Finding the mail account that got the server blacklisted

Today I received an email from a customer of one of our resellers saying that when they sent mail they got the following error:
[208.xxx.xxx.180] refused to talk to me: 421 4.7.0 xx.hostname.com closing connection
So from the customer's mail server I telnetted to port 25 on the remote host, with this result:
[root@mail log]# telnet 208.xxx.xxx.180 25
Trying 208.xxx.xxx.180…
Connected to xclxr-h.maxxxx.com (208.xxx.xxx.180).
Escape character is ‘^]’.
421 4.7.0 rlxx.srx.xxx.com closing connection
Connection closed by foreign host.
[root@mail log]#
The telnet session was closed within a few seconds of connecting, while telnetting to the same IP from a mail server on a different IP worked normally, so the remote system (208.xxx.xxx.180) was evidently filtering the customer's IP.
So I checked the mail server's IP at http://www.dnsbl.info to see whether it had been blacklisted, and indeed it had. But why was it listed? Unless the root cause is fixed, the IP will be listed again before long even if we request removal from every list now.

On analysis, the IP is configured directly on the mail server and is used only by the mail system, not for NAT, so an infected PC on the internal network could be ruled out. The most likely explanation was that a mail account's password had been cracked and a spammer was using the compromised account to send spam. So I went to http://psbl.org/ and looked up "Recent received spamtrap mail", which returned the following:
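The blacklist check described above can be scripted instead of done by hand. The following is an added example and not code from the original post: it builds the reversed-octet query name for each DNSBL zone and resolves it, treating an answer in 127.0.0.0/8 as a listing and NXDOMAIN as not listed. psbl.surriel.com is PSBL's published zone (the list consulted above); dnsbl.example.invalid and the documentation address 203.0.113.24 are placeholders, and `resolve` is injectable so the logic can be exercised offline.

```python
import socket
from ipaddress import IPv4Address

# Zones to query. psbl.surriel.com is PSBL's published DNSBL zone;
# dnsbl.example.invalid is a placeholder for any other list you use.
DNSBL_ZONES = ["psbl.surriel.com", "dnsbl.example.invalid"]


def dnsbl_query_name(ip, zone):
    """Return the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(IPv4Address(ip)).split(".")   # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone for ip. A listing answers with an A record in
    127.0.0.0/8; NXDOMAIN (socket.gaierror) means not listed.
    Returns {zone: answer} for the zones that list the IP."""
    listed = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            continue  # not listed in this zone
        if answer.startswith("127."):
            listed[zone] = answer
    return listed


def fake_resolver(listings):
    """Offline stand-in for gethostbyname: answers from a dict,
    raises NXDOMAIN-style gaierror for anything else."""
    def resolve(name):
        if name in listings:
            return listings[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Constructed scenario: 203.0.113.24 is listed in PSBL only.
    offline = fake_resolver({"24.113.0.203.psbl.surriel.com": "127.0.0.2"})
    print(check_dnsbl("203.0.113.24", resolve=offline))   # {'psbl.surriel.com': '127.0.0.2'}
    print(check_dnsbl("198.51.100.7", resolve=offline))   # {}
```

Run against the real resolver (drop the `resolve=` argument) from a host with outbound DNS; a cron job that alerts when the result is non-empty catches a relisting long before customers start seeing 421 responses.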

Received: from Debian-exim by obfuscated2 with spam-scanned (Exim 4.71)
(envelope-from )
id 1RDmAQ-0001Nc-2P
for [email protected]; Tue, 11 Oct 2011 19:55:27 -0400
Received: from www.itkylin.com ([203.xxx.xxx.24]:36645)
by obfuscated2 with esmtp (Exim 4.71)
(envelope-from )
id 1RDmAP-0001ND-EF
for [email protected]; Tue, 11 Oct 2011 19:55:26 -0400
Received: from localhost (localhost [127.0.0.1])
by www.itkylin.com (Enterprise Mail System) with ESMTP id B22885BF032;
Wed, 12 Oct 2011 03:49:53 +0800 (CST)
Received: from www.itkylin.com ([127.0.0.1])
by localhost (www.itkylin.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id D3VrVSVciZNK; Wed, 12 Oct 2011 03:49:53 +0800 (CST)
Received: from User (75-151-233-234-Pennsylvania.hfc.comcastbusiness.net [75.151.233.234])
by www.itkylin.com (Enterprise Mail System) with ESMTP id E6F9E5BF06D;
Wed, 12 Oct 2011 03:49:39 +0800 (CST)
Reply-To: 
From: "Lawrence Sight"
Subject: You are a Winner Of £750, 000.00 Pounds
Date: Tue, 11 Oct 2011 15:58:31 -0400
MIME-Version: 1.0
charset="Windows-1251"
To: undisclosed-recipients:;
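Reading the Received chain by eye works for one message; for a mailbox full of spamtrap reports it helps to automate the same reasoning. The following is an added example, not the post's own code: it unfolds the headers, parses each Received hop, and walks from the earliest hop upward to find the first connection that our own server accepted from a non-loopback client, which is where the message was injected. The header block is a constructed copy of the report above with the stripped addresses replaced by placeholders; www.itkylin.com and 75.151.233.234 come from the report itself.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the spamtrap report above; envelope and
# recipient addresses are placeholders. The topmost Received is the latest hop.
SAMPLE_HEADERS = """\
Received: from www.itkylin.com ([203.0.113.24]:36645)
\tby obfuscated2 with esmtp (Exim 4.71)
\t(envelope-from <victim@example.invalid>)
\tid 1RDmAP-0001ND-EF
\tfor spamtrap@example.invalid; Tue, 11 Oct 2011 19:55:26 -0400
Received: from localhost (localhost [127.0.0.1])
\tby www.itkylin.com (Enterprise Mail System) with ESMTP id B22885BF032;
\tWed, 12 Oct 2011 03:49:53 +0800 (CST)
Received: from www.itkylin.com ([127.0.0.1])
\tby localhost (www.itkylin.com [127.0.0.1]) (amavisd-new, port 10026)
\twith ESMTP id D3VrVSVciZNK; Wed, 12 Oct 2011 03:49:53 +0800 (CST)
Received: from User (75-151-233-234-Pennsylvania.hfc.comcastbusiness.net [75.151.233.234])
\tby www.itkylin.com (Enterprise Mail System) with ESMTP id E6F9E5BF06D;
\tWed, 12 Oct 2011 03:49:39 +0800 (CST)
From: "Lawrence Sight" <victim@example.invalid>
Subject: You are a Winner
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"    # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"          # rDNS and [IP] as observed by the server
    r".*?\bby\s+(?P<by>\S+)",                # host that accepted the message
    re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return one dict per Received header, in header order (latest first)."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ipm = IP_RE.search(m["paren"] or "")
        hops.append({"helo": m["helo"], "by": m["by"],
                     "ip": ipm.group(1) if ipm else None})
    return hops


def originating_client(raw, our_hosts):
    """Earliest hop that one of our hosts accepted from a non-loopback client:
    the connection that injected the message into our server. Hops before it
    were added by other sites' servers and cannot be trusted."""
    ours = {h.lower() for h in our_hosts}
    for hop in reversed(parse_received(raw)):
        if hop["by"].lower() in ours and hop["ip"] and not ip_address(hop["ip"]).is_loopback:
            return hop
    return None


if __name__ == "__main__":
    print(originating_client(SAMPLE_HEADERS, {"www.itkylin.com"}))
    # {'helo': 'User', 'by': 'www.itkylin.com', 'ip': '75.151.233.234'}
```

Only the hops stamped by your own servers are trustworthy; anything a remote client wrote below them can be forged, which is why the walk stops at the first hop that our host accepted rather than taking the bottom header unconditionally.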

The key piece of information above is the IP 75.151.233.234, so I searched the maillog for it and found the following:
[root@mail log]# grep "75.151.233.234" maillog | more

Oct  5 10:41:32 mail postfix/smtpd[7213]: warning: 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:41:55 mail postfix/smtpd[7213]: connect from 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]
Oct  5 10:41:57 mail postfix/smtpd[7213]: NOQUEUE: reject: RCPT from 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]: 553 5.7.1 : Sender address rejected: not owned by user [email protected]; from= to= proto=ESMTP helo=

The SASL authentication attempts from IP 75.151.233.234 started out failing and then began succeeding, so the password had evidently been cracked:

Oct  5 10:43:08 mail postfix/smtpd[7213]: DCE735BC79A: client=75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234], sasl_method=LOGIN, [email protected]
Oct  5 10:43:10 mail amavis[5371]: (05371-04) Passed CLEAN, SASLBYPASS [75.151.233.234] [75.151.233.234] -> ,,, Message-ID: <[email protected]>, mail_id: OdjpEct9VWGI, Hits: -, size: 3050, queued_as: 5BD205BC79E, 123 ms
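The pattern spotted above in the maillog, a run of SASL failures from one client IP followed by a successful login from the same IP, is exactly what a password-guessing attack that eventually succeeds looks like, and it can be detected automatically. The following is an added example, not the post's own code: it reads Postfix smtpd log lines in order, flags any client IP whose login succeeds after at least `min_failures` failures, and tallies messages and client IPs per SASL username so an account suddenly submitting from an unfamiliar network stands out. The log lines are constructed from the entries quoted above; the usernames, the 198.51.100.7 client and the queue ID 1A2B35BC7A0 are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog excerpt above (usernames and the
# second client are placeholders). Lines are in chronological order.
SAMPLE_MAILLOG = """\
Oct  5 10:41:02 mail postfix/smtpd[7213]: connect from 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]
Oct  5 10:41:32 mail postfix/smtpd[7213]: warning: 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:41:45 mail postfix/smtpd[7213]: warning: 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:42:10 mail postfix/smtpd[7213]: warning: 75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:43:08 mail postfix/smtpd[7213]: DCE735BC79A: client=75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234], sasl_method=LOGIN, sasl_username=victim@example.invalid
Oct  5 10:43:21 mail postfix/smtpd[7213]: 5BD205BC79E: client=75-151-233-234-Pennsylvania.hfc.comcastbusiness.net[75.151.233.234], sasl_method=LOGIN, sasl_username=victim@example.invalid
Oct  5 10:45:01 mail postfix/smtpd[7300]: 1A2B35BC7A0: client=office.example.invalid[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.invalid
Oct  5 10:45:30 mail postfix/smtpd[7300]: warning: office.example.invalid[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)"
# "warning: host[ip]: SASL LOGIN authentication failed: ..."
FAIL_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                     r"SASL \w+ authentication failed")
# "QUEUEID: client=host[ip], sasl_method=LOGIN, sasl_username=user" = accepted login
OK_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\], "
                   r"sasl_method=\w+, sasl_username=(?P<user>\S+)")


def find_guessed_then_success(log_text, min_failures=2):
    """Flag client IPs whose SASL login succeeds only after >= min_failures
    failures. Order matters: a failure that comes after a success (a user
    mistyping once) does not count. Returns {ip: details}."""
    fail_count = defaultdict(int)
    first_fail = {}
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fail_count[m["ip"]] += 1
            first_fail.setdefault(m["ip"], m["ts"])
            continue
        m = OK_RE.search(line)
        if m and fail_count[m["ip"]] >= min_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = {
                "failures_before_success": fail_count[m["ip"]],
                "first_failure": first_fail[m["ip"]],
                "first_success": m["ts"],
                "user": m["user"],
                "queue_id": m["qid"],
            }
    return flagged


def per_user_volume(log_text):
    """Messages accepted and distinct client IPs per SASL username, so a
    compromised account's sudden volume or unfamiliar source network shows up."""
    stats = defaultdict(lambda: {"messages": 0, "client_ips": set()})
    for line in log_text.splitlines():
        m = OK_RE.search(line)
        if m:
            stats[m["user"]]["messages"] += 1
            stats[m["user"]]["client_ips"].add(m["ip"])
    return stats


if __name__ == "__main__":
    for ip, info in find_guessed_then_success(SAMPLE_MAILLOG).items():
        print(f"{ip}: {info['failures_before_success']} failures from {info['first_failure']}, "
              f"then logged in as {info['user']} at {info['first_success']} (queue {info['queue_id']})")
    for user, s in per_user_volume(SAMPLE_MAILLOG).items():
        print(f"{user}: {s['messages']} messages from {sorted(s['client_ips'])}")
```

In production, feed it `grep smtpd /var/log/maillog` for the last day and alert on any flagged IP; the same counters are a good basis for rate-limiting outbound submissions per SASL user, which blunts the damage a cracked password can do before anyone notices the blacklist.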

After that there were plenty of log entries showing the [email protected] account sending spam!
So I advised the customer to change the password of the [email protected] account immediately and to log in to each of the anti-spam organizations right away to request removal from their blacklists.