Hello senior members,
I have recently been turned upside down by DNSBL.info...
Our mail server was originally a self-hosted Roundcube; after it was reported for sending spam, we switched to G Suite.
After using that for a while, we were recently reported for sending spam again.
I have already closed port 25 on the RoS (RouterOS) firewall,
but we are still being blacklisted by cbl.abuseat.org and other lists.
When I visit cbl.abuseat.org, the message says we are infected with a botnet...
I have used CommView, Wireshark and NTop_XTRA_3_18_0 to observe the company's traffic,
but I found no abnormal traffic.
How can I find out which computer is infected?
The attached image shows the message.
Thanks in advance for your help, everyone.
Thank you!
FYI
Very recent news
2018-08-03
Over 170,000 MikroTik routers hijacked as springboards for hackers' cryptomining attacks
https://www.ithome.com.tw/news/124977
Hello 門神,
I have already upgraded MikroTik RouterOS to v6.42.7 and added firewall rules,
but I really don't know how to track it down. Do I have to check every computer one by one? t_t
Usually you first check the firewall log.
If that shows nothing,
you can ask the other party for the SMTP headers
and compare them to find out which computer it was.
Hello 門神,
I asked Chunghwa Telecom for the headers.
But it looks like we were used as a relay?
To whom it may concern,
The headers are as follows, for your reference:
Authentication-Results: mail.consulintel.es
iprev=pass policy.iprev=10.10.9.250 reason="white listed" (MAIL XXX@paintingdreams.com)
Received: from mail.consulintel.com by mail.consulintel.es (Cipher TLSv1:AES-SHA:128) (MDaemon PRO v16.5.2)
with ESMTPS id md50005872200.msg for ;
Wed, 05 Sep 2018 11:49:50 +0200
X-MDRemoteIP: 10.10.9.250
X-MDHelo: mail.consulintel.com
X-MDArrival-Date: Wed, 05 Sep 2018 11:49:50 +0200
X-Rcpt-To: XXXX@consulintel.es
X-MDRcpt-To: XXXXX@consulintel.es
X-Return-Path: XXXX@paintingdreams.com
X-Envelope-From: XXXX@paintingdreams.com
X-MDaemon-Deliver-To: XXXX@consulintel.es
Authentication-Results: mail.consulintel.com
spf=none smtp.mailfrom=XXXX@paintingdreams.com;
dkim-adsp=permerror (lookup failure) header.from=XXXX@paintingdreams.com;
dmarc=none header.from=paintingdreams.com (no DMARC record);
iprev=pass policy.iprev=211.20.112.1 (PTR 211-20-112-1.HINET-IP.hinet.net);
iprev=fail policy.iprev=211.20.112.1 reason="does not match" (HELO 211-20-112-3.HINET-IP.hinet.net);
iprev=fail policy.iprev=211.20.112.1 reason="has no MX" (MAIL XXXX@paintingdreams.com)
Received: from 211-20-112-3.HINET-IP.hinet.net (211-20-112-1.HINET-IP.hinet.net [211.20.112.1])
by mail.consulintel.com ([127.0.0.1])
(MDaemon PRO v16.5.2)
with ESMTP id md50000972248.msg for ;
Wed, 05 Sep 2018 11:49:43 +0200
X-MDDNSBL-Result: mail.consulintel.com, Wed, 05 Sep 2018 11:49:43 +0200
bl.spamcop.net returned result of 127.0.0.2
dnsbl.sorbs.net returned result of 127.0.0.6
Message-ID: 05772171270854.422pfg25117pw@palacestations.com
Received: from 52.134.100.214 by law9-mn64.law0.palacestations.com with DAV;
Wed, 05 Sep 2018 05:41:34 -0500
Reply-To: "Stewart Daly"
From: "Stewart Daly"
To:
Subject: [SPAM Score/Req: 28.3/13.0] 聶Listo para comenzar a generar ganancia del tipo????K al d穩a?
Date: Wed, 05 Sep 2018 07:41:34 -0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: base64
X-Spam-Prev-Subject: 聶Listo para comenzar a generar ganancia del tipo????K al d穩a?
Chunghwa Telecom Data Communications Branch spam team
Service phone: 02-21926022 ext. 2
Service hours: Monday to Friday (9:00-12:00, 13:30-17:00), except national holidays.
No internal IP in the chain means you were used as a relay.
Usually an account and password were guessed.
You need to check which account was compromised.
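Walking the Received chain the way 門神 describes, as an added example written for this thread (not code from any participant or vendor): it unfolds the headers, parses each hop, locates the hop where the mail left the company's public address (assumed here to be 211.20.112.1, taken from the headers above), flags the HELO/reverse-DNS mismatch, and reports whether any earlier hop shows an internal RFC 1918 address. An internal hop would point at a specific workstation; none at all, as in this chain where the only earlier hop is an untrusted foreign one, points at relay through the mail server itself, for example via a compromised account.

```python
import re
# Received lines as posted in the thread above (abridged); other headers omitted.
SAMPLE_HEADERS = """\
Received: from mail.consulintel.com by mail.consulintel.es (Cipher TLSv1:AES-SHA:128) (MDaemon PRO v16.5.2)
 with ESMTPS id md50005872200.msg for ;
 Wed, 05 Sep 2018 11:49:50 +0200
Received: from 211-20-112-3.HINET-IP.hinet.net (211-20-112-1.HINET-IP.hinet.net [211.20.112.1])
 by mail.consulintel.com ([127.0.0.1])
 (MDaemon PRO v16.5.2)
 with ESMTP id md50000972248.msg for ;
 Wed, 05 Sep 2018 11:49:43 +0200
Received: from 52.134.100.214 by law9-mn64.law0.palacestations.com with DAV;
 Wed, 05 Sep 2018 05:41:34 -0500
"""

# "from HELO (rDNS [ip]) by host"; the parenthesised part is absent on hops the MTA did not annotate.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\((\S+)\s+\[([\d.]+)\]\))?\s+by\s+(\S+)")
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def parse_received(raw):
    """Return hops oldest-first as (helo, reverse_dns, ip, by_host); unannotated fields are None."""
    hops = []
    for line in unfold(raw):
        if line.startswith("Received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(m.groups())
    return hops[::-1]  # each MTA prepends its line, so file order is newest-first

def assess(hops, our_public_ip):
    """Find the hop where the mail left our_public_ip and read what the chain says about its origin."""
    for i, (helo, rdns, ip, by_host) in enumerate(hops):
        if ip != our_public_ip:
            continue
        internal = [h for h in hops[:i] if h[2] and PRIVATE_IP.match(h[2])]
        return {
            "handed_to": by_host,
            "helo": helo,
            "helo_matches_rdns": helo == rdns,  # forged or misconfigured HELO if False
            "internal_hops": internal,          # a LAN address here would name the sending host
            "verdict": "internal host submitted the mail" if internal
                       else "relayed with no internal hop: check for a compromised account",
        }
    return None  # our address does not appear in the chain
```

Calling `assess(parse_received(SAMPLE_HEADERS), "211.20.112.1")` on the posted chain returns a HELO mismatch and an empty list of internal hops, which is the "relay, not an infected workstation" reading given above.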