DNSBL黑名單

dnsbl

harry77128 2018-09-10 11:10:32 ‧ 2435 瀏覽

分享至

各位前輩好,
小弟最近被DNSBL.info搞得天翻地覆...
MailSever原本是用自架的Roundcube，後來被檢舉發送垃圾郵件改申請用GSuite
用了一陣子後最近又被檢舉發送垃圾郵件
目前已經先把RoS防火牆的25 Port關閉
但還是有被cbl.abuseat.org等單位加入黑名單
拜訪cbl.abuseat.org後告知訊息有被殭屍網路感染...
有用過CommView、Wireshark及NTop_XTRA_3_18_0觀察過公司流量
但沒發現異常的流量
請問如何知道是哪部電腦感染呢?
附圖為訊息

以上再麻煩各位前輩幫忙
謝謝!

看更多先前的討論...收起先前的討論...

窮嘶發發發 iT邦高手 1 級 ‧ 2018-09-10 11:15:08 檢舉

4/4 號通知到現在才處理，嗯 .... ，都五個月了呢 ..... ，我想這個問題應該早就解了，只是上來問有沒有更好的處理方式

harry77128 iT邦新手 5 級 ‧ 2018-09-10 11:29:25 檢舉

翻譯成繁體中文日期格式會跑掉，已更新圖檔. 抱歉..

ayu iT邦好手 2 級 ‧ 2018-09-12 23:23:56 檢舉

是被當成spam relay沒錯,
abuseat.org的CBL LOOKUP 211.20.112.1 ,
一直持續增加現在都已到2159次.

211.20.112.3是哪個機器在用?

harry77128 iT邦新手 5 級 ‧ 2018-09-13 16:46:53 檢舉

ayu大您好
目前是沒再用的...

ayu iT邦好手 2 級 ‧ 2018-09-28 23:44:22 檢舉

已經很久都還沒找出禍源, 拖得愈久, 就愈難收拾.
https://cleantalk.org/blacklists/211.20.112.1
就近找或徵求高手就近協助吧.

登入發表討論

直播研討會

{{ item.channelVendor }} {{ item.webinarstarted }} |

直播中

1 個回答

林門神JanusLin

iT邦超人 1 級 ‧ 2018-09-10 11:43:33

FYI
很新的資訊
2018-08-03
超過17萬台MikroTik路由器淪為駭客挖礦攻擊的跳板
https://www.ithome.com.tw/news/124977

回應 7
分享
檢舉

看更多先前的回應...收起先前的回應...

harry77128 iT邦新手 5 級 ‧ 2018-09-10 11:52:32 檢舉

門神大您好
目前已有把MikroTik RouterOS升級至v6.42.7版及增加防火牆設定
但實在不知道該如何排除，只能每台電腦查了嗎? t_t

林門神JanusLin iT邦超人 1 級 ‧ 2018-09-10 12:33:12 檢舉

一般可筆先查 Firewall Log
如果沒有
可以跟對方要求 SMTP 表頭
比對就知道是那台電腦了

harry77128 iT邦新手 5 級 ‧ 2018-09-10 13:11:43 檢舉

門神大您好
有跟中華電信要表頭來看
但好像是被當跳板?

敬啟者您好：

標頭如下請參考:

Authentication-Results: mail.consulintel.es
iprev=pass policy.iprev=10.10.9.250 reason="white listed" (MAIL XXX@paintingdreams.com)
Received: from mail.consulintel.com by mail.consulintel.es (Cipher TLSv1:AES-SHA:128) (MDaemon PRO v16.5.2)
with ESMTPS id md50005872200.msg for ;
Wed, 05 Sep 2018 11:49:50 +0200
X-MDRemoteIP: 10.10.9.250
X-MDHelo: mail.consulintel.com
X-MDArrival-Date: Wed, 05 Sep 2018 11:49:50 +0200
X-Rcpt-To: XXXX@consulintel.es
X-MDRcpt-To: XXXXX@consulintel.es
X-Return-Path: XXXX@paintingdreams.com
X-Envelope-From: XXXX@paintingdreams.com
X-MDaemon-Deliver-To: XXXX@consulintel.es
Authentication-Results: mail.consulintel.com
spf=none smtp.mailfrom=XXXX@paintingdreams.com;
dkim-adsp=permerror (lookup failure) header.from=XXXX@paintingdreams.com;
dmarc=none header.from=paintingdreams.com (no DMARC record);
iprev=pass policy.iprev=211.20.112.1 (PTR 211-20-112-1.HINET-IP.hinet.net);
iprev=fail policy.iprev=211.20.112.1 reason="does not match" (HELO 211-20-112-3.HINET-IP.hinet.net);
iprev=fail policy.iprev=211.20.112.1 reason="has no MX" (MAIL XXXX@paintingdreams.com)
Received: from 211-20-112-3.HINET-IP.hinet.net (211-20-112-1.HINET-IP.hinet.net [211.20.112.1])
by mail.consulintel.com ([127.0.0.1])
(MDaemon PRO v16.5.2)
with ESMTP id md50000972248.msg for ;
Wed, 05 Sep 2018 11:49:43 +0200
X-MDDNSBL-Result: mail.consulintel.com, Wed, 05 Sep 2018 11:49:43 +0200
bl.spamcop.net returned result of 127.0.0.2
dnsbl.sorbs.net returned result of 127.0.0.6
Message-ID: 05772171270854.422pfg25117pw@palacestations.com
Received: from 52.134.100.214 by law9-mn64.law0.palacestations.com with DAV;
Wed, 05 Sep 2018 05:41:34 -0500
Reply-To: "Stewart Daly"
From: "Stewart Daly"
To:
Subject: [SPAM Score/Req: 28.3/13.0] 聶Listo para comenzar a generar ganancia del tipo????K al d穩a?
Date: Wed, 05 Sep 2018 07:41:34 -0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: base64
X-Spam-Prev-Subject: 聶Listo para comenzar a generar ganancia del tipo????K al d穩a?

中華電信數據分公司spam小組
服務電話：02-21926022 分機2
服務時間：週一至週五(AM9:00~12:00、PM1:30~5:00)，國定假日除外。

門神大 您好
有跟中華電信要表頭來看
但好像是被當跳板?

敬啟者 您好：

標頭如下請參考:

Authentication-Results: mail.consulintel.es
        iprev=pass policy.iprev=10.10.9.250 reason="white listed" (MAIL XXX@paintingdreams.com)
Received: from mail.consulintel.com by mail.consulintel.es (Cipher TLSv1:AES-SHA:128) (MDaemon PRO v16.5.2) 
        with ESMTPS id md50005872200.msg for ;
        Wed, 05 Sep 2018 11:49:50 +0200
X-MDRemoteIP: 10.10.9.250
X-MDHelo: mail.consulintel.com
X-MDArrival-Date: Wed, 05 Sep 2018 11:49:50 +0200
X-Rcpt-To: XXXX@consulintel.es
X-MDRcpt-To: XXXXX@consulintel.es
X-Return-Path: XXXX@paintingdreams.com
X-Envelope-From: XXXX@paintingdreams.com
X-MDaemon-Deliver-To: XXXX@consulintel.es
Authentication-Results: mail.consulintel.com
        spf=none smtp.mailfrom=XXXX@paintingdreams.com;
        dkim-adsp=permerror (lookup failure) header.from=XXXX@paintingdreams.com;
        dmarc=none header.from=paintingdreams.com (no DMARC record);
        iprev=pass policy.iprev=211.20.112.1 (PTR 211-20-112-1.HINET-IP.hinet.net);
        iprev=fail policy.iprev=211.20.112.1 reason="does not match" (HELO 211-20-112-3.HINET-IP.hinet.net);
        iprev=fail policy.iprev=211.20.112.1 reason="has no MX" (MAIL XXXX@paintingdreams.com)
Received: from 211-20-112-3.HINET-IP.hinet.net (211-20-112-1.HINET-IP.hinet.net [211.20.112.1])
        by mail.consulintel.com ([127.0.0.1])
        (MDaemon PRO v16.5.2) 
        with ESMTP id md50000972248.msg for ;
        Wed, 05 Sep 2018 11:49:43 +0200
X-MDDNSBL-Result: mail.consulintel.com, Wed, 05 Sep 2018 11:49:43 +0200
        bl.spamcop.net returned result of 127.0.0.2
        dnsbl.sorbs.net returned result of 127.0.0.6
Message-ID: <05772171270854.422pfg25117pw@palacestations.com>
Received: from 52.134.100.214 by law9-mn64.law0.palacestations.com with DAV;
        Wed, 05 Sep 2018 05:41:34 -0500
Reply-To: "Stewart Daly" 
From: "Stewart Daly" 
To: 
Subject: [*SPAM* Score/Req: 28.3/13.0] 聶Listo para comenzar a generar ganancia del tipo????K al d穩a? 
Date: Wed, 05 Sep 2018 07:41:34 -0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: base64
X-Spam-Prev-Subject: 聶Listo para comenzar a generar ganancia del tipo????K al d穩a?

中華電信數據分公司spam小組  
服務電話：02-21926022 分機2
服務時間：週一至週五(AM9:00~12:00、PM1:30~5:00)，國定假日除外。

修改

林門神JanusLin iT邦超人 1 級 ‧ 2018-09-12 08:45:14 檢舉

沒內部 IP 是被當跳板
一般都是帳號和密碼被猜中
要查看是那個帳號被盜用了