How to handle a cPanel email account that is sending spam
If you do not know how to handle it, you can stop Exim first, but note that this stops the mail server service too:
systemctl stop exim.service
Recently I found that one cPanel email account was sending spam,
but I did not know how to handle it.
I happened to come across a related article.
Usually spam arises in one of three ways:
1. An email account with a simple, easily guessed password is compromised.
2. A script uploaded to the server sends mail on a schedule.
3. A forum or newsletter script sends a large volume of email.
Solving the spam problem means:
* blocking the IP address if it is incoming spam (with iptables, csf or apf);
* changing the password, disabling mailing lists and scripts, or even suspending the account, if it is outgoing spam.
Case 1:
1) In a terminal, run
exim -bpc
which returned 160-163 (the number of messages in the queue).
2) Once you have a queue count, inspect the queued messages with
exim -bp | tail -10
e.g.:
0m 1.5K 1XV6jK0005iyRF <user@domain.com>
user@example.com
0m 1.5K 1XV85i000223B6 <user@domain.com>
user@example1.com
0m 1.5K 1XV9T10003ETD3 <user@domain.com>
user@example2.com
3) Check each message's header with the command 'exim -Mvh <message ID>'.
For example:
#exim -Mvh 1XV6jK0005iyRF
-------------------------------
1XV6jK0005iyRF-H
user 614 32007
<user@domain.com>
1411165962 0
-ident user
-received_protocol local
-body_linecount 23
-max_received_linelength 98
-auth_id user
-auth_sender user@domain.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
user@example.com

id 1XV6jK0005iyRF
for user@example.com; Sat, 20 Sep 2014 06:32:42 +0800
060T To: =?UTF-8?B?bXlybmFpdTM=?= <user@example.com>
099  Subject:
=?UTF-8?B?V2VsY29tZSB0byAiQXNpYSBQYWNpZmljIFBsYW5lIFNwb3R0ZXJzIEZvcnVt?=
=?UTF-8?B?Ig==?=
026F From: <user@domain.com>
030R Reply-To: <user@domain.com>
033* Return-Path: <user@domain.com>
028* Sender: <user@domain.com>
018  MIME-Version: 1.0
059I Message-ID: <593045bb511db542f2a9955da9509c67@pvollering.com>
038  Date: Sat, 20 Sep 2014 06:32:42 +0800
040  Content-Type: text/plain; charset=UTF-8
032  Content-Transfer-Encoding: 8bit
014  X-Priority: 3
026  X-MSMail-Priority: Normal
017  X-Mailer: phpBB3
018  X-MimeOLE: phpBB3
046  X-phpBB-Origin: phpbb://www.domain.com/phpbb/ucp.php
061  X-AntiAbuse: Board servername - =?UTF-8?B?cHZvbGxlci5uZXQ=?=
025  X-AntiAbuse: User_id - 1
049  X-AntiAbuse: Username - =?UTF-8?B?QW5vbnltb3Vz?=
038  X-AntiAbuse: User IP - xxx.xxx.xxx.xxx
At this point you can see auth_id user, the mailbox of the account that authenticated to send the message. It is likely that a PHP script under that account is sending the spam. Check the spool for such messages:
cd /var/spool/exim/input
egrep -R "X-PHP-Script" *
This lists the IDs of the queued messages whose headers carry that marker, i.e. the spam's headers. Then find the working directory the sending script ran from by counting the cwd= values in the Exim main log:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
e.g.:
/home/domain/public_html/phpbb
Looking in the directory /home/domain/public_html/phpbb, we can find the file that is sending the spam,
e.g. this file: www.domain.com/phpbb/ucp.php
e.g. change the file's ownership and permissions:
#cd /home/domain/public_html/phpbb
#chown root: ucp.php
#chmod 000 ucp.php
To see the IP addresses that hit this script through Apache, e.g.:
#grep "ucp.php" /home/domain/access-logs/domain.com | awk '{print $1}' | sort -n | uniq -c | sort -n
You should get back something similar to this:
10408 xxx.xxx.xxx.xxx
In fact, you can also skip the search and simply delete that email account.
Another case: running
exim -Mvh 1XV6jK0005iyRF
returned, among other things,
Subject:
Cron <user@ns1> ~/.ssh/.pibody -mc
which shows that a cron job had been planted; the file is ~user/.ssh/.pibody, kept hidden in the user's .ssh directory. List the user's crontab:
crontab -l -u user
* * * * * /home/user/Linux_amd64 > /dev/null 2>&1
*/1 * * * * ~/.ssh/.pibody -mc
Go to that user's home directory and run
ls -la
then delete the Linux_amd64 and .ssh/.pibody files.
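As an added example (not from the original post or the referenced articles), a small Python parser for the spool -H record that exim -Mvh prints, which flags the two patterns described above: an X-PHP-Script header pointing at a web script, and a Subject from a planted cron job, plus the auth_id of a locally authenticated sender. The sample record, its addresses and the 203.0.113.9 address are constructed; the header byte lengths are placeholders.

```python
import re

# Constructed Exim spool "-H" sample modelled on the exim -Mvh output above (placeholder values).
SAMPLE_H = """\
1XV6jK0005iyRF-H
user 614 32007
<user@domain.com>
1411165962 0
-received_protocol local
-auth_id user
XX
1
victim@example.com

099  Subject: =?UTF-8?B?V2VsY29tZQ==?=
 =?UTF-8?B?Ig==?=
047  X-PHP-Script: www.domain.com/phpbb/ucp.php for 203.0.113.9
"""

# A header record starts with its byte length, a flag char (space if none) and a space.
HEADER_RE = re.compile(r"^\d{3,}[ FTRIS*B] ")

def parse_spool_header(text):
    lines = text.splitlines()
    msg = {"id": lines[0].rsplit("-H", 1)[0], "sender": lines[2].strip("<>"),
           "options": {}, "headers": {}}
    i, current = 4, None
    while lines[i].startswith("-"):            # "-name [value]" option lines
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value
        i += 1
    while not lines[i].isdigit():              # skip the non-recipient tree
        i += 1
    msg["recipients"] = lines[i + 1:i + 1 + int(lines[i])]
    for line in lines[i + 2 + len(msg["recipients"]):]:   # skip count + blank line
        m = HEADER_RE.match(line)
        if m:
            current, _, value = line[m.end():].partition(":")
            msg["headers"].setdefault(current, []).append(value.strip())
        elif current:                          # folded continuation line
            msg["headers"][current][-1] += " " + line.strip()
    return msg

def spam_indicators(msg):
    reasons = ["php-script:" + s for s in msg["headers"].get("X-PHP-Script", [])]
    if " ".join(msg["headers"].get("Subject", [])).startswith("Cron <"):
        reasons.append("cron-job")             # mail sent by a planted cron job
    if msg["options"].get("received_protocol") == "local" and "auth_id" in msg["options"]:
        reasons.append("local-auth:" + msg["options"]["auth_id"])
    return reasons
```

Run it over the files in /var/spool/exim/input (the -H ones) to triage a large queue instead of reading each exim -Mvh dump by hand.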
Source: NetYea Web Design
References:
https://www.supportpro.com/blog/fix-spamming-in-cpanel-exim-server/
https://www.2daygeek.com/start-stop-restart-enable-reload-exim-mail-server-service-in-linux/