Spam E-Mails erkennen und entfernen

von dominion · Veröffentlicht 26. Februar 2014 · Aktualisiert 26. Februar 2014

Wenn das System für den Spam Versand genutzt wurde, sollte man sich so schnell wie möglich auf die Suche nach der Quelle machen, um mögliche Blacklist-Einträge der eigenen IP-Adresse zu vermeiden.

In diesem Beispiel möchte ich zeigen, wie man auch ohne Spamerkennung per Sendmail Wrapper und X-Header die Ursache beim Schopfe packen kann.

Punkt 1: Die Mail-Queue begutachten

Wir rufen die Mail-Queue unter Postfix mit postqueue -p auf und sehen bereits jede Menge Spam E-Mails.

# mailq
[..]
A19A01A7481      715 Fri Feb 21 08:07:49  deirdre_kelly@tauernresidence.at
(delivery temporarily suspended: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         gerio7769@aol.com

A324A1A7E26      699 Sat Feb 22 06:41:27  cassandra_turner@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         ryanshay@aol.com

A34A01A7A6B      681 Fri Feb 21 20:04:56  alta_munoz@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         lseitelman@aol.com

AB2C4561DA6      744 Fri Feb 21 09:02:09  mollie_lester@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         mbarney555@aol.com

A493D590B20      765 Thu Feb 20 19:32:19  terri_duffy@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         canarien9561@aol.com

-- 32354 Kbytes in 12505 Requests.

# mailq

[..]

A19A01A7481 715 Fri Feb 21 08:07:49 deirdre_kelly@tauernresidence.at

(delivery temporarily suspended: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

gerio7769@aol.com

A324A1A7E26 699 Sat Feb 22 06:41:27 cassandra_turner@tauernresidence.at

(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

ryanshay@aol.com

A34A01A7A6B 681 Fri Feb 21 20:04:56 alta_munoz@tauernresidence.at

(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

lseitelman@aol.com

AB2C4561DA6 744 Fri Feb 21 09:02:09 mollie_lester@tauernresidence.at

(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

mbarney555@aol.com

A493D590B20 765 Thu Feb 20 19:32:19 terri_duffy@tauernresidence.at

(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

canarien9561@aol.com

-- 32354 Kbytes in 12505 Requests.

Punkt 2: Spam wurde über ein PHP Script verschickt

Um den schuldigen Benutzer zu finden, öffnen wir ein paar dieser Postfix ID’s, beispielsweise AB2C4561DA6.

# postcat -q AB2C4561DA6
*** ENVELOPE RECORDS deferred/A/AB2C4561DA6 ***
message_size:             744             185               1               0             744
message_arrival_time: Fri Feb 21 09:02:09 2014
create_time: Fri Feb 21 09:02:09 2014
named_attribute: rewrite_context=local
sender_fullname: 
sender: xxx@xxx.de
*** MESSAGE CONTENTS deferred/A/AB2C4561DA6 ***
Received: by xxx.xxx.de (Postfix, from userid 4079)
	id AB2C4561DA6; Fri, 21 Feb 2014 09:02:09 +0100 (CET)
To: mbarney555@aol.com
Subject: Re:  Good day
From: "xxx" <xxx@xxx.de>
Reply-To: "xxx" <xxx@xxx.de>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20140221080209.AB2C4561DA6@xxx.xxx.de>
Date: Fri, 21 Feb 2014 09:02:09 +0100 (CET)

# postcat -q AB2C4561DA6

*** ENVELOPE RECORDS deferred/A/AB2C4561DA6 ***

message_size: 744 185 1 0 744

message_arrival_time: Fri Feb 21 09:02:09 2014

create_time: Fri Feb 21 09:02:09 2014

named_attribute: rewrite_context=local

sender_fullname:

sender: xxx@xxx.de

*** MESSAGE CONTENTS deferred/A/AB2C4561DA6 ***

Received: by xxx.xxx.de (Postfix, from userid 4079)

id AB2C4561DA6; Fri, 21 Feb 2014 09:02:09 +0100 (CET)

To: mbarney555@aol.com

Subject: Re: Good day

From: "xxx" <xxx@xxx.de>

Reply-To: "xxx" <xxx@xxx.de>

X-Priority: 3 (Normal)

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: 8bit

Message-Id: <20140221080209.AB2C4561DA6@xxx.xxx.de>

Date: Fri, 21 Feb 2014 09:02:09 +0100 (CET)

In Zeile 10 findet man die User ID 4079, diese suchen wir nun in der /etc/passwd um den Benutzernamen herauszubekommen.

# grep 4079 /etc/passwd
web274:x:4079:4079::/var/www/web274:/bin/false

1 2	# grep 4079 /etc/passwd web274:x:4079:4079::/var/www/web274:/bin/false

Wir wechseln in den Ordner indem sich die Apache Logfiles dieses Benutzers befinden.

Plesk: /var/www/vhosts/domain.de/statistics/logs/
Confixx: /var/www/webX/log/

Jetzt suchen wir in den access_log nach erfolgreichen POST Einträgen (Status 200).
Anbei seht ihr ein Beispiel wie die „Spammer“ mehrere PHP Scripte aufrufen um die Spam E-Mails zu versenden.

localhost:/var/www/web274# zcat log/old/access_log_2014_w9-0.gz 
[..]
68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:03 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:19 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:35 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:51 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:54 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:10 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:28 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:44 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:00 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:15 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:31 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
[..]

localhost:/var/www/web274# zcat log/old/access_log_2014_w9-0.gz

[..]

68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:30:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:31:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:31:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:31:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:32:03 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:32:19 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:32:35 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:32:51 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:35:54 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:36:10 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:36:28 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:36:44 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:37:00 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:37:15 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

68.71.243.135 - - [22/Feb/2014:06:37:31 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"

[..]

Jetzt sollten diese Dateien schnellstmöglich ausfindig gemacht und beseitigt werden, das Tool Malware Detect hilft dabei.

Ebenfalls sollte das CMS auf den neusten Stand gebracht, der Image/Upload Ordner gesichert und die Mail-Queue gesäubert werden.

Punkt 3: Spam wurde über einen Benutzer verschickt

Im folgenden Beispiel sieht man, dass ein Login stattgefunden hat sasl_username=kontakt@xxx.de. Das Passwort dieses Benutzers sollte so schnell wie möglich geändert werden.

# postcat -q 5942C8948326
*** ENVELOPE RECORDS active/5942C8948326 ***
message_size:             934            1432               8               0             917
message_arrival_time: Sun Jan 19 15:50:31 2014
create_time: Sun Jan 19 15:50:31 2014
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=kontakt@xxx.de
sender: gaf@xxx.de
named_attribute: log_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: log_client_address=93.120.196.244
named_attribute: log_client_port=3555
named_attribute: log_message_origin=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244]
named_attribute: log_helo_name=cisqyltfbn
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: reverse_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: client_address=93.120.196.244
named_attribute: client_port=3555
named_attribute: helo_name=cisqyltfbn
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;tomnagy91@gmail.com
original_recipient: tomnagy91@gmail.com
done_recipient: tomnagy91@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;hingkik@yahoo.com
original_recipient: hingkik@yahoo.com
recipient: hingkik@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;shaunmurray24@yahoo.com
original_recipient: shaunmurray24@yahoo.com
recipient: shaunmurray24@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;malcolmervin57@gmail.com
original_recipient: malcolmervin57@gmail.com
done_recipient: malcolmervin57@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;blondie@yahoo.com
original_recipient: blondie@yahoo.com
recipient: blondie@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;o.ne...112.23.3.44.5566@gmail.com
original_recipient: o.ne...112.23.3.44.5566@gmail.com
done_recipient: o.ne...112.23.3.44.5566@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;ramanadxn@gmail.com
original_recipient: ramanadxn@gmail.com
done_recipient: ramanadxn@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;rich_miracle@rediffmail.com
original_recipient: rich_miracle@rediffmail.com
recipient: rich_miracle@rediffmail.com
*** MESSAGE CONTENTS active/5942C8948326 ***
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from cisqyltfbn (93-120-196-244.dynamic.mts-nn.ru [93.120.196.244])
        (Authenticated sender: kontakt@xxx.de)
        by xxx.xxx.de (Postfix) with ESMTPA id 5942C8948326;
        Sun, 19 Jan 2014 15:50:31 +0100 (CET)
Subject:
Date: Sun, 19 Jan 2014 15:36:27 -0700
From: "ny fyha" <gaf@xxx.de>
To: <tomnagy91@gmail.com>, <hingkik@yahoo.com>, <shaunmurray24@yahoo.com>, <malcolmervin57@gmail.com>, <blondie@yahoo.com>, <o.ne...112.23.3.44.5566@gmail.com>, <ramanadxn@gmail.com>, <rich_miracle@rediffmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-5

# postcat -q 5942C8948326

*** ENVELOPE RECORDS active/5942C8948326 ***

message_size: 934 1432 8 0 917

message_arrival_time: Sun Jan 19 15:50:31 2014

create_time: Sun Jan 19 15:50:31 2014

named_attribute: rewrite_context=remote

named_attribute: sasl_method=LOGIN

named_attribute: sasl_username=kontakt@xxx.de

sender: gaf@xxx.de

named_attribute: log_client_name=93-120-196-244.dynamic.mts-nn.ru

named_attribute: log_client_address=93.120.196.244

named_attribute: log_client_port=3555

named_attribute: log_message_origin=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244]

named_attribute: log_helo_name=cisqyltfbn

named_attribute: log_protocol_name=ESMTP

named_attribute: client_name=93-120-196-244.dynamic.mts-nn.ru

named_attribute: reverse_client_name=93-120-196-244.dynamic.mts-nn.ru

named_attribute: client_address=93.120.196.244

named_attribute: client_port=3555

named_attribute: helo_name=cisqyltfbn

named_attribute: protocol_name=ESMTP

named_attribute: client_address_type=2

named_attribute: dsn_orig_rcpt=rfc822;tomnagy91@gmail.com

original_recipient: tomnagy91@gmail.com

done_recipient: tomnagy91@gmail.com

named_attribute: dsn_orig_rcpt=rfc822;hingkik@yahoo.com

original_recipient: hingkik@yahoo.com

recipient: hingkik@yahoo.com

named_attribute: dsn_orig_rcpt=rfc822;shaunmurray24@yahoo.com

original_recipient: shaunmurray24@yahoo.com

recipient: shaunmurray24@yahoo.com

named_attribute: dsn_orig_rcpt=rfc822;malcolmervin57@gmail.com

original_recipient: malcolmervin57@gmail.com

done_recipient: malcolmervin57@gmail.com

named_attribute: dsn_orig_rcpt=rfc822;blondie@yahoo.com

original_recipient: blondie@yahoo.com

recipient: blondie@yahoo.com

named_attribute: dsn_orig_rcpt=rfc822;o.ne...112.23.3.44.5566@gmail.com

original_recipient: o.ne...112.23.3.44.5566@gmail.com

done_recipient: o.ne...112.23.3.44.5566@gmail.com

named_attribute: dsn_orig_rcpt=rfc822;ramanadxn@gmail.com

original_recipient: ramanadxn@gmail.com

done_recipient: ramanadxn@gmail.com

named_attribute: dsn_orig_rcpt=rfc822;rich_miracle@rediffmail.com

original_recipient: rich_miracle@rediffmail.com

recipient: rich_miracle@rediffmail.com

*** MESSAGE CONTENTS active/5942C8948326 ***

X-No-Relay: not in my network

Received: from cisqyltfbn (93-120-196-244.dynamic.mts-nn.ru [93.120.196.244])

(Authenticated sender: kontakt@xxx.de)

by xxx.xxx.de (Postfix) with ESMTPA id 5942C8948326;

Sun, 19 Jan 2014 15:50:31 +0100 (CET)

Subject:

Date: Sun, 19 Jan 2014 15:36:27 -0700

From: "ny fyha" <gaf@xxx.de>

To: <tomnagy91@gmail.com>, <hingkik@yahoo.com>, <shaunmurray24@yahoo.com>, <malcolmervin57@gmail.com>, <blondie@yahoo.com>, <o.ne...112.23.3.44.5566@gmail.com>, <ramanadxn@gmail.com>, <rich_miracle@rediffmail.com>

Mime-Version: 1.0

Content-Type: text/plain; charset=iso-8859-5

Spam E-Mails erkennen und entfernen

Punkt 1: Die Mail-Queue begutachten

Punkt 2: Spam wurde über ein PHP Script verschickt

Punkt 3: Spam wurde über einen Benutzer verschickt

Das könnte dich auch interessieren …

Schreibe einen Kommentar Antworten abbrechen

adminForge in der Presse

Spam E-Mails erkennen und entfernen

Punkt 1: Die Mail-Queue begutachten

Punkt 2: Spam wurde über ein PHP Script verschickt

Punkt 3: Spam wurde über einen Benutzer verschickt

Das könnte dich auch interessieren …

SMTP Banner setzen Postfix / MailEnable

Postfix Header anonymisieren

Postfix Mail-Queue aufräumen

Schreibe einen Kommentar Antworten abbrechen

adminForge in der Presse

Popular Posts