Spam mailing: find it and punish it

Plutishe:
But seriously, a question has come up:

there are about 130 frozen messages in the queue (exim)

according to the logs, imap and pop3 are being hammered from IPs in Turkey and Ireland

I have a feeling spam is being sent:

31h 19K 1X9WE8-0003S6-97 <>
pcerosk@elrond.atlantis.sk

26h 7.6K 1X9aGf-00034H-Ga <>
admin@domino-club.ru

10h 3.7K 1X9p91-0005AK-Tp <>
elenam@trtk.ru

10h 3.3K 1X9pNi-0005jj-VR <>
krilov@trtk.ru

9h 3.4K 1X9qxP-0000K2-Pj <>
anezhka@trtk.ru

5h 93K 1X9u1t-0004WF-Lt <>
claudioabaq241@kgtrk.ru

for example, the header of the last one:

1X9u1t-0004WF-Lt-H

exim 93 93
<>
1406112253 0
-ident exim
-received_protocol local
-aclc 8 0

-aclc 9 0

-body_linecount 1300
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
claudioabaq241@kgtrk.ru

149P Received: from exim by zx-spectrum-x86.org with local (Exim 4.63)
id 1X9u1t-0004WF-Lt
for claudioabaq241@kgtrk.ru; Wed, 23 Jul 2014 14:44:13 +0400
040 X-Failed-Recipients: info@XXXXXX.ru
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@zx-spectrum-x86.org>
028T To: claudioabaq241@kgtrk.ru
059 Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1X9u1t-0004WF-Lt@zx-spectrum-x86.org>
038 Date: Wed, 23 Jul 2014 14:44:13 +0400

The message's log:

2014-07-23 14:44:13 Received from <> R=1X9u1o-0004W1-Tj U=exim P=local S=95520
2014-07-23 14:44:15 SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 14:44:15 claudioabaq241@kgtrk.ru R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 15:07:35 SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 15:07:35 claudioabaq241@kgtrk.ru R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 16:14:14 SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 16:14:14 claudioabaq241@kgtrk.ru R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 17:13:01 SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 17:13:01 claudioabaq241@kgtrk.ru R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 19:07:26 SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist
2014-07-23 19:07:26 claudioabaq241@kgtrk.ru R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<> SIZE=97854: host mail.kgtrk.ru [217.74.167.98]: 451 <zx-spectrum-x86.org> is invalid or DNS says does not exist

A basic question: what is this?

Exim log (main.log):

2014-07-23 19:54:45 1X9ysC-0002N6-0D removed by root

2014-07-23 19:54:45 1X9ysC-0002N6-0D Completed
2014-07-23 20:03:53 1X9z1F-0002Ww-9k <= zakaz@pechat-veka.ru H=static.163.19.9.176.clients.your-server.de (image.fastvps.ru) [176.9.19.163] P=esmtps X=TLSv1:AES256-SHA:256 S=152012 id=NTkyMDExMAAC7816070Y37BAMTQwNjEyOTgxOTU1MDg@zakazdo.ru from <zakaz@pechat-veka.ru> for info@XXXXXXXXXXXXX2.ru
2014-07-23 20:03:54 1X9z1F-0002Ww-9k == info@XXXXXXXXXXXXX2.ru R=procmail T=procmail_pipe defer (0): Child process of procmail_pipe transport returned 73 (could mean can't create output file) from command: /usr/bin/procmail
2014-07-23 20:03:54 1X9z1F-0002Ww-9k ** info@XXXXXXXXXXXXX2.ru <info@XXXXXXXXXXXX2.ru>: retry timeout exceeded
2014-07-23 20:03:54 1X9z1G-0002X4-CM <= <> R=1X9z1F-0002Ww-9k U=exim P=local S=108513 from <> for zakaz@pechat-veka.ru
2014-07-23 20:03:54 1X9z1F-0002Ww-9k Completed
2014-07-23 20:03:56 1X9z1G-0002X4-CM ** zakaz@pechat-veka.ru R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx.yandex.ru [213.180.193.89]: 554 5.7.1 Message rejected under suspicion of SPAM taGhoore4e-3s8icIJP
2014-07-23 20:03:56 1X9z1G-0002X4-CM Frozen (delivery error message)
2014-07-23 20:04:18 1X9z1c-0002XD-KO <= nzp@33.ru H=mail.klsc.co.kr [121.152.73.14] P=esmtps X=TLSv1:AES256-SHA:256 S=50207 id=D4D167343FEBC4D70B0E47FA1EEE64B4@rybkasl from <nzp@33.ru> for info@XXXXXXXXX.ru
2014-07-23 20:04:18 1X9z1c-0002XD-KO ** XXXXX@yandex.ru <info@XXXXXXX.ru> R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx.yandex.ru [93.158.134.89]: 554 5.7.1 Message rejected under suspicion of SPAM 1RJ1p4GtDj-4I0mI4D5
2014-07-23 20:04:18 1X9z1e-0002XI-My <= <> R=1X9z1c-0002XD-KO U=exim P=local S=51189 from <> for nzp@33.ru
2014-07-23 20:04:18 1X9z1c-0002XD-KO Completed
2014-07-23 20:04:19 1X9z1e-0002XI-My == nzp@33.ru R=dnslookup T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<nzp@33.ru>: host mx.ibox.ru [213.248.34.8]: 450 <nzp@33.ru>: Recipient address rejected: Greylisted for 300 seconds (see https://control.ibox.ru/noc/gl/)
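As an added worked example (not code from the thread), here is a Python parser for Exim main.log lines of the kind quoted above. It pairs each locally generated bounce (an arrival line `<= <>` carrying `R=<parent id>`) with its parent message and reports which bounces are backscatter: a remote host delivered a message to a local address, that delivery failed (`**`), and Exim bounced it back to whatever sender the remote host claimed. The log lines inside the block are constructed with documentation domains and IPs, not the thread's real ones.

```python
import re

# Constructed sample in Exim main.log format, modelled on the lines quoted in
# this thread but with documentation domains/addresses substituted.
SAMPLE_MAINLOG = """\
2014-07-23 20:03:53 1X9z1F-0002Ww-9k <= sender@spammer.example H=host.example.net [192.0.2.10] P=esmtps X=TLSv1:AES256-SHA:256 S=152012 from <sender@spammer.example> for info@victim.example
2014-07-23 20:03:54 1X9z1F-0002Ww-9k == info@victim.example R=procmail T=procmail_pipe defer (0): Child process of procmail_pipe transport returned 73
2014-07-23 20:03:54 1X9z1F-0002Ww-9k ** info@victim.example <info@victim.example>: retry timeout exceeded
2014-07-23 20:03:54 1X9z1G-0002X4-CM <= <> R=1X9z1F-0002Ww-9k U=exim P=local S=108513 from <> for sender@spammer.example
2014-07-23 20:03:54 1X9z1F-0002Ww-9k Completed
2014-07-23 20:03:56 1X9z1G-0002X4-CM ** sender@spammer.example R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx.example.org [198.51.100.5]: 554 5.7.1 Message rejected under suspicion of SPAM
2014-07-23 20:03:56 1X9z1G-0002X4-CM Frozen (delivery error message)
2014-07-23 20:10:00 1X9zAa-0002Yy-01 <= user@corp.example H=mail.corp.example [203.0.113.7] P=esmtps S=4000 from <user@corp.example> for alice@victim.example
2014-07-23 20:10:01 1X9zAa-0002Yy-01 => alice <alice@victim.example> R=localuser T=local_delivery
2014-07-23 20:10:01 1X9zAa-0002Yy-01 Completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) (?P<rest>.*)$"
)
ARRIVAL_RE = re.compile(r"^<= (?P<sender>\S+)(?P<attrs>.*?) for (?P<rcpts>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PARENT_RE = re.compile(r"\bR=([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})\b")


def parse_mainlog(text):
    """Group main.log lines by message id and keep the fields needed below."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = msgs.setdefault(m["id"], {
            "id": m["id"], "sender": None, "remote_ip": None, "parent": None,
            "recipients": [], "failures": [], "frozen": False,
        })
        rest = m["rest"]
        if rest.startswith("<= "):            # message arrival
            a = ARRIVAL_RE.match(rest)
            msg["sender"] = a["sender"]
            ip = IP_RE.search(a["attrs"])      # H=... [ip] present only for remote arrivals
            msg["remote_ip"] = ip.group(1) if ip else None
            parent = PARENT_RE.search(a["attrs"])  # R=<id> links a bounce to its parent
            msg["parent"] = parent.group(1) if parent else None
            msg["recipients"] = a["rcpts"].split()
        elif rest.startswith("** "):          # permanent delivery failure
            msg["failures"].append(rest[3:])
        elif rest.startswith("Frozen"):
            msg["frozen"] = True
    return msgs


def find_backscatter(msgs):
    """Locally generated bounces (sender <>) whose parent came from a remote
    host and then failed local delivery. The bounce goes to the sender address
    the remote host claimed, which for spam is usually forged, so these
    bounces are the 'outgoing spam' that piles up frozen in the queue."""
    findings = []
    for msg in msgs.values():
        if msg["sender"] != "<>" or msg["parent"] is None:
            continue
        parent = msgs.get(msg["parent"])
        if parent is None or parent["remote_ip"] is None or not parent["failures"]:
            continue
        findings.append({
            "bounce_id": msg["id"],
            "bounce_to": msg["recipients"],
            "frozen": msg["frozen"],
            "origin_ip": parent["remote_ip"],
            "claimed_sender": parent["sender"],
            "failed_local_rcpt": parent["failures"][0].split()[0],
        })
    return findings


if __name__ == "__main__":
    for finding in find_backscatter(parse_mainlog(SAMPLE_MAINLOG)):
        print(finding)
```

On a real box, `exiqgrep -z -i` lists the ids of frozen messages, `exim -Mvh ID` and `exim -Mvb ID` show a message's header and body, and `exim -Mrm ID` removes it. The lasting fix is to stop accepting mail for addresses that cannot be delivered (recipient verification in the RCPT ACL, and no catch-all that later fails), so Exim never has to generate a bounce to a forged sender in the first place.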
#1 Plutishe:

Exim (reject.log):

2014-07-23 16:38:11 login authenticator failed for 79.142.46.196.static.impol.net (mnsmbizelc) [196.46.142.79]: 535 Incorrect authentication data
2014-07-23 16:38:11 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 16:38:11 cram authenticator failed for 79.142.46.196.static.impol.net (mnsmbizelc) [196.46.142.79]: 535 Incorrect authentication data
2014-07-23 17:05:57 plain authenticator (PLAIN):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:57 plain authenticator failed for 203-113-206-105-static.tcs.netspace.net.au (ijoxofeyjz) [203.113.206.105]: 535 Incorrect authentication data
2014-07-23 17:05:58 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:58 login authenticator failed for 203-113-206-105-static.tcs.netspace.net.au (ijoxofeyjz) [203.113.206.105]: 535 Incorrect authentication data
2014-07-23 17:05:59 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:59 cram authenticator failed for 203-113-206-105-static.tcs.netspace.net.au (ijoxofeyjz) [203.113.206.105]: 535 Incorrect authentication data
2014-07-23 17:23:50 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 17:23:50 login authenticator failed for s15433869.onlinehome-server.com (User) [74.208.72.28]: 535 Incorrect authentication data
2014-07-23 17:42:26 H=mail.craftsite.co.uk [66.155.18.68] F=<mfvt@show-master.ru> rejected RCPT <info@XXXXXXXXXXX3.ru>: relay not permitted
2014-07-23 18:03:09 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 18:03:10 login authenticator failed for select64.lnk.telstra.net (User) [203.45.217.245]: 535 Incorrect authentication data
2014-07-23 18:08:15 plain authenticator (PLAIN):
Cyrus SASL permanent failure: user not found
2014-07-23 18:08:15 plain authenticator failed for (tqkltbzihl) [223.255.191.92]: 535 Incorrect authentication data
2014-07-23 18:08:16 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 18:08:16 login authenticator failed for (tqkltbzihl) [223.255.191.92]: 535 Incorrect authentication data
2014-07-23 18:08:16 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 18:08:16 cram authenticator failed for (tqkltbzihl) [223.255.191.92]: 535 Incorrect authentication data
2014-07-23 18:46:19 plain authenticator (PLAIN):
Cyrus SASL permanent failure: user not found
2014-07-23 18:46:19 plain authenticator failed for (tbzguqfppa) [188.135.8.47]: 535 Incorrect authentication data
2014-07-23 18:46:19 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 18:46:19 login authenticator failed for (tbzguqfppa) [188.135.8.47]: 535 Incorrect authentication data
2014-07-23 18:46:20 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 18:46:20 cram authenticator failed for (tbzguqfppa) [188.135.8.47]: 535 Incorrect authentication data
2014-07-23 19:14:15 plain authenticator (PLAIN):
Cyrus SASL permanent failure: user not found
2014-07-23 19:14:15 plain authenticator failed for (cyrqhyfcjc) [212.179.214.48]: 535 Incorrect authentication data
2014-07-23 19:14:16 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 19:14:16 login authenticator failed for (cyrqhyfcjc) [212.179.214.48]: 535 Incorrect authentication data
2014-07-23 19:14:16 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 19:14:16 cram authenticator failed for (cyrqhyfcjc) [212.179.214.48]: 535 Incorrect authentication data
2014-07-23 19:22:22 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 19:22:22 login authenticator failed for s15433869.onlinehome-server.com (User) [74.208.72.28]: 535 Incorrect authentication data

And entries like these are unclear to me:

Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: NEWSOCKFD - 2
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: Check quota for 'info@XXXXXXXXXXXXX.ru'
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: cache_quota /usr/sbin/repquota -u -n /dev/simfs
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: info@XXXXX.ru [u:533] disk quota used '92' limit '0'
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: cache_quota /usr/sbin/repquota -g -n /dev/simfs
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: info@XXXXXXXX.ru [g:524] disk quota used '108' limit '0'
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: SEND START - size - 1
Jul 23 18:27:00 zx-spectrum-x86 eximquotacheck: N - 1
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: NEWSOCKFD - 2
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: Check quota for 'info@XXXXXXX.ru'
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: cache_quota /usr/sbin/repquota -u -n /dev/simfs
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: info@XXXXXX.ru [u:533] disk quota used '92' limit '0'
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: cache_quota /usr/sbin/repquota -g -n /dev/simfs
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: info@XXXXXXX.ru [g:524] disk quota used '108' limit '0'
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: SEND START - size - 1
Jul 23 18:32:22 zx-spectrum-x86 eximquotacheck: N - 1

I'd be grateful for any help or pointers.
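Added example, not from the thread: the reject.log lines above are SMTP AUTH password guessing (each client tries PLAIN, LOGIN and CRAM-MD5 in turn, for usernames that do not exist). This Python script tallies the failures per client address in the exact line format quoted above, treats an address that fails repeatedly or cycles through mechanisms within a minute as automated, and separately records "relay not permitted" rejections. The log excerpt in the block is constructed with documentation IPs and hostnames; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed reject.log excerpt in the format quoted in this thread,
# with documentation IPs/hostnames substituted.
SAMPLE_REJECTLOG = """\
2014-07-23 17:05:57 plain authenticator (PLAIN):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:57 plain authenticator failed for host-5.example.net (ijoxofeyjz) [203.0.113.5]: 535 Incorrect authentication data
2014-07-23 17:05:58 login authenticator (LOGIN):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:58 login authenticator failed for host-5.example.net (ijoxofeyjz) [203.0.113.5]: 535 Incorrect authentication data
2014-07-23 17:05:59 cram authenticator (CRAM-MD5):
Cyrus SASL permanent failure: user not found
2014-07-23 17:05:59 cram authenticator failed for host-5.example.net (ijoxofeyjz) [203.0.113.5]: 535 Incorrect authentication data
2014-07-23 17:42:26 H=mail.example.org [192.0.2.77] F=<someone@example.org> rejected RCPT <info@victim.example>: relay not permitted
2014-07-23 18:03:10 login authenticator failed for (User) [198.51.100.9]: 535 Incorrect authentication data
"""

# "failed for HOST (HELO) [IP]" -- the HOST part is absent when there is no reverse DNS
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<mech>\w+) authenticator failed for "
    r"(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: 535"
)
RELAY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] F=<(?P<from>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: relay not permitted"
)


def summarize_rejectlog(text):
    """Per-IP tally of failed SMTP AUTH attempts, plus relay attempts per IP."""
    auth = {}
    relay = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rec = auth.setdefault(m["ip"], {"count": 0, "mechs": set(), "helos": set(),
                                            "first": ts, "last": ts})
            rec["count"] += 1
            rec["mechs"].add(m["mech"].lower())
            rec["helos"].add(m["helo"])
            rec["first"] = min(rec["first"], ts)
            rec["last"] = max(rec["last"], ts)
            continue
        r = RELAY_RE.match(line)
        if r:
            relay[r["ip"]].append((r["from"], r["rcpt"]))
    return auth, dict(relay)


def flag_bruteforce(auth, min_failures=3, min_mechs=2, window_seconds=60):
    """An address that fails several times, or cycles through PLAIN/LOGIN/CRAM-MD5
    within a minute, is an automated password-guessing client, not a user typo.
    The thresholds are assumptions, not values from the thread."""
    flagged = []
    for ip, rec in auth.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        if rec["count"] >= min_failures or (len(rec["mechs"]) >= min_mechs and span <= window_seconds):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    auth, relay = summarize_rejectlog(SAMPLE_REJECTLOG)
    for ip in flag_bruteforce(auth):
        rec = auth[ip]
        print(f"{ip}: {rec['count']} failures, mechanisms {sorted(rec['mechs'])}, helo {sorted(rec['helos'])}")
    for ip, attempts in relay.items():
        print(f"{ip}: {len(attempts)} relay attempt(s), e.g. {attempts[0]}")
```

fail2ban's stock exim filter keys on the same "authenticator failed for ... [ip]" lines, so the tally above is the report form of what a fail2ban jail would turn into a firewall ban.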

#2 M:

Apparently there was a mailing earlier and you ended up in spam; there's a lot to understand here, such as what domains you have and so on.

Check quota for 'info@XXXXXXXXXXXXX.ru'

The last bit, the quota reminders, means the limit is exhausted: in the ispmanager panel set an explicit mailbox size. 0 doesn't work.

#3 M:

Plutishe:

for example, the header of the last one:
1X9u1t-0004WF-Lt-H

exim 93 93
<>
1406112253 0
-ident exim
-received_protocol local
-aclc 8 0

-aclc 9 0

-body_linecount 1300
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
claudioabaq241@kgtrk.ru

149P Received: from exim by zx-spectrum-x86.org with local (Exim 4.63)
id 1X9u1t-0004WF-Lt
for claudioabaq241@kgtrk.ru; Wed, 23 Jul 2014 14:44:13 +0400
040 X-Failed-Recipients: info@XXXXXX.ru
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@zx-spectrum-x86.org>
028T To: claudioabaq241@kgtrk.ru
059 Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1X9u1t-0004WF-Lt@zx-spectrum-x86.org>
038 Date: Wed, 23 Jul 2014 14:44:13 +0400

The interesting part is in the message body, where the headers of the outgoing message are listed, not the bounce's.

#4 A:

If they're hammering right now, look at Apache server-status; you'll see POST requests, and that's it.

Or search the apache/nginx logs for POST requests.

imap, pop3 are protocols for receiving mail, not sending. At most they get used for password guessing.
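Added example, not from the thread: a small Python scanner for the POST requests admak suggests looking for, run over access-log lines in the Apache/nginx combined format. It counts POSTs per client and script path and flags PHP scripts under directories that should only hold uploads, caches or static assets (that directory list and the count threshold are assumptions made here, not facts from the thread). The log lines in the block are constructed with documentation IPs.

```python
import re
from collections import Counter

# Constructed Apache/nginx combined-format access log lines (documentation IPs).
SAMPLE_ACCESSLOG = """\
198.51.100.4 - - [23/Jul/2014:20:03:50 +0400] "POST /wp-content/uploads/2014/07/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2014:20:03:51 +0400] "POST /wp-content/uploads/2014/07/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2014:20:03:52 +0400] "POST /wp-content/uploads/2014/07/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2014:20:03:53 +0400] "POST /wp-content/uploads/2014/07/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2014:20:03:54 +0400] "POST /wp-content/uploads/2014/07/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2014:20:04:10 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2014:20:04:11 +0400] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.30 - - [23/Jul/2014:20:05:00 +0400] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption, not from the thread: PHP files under directories that normally
# hold only uploads, caches or static assets are where dropped mailer scripts
# tend to live on a compromised CMS.
STATIC_DIR_PHP_RE = re.compile(
    r"/(?:wp-content/uploads|wp-content/cache|wp-includes|cache|tmp|images|css|js)/.*\.php$",
    re.I,
)


def count_posts(text):
    """Count POST requests per (client IP, script path), query string dropped."""
    counts = Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST":
            counts[(m["ip"], m["path"].split("?", 1)[0])] += 1
    return counts


def suspicious_posts(counts, min_hits=5):
    """Flag (ip, path) pairs that look like a mailer script being driven."""
    findings = []
    for (ip, path), n in counts.items():
        reasons = []
        if STATIC_DIR_PHP_RE.search(path):
            reasons.append("PHP script in a directory that should hold static files")
        if n >= min_hits:
            reasons.append(f"{n} POSTs from one address")
        if reasons:
            findings.append({"ip": ip, "path": path, "count": n, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in suspicious_posts(count_posts(SAMPLE_ACCESSLOG)):
        print(finding)
```

A clean result from this scan does not rule out a mailer script (it may be triggered by GET or by cron), but a cluster of POSTs to one PHP file in an uploads or cache directory is the pattern to inspect first; the file itself is then the thing to quarantine and diff against the CMS package.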

#5 Plutishe:

admak:
If they're hammering right now, look at Apache server-status; you'll see POST requests, and that's it.
Or search the apache/nginx logs for POST requests.

imap, pop3 are protocols for receiving mail, not sending. At most they get used for password guessing.

There are no POST requests, that's the thing; I don't know where to dig...

---------- Added 23.07.2014 at 22:38 ----------

megadimon:
The interesting part is in the message body, where the headers of the outgoing message are listed, not the bounce's.

Here it is:

1XA1Qo-0005fI-Jy-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

info@XXXXXXX
local delivery failed: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <velma_morris@fizikportali.com>
Received: from [78.135.94.146] (helo=fizikportali.com)
by zx-spectrum-x86.org with esmtp (Exim 4.63)
(envelope-from <velma_morris@fizikportali.com>)
id 1XA1Qn-0005fB-Ph
for info@XXXXXX; Wed, 23 Jul 2014 22:38:25 +0400
Date: Wed, 23 Jul 2014 21:38:19 +0300
From: "Velma Morris" <velma_morris@fizikportali.com>
Reply-To:"Velma Morris" <velma_morris@fizikportali.com>
Message-ID: <690d277-1e5e1-8c@fizikportali.com>
To: info@XXXXXX
Subject: Fw: Lol, Sexy blonde whore double fucked in gangbang
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit


<div><a href="http://uni-display.com/wp-includes/css/themes.html">Sexy blonde whore double fucked in gangbang</a></div>


---------- Added 23.07.2014 at 22:41 ----------

Trouble, trouble 😡


1XA1RI-0005fi-D2-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

info@xxxxxx
local delivery failed: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <jill_mccullough@scherbinka.net>
Received: from t4d.ru ([195.189.180.250] helo=scherbinka.net)
by zx-spectrum-x86.org with esmtp (Exim 4.63)
(envelope-from <jill_mccullough@scherbinka.net>)
id 1XA1RI-0005fb-8p
for info@xxxxxx; Wed, 23 Jul 2014 22:38:56 +0400
Date: Wed, 23 Jul 2014 22:39:09 +0400
From: "Jill Mccullough" <jill_mccullough@scherbinka.net>
Reply-To:"Jill Mccullough" <jill_mccullough@scherbinka.net>
Message-ID: <62dabed-9b9fc-93@scherbinka.net>
To: info@xxxxxxx
Subject: FW: Lol, Lesbos kissing passionately and dildoing asshole
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit


<div><a href="http://raykoon.com/wp-content/themes/d8/ajax/ini.html">Lesbos kissing passionately and dildoing asshole</a></div>
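Added example, not from the thread: the two bounce bodies above share one layout, so this Python function pulls the origin out of an Exim bounce's copied headers: the connecting IP, its reverse DNS and HELO name from the Received line (both the `from [ip] (helo=...)` and the `from rdns ([ip] helo=...)` forms seen above), the Return-path, the failed local recipient and the links in the body. The bounce text inside the block is constructed with documentation names and a neutral subject.

```python
import re
from email import message_from_string

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed bounce body in the layout of the spool -D files quoted above
# (Exim 4.63 style), with documentation names substituted.
SAMPLE_BOUNCE = """\
1XA1RI-0005fi-D2-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  info@victim.example
    local delivery failed: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <jane_doe@spamhost.example>
Received: from rdns.example.net ([192.0.2.146] helo=spamhost.example)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from <jane_doe@spamhost.example>)
    id 1XA1RI-0005fb-8p
    for info@victim.example; Wed, 23 Jul 2014 22:38:56 +0400
Date: Wed, 23 Jul 2014 22:39:09 +0400
From: "Jane Doe" <jane_doe@spamhost.example>
Reply-To: "Jane Doe" <jane_doe@spamhost.example>
Message-ID: <62dabed-9b9fc-93@spamhost.example>
To: info@victim.example
Subject: FW: Lol, check this out
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit


<div><a href="http://compromised-site.example/wp-content/themes/x/ini.html">check this out</a></div>
"""

# Matches both "from [ip] (helo=name)" (no reverse DNS) and "from rdns ([ip] helo=name)".
RECEIVED_RE = re.compile(
    r"from (?:(?P<rdns>[^\s\[(]+) )?\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"
    r"(?: \(?helo=(?P<helo>[^\s)]+)\)?)?"
)
HREF_RE = re.compile(r'href="([^"]+)"')


def analyse_bounce(text):
    """Extract where the bounced original really came from and who it went to."""
    head, sep, copy = text.partition(COPY_MARKER)
    if not sep:
        raise ValueError("not an Exim bounce: copy marker missing")
    # The failed address and the reason are the two non-empty lines after "failed:".
    fail = re.search(r"failed:\s*\n(.*)", head, re.S)
    fail_lines = [l.strip() for l in fail.group(1).splitlines() if l.strip()] if fail else []
    msg = message_from_string(copy.lstrip("\n"))
    received = " ".join((msg["Received"] or "").split())   # unfold the header
    r = RECEIVED_RE.search(received)
    rdns = r["rdns"] if r else None
    helo = r["helo"] if r else None
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "failed_recipient": fail_lines[0] if fail_lines else None,
        "failure_reason": fail_lines[1] if len(fail_lines) > 1 else None,
        "return_path": (msg["Return-path"] or "").strip("<>"),
        "origin_ip": r["ip"] if r else None,
        "origin_rdns": rdns,
        "origin_helo": helo,
        # A HELO that does not match the reverse DNS is a common spam-bot trait.
        "helo_mismatch": rdns is not None and helo is not None and helo != rdns,
        "from": msg["From"],
        "subject": msg["Subject"],
        "links": HREF_RE.findall(body),
    }


if __name__ == "__main__":
    for key, value in analyse_bounce(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

What the result says about this thread's situation: the outgoing "spam" is Exim's own bounce of an inbound message to a local address whose delivery failed, addressed to a sender that was most likely forged. A frozen message's body can be dumped with `exim -Mvb ID` and fed to the same function.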
#6 M:


Scan the site with clamav and maldet. Which CMS engine?

#7 kxk:


Plutishe, CentOS again?

On the subject: install the mail patch so you know where it's being sent from, i.e. the spammer script itself (it comes out of the box with isp lite 4 + Debian 7).

#8 Plutishe:
megadimon:
Scan the site with clamav and maldet. Which CMS engine?

clam:

----------- SCAN SUMMARY -----------

Known viruses: 3503092
Engine version: 0.98.4
Scanned directories: 54531
Scanned files: 217101
Infected files: 0
Total errors: 174
Data scanned: 7642.80 MB
Data read: 35580.68 MB (ratio 0.21:1)
Time: 2352.601 sec (39 m 12 s)

hostcms and bitrix

---------- Added 23.07.2014 at 23:32 ----------

nmap:

Not shown: 1664 closed ports

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
1500/tcp open vlsi-lm
3306/tcp open mysql
8080/tcp open http-proxy
8888/tcp open sun-answerbook
#9 kxk:


Plutishe, do you use this port?

8888/tcp open sun-answerbook
#10 K5:


Well, the simple thing: run the sites through AI-Bolit.

Does the mailing stop when you shut down exim?
