1

Topic: My iRedMail mail server was published to the public internet; the logs suggest it is being abused to send spam

Newly deployed iRedMail mail server
Versions:
iRedMail    1.4.0
iRedAdmin-Pro    4.8 (MySQL)

Suspicious log:
ued_as: 4HWtng44j9zlcjX, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, X-Mailer: Microsoft_Outlook_Express_6.00.2600.0000, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,AXB_XMAILER_MIMEOLE_OL_024C2=0.001,CTE_8BIT_MISMATCH=0.836,FORGED_
Oct 17 03:42:12 vmailapp1 postfix/qmgr[4733]: 4HWqrx3tMnzlchx: removed
Oct 17 03:42:12 vmailapp1 postfix/qmgr[4733]: 4HWthp37NHzwsS1: from=<>, size=5132, nrcpt=1 (queue active)
Oct 17 03:42:12 vmailapp1 postfix/qmgr[4733]: 4HWqrx43nNzlXxP: removed
Oct 17 03:42:12 vmailapp1 postfix/qmgr[4733]: 4HWthp3Dn2zwsS0: from=<>, size=5107, nrcpt=1 (queue active)
Oct 17 03:42:12 vmailapp1 postfix/10025/smtpd[2924]: connect from localhost[127.0.0.1]
Oct 17 03:42:12 vmailapp1 postfix/10025/smtpd[2133]: 4HWtnc3rP1z101k: client=localhost[127.0.0.1]
Oct 17 03:42:12 vmailapp1 postfix/cleanup[5558]: 4HWtnc3rP1z101k: message-id=<4HWtnc3rP1z101k@vmailapp1.venusgroup.com.cn>
Oct 17 03:42:12 vmailapp1 postfix/10025/smtpd[2924]: 4HWtnc3wL8zlcj3: client=localhost[127.0.0.1]
Oct 17 03:42:12 vmailapp1 postfix/cleanup[5608]: 4HWtnc3wL8zlcj3: message-id=<4HWtnc3wL8zlcj3@vmailapp1.venusgroup.com.cn>
Oct 17 03:42:12 vmailapp1 amavis[5359]: (05359-14) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:41122 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_valiente96@hotmail.com>, (), Queue-ID: 4HWt3H2mN2zQqNX, mail_id: 9BfVPTNNr9aI, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc3rP1z101k, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, X-Mailer: Microsoft_Outlook_Express_6.00.2600.0000, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,AXB_XMAILER_MIMEOLE_OL_024C2=0.001,CTE_8BIT_MISMATCH=0.836,FORGED_MUA_OUTLOOK=2.785,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,FROM_MISSPACED=0.001,FROM_MISSP_EH_MATCH=0.001,FROM_MISSP_MSFT=0.001,FROM_MISSP_USER=0.001,FSL_CTYPE_WIN1251=0.001,FSL_NEW_HELO_USER=0.001,HK_NAME_MR_MRS=1,LOTS_OF_MONEY=0.001,MILLION_HUNDRED=1.645,MISSING_HEADERS=1.207,MISSING_MID=0.14,MONEY_FREEMAIL_REPTO=2.533,MONEY_FROM_MISSP=0.001,NSL_RCVD_FROM_USER=0.001,REPLYTO_WITHOUT_TO_CC=1.946,TO_NO_BRKTS_FROM_MSSP=2.499,URIBL_BLOCKED=0.001], auto...
Oct 17 03:42:12 vmailapp1 amavis[5359]: (05359-14) ...learn=no autolearn_force=no, autolearnscore=19.353, 3655 ms
Oct 17 03:42:12 vmailapp1 amavis[5359]: (05359-14) Passed SPAM, <cdonati@nicematin.fr> -> <josue_valiente96@hotmail.com>, Hits: 18.354, tag=2, tag2=6.2, kill=6.9, queued_as: 4HWtnc3rP1z101k, L/Y/Y/Y
Oct 17 03:42:12 vmailapp1 postfix/amavis/smtp[5291]: 4HWt3H2mN2zQqNX: to=<josue_valiente96@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1994, delays=361/1629/0/3.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4HWtnc3rP1z101k)
Oct 17 03:42:12 vmailapp1 amavis[5464]: (05464-09) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:40838 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_toek@hotmail.com>, (), Queue-ID: 4HWt350cvTzHg6V, mail_id: EAL2iiizhbEO, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc3wL8zlcj3, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, X-Mailer: Microsoft_Outlook_Express_6.00.2600.0000, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,AXB_XMAILER_MIMEOLE_OL_024C2=0.001,CTE_8BIT_MISMATCH=0.836,FORGED_MUA_OUTLOOK=2.785,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,FROM_MISSPACED=0.001,FROM_MISSP_EH_MATCH=0.001,FROM_MISSP_MSFT=0.001,FROM_MISSP_USER=0.001,FSL_CTYPE_WIN1251=0.001,FSL_NEW_HELO_USER=0.001,HK_NAME_MR_MRS=1,LOTS_OF_MONEY=0.001,MILLION_HUNDRED=1.645,MISSING_HEADERS=1.207,MISSING_MID=0.14,MONEY_FREEMAIL_REPTO=2.533,MONEY_FROM_MISSP=0.001,NSL_RCVD_FROM_USER=0.001,REPLYTO_WITHOUT_TO_CC=1.946,TO_NO_BRKTS_FROM_MSSP=2.499,URIBL_BLOCKED=0.001], autolearn=...
Oct 17 03:42:12 vmailapp1 amavis[5464]: (05464-09) ...no autolearn_force=no, autolearnscore=19.353, 22204 ms
Oct 17 03:42:12 vmailapp1 amavis[5464]: (05464-09) Passed SPAM, <cdonati@nicematin.fr> -> <josue_toek@hotmail.com>, Hits: 18.354, tag=2, tag2=6.2, kill=6.9, queued_as: 4HWtnc3wL8zlcj3, L/Y/Y/Y
Oct 17 03:42:12 vmailapp1 postfix/amavis/smtp[5462]: 4HWt350cvTzHg6V: to=<josue_toek@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2004, delays=369/1612/0/22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4HWtnc3wL8zlcj3)
Oct 17 03:42:12 vmailapp1 postfix/10025/smtpd[2560]: 4HWtnc49lczlchx: client=localhost[127.0.0.1]
Oct 17 03:42:12 vmailapp1 postfix/cleanup[5538]: 4HWtnc49lczlchx: message-id=<4HWtnc49lczlchx@vmailapp1.venusgroup.com.cn>
Oct 17 03:42:12 vmailapp1 amavis[5292]: (05292-11) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:41122 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_v14@hotmail.com>, (), Queue-ID: 4HWt3H2mN2zQqNX, mail_id: tx4zek1SMQC0, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc49lczlchx, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, X-Mailer: Microsoft_Outlook_Express_6.00.2600.0000, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,AXB_XMAILER_MIMEOLE_OL_024C2=0.001,CTE_8BIT_MISMATCH=0.836,FORGED_MUA_OUTLOOK=2.785,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,FROM_MISSPACED=0.001,FROM_MISSP_EH_MATCH=0.001,FROM_MISSP_MSFT=0.001,FROM_MISSP_USER=0.001,FSL_CTYPE_WIN1251=0.001,FSL_NEW_HELO_USER=0.001,HK_NAME_MR_MRS=1,LOTS_OF_MONEY=0.001,MILLION_HUNDRED=1.645,MISSING_HEADERS=1.207,MISSING_MID=0.14,MONEY_FREEMAIL_REPTO=2.533,MONEY_FROM_MISSP=0.001,NSL_RCVD_FROM_USER=0.001,REPLYTO_WITHOUT_TO_CC=1.946,TO_NO_BRKTS_FROM_MSSP=2.499,URIBL_BLOCKED=0.001], autolearn=n...
Oct 17 03:42:12 vmailapp1 amavis[5292]: (05292-11) ...o autolearn_force=no, autolearnscore=19.353, 8897 ms
Oct 17 03:42:12 vmailapp1 amavis[5292]: (05292-11) Passed SPAM, <cdonati@nicematin.fr> -> <josue_v14@hotmail.com>, Hits: 18.354, tag=2, tag2=6.2, kill=6.9, queued_as: 4HWtnc49lczlchx, L/Y/Y/Y
Oct 17 03:42:12 vmailapp1 postfix/amavis/smtp[5286]: 4HWt3H2mN2zQqNX: to=<josue_v14@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1994, delays=361/1624/0.06/8.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4HWtnc49lczlchx)
Oct 17 03:42:12 vmailapp1 postfix/10025/smtpd[1939]: 4HWtnc4zBnznn6j: client=localhost[127.0.0.1]
Oct 17 03:42:12 vmailapp1 postfix/cleanup[5636]: 4HWtnc4zBnznn6j: message-id=<4HWtnc4zBnznn6j@vmailapp1.venusgroup.com.cn>
Oct 17 03:42:12 vmailapp1 amavis[5103]: (05103-19) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:40838 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_to94@hotmail.com>, (), Queue-ID: 4HWt350cvTzHg6V, mail_id: DKMlM0gpwJOs, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc4zBnznn6j, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, X-Mailer: Microsoft_Outlook_Express_6.00.2600.0000, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,AXB_XMAILER_MIMEOLE_OL_024C2=0.001,CTE_8BIT_MISMATCH=0.836,FORGED_MUA_OUTLOOK=2.785,FREEMAIL_FORGED_REPLYTO=2.503,FREEMAIL_REPLYTO_END_DIGIT=0.25,FROM_MISSPACED=0.001,FROM_MISSP_EH_MATCH=0.001,FROM_MISSP_MSFT=0.001,FROM_MISSP_USER=0.001,FSL_CTYPE_WIN1251=0.001,FSL_NEW_HELO_USER=0.001,HK_NAME_MR_MRS=1,LOTS_OF_MONEY=0.001,MILLION_HUNDRED=1.645,MISSING_HEADERS=1.207,MISSING_MID=0.14,MONEY_FREEMAIL_REPTO=2.533,MONEY_FROM_MISSP=0.001,NSL_RCVD_FROM_USER=0.001,REPLYTO_WITHOUT_TO_CC=1.946,TO_NO_BRKTS_FROM_MSSP=2.499,URIBL_BLOCKED=0.001], autolearn=...
Oct 17 03:42:12 vmailapp1 amavis[5103]: (05103-19) ...no autolearn_force=no, autolearnscore=19.353, 23575 ms
Oct 17 03:42:12 vmailapp1 amavis[5103]: (05103-19) Passed SPAM, <cdonati@nicematin.fr> -> <josue_to94@hotmail.com>, Hits: 18.354, tag=2, tag2=6.2, kill=6.9, queued_as: 4HWtnc4zBnznn6j, L/Y/Y/Y
Oct 17 03:42:12 vmailapp1 postfix/amavis/smtp[5362]: 4HWt350cvTzHg6V: to=<josue_to94@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2004, delays=369/1611/0/24, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4HWtnc4zBnznn6j)



In the line above, Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:41122 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_valiente96@hotmail.com>,

neither the sending account cdonati@nicematin.fr nor the recipient josue_valiente96@hotmail.com is a local account of mine. Why is this happening? Is my mail service being abused by someone else?


Authentication settings in Postfix main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

----


2

Re: My iRedMail mail server was published to the public internet; the logs suggest it is being abused to send spam

It is possible that one account's password was cracked and is being used to send spam. Try running this script; if the top-ranked accounts have sent an unusually large number of messages, those are very likely the cracked ones:
https://github.com/iredmail/iRedMail/bl … ernames.sh

I suggest changing their passwords immediately, then holding all mail so that nothing is sent or received (command: postsuper -h ALL), then manually inspecting the messages in the queue, deleting the spam, and finally releasing the held messages back into the queue (command: postsuper -H ALL).
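The two posts above call for two checks: reading what the amavis lines in the question actually say about where the mail entered, and counting messages per authenticated login as the reply recommends. The following Python script is an added example, not iRedMail's count script nor Postfix or amavis code. It assumes that the bracketed address amavis logs ([10.20.8.41]) is the SMTP client as forwarded by Postfix, that ALL_TRUSTED means SpamAssassin saw only trusted relays, and that venusgroup.com.cn (taken from the hostname in the question) is the only hosted domain; the Postfix submission lines, the account names in them and the TEST-NET client addresses are constructed for illustration. The caveat it encodes: a spam message from a private address, sender and recipient both foreign, with ALL_TRUSTED and no SASL login on the Postfix side, points at a host relaying through mynetworks rather than, or in addition to, a cracked mailbox password, so both should be checked before the queue is released.

```python
"""Triage helpers for a suspected spam-relaying iRedMail/Postfix/amavis host.

Added example (not iRedMail, Postfix or amavis code). The first two amavis
lines are copied from the question (tests list shortened); everything else
in the samples is constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the domains this server hosts. Replace with your own list.
LOCAL_DOMAINS = {"venusgroup.com.cn"}

# Explicit RFC 1918 ranges. Python's ip.is_private also counts the
# documentation/TEST-NET ranges, which would misflag the constructed samples.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# amavis: "Passed|Blocked <type> {policy}, [client_ip]:port PROTO <from> -> <to>, ... Hits: n"
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<ctype>\S+) "
    r"\{(?P<policy>[^}]*)\}, \[(?P<ip>[^\]]+)\]:\d+ \S+ "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>.*?Hits: (?P<hits>-?[\d.]+)"
)
# Postfix smtpd for an authenticated client:
# "client=host[addr], sasl_method=PLAIN, sasl_username=user@domain"
SASL_RE = re.compile(r"client=(?P<client>\S+), sasl_method=\S+, sasl_username=(?P<user>\S+)")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_internal(ip) -> bool:
    return any(ip in net for net in RFC1918)


def classify(line: str, local_domains=LOCAL_DOMAINS):
    """Describe one amavis verdict line; None if the line is not one."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    ip = ip_address(m["ip"])
    flags = []
    if is_internal(ip):
        flags.append("private_client_ip")   # entered from an internal host
    if "ALL_TRUSTED=" in line:
        flags.append("all_trusted")         # SA saw only trusted relays (mynetworks-like)
    if domain_of(m["sender"]) not in local_domains and domain_of(m["rcpt"]) not in local_domains:
        flags.append("foreign_to_foreign")  # neither side is ours: the server is relaying
    if m["verdict"] == "Passed" and m["ctype"] == "SPAM":
        flags.append("spam_passed")         # tagged as spam but still delivered
    return {"ip": str(ip), "sender": m["sender"], "rcpt": m["rcpt"],
            "hits": float(m["hits"]), "policy": m["policy"], "flags": flags}


def analyze(lines, local_domains=LOCAL_DOMAINS):
    return [r for r in (classify(l, local_domains) for l in lines) if r]


def count_sasl_senders(lines):
    """Messages per SASL login: the check the reply's script performs."""
    return Counter(m["user"] for m in map(SASL_RE.search, lines) if m)


SAMPLE_AMAVIS = [
    'Oct 17 03:42:12 vmailapp1 amavis[5359]: (05359-14) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:41122 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_valiente96@hotmail.com>, (), Queue-ID: 4HWt3H2mN2zQqNX, mail_id: 9BfVPTNNr9aI, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc3rP1z101k, Subject: "Kindly get back to me", From: <cdonati@nicematin.fr>, helo=User, Tests: [ADVANCE_FEE_2_NEW_MONEY=1.999,ALL_TRUSTED=-1,...]',
    'Oct 17 03:42:12 vmailapp1 amavis[5464]: (05464-09) Passed SPAM {RelayedTaggedInbound}, [10.20.8.41]:40838 SMTP/ESMTP <cdonati@nicematin.fr> -> <josue_toek@hotmail.com>, (), Queue-ID: 4HWt350cvTzHg6V, mail_id: EAL2iiizhbEO, b: ra7wkhbXr, Hits: 18.354, size: 1573, queued_as: 4HWtnc3wL8zlcj3, Tests: [ALL_TRUSTED=-1,...]',
    # constructed: ordinary inbound mail from the internet to a local mailbox
    'Oct 17 04:00:00 vmailapp1 amavis[6000]: (06000-01) Passed CLEAN {RelayedInbound}, [198.51.100.7]:52100 ESMTP <alice@example.org> -> <bob@venusgroup.com.cn>, Queue-ID: 4HWxxx, mail_id: abc, Hits: -0.1, size: 900',
]
SAMPLE_POSTFIX = [  # constructed; hypothetical accounts, TEST-NET client addresses
    'Oct 17 02:10:01 vmailapp1 postfix/submission/smtpd[3001]: 4HWaaa: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=victim@venusgroup.com.cn',
    'Oct 17 02:10:02 vmailapp1 postfix/submission/smtpd[3001]: 4HWaab: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=victim@venusgroup.com.cn',
    'Oct 17 02:10:03 vmailapp1 postfix/submission/smtpd[3002]: 4HWaac: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@venusgroup.com.cn',
    'Oct 17 08:30:00 vmailapp1 postfix/submission/smtpd[3003]: 4HWaad: client=pc12.venusgroup.com.cn[10.20.8.12], sasl_method=PLAIN, sasl_username=staff@venusgroup.com.cn',
    'Oct 17 08:31:00 vmailapp1 postfix/smtpd[3004]: 4HWaae: client=unknown[10.20.8.41]',  # no SASL login at all
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_AMAVIS):
        print(f'{row["ip"]:>14} {row["sender"]} -> {row["rcpt"]} hits={row["hits"]} {",".join(row["flags"]) or "ok"}')
    for user, n in count_sasl_senders(SAMPLE_POSTFIX).most_common():
        print(f"{n:5d} {user}")
```

On a live box the two functions would be fed `/var/log/maillog` (or `mail.log`), after the date range of the incident, and the ranked SASL list would be compared with the amavis rows: logins with a suspicious volume get the reply's password reset, while amavis rows flagged private_client_ip and foreign_to_foreign with no matching SASL login send you to `postconf mynetworks` and to the host at that address.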