View full version: [Repost] Mail Server [postfix] handling a compromised user account

chun 2013-11-5 10:08

[Repost] Mail Server [postfix] handling a compromised user account

<a href="http://blog.xuite.net/tolarku/blog/81551578-Mail+Server+%5Bpostfix%5D+%E4%BD%BF%E7%94%A8%E8%80%85%E5%B8%B3%E8%99%9F%E9%81%AD%E5%8F%97%E7%9B%9C%E7%94%A8+-+%E4%BA%8B%E4%BB%B6%E8%A8%98%E9%8C%84">http://blog.xuite.net/tolarku/blog/81551578-Mail+Server+%5Bpostfix%5D+%E4%BD%BF%E7%94%A8%E8%80%85%E5%B8%B3%E8%99%9F%E9%81%AD%E5%8F%97%E7%9B%9C%E7%94%A8+-+%E4%BA%8B%E4%BB%B6%E8%A8%98%E9%8C%84</a>
<div>
<p>Phishing mail is simply too plentiful to block completely, so users still occasionally receive phishing messages. They have gone from the early English-only phishing mails to today's mix of Chinese and English, and the sending hosts (sources) have progressed from odd foreign IPs to domestic IPs (mostly IPs belonging to academic institutions). Does this count as a kind of APT evolution?</p>
<p>With continuous monitoring and account lockouts, most users have learned their lesson, but some still fall for it...... Below is a brief record of the attack patterns.</p>
<p>First, let's look at <strong>how a mail server receives mail</strong>!!</p>
<p><a href="http://photo.xuite.net/_pic/tolarku/1585902/260952978_l.jpg/redir" target="_blank"><img border="0" src="http://6.share.photo.xuite.net/tolarku/1698780/1585902/260952978_o.jpg" alt="Postfix mail receiving flow"></a></p>
<p>Brief descriptions of each mail program from the manual pages</p>
<ul>
<li><strong>smtpd: Postfix SMTP server</strong>, Postfix daemon. The SMTP server accepts network connection requests and performs zero or more SMTP transactions per connection. Each received message is piped through the cleanup(8) daemon, and is placed into the incoming queue as one single queue file. For this mode of operation, the program expects to be run from the master(8) process manager. The service program that accepts incoming mail from the outside on port 25.</li>
<li><strong>pickup: Postfix local mail pickup</strong>. The pickup(8) daemon waits for hints that new mail has been dropped into the maildrop directory, and feeds it into the cleanup(8) daemon. Accepts mail submitted by local users.</li>
<li><strong>cleanup: canonicalize and enqueue Postfix message.</strong> The cleanup(8) daemon processes inbound mail, inserts it into the incoming mail queue, and informs the queue manager of its arrival. Processes and queues incoming mail in order according to the rules defined in main.cf.</li>
<li><strong>trivial-rewrite: Postfix address rewriting and resolving daemon.</strong> Rewrite an address to standard form, according to the address rewriting context. Rewrites recipient addresses into a normalized form.</li>
<li><strong>qmgr: Postfix queue manager.</strong> The qmgr(8) daemon awaits the arrival of incoming mail and arranges for its delivery via Postfix delivery processes. The actual mail routing strategy is delegated to the trivial-rewrite(8) daemon. The most important queue-handling program in Postfix.</li>
</ul>
<hr>
<p>Mail Queues / mail spool directories</p>
<ul>
<li><strong>incoming</strong>: Inbound mail from the network, or mail picked up by the local pickup(8) daemon from the maildrop directory. Mail collected by pickup is first placed in the incoming directory (stored as binary files; postcat can be used to view the message contents). Mail that the queue manager has not yet been able to process is also held temporarily in this directory, /var/spool/postfix/incoming.</li>
<li><strong>active</strong>: Messages that the queue manager has opened for delivery. Only a limited number of messages is allowed to enter the active queue (leaky bucket strategy, for a fixed delivery rate). Mail that is about to be sent is placed in this directory.</li>
<li><strong>deferred</strong>: Mail that could not be delivered upon the first attempt. The queue manager implements exponential backoff by doubling the time between delivery attempts. Mail that failed delivery is placed in this directory; after each failure an exponential backoff computes how long to wait, and the next delivery attempt is made only once that timer has run out.<br>To clear mail from this directory, see "<a href="http://blog.xuite.net/tolarku/blog/58439089">Postfix Mail Queue - some simple management commands</a>", but deleting all files in this directory at once is not recommended unless you know that none of the mail is wanted.</li>
<li><strong>corrupt</strong>: Unreadable or damaged queue files are moved here for inspection. Damaged or unreadable mail.</li>
<li><strong>hold</strong>: Messages that are kept "on hold" are kept here until someone sets them free. An administrator can use <code>/usr/sbin/postsuper -h queue_id</code> to hold a message so that it is not sent; the message is then placed temporarily in this directory.</li>
<li><strong>bounce</strong>: Per-recipient status information about why mail is bounced. These files are maintained by the bounce(8) daemon.</li>
<li><strong>defer</strong>: Per-recipient status information about why mail is delayed. These files are maintained by the defer(8) daemon.</li>
<li><strong>trace</strong>: Per-recipient status information as requested with the Postfix "sendmail -v" or "sendmail -bv" command. These files are maintained by the trace(8) daemon.</li>
</ul>
<hr>
<p>Since this post is supposed to be an "incident record", why does it open with a pile of descriptions of mail programs, folders and flows? Bear with me and read on....</p>
<p><strong>Scenario 1: a user believes a phishing mail and hands their credentials to someone else.</strong> From my observation~~</p>
<p>## Within less than a day the account is used to send spam. Because I cap the number of recipients per message, several hundred spam messages may be sent from my mail server in an instant.</p>
<p><strong>Scenario 2: if Scenario 1 is not handled in time, after one night there will be roughly several thousand to tens of thousands of messages queued, waiting to be sent as spam.</strong></p>
<p>## By this time the faster-reacting mail servers have already blocked my mail server and no longer accept mail from my host. In a situation like this you need to use</p>
<p><code>mailq | grep "xxx@123.com" | cut -d " " -f1 | cut -d'*' -f1 | postsuper -d -</code><br>or<br><code>/usr/sbin/postqueue -p | grep "xxx@123.com" | cut -d " " -f1 | cut -d"*" -f1 | /usr/sbin/postsuper -d -</code></p>
<p>to purge the messages from a specific sender; naturally you must lock that user's account at the same time.</p>
<p><strong>Scenario 3: in Scenario 2 the user account has been locked and the mail queue has been purged, yet the attacker keeps using it to send spam.</strong></p>
<p>## This is because the smtpd SASL authentication or the webmail session has not yet expired; you can resolve it simply by restarting postfix / sendmail.</p>
<p><strong>Scenario 4: one time I found messages in the mail queue sent from senders AA@domain, AX@domain .... ZC@domain.</strong></p>
<p>## A user's account had been compromised; after passing SASL authentication, the attacker forged the sender address (previously a single sender was used; this has evolved to a program spoofing senders, with each spoofed XX@domain sending exactly 50 messages, no more and no less, to reduce the chance of detection).</p>
<p>## Handling this is much more complicated, because some of the XX@domain accounts really exist, so the messages from non-existent senders had to be purged individually. That time the mail queue held almost 100,000 messages.</p>
<p><strong>Scenario 5: similar to Scenario 2, except that it was discovered very late and the system load had already passed 100, at 102.x (observed with the <code>w</code> command; normally the load is below 1, only 0.1x).</strong></p>
<p>## Using <code>/usr/sbin/postqueue -p | grep "xxx@123.com" | cut -d " " -f1 | cut -d"*" -f1 | /usr/sbin/postsuper -d -</code> to purge a specific user's mail, this one-liner ran for almost 6 hours clearing the mail queue.</p>
<p>## For one thing the CPU load was already maxed out; for another, the mail was so massive that it was not stuck only in /var/spool/postfix/active: even /var/spool/postfix/incoming held over a million messages, so clearing active alone is not enough, since messages in incoming flow in again and those in deferred get retried.</p>
<p>## In the end my approach was to first purge the deferred messages not from the current day with <code>find /var/spool/postfix/deferred -type f -mtime +1 -exec rm -f \{\} \;</code>; to avoid deleting legitimate mail by mistake you must filter and delete only the specific user's messages.</p>
<p>When a user account is compromised, the first step is of course to lock the account, block the sending IP, or restart the mail service (postfix / sendmail); then clear the active mail queue and the messages that have been undeliverable for several days; if the situation is severe you also need to examine the messages queued in the incoming directory.</p>
<p>A friend suggested "pull the SASL authentications out of the log and find the mail queue IDs corresponding to the sasl username", then delete using that method. I'll find time to write a shell script to try it.</p>
</div>
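An added example (not from the original post or its author) of the friend's suggestion in the closing paragraph, and of a check for the Scenario 4 pattern (one authenticated account submitting mail under many forged envelope senders). It assumes Postfix's default syslog line format; the hostnames, usernames, client IPs and queue IDs in the sample log are constructed.

```shell
#!/bin/sh
# Correlate SASL-authenticated smtpd sessions with queue IDs, so the queue can
# be purged by the *authenticated* username rather than by the forged sender.
# Assumes the default Postfix syslog format (month day time host program[pid]: qid: ...).

# Constructed sample log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Nov  5 09:12:01 mx postfix/smtpd[2101]: 3A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=victim
Nov  5 09:12:01 mx postfix/qmgr[1800]: 3A1B2C3D4E: from=<AA@example.edu>, size=4102, nrcpt=50 (queue active)
Nov  5 09:12:03 mx postfix/smtpd[2102]: 9F8E7D6C5B: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=victim
Nov  5 09:12:03 mx postfix/qmgr[1800]: 9F8E7D6C5B: from=<AX@example.edu>, size=4099, nrcpt=50 (queue active)
Nov  5 09:12:05 mx postfix/smtpd[2103]: 1122334455: client=desk-12.example.edu[192.0.2.15], sasl_method=LOGIN, sasl_username=alice
Nov  5 09:12:05 mx postfix/qmgr[1800]: 1122334455: from=<alice@example.edu>, size=2200, nrcpt=1 (queue active)
Nov  5 09:12:07 mx postfix/smtpd[2104]: 66778899AA: client=mail.partner.example[198.51.100.4]
EOF
)

# Print the queue ID of every message submitted in a session authenticated as $1.
# Log is read from stdin; the username is compared exactly (no regex on user input).
queue_ids_for_sasl_user() {
    awk -v user="$1" '
        $5 ~ /^postfix\/smtpd\[/ && match($0, /sasl_username=[^,]+/) &&
        substr($0, RSTART + 14, RLENGTH - 14) == user {
            id = $6; sub(/:$/, "", id); print id
        }'
}

# Print "<sasl_username> <number of distinct envelope senders>" per account.
# Joins smtpd lines (qid -> user) with qmgr lines (qid -> from=<...>).
# One account behind many From addresses is the Scenario 4 pattern.
senders_per_sasl_user() {
    awk '
        $5 ~ /^postfix\/smtpd\[/ && match($0, /sasl_username=[^,]+/) {
            id = $6; sub(/:$/, "", id); user[id] = substr($0, RSTART + 14, RLENGTH - 14)
        }
        $5 ~ /^postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
            id = $6; sub(/:$/, "", id); from[id] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        END {
            for (id in user) if (id in from) seen[user[id], from[id]] = 1
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (u in n) print u, n[u]
        }'
}

# Stand-alone demo on the sample. On a real server, after locking the account
# as the post describes, the purge would be:
#   queue_ids_for_sasl_user "$user" < /var/log/maillog | /usr/sbin/postsuper -d -
printf '%s\n' "$SAMPLE_LOG" | senders_per_sasl_user
printf '%s\n' "$SAMPLE_LOG" | queue_ids_for_sasl_user victim
```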