kck
Good day, everyone! We've run into a problem: messages have started showing up in our incoming mail that were supposedly sent from our own addresses (NickName@abc.ru), although that address does not actually exist in our domain. Judging by the log, the sender initially authenticates under a different name (waild20@afes.com), and at the moment it finds a live mailbox in our domain (info@abc.ru) the addressee changes to NickName@abc.ru. Please comment. I just can't understand what is happening and how this is possible. Thank you. The log is below:

Code:
Mon 2013-04-01 05:35:01: ----------
Mon 2013-04-01 05:34:49: Session 28321; child 1
Mon 2013-04-01 05:34:49: Accepting SMTP connection from [190.71.137.196:24357] to [1.1.1.1:25]
Mon 2013-04-01 05:34:49: --> 220 mail.abc.ru ESMTP MDaemon 12.5.3; Mon, 01 Apr 2013 05:34:49 +0400
Mon 2013-04-01 05:34:49: <-- EHLO 190-71-137-196.epm.net.co
Mon 2013-04-01 05:34:49: --> 250-mail.abc.ru Hello 190-71-137-196.epm.net.co, pleased to meet you
Mon 2013-04-01 05:34:49: --> 250-ETRN
Mon 2013-04-01 05:34:49: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Mon 2013-04-01 05:34:49: --> 250-8BITMIME
Mon 2013-04-01 05:34:49: --> 250 SIZE
Mon 2013-04-01 05:34:49: <-- MAIL FROM: <waild20@afes.com> BODY=7BIT
Mon 2013-04-01 05:34:49: Performing PTR lookup (196.137.71.190.IN-ADDR.ARPA)
Mon 2013-04-01 05:34:49: * D=196.137.71.190.IN-ADDR.ARPA TTL=(66) PTR=[adsl190-71-137-196.epm.net.co]
Mon 2013-04-01 05:34:49: * Gathering A records...
Mon 2013-04-01 05:34:49: * D=adsl190-71-137-196.epm.net.co TTL=(9) A=[190.0.0.1]
Mon 2013-04-01 05:34:49: ---- End PTR results
Mon 2013-04-01 05:34:49: Performing IP lookup (190-71-137-196.epm.net.co)
Mon 2013-04-01 05:34:50: * D=190-71-137-196.epm.net.co TTL=(60) A=[190.0.0.1]
Mon 2013-04-01 05:34:50: ---- End IP lookup results
Mon 2013-04-01 05:34:50: Performing IP lookup (afes.com)
Mon 2013-04-01 05:34:50: * D=afes.com TTL=(185) A=[38.80.128.210]
Mon 2013-04-01 05:34:50: * P=010 S=000 D=afes.com TTL=(185) MX=[mail.afes.com]
Mon 2013-04-01 05:34:50: * D=afes.com TTL=(185) A=[38.80.128.210]
Mon 2013-04-01 05:34:50: ---- End IP lookup results
Mon 2013-04-01 05:34:50: Performing SPF lookup (afes.com / 190.71.137.196)
Mon 2013-04-01 05:34:50: * Policy: v=spf1 ip4:38.80.128.208/28 +all
Mon 2013-04-01 05:34:50: * Evaluating ip4:38.80.128.208/28: no match
Mon 2013-04-01 05:34:50: * Evaluating +all: match
Mon 2013-04-01 05:34:50: * Result: pass
Mon 2013-04-01 05:34:50: ---- End SPF results
Mon 2013-04-01 05:34:50: --> 250 <waild20@afes.com>, Sender ok
Mon 2013-04-01 05:34:50: <-- RCPT TO:<NickName@abc.ru>
Mon 2013-04-01 05:34:50: Отправитель сделал попытку доставить сообщение на неизвестный адрес
Mon 2013-04-01 05:34:50: --> 550 <NickName@abc.ru>, Recipient unknown
Mon 2013-04-01 05:34:50: <-- RCPT TO:<iamialgiam@abc.ru>
Mon 2013-04-01 05:34:50: Отправитель сделал попытку доставить сообщение на неизвестный адрес
Mon 2013-04-01 05:34:50: --> 550 <iamialgiam@abc.ru>, Recipient unknown
Mon 2013-04-01 05:34:51: <-- RCPT TO:<info@abc.ru>
Mon 2013-04-01 05:34:51: Производится поиск DNS-BL (190.71.137.196 – соединение с IP)
Mon 2013-04-01 05:34:51: * zen.spamhaus.org - прошло
Mon 2013-04-01 05:34:51: ---- Конечные результаты DNS-BL
Mon 2013-04-01 05:34:51: --> 250 <info@abc.ru>, Recipient ok
Mon 2013-04-01 05:34:51: <-- DATA
Mon 2013-04-01 05:34:51: Creating temp file (SMTP): e:\mdaemon\queues\temp\md50000014462.tmp
Mon 2013-04-01 05:34:51: --> 354 Enter mail, end with <CRLF>.<CRLF>
Mon 2013-04-01 05:34:51: Message size: 635 bytes
Mon 2013-04-01 05:34:51: Performing VBR certification (Domain: afes.com, Auth: SPF)
Mon 2013-04-01 05:34:51: * File: e:\mdaemon\queues\temp\md50000014462.tmp
Mon 2013-04-01 05:34:51: * Message-ID: <5158E2C4.8040705@abc.ru>
Mon 2013-04-01 05:34:51: * Certifier (trusted): vbr.emailcertification.org ...
Mon 2013-04-01 05:34:51: * Querying: afes.com._vouch.vbr.emailcertification.org ...
Mon 2013-04-01 05:34:52: * Certifier does not recognize that domain
Mon 2013-04-01 05:34:52: * Certification result: message not certified
Mon 2013-04-01 05:34:52: ---- End VBR results
Mon 2013-04-01 05:34:52: Performing DKIM lookup
Mon 2013-04-01 05:34:52: * File: e:\mdaemon\queues\temp\md50000014462.tmp
Mon 2013-04-01 05:34:52: * Message-ID: 5158E2C4.8040705@abc.ru
Mon 2013-04-01 05:34:52: * Result: neutral
Mon 2013-04-01 05:34:52: ---- End DKIM results
Mon 2013-04-01 05:34:52: Performing DomainKeys lookup (Sender: NickName@abc.ru)
Mon 2013-04-01 05:34:52: * File: e:\mdaemon\queues\temp\md50000014462.tmp
Mon 2013-04-01 05:34:52: * Message-ID: 5158E2C4.8040705@abc.ru
Mon 2013-04-01 05:34:52: * Querying for policy: abc.ru
Mon 2013-04-01 05:34:52: * Querying: _domainkey.abc.ru ...
Mon 2013-04-01 05:34:52: * DNS: * Сервер имен сообщает, что имя домена не опознано
Mon 2013-04-01 05:34:52: * Result: neutral
Mon 2013-04-01 05:34:52: ---- End DomainKeys results
Mon 2013-04-01 05:34:52: Passing message through AntiVirus (Size: 635)...
Mon 2013-04-01 05:34:52: * Сообщение чистое (вирусов не обнаружено)
Mon 2013-04-01 05:34:52: ---- End AntiVirus results
Mon 2013-04-01 05:34:52: Passing message through Spam Filter (Size: 635)...
Mon 2013-04-01 05:35:02: * 0.0 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
Mon 2013-04-01 05:35:02: * (Split IP)
Mon 2013-04-01 05:35:02: * 0.0 TVD_RCVD_IP TVD_RCVD_IP
Mon 2013-04-01 05:35:02: * 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60%
Mon 2013-04-01 05:35:02: * [score: 0.5000]
Mon 2013-04-01 05:35:02: * 1.0 RDNS_DYNAMIC Delivered to internal network by host with
Mon 2013-04-01 05:35:02: * dynamic-looking rDNS
Mon 2013-04-01 05:35:02: * 3.6 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
Mon 2013-04-01 05:35:02: * 2)
Mon 2013-04-01 05:35:02: ---- End SpamAssassin results
Mon 2013-04-01 05:35:02: Spam Filter score/req: 6.20/12.0
Mon 2013-04-01 05:35:02: Создание сообщения successful: e:\mdaemon\queues\inbound\md50000121681.msg
Mon 2013-04-01 05:35:02: --> 250 Ok, message saved <Message-ID: 5158E2C4.8040705@abc.ru>
Mon 2013-04-01 05:35:02: <-- QUIT
Mon 2013-04-01 05:35:02: --> 221 See ya in cyberspace
Mon 2013-04-01 05:35:02: SMTP session successful (Bytes in/out: 811/511)
Mon 2013-04-01 05:35:02: ----------
Mon 2013-04-01 05:35:02: Performing SPF lookup (afes.com / 190.71.137.196)
Mon 2013-04-01 05:35:02: * Policy: v=spf1 ip4:38.80.128.208/28 +all
Mon 2013-04-01 05:35:02: * Evaluating ip4:38.80.128.208/28: no match
Mon 2013-04-01 05:35:02: * Evaluating +all: match
Mon 2013-04-01 05:35:02: * Result: pass
Mon 2013-04-01 05:35:02: ----------
Mon 2013-04-01 05:35:02: (SMTP) Spam Filter processing e:\mdaemon\queues\temp\md50000014462.tmp...
Mon 2013-04-01 05:35:02: * Message return-path: waild20@afes.com
Mon 2013-04-01 05:35:02: * Message ID: 5158E2C4.8040705@abc.ru
Mon 2013-04-01 05:35:02: Start SpamAssassin results
Mon 2013-04-01 05:35:02: 06.20 points, 5.0 required;
Mon 2013-04-01 05:35:02: * 0.0 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
Mon 2013-04-01 05:35:02: * (Split IP)
Mon 2013-04-01 05:35:02: * 0.0 TVD_RCVD_IP TVD_RCVD_IP
Mon 2013-04-01 05:35:02: * 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60%
Mon 2013-04-01 05:35:02: * [score: 0.5000]
Mon 2013-04-01 05:35:02: * 1.0 RDNS_DYNAMIC Delivered to internal network by host with
Mon 2013-04-01 05:35:02: * dynamic-looking rDNS
Mon 2013-04-01 05:35:02: * 3.6 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
Mon 2013-04-01 05:35:02: * 2)
Mon 2013-04-01 05:35:02: End SpamAssassin results
Mon 2013-04-01 05:35:02: ----------
Mon 2013-04-01 05:35:07: SecurityPlus AntiVirus processing e:\mdaemon\queues\inbound\md50000121681.msg...
Mon 2013-04-01 05:35:07: * Message return-path:
Mon 2013-04-01 05:35:07: * Message from: NickName@abc.ru
Mon 2013-04-01 05:35:07: * Message to: NickName@abc.ru
Mon 2013-04-01 05:35:07: * Message subject: World baddest hackers join us here
Mon 2013-04-01 05:35:07: * Message ID: <5158E2C4.8040705@abc.ru>
Mon 2013-04-01 05:35:07: Start SecurityPlus AntiVirus results
Mon 2013-04-01 05:35:07: * Total attachments scanned : 1 (including multipart/alternatives and message body)
Mon 2013-04-01 05:35:07: * Total attachments infected : 0
Mon 2013-04-01 05:35:07: * Total attachments disinfected: 0
Mon 2013-04-01 05:35:07: * Total errors while scanning : 0
Mon 2013-04-01 05:35:07: * Total attachments removed : 0
Mon 2013-04-01 05:35:07: End of SecurityPlus AntiVirus results
Mon 2013-04-01 05:35:07: ----------
Mon 2013-04-01 05:35:07: Content Filter processing e:\mdaemon\queues\inbound\md50000121681.msg...
Mon 2013-04-01 05:35:07: * Message return-path:
Mon 2013-04-01 05:35:07: * Message from: NickName@abc.ru
Mon 2013-04-01 05:35:07: * Message to: NickName@abc.ru
Mon 2013-04-01 05:35:07: * Message subject: World baddest hackers join us here
Mon 2013-04-01 05:35:07: * Message ID: <5158E2C4.8040705@abc.ru>
Mon 2013-04-01 05:35:07: Start Content Filter results
Mon 2013-04-01 05:35:07: * Matched 0 of 4 active rules
Mon 2013-04-01 05:35:07: End of Content Filter results
Mon 2013-04-01 05:35:07: ----------
Mon 2013-04-01 05:35:07: Routing message (inbound queue): e:\mdaemon\queues\inbound\md50000121681.msg
Mon 2013-04-01 05:35:07: * Применение фильтров контента/спама/вирусов к входящему письму списка рассылки
Mon 2013-04-01 05:35:07: * From: NickName@abc.ru; Recipient: user1@abc.ru; Size: 2415; Message: e:\mdaemon\queues\local\pd80000199965.msg
Mon 2013-04-01 05:35:07: * From: NickName@abc.ru; Recipient: user2@abc.ru; Size: 2419; Message: e:\mdaemon\queues\local\pd80000199966.msg
Mon 2013-04-01 05:35:07: * From: NickName@abc.ru; Recipient: user3@abc.ru; Size: 2413; Message: e:\mdaemon\queues\local\pd80000199967.msg
Mon 2013-04-01 05:35:07: * Subject: World baddest hackers join us here
Mon 2013-04-01 05:35:07: * Message-ID: 5158E2C4.8040705@abc.ru
Mon 2013-04-01 05:35:07: ----------
Mon 2013-04-01 05:35:08: Routing message (local queue): e:\mdaemon\queues\local\pd80000199965.msg
Mon 2013-04-01 05:35:08: * From: NickName@abc.ru; Recipient: user1@abc.ru
Mon 2013-04-01 05:35:08: * Subject: [***SPAM*** Score/Req: 06.20/5.0] [info] World baddest hackers join us here
Mon 2013-04-01 05:35:08: * Message-ID: <MDAEMON-F201304010535.AA3507195pd80000199965@abc.ru>
Mon 2013-04-01 05:35:08: * Размер: 2415; Сообщение: a:\md\users\abc.ru\user1\md50000013398.msg
Mon 2013-04-01 05:35:08: ----------
Mon 2013-04-01 05:35:08: Routing message (local queue): e:\mdaemon\queues\local\pd80000199966.msg
Mon 2013-04-01 05:35:08: * From: NickName@abc.ru; Recipient: user2@abc.ru
Mon 2013-04-01 05:35:08: * Subject: [***SPAM*** Score/Req: 06.20/5.0] [info] World baddest hackers join us here
Mon 2013-04-01 05:35:08: * Message-ID: <MDAEMON-F201304010535.AA3507205pd80000199966@abc.ru>
Mon 2013-04-01 05:35:08: * Размер: 2419; Сообщение: a:\md\users\abc.ru\user2\md50000014007.msg
Mon 2013-04-01 05:35:08: ----------
Mon 2013-04-01 05:35:08: Routing message (local queue): e:\mdaemon\queues\local\pd80000199967.msg
Mon 2013-04-01 05:35:08: * From: NickName@abc.ru; Recipient: user3@abc.ru
Mon 2013-04-01 05:35:08: * Subject: [***SPAM*** Score/Req: 06.20/5.0] [info] World baddest hackers join us here
Mon 2013-04-01 05:35:08: * Message-ID: <MDAEMON-F201304010535.AA3507211pd80000199967@abc.ru>
Mon 2013-04-01 05:35:08: * Размер: 2413; Сообщение: a:\md\users\abc.ru\user3\md50000014025.msg
Mon 2013-04-01 05:35:08: ----------
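
Added example, not part of the original post and not MDaemon code: a small log check that flags the two things visible in the session above, an SPF pass produced only by an "all" term in the sender's policy, and a header From in the local domain arriving with a foreign envelope sender (MAIL FROM). The function name, the finding labels and the line patterns are assumptions drawn only from the log lines shown in the post.

```python
import re

# Abridged lines from the session log in the post above (timestamps dropped).
SAMPLE_LOG = """\
<-- MAIL FROM: <waild20@afes.com> BODY=7BIT
Performing SPF lookup (afes.com / 190.71.137.196)
* Policy: v=spf1 ip4:38.80.128.208/28 +all
* Evaluating ip4:38.80.128.208/28: no match
* Evaluating +all: match
* Result: pass
<-- RCPT TO:<info@abc.ru>
* Message from: NickName@abc.ru
""".splitlines()

MAIL_FROM = re.compile(r"<-- MAIL FROM:\s*<([^>]*)>", re.I)
SPF_POLICY = re.compile(r"\*\s+Policy:\s*(v=spf1\b.*)", re.I)
HDR_FROM = re.compile(r"\*\s+Message from:\s*(\S+)", re.I)


def domain(addr):
    """Return the lowercased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyze_session(lines, local_domain):
    """Return (findings, envelope_sender, header_from) for one session's log."""
    envelope = header = None
    findings = []
    for line in lines:
        if m := MAIL_FROM.search(line):
            envelope = m.group(1)
        elif m := SPF_POLICY.search(line):
            # "+all" (or bare "all") authorises every IP, so a pass proves nothing.
            terms = m.group(1).lower().split()
            if ("+all" in terms or "all" in terms) and "spf-pass-all" not in findings:
                findings.append("spf-pass-all")
        elif (m := HDR_FROM.search(line)) and header is None:
            header = m.group(1)
    if envelope is not None and header is not None:
        # SPF checked the envelope domain; the header From is what users see.
        if domain(header) == local_domain.lower() and domain(envelope) != domain(header):
            findings.append("local-header-from-foreign-envelope")
    return findings, envelope, header


if __name__ == "__main__":
    print(analyze_session(SAMPLE_LOG, "abc.ru"))
```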