
Oct 20 14:48:38 rojao postfix/smtp[7416]: CAF9B9A59E5: to=<eric.chang@meiloon.com>, relay=mailsqr.meiloon.com[210.66.151.235]:25, delay=31, delays=0.01/0/25/6.3, dsn=5.0.0, status=bounced (host mailsqr.meiloon.com[210.66.151.235] said: 500 5.0.0 Service unavailable (in reply to end of DATA command))
Oct 20 14:48:38 rojao postfix/cleanup[7430]: 193929A59E6: message-id=<20101020064838.193929A59E6@rojao.cn>
Oct 20 14:48:38 rojao postfix/bounce[7440]: CAF9B9A59E5: sender non-delivery notification: 193929A59E6
Oct 20 14:48:38 rojao postfix/qmgr[2892]: 193929A59E6: from=<>, size=3161, nrcpt=1 (queue active)
Oct 20 14:48:38 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:38 rojao postfix/qmgr[2892]: CAF9B9A59E5: removed
Oct 20 14:48:38 rojao postfix/pipe[7441]: 193929A59E6: to=<zfs@rojao.cn>, relay=dovecot, delay=0.02, delays=0/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:48:38 rojao postfix/qmgr[2892]: 193929A59E6: removed
Oct 20 14:49:09 rojao postfix/smtpd[7426]: disconnect from unknown[60.190.243.74]
Oct 20 14:50:38 rojao postfix/smtpd[7426]: connect from unknown[209.85.161.170]
Oct 20 06:50:46 rojao policyd: connection from: 127.0.0.1 port: 58164 slots: 0 of 2044 used
Oct 20 06:50:46 rojao policyd: rcpt=4227, greylist=new, host=209.85.161.170 (unknown), from=cola913@gmail.com, to=zfs@rojao.cn, size=0
Oct 20 14:50:46 rojao postfix/smtpd[7426]: NOQUEUE: reject: RCPT from unknown[209.85.161.170]: 450 4.7.1 <zfs@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<cola913@gmail.com> to=<zfs@rojao.cn> proto=ESMTP helo=<mail-gx0-f170.google.com>
Oct 20 14:50:46 rojao postfix/smtpd[7426]: disconnect from unknown[209.85.161.170]
Oct 20 14:53:11 rojao postfix/smtpd[7471]: connect from unknown[202.96.74.114]
Oct 20 14:53:12 rojao postfix/trivial-rewrite[7473]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:17 rojao postfix/smtpd[7471]: NOQUEUE: reject: RCPT from unknown[202.96.74.114]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@online.ln.cn> to=<hyujrf@rojao.cn> proto=SMTP helo=<online.ln.cn>
Oct 20 14:53:17 rojao postfix/smtpd[7471]: lost connection after RCPT from unknown[202.96.74.114]
Oct 20 14:53:17 rojao postfix/smtpd[7471]: disconnect from unknown[202.96.74.114]
Oct 20 14:53:34 rojao postfix/smtpd[7471]: connect from unknown[120.192.100.60]
Oct 20 14:53:36 rojao postfix/trivial-rewrite[7474]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:53:46 rojao policyd: connection from: 127.0.0.1 port: 58179 slots: 0 of 2044 used
Oct 20 06:53:46 rojao policyd: rcpt=4228, greylist=update, host=120.192.100.60 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 06:53:46 rojao policyd: rcpt=4228, throttle_rcpt=update(a), host=120.192.100.60, from=jingchi@vkuw.com, to=hr@rojao.cn, count=2/64(454), threshold=1%
Oct 20 14:53:46 rojao postfix/smtpd[7471]: D765A9A59E4: client=unknown[120.192.100.60]
Oct 20 14:53:48 rojao postfix/cleanup[7478]: D765A9A59E4: message-id=<20101020065346.D765A9A59E4@rojao.cn>
Oct 20 14:53:48 rojao postfix/qmgr[2892]: D765A9A59E4: from=<jingchi@vkuw.com>, size=16476, nrcpt=1 (queue active)
Oct 20 14:53:49 rojao postfix/smtpd[7471]: disconnect from unknown[120.192.100.60]
Oct 20 14:53:53 rojao postfix/smtpd[7487]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/trivial-rewrite[7488]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:53 rojao postfix/smtpd[7487]: CAA0A9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/cleanup[7478]: CAA0A9A59E5: message-id=<20101020065346.D765A9A59E4@rojao.cn>
Oct 20 14:53:53 rojao postfix/qmgr[2892]: CAA0A9A59E5: from=<jingchi@vkuw.com>, size=16874, nrcpt=1 (queue active)
Oct 20 14:53:53 rojao postfix/smtpd[7487]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/trivial-rewrite[7488]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:53 rojao amavis[6949]: (06949-04) Passed SPAM, LOCAL [120.192.100.60] [120.192.100.60] <jingchi@vkuw.com> -> <hr@rojao.cn>, quarantine: spam-l7QRH6AbeyUz.gz, Message-ID: <20101020065346.D765A9A59E4@rojao.cn>, mail_id: l7QRH6AbeyUz, Hits: 17.704, size: 16476, queued_as: CAA0A9A59E5, 4850 ms
Oct 20 14:53:53 rojao postfix/smtp[7482]: D765A9A59E4: to=<hr@rojao.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=13/0.01/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CAA0A9A59E5)
Oct 20 14:53:53 rojao postfix/qmgr[2892]: D765A9A59E4: removed
Oct 20 14:53:53 rojao postfix/pipe[7489]: CAA0A9A59E5: to=<hr@rojao.cn>, relay=dovecot, delay=0.02, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:53:53 rojao postfix/qmgr[2892]: CAA0A9A59E5: removed
Oct 20 14:54:01 rojao postfix/smtpd[7471]: connect from unknown[124.192.161.31]
Oct 20 14:54:17 rojao postfix/smtpd[7471]: NOQUEUE: reject: RCPT from unknown[124.192.161.31]: 450 4.1.8 <MAILER-DAEMON@root.domain>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@root.domain> to=<hyujrf@rojao.cn> proto=ESMTP helo=<dfhinfo.com.cn>
Oct 20 14:54:17 rojao postfix/smtpd[7471]: disconnect from unknown[124.192.161.31]
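The log excerpt above already contains the two indicators worth pulling out automatically when a mail server is suspected of relaying spam through stolen SASL credentials: one account authenticating from several unrelated public IPs within minutes (mj@rojao.cn submits via SMTP from 218.249.27.69, then logs in to Roundcube from 58.62.85.167), and one public IP authenticating as several different accounts (60.190.243.74 submits as llj@rojao.cn and then as zfs@rojao.cn). The script below is an added example, not part of the original thread or of iRedMail; it parses Postfix `sasl_username=` lines and Roundcube login lines and reports both patterns. The sample log is a handful of lines copied from the excerpt above plus one constructed line for hr@rojao.cn from an assumed office network 192.168.0.0/16, which is treated as trusted so that normal internal logins are not flagged.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd line written when a client authenticated with SASL before submitting mail.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[\d.]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)
# Roundcube webmail login line as it appears in the same maillog on this server.
ROUNDCUBE_RE = re.compile(
    r"roundcube: \[[^\]]+\]: Successful login for (?P<user>\S+) \(id \d+\) from (?P<ip>[\d.]+)"
)

# Sample input: lines taken from the log excerpt in the thread, plus one CONSTRUCTED line
# (hr@rojao.cn from 192.168.1.20) standing in for a legitimate login from the office LAN.
SAMPLE_LOG = """\
Oct 20 14:19:44 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[218.27.126.73]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@mail.jl.cn> to=<hyujrf@rojao.cn> proto=SMTP helo=<aimc.com>
Oct 20 14:20:11 rojao postfix/smtpd[7054]: 33D779A59E4: client=unknown[218.249.27.69], sasl_method=login, sasl_username=mj@rojao.cn
Oct 20 14:22:50 rojao postfix/smtpd[7054]: 3D9549A59E4: client=unknown[124.42.91.132], sasl_method=login, sasl_username=yan@rojao.cn
Oct 20 14:32:49 rojao postfix/smtpd[7232]: 6A47A9A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=llj@rojao.cn
Oct 20 14:34:52 rojao roundcube: [20-Oct-2010 14:34:52 +0800]: Successful login for mj@rojao.cn (id 3) from 58.62.85.167
Oct 20 14:48:06 rojao postfix/smtpd[7426]: 50BA39A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=zfs@rojao.cn
Oct 20 15:01:02 rojao postfix/smtpd[7601]: 0A1B2C3D4E5: client=pc-hr.rojao.cn[192.168.1.20], sasl_method=login, sasl_username=hr@rojao.cn
"""


def parse_logins(lines):
    """Yield (service, user, ip, queue_id) for every successful authentication in the log."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield ("smtp", m["user"], m["ip"], m["qid"])
            continue
        m = ROUNDCUBE_RE.search(line)
        if m:
            yield ("roundcube", m["user"], m["ip"], None)
        # Unauthenticated traffic (NOQUEUE rejects, inbound MX deliveries) is ignored on purpose:
        # the question is which credentials were accepted, not who knocked on the door.


def index_logins(events):
    """Build the two inverted indexes: user -> source IPs and source IP -> users."""
    by_user = defaultdict(set)
    by_ip = defaultdict(set)
    for _service, user, ip, _qid in events:
        by_user[user].add(ip)
        by_ip[ip].add(user)
    return by_user, by_ip


def find_indicators(lines, trusted_nets=(), min_ips_per_user=2, min_users_per_ip=2):
    """Return accounts seen from several untrusted IPs and untrusted IPs seen as several accounts.

    trusted_nets lists CIDR ranges (office LAN, VPN) whose logins are never counted as suspicious.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def untrusted(ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in n for n in nets)

    by_user, by_ip = index_logins(parse_logins(lines))
    roaming_users = {
        user: sorted(ips)
        for user, ips in by_user.items()
        if len({ip for ip in ips if untrusted(ip)}) >= min_ips_per_user
    }
    shared_ips = {
        ip: sorted(users)
        for ip, users in by_ip.items()
        if untrusted(ip) and len(users) >= min_users_per_ip
    }
    return {"roaming_users": roaming_users, "shared_ips": shared_ips}


if __name__ == "__main__":
    report = find_indicators(SAMPLE_LOG.splitlines(), trusted_nets=("192.168.0.0/16", "127.0.0.0/8"))
    for user, ips in report["roaming_users"].items():
        print(f"account {user} authenticated from {len(ips)} IPs: {', '.join(ips)}")
    for ip, users in report["shared_ips"].items():
        print(f"IP {ip} authenticated as {len(users)} accounts: {', '.join(users)}")
```

Run against a full maillog (`python3 sasl_audit.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin`), the same two indexes also answer the poster's own question: every outbound message an account "never sent" will have a `sasl_username=` line with a queue ID, and the client IP on that line is where the credential was used from. An account flagged under `roaming_users` should have its password reset and its sessions re-authenticated before the queue is cleaned, or the spammer simply logs back in.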

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

The log clearly shows it was sent from your local server to ouchaoyi@21cn.com:

Oct 20 14:20:11 rojao amavis[6904]: (06904-02) Passed CLEAN, LOCAL [218.249.27.69] [218.249.27.69] <mj@rojao.cn> -> <ouchaoyi@21cn.com>, Message-ID: <20101020062011.33D779A59E4@rojao.cn>, mail_id: ewImxlGWxTMx, Hits: 5.966, size: 864, queued_as: F08BC9A59E5, 670 ms

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

The problem is that the users on my mail system never sent these mails; of that I am certain!
From the sending times and IP addresses you can see that those mails were not sent by the owners of the accounts.

Also, the account hyujrf@rojao.cn does not exist on my mail server. Could someone have created this account, sent spam with it, and then deleted it? If so, the system should have log records of that, but I have not found any such log entries.

In the system security log I can see countless attempts to log in to the mail system, but they all failed.

I just checked the database and did not find any abnormal records either.

What other causes could there be??

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Below is the whitelist information from the database. These records were initialized at install time, right? Are there any records that were not part of the initialization??

mysql> select * from whitelist ;
+-----------------+--------------------------------------------------------------+------------+
| _whitelist      | _description                                                 | _expire    |
+-----------------+--------------------------------------------------------------+------------+
| 127.%.%.%       | # localhost                                                  |          0 |
| 192.168.%.%     | # private netblock                                           |          0 |
| 10.%.%.%        | # private netblock                                           |          0 |
| 12.5.136.141    | # Southwest Airlines (unique sender, no retry)               |          0 |
| 12.5.136.142    | # Southwest Airlines (unique sender, no retry)               |          0 |
| 12.107.209.244  | # kernel.org mailing lists (high traffic, unique sender per  |          0 |
| 12.107.209.250  | # sourceware.org mailing lists (high traffic, unique sender  |          0 |
| 63.82.37.110    | # SLmail                                                     |          0 |
| 64.7.153.18     | # sentex.ca (common pool)                                    |          0 |
| 64.12.137.%     | # AOL (common pool) - http://postmaster.aol.com/servers/imo. |          0 |
| 64.12.138.%     | # AOL (common pool)                                          |          0 |
| 64.124.204.39   | # moveon.org (unique sender per attempt)                     |          0 |
| 64.125.132.254  | # collab.net (unique sender per attempt)                     |          0 |
| 64.233.170.%    | # gmail (common server pool)                                 |          0 |
| 65.82.241.160   | # Groupwise?                                                 |          0 |
| 66.100.210.82   | # Groupwise?                                                 |          0 |
| 66.135.209.%    | # Ebay (for time critical alerts)                            |          0 |
| 66.135.197.%    | # Ebay (common pool)                                         |          0 |
| 66.162.216.166  | # Groupwise?                                                 |          0 |
| 66.206.22.82    | # PLEXOR                                                     |          0 |
| 66.206.22.83    | # PLEXOR                                                     |          0 |
| 66.206.22.84    | # PLEXOR                                                     |          0 |
| 66.206.22.85    | # PLEXOR                                                     |          0 |
| 66.218.66.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.218.67.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.218.69.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.27.51.218    | # ljbtc.com (Groupwise)                                      |          0 |
| 66.89.73.101    | # Groupwise?                                                 |          0 |
| 68.15.115.88    | # Groupwise?                                                 |          0 |
| 194.245.101.88  | # Joker.com (email forwarding server)                        |          0 |
| 195.235.39.19   | # Tid InfoMail Exchanger v2.20                               |          0 |
| 195.238.2.105   | # skynet.be (wierd retry pattern)                            |          0 |
| 195.238.2.124   | # skynet.be (common pool)                                    |          0 |
| 195.238.3.12    | # skynet.be (common pool)                                    |          0 |
| 195.238.3.13    | # skynet.be (common pool)                                    |          0 |
| 204.60.8.162    | # Groupwise?                                                 |          0 |
| 204.107.120.10  | # Ameritrade (no retry)                                      |          0 |
| 205.188.139.136 | # AOL (common pool)                                          |          0 |
| 205.188.139.137 | # AOL (common pool)                                          |          0 |
| 205.188.144.207 | # AOL (common pool)                                          |          0 |
| 205.188.144.208 | # AOL (common pool)                                          |          0 |
| 205.188.156.66  | # AOL (common pool)                                          |          0 |
| 205.188.157.%   | # AOL (common pool)                                          |          0 |
| 205.188.159.7   | # AOL (common pool)                                          |          0 |
| 205.206.231.%   | # SecurityFocus.com (unique sender per attempt)              |          0 |
| 205.211.164.50  | # sentex.ca (common pool)                                    |          0 |
| 207.115.63.%    | # Prodigy (broken software that retries continually with no  |          0 |
| 207.171.168.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.180.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.187.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.188.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.190.%   | # Amazon.com (common pool)                                   |          0 |
| 213.136.52.31   | # Mysql.com (unique sender)                                  |          0 |
| 216.136.226.0   | # Yahoo Mail?                                                |          0 |
| 216.157.204.5   | # Groupwise?                                                 |          0 |
| 217.158.50.178  | # AXKit mailing list (unique sender per attempt)             |          0 |
| 209.237.227.%   | # SpamAssassin mailing list                                  |          0 |
| 66.35.250.%     | # lists.sourceforge.net                                      |          0 |
| 196.25.240.%    | # saix.net                                                   |          0 |
| 196.4.160.%     | # internet solutions (business smtp)                         |          0 |
| 196.35.77.%     | # internet solutions (dialup smtp)                           |          0 |
| 196.25.69.%     | # telkom                                                     |          0 |
| 196.2.50.%      | # mweb (dialup smtp)                                         |          0 |
| 196.2.49.%      | # mweb (business smtp)                                       |          0 |
| 196.2.24.%      | # mweb (business smtp)                                       |          0 |
| 220.181.13.174  | # autowhitelisted host                                       | 1280893202 |
| 116.254.203.60  | # autowhitelisted host                                       | 1281490617 |
| 220.181.12.11   | # autowhitelisted host                                       | 1281605003 |
| 119.147.10.244  | # autowhitelisted host                                       | 1281684453 |
| 211.150.67.10   | # autowhitelisted host                                       | 1281938021 |
| 220.181.13.40   | # autowhitelisted host                                       | 1281950081 |
| 211.150.100.26  | # autowhitelisted host                                       | 1282576219 |
| 220.181.15.5    | # autowhitelisted host                                       | 1282808364 |
| 220.181.13.113  | # autowhitelisted host                                       | 1283144306 |
| 220.181.12.12   | # autowhitelisted host                                       | 1283424245 |
| 123.125.50.111  | # autowhitelisted host                                       | 1283486536 |
| 119.147.10.226  | # autowhitelisted host                                       | 1283495975 |
| 210.51.25.227   | # autowhitelisted host                                       | 1283744805 |
| 220.181.15.134  | # autowhitelisted host                                       | 1283828790 |
| 211.150.67.12   | # autowhitelisted host                                       | 1283830432 |
| 220.181.13.193  | # autowhitelisted host                                       | 1283837813 |
| 220.181.15.138  | # autowhitelisted host                                       | 1284458437 |
| 119.147.10.233  | # autowhitelisted host                                       | 1284540118 |
| 220.181.13.172  | # autowhitelisted host                                       | 1284609339 |
| 116.228.35.190  | # autowhitelisted host                                       | 1285147946 |
| 220.181.15.89   | # autowhitelisted host                                       | 1285313938 |
| 123.125.50.110  | # autowhitelisted host                                       | 1285641728 |
| 211.150.67.16   | # autowhitelisted host                                       | 1286000309 |
| 116.213.96.125  | # autowhitelisted host                                       | 1286008392 |
| 220.181.13.176  | # autowhitelisted host                                       | 1286076968 |
| 220.181.15.74   | # autowhitelisted host                                       | 1286239501 |
| 220.181.12.14   | # autowhitelisted host                                       | 1286333837 |
| 220.181.13.189  | # autowhitelisted host                                       | 1287118637 |
| 119.147.10.250  | # autowhitelisted host                                       | 1287310347 |
| 123.125.50.135  | # autowhitelisted host                                       | 1287643547 |
| 220.181.13.31   | # autowhitelisted host                                       | 1287664553 |
| 202.108.3.163   | # autowhitelisted host                                       | 1287714334 |
| 58.60.63.22     | # autowhitelisted host                                       | 1288076509 |
+-----------------+--------------------------------------------------------------+------------+


mysql> select * from whitelist_dnsname;
+-------------+----------------------------------------------------+---------+
| _whitelist  | _description                                       | _expire |
+-------------+----------------------------------------------------+---------+
| bigfish.com | # bigfish.com has smtp servers behind multiple ips |       0 |
+-------------+----------------------------------------------------+---------+
1 row in set (0.00 sec)

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

These were added automatically when policyd was installed.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Putting everything together, my preliminary conclusion is that someone has "hijacked" my mail server as a "spam generator", i.e. they are sending spam outward through legitimate user accounts on my server, which is why legitimate mail users receive those bounce messages for spam they never sent.

The harder question now is: how do I find, trace and fix this?

The system runs RedHat Linux 5, and I am rather short on Linux security knowledge, so I would appreciate help from experts in this area.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

You could consider this:
http://www.iredmail.org/wiki/index.php? … g.Messages

Log the subject, recipient and sender of every message sent and received into MySQL, to make analysis easier.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

brucemioo wrote:

Recently many users in our domain have reported that their mail accounts frequently receive "delivery failed" messages from the mail server. The subject is almost always “发送给hao的金蛋” (“golden egg sent to hao”), but the users never sent those messages, and there is no record of them in the sending logs or history.

Below is the content of one of the failure messages:
This is the mail system at host rojao.cn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ouchaoyi@21cn.com>: host mta.21cn.com[59.36.102.50] said: 550
    (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on
    Inbound SMTP server 233! (in reply to RCPT TO command)

There are many similar messages, differing only in the recipient.

Experts, what is going on here? Has the system been hacked?

My mail server has had the same issue for about a week. I had not paid much attention to it, but now I need to take a look! Which version of iRedMail is the OP using?

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

This looks like an infected client machine that is using the mail client to send mail.

http://www.google.com.hk/search?client= … 1%E8%9B%8B

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

tao wrote:
brucemioo wrote:

Recently many users in our domain have reported that their mail accounts frequently receive "delivery failed" messages from the mail server. The subject is almost always “发送给hao的金蛋” (“golden egg sent to hao”), but the users never sent those messages, and there is no record of them in the sending logs or history.

Below is the content of one of the failure messages:
This is the mail system at host rojao.cn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ouchaoyi@21cn.com>: host mta.21cn.com[59.36.102.50] said: 550
    (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on
    Inbound SMTP server 233! (in reply to RCPT TO command)

There are many similar messages, differing only in the recipient.

Experts, what is going on here? Has the system been hacked?

My mail server has had the same issue for about a week. I had not paid much attention to it, but now I need to take a look! Which version of iRedMail is the OP using?


0.6.0

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

It now looks quite likely that a mail client is infected!

Another thing that puzzles me a lot is that the account hyujrf@rojao.cn does not exist on my mail server, yet maillog shows many spam messages sent from it. The more likely explanation is that the spam sent out by the infected client simply uses this account as the sender address, so the account does not actually exist on the system even though maillog contains many entries for it.

It looks like I should start by checking the mail clients.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

brucemioo wrote:

It now looks quite likely that a mail client is infected!

Another thing that puzzles me a lot is that the account hyujrf@rojao.cn does not exist on my mail server, yet maillog shows many spam messages sent from it. The more likely explanation is that the spam sent out by the infected client simply uses this account as the sender address, so the account does not actually exist on the system even though maillog contains many entries for it.

It looks like I should start by checking the mail clients.

My system, installed only a few days ago, has this problem too.
Be careful about system security:
as soon as iRedMail is installed, people start trying to break into the system,
especially via SSH and phpMyAdmin.
I have installed it N times,
and in the log I can see thousands of password attempts in a single day.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Yesterday I changed the mail clients and the passwords of the mail accounts; today I found there are still records of that “送给hao的金蛋” (“golden egg for hao”) spam being sent out. I'm at a loss.

It really does seem to be a system security problem; someone has broken in.

In my security log I can indeed see thousands of password login attempts every day, but still no successful login.

I now suspect that some of the modules installed by iRedMail may have a configuration vulnerability, because my configuration basically follows the material found online, and I don't know what security patches or settings I may have missed or overlooked. I would be very grateful if anyone who knows or has experience with this could give me some pointers!!

My iRedMail is version 0.6.0, with Roundcube installed as webmail, PostfixAdmin enabled for user management, nothing else turned on, and MySQL as the database. Where might a security hole exist in such a setup??

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Another possibility is backscatter mail.
http://www.postfix.org/BACKSCATTER_README.html

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

brucemioo,
can your iRedMail send and receive with Outlook and the like?
I don't know why,
but mine doesn't work ~”~
    Unrecognized warning:
         TLS library problem: 27222:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48: : 1 Time(s)

    **Unmatched Entries**

    lost connection after DATA (0 bytes) from unknown[17.7.160.196]
    lost connection after DATA (0 bytes) from unknown[185.24.25.26]
    NOQUEUE: reject: RCPT from unknown[110.25.170.75]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    lost connection after DATA (0 bytes) from unknown[21.5.109.3]
    lost connection after DATA (0 bytes) from unknown[21.138.92.24]
    lost connection after DATA (0 bytes) from unknown[41.200.166.80]
    lost connection after DATA (0 bytes) from unknown[110.139.72.210]
    lost connection after DATA (0 bytes) from unknown[180.180.210.23]
    lost connection after DATA (0 bytes) from unknown[189.136.46.201]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[10.162.126.230]
    NOQUEUE: reject: RCPT from unknown[11.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com>

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

Search the forum for this line that appears in your log: "Sender address rejected: not logged in"

Too lazy...

23 Last edited by brucemioo (2010-10-26 18:13:35)

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

First of all, this has nothing to do with being lazy. Since I am not particularly familiar with iRedMail, when this kind of problem occurs, naturally the first thing I think of is to come here for help.

Secondly, I searched for “Sender address rejected: not logged in”, and it basically has nothing to do with my situation. My mail system currently sends and receives normally; it is just that some users frequently receive delivery-failure notifications for mail they never sent, and most of those failed messages have the subject “发送hao的金蛋” (“golden egg sent to hao”).

I have not yet read up on backscatter carefully, but in any case thank you, ZhangHuangbin, for the pointers and help.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

carlkyo wrote:

brucemioo,
can your iRedMail send and receive with Outlook and the like?
I don't know why,
but mine doesn't work ~”~
    Unrecognized warning:
         TLS library problem: 27222:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48: : 1 Time(s)

    **Unmatched Entries**

    lost connection after DATA (0 bytes) from unknown[17.7.160.196]
    lost connection after DATA (0 bytes) from unknown[185.24.25.26]
    NOQUEUE: reject: RCPT from unknown[110.25.170.75]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    lost connection after DATA (0 bytes) from unknown[21.5.109.3]
    lost connection after DATA (0 bytes) from unknown[21.138.92.24]
    lost connection after DATA (0 bytes) from unknown[41.200.166.80]
    lost connection after DATA (0 bytes) from unknown[110.139.72.210]
    lost connection after DATA (0 bytes) from unknown[180.180.210.23]
    lost connection after DATA (0 bytes) from unknown[189.136.46.201]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[10.162.126.230]
    NOQUEUE: reject: RCPT from unknown[11.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com>



Friend, nobody here uses Outlook to send and receive mail at the moment, so I cannot answer your question for now; I'll find an Outlook and try it.

Reply: Has the system been hacked? Or does iRedMail have a vulnerability?

The current webmail is not version 0.4;
there is no group function (it seems it can be added in LDAP, but that is very inconvenient).
I installed iRedMail almost a week ago;
sending and receiving is still a bit slow.