
[Discussion] Can anyone help determine whether a mail user's machine is infected or the server has been attacked?

Over the past few weeks outgoing mail volume has surged. On the company firewall I found one mail user sending large amounts of mail non-stop every day. Looking at the queue log on the server, I see lots of entries like the following.

DE41118836     2226 Mon Dec 21 04:01:33  xm@XX.com
(host freemx3.sinamail.sina.com.cn[60.28.2.248] said: 452 Too many recipients received this hour (in reply to RCPT TO command))
                                         aodsz5z8pz@sina.com
                                         bulcse@sina.com
                                         bzf0r@sina.com
                                         d1x5s8pvks@sina.com
                                         dhyr1t7io@sina.com
                                         e0k@sina.com
                                         f22u@sina.com
                                         hy6zmu4d@sina.com
                                         iqbm@sina.com
                                         jtcommk@sina.com
                                         m5pq1cpmhr@sina.com
                                         oiai@sina.com
                                         ukqgudf67@sina.com
                                         uxn@sina.com
                                         vip25802580@sina.com
                                         vlt1d@sina.com
                                         wquuagyy@sina.com


The contents of one of these messages:
[root@mail ~]# postcat -q DDB17188E8
*** ENVELOPE RECORDS deferred/D/DDB17188E8 ***
message_size:            2230            2392              27               0
message_arrival_time: Mon Dec 21 07:46:46 2009
create_time: Mon Dec 21 07:46:46 2009
named_attribute: rewrite_context=local
sender: xm@XX.com
named_attribute: log_client_name=mail.XX.com
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=mail.XX.com[127.0.0.1]
named_attribute: log_helo_name=localhost.localdomain
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=mail.XX.com
named_attribute: reverse_client_name=mail.XX.com
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost.localdomain
named_attribute: client_address_type=2
*** MESSAGE CONTENTS deferred/D/DDB17188E8 ***
Received: from localhost.localdomain (mail.XX.com [127.0.0.1])
        by mail.kmcad.com (Postfix - by extmail.org) with ESMTP id DDB17188E8;
        Mon, 21 Dec 2009 07:46:46 +0800 (CST)
From: "=?GB2312?B?udwgwO0g1LE=?=" <xm@XX.com>
To: 2009@sina.com
Subject: =?GB2312?B?0MLAy7mry77Tys/kudzA7dSx0MXPotCh1+k=?=
    =?GB2312?B?ISA=?=
Date: Mon, 21 Dec 2009 07:46:46 +0800
Mime-version: 1.0
X-Originating-Ip: [59.50.162.109]
X-Mailer: ExtMail 1.1.0
Content-Type: text/html; charset="GB2312"
Content-Transfer-Encoding: base64
Message-Id: <20091220234646.DDB17188E8@mail.XX.com>
*** HEADER EXTRACTED deferred/D/DDB17188E8 ***
*** MESSAGE FILE END deferred/D/DDB17188E8 ***
[root@mail ~]#


Checking the user's mail client, I found a large number of bounces like this one:

Subject: Mail delivery failed!
From: "Mail Delivery System" <MAILER-DAEMON@sina.com>
To: xm@XX.com
Date: 2009-12-22 07:20:35
Attachments: delivery-status.txt (0.40K), message.eml (2.3K)

  
Delivery of your message to ci@sina.com failed. Reason:
5.x.1 - Maximum number of delivery attempts exceeded. [Default] 552-'5.2.2 <ci@sina.com>: Recipient address rejected: Quota exceeded or service disabled'

See the attachment for details. If you have any questions, visit the Sina Mail help center:
http://mail.sina.com.cn/help2/helpcenter.html


Experts, what should I do about this? For now I have temporarily suspended this user; I had her change her password a few days ago, but that didn't help either. Is this a virus infection, or something on the server side?
Could it be that his own machine is infected?
ExtMail Mail Development Network
liushaobo@extmail.org
Exploring high-performance Anti-Spam combinations
Yours is not so bad; what I found is root sending mail non-stop to a pile of addresses.
I have the same situation as the OP here. Any solution?
I suspect this is a serious vulnerability in EMOS; everyone using EMOS has probably run into this problem.
All for one, one for all
I ran into this too: office@xxx.com was abused. My analysis was that the office account was being exploited. Based on the IP addresses that had used OFFICE, I disabled all of them and put them on a blacklist; after that things got slightly better and it was barely usable.
Before that, because of the spam, the server was frequently having mail rejected and sat in a hung state.
On the firewall I saw an account I had never even registered constantly sending outbound. It was connecting from a certain IP, so I blocked that IP, but it is still constantly accessing... There is another account that also keeps sending outbound, but that mailbox is used only for receiving, so it was best to just block SMTP for it. But I'm afraid there are many that the firewall doesn't show and that are sending outbound without my knowing. Does everyone else have this situation too? If I pull the logs they are too long; is there a command to pull the log for just one account, or the send/receive log for one day? Please advise, experts...
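As an added example (not from the post and not ExtMail's own tooling), this is the per-account log pull the last reply asks for: a Python parser over constructed Postfix maillog lines that totals queued messages and recipients per sender per day, records which client submitted each message (client=127.0.0.1 is the local webmail, matching the client_address and X-Mailer in the postcat output above), and flags accounts above a recipient threshold. The log lines, the extra queue id, the account alice@XX.com and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix maillog lines (not taken from the post): the
# queue ids, sender and relay mirror the thread, everything else is made up.
SAMPLE_LOG = """\
Dec 21 04:01:33 mail postfix/smtpd[2099]: DE41118836: client=mail.XX.com[127.0.0.1]
Dec 21 04:01:33 mail postfix/qmgr[1987]: DE41118836: from=<xm@XX.com>, size=2226, nrcpt=17 (queue active)
Dec 21 04:01:35 mail postfix/smtp[2105]: DE41118836: to=<aodsz5z8pz@sina.com>, relay=freemx3.sinamail.sina.com.cn[60.28.2.248]:25, dsn=4.0.0, status=deferred (host freemx3.sinamail.sina.com.cn[60.28.2.248] said: 452 Too many recipients received this hour (in reply to RCPT TO command))
Dec 21 07:46:46 mail postfix/smtpd[2101]: DDB17188E8: client=mail.XX.com[127.0.0.1]
Dec 21 07:46:46 mail postfix/qmgr[1987]: DDB17188E8: from=<xm@XX.com>, size=2392, nrcpt=27 (queue active)
Dec 21 07:46:47 mail postfix/smtp[2110]: DDB17188E8: to=<2009@sina.com>, relay=freemx3.sinamail.sina.com.cn[60.28.2.248]:25, dsn=4.0.0, status=deferred (host freemx3.sinamail.sina.com.cn[60.28.2.248] said: 452 Too many recipients received this hour (in reply to RCPT TO command))
Dec 21 09:12:01 mail postfix/smtpd[2130]: 1A2B3C4D5E: client=unknown[10.0.0.5], sasl_method=LOGIN, sasl_username=alice@XX.com
Dec 21 09:12:01 mail postfix/qmgr[1987]: 1A2B3C4D5E: from=<alice@XX.com>, size=1800, nrcpt=1 (queue active)
Dec 21 09:12:02 mail postfix/smtp[2140]: 1A2B3C4D5E: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
"""

# smtpd: which client handed the message in (127.0.0.1 here is the ExtMail webmail)
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)")
# qmgr: envelope sender and recipient count of each queued message
QMGR_RE = re.compile(r"^(\w{3} +\d+) \S+ \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
# smtp: delivery outcome per recipient
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>, .*status=(\w+)")


def per_sender_stats(log_text, sender=None, day=None):
    """Aggregate per (day, envelope sender): queued messages, recipients,
    deferred deliveries and submitting clients. `sender` / `day` ("Dec 21")
    restrict the result to one account or one day, as asked in the thread."""
    client_of, sender_of = {}, {}   # queue id -> client / (day, sender)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "deferred": 0, "clients": set()})
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := QMGR_RE.match(line):
            qid, key = m.group(2), (m.group(1), m.group(3))
            sender_of[qid] = key
            stats[key]["messages"] += 1
            stats[key]["recipients"] += int(m.group(4))
            stats[key]["clients"].add(client_of.get(qid, "unknown"))
        elif m := SMTP_RE.search(line):
            key = sender_of.get(m.group(1))
            if key and m.group(2) == "deferred":
                stats[key]["deferred"] += 1
    return {k: v for k, v in stats.items()
            if (sender is None or k[1] == sender) and (day is None or k[0] == day)}


def bulk_senders(stats, max_recipients=40):
    """(day, sender) pairs over the recipient threshold: first candidates for a forced password reset."""
    return sorted(k for k, v in stats.items() if v["recipients"] > max_recipients)
```

On a real server, feed it `cat /var/log/maillog` (path varies by distribution) and narrow with `sender=` or `day=` instead of grepping the whole file.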