sendmail - Is the server sending spam?

Over the last day my server has been used to send spam. I am using the Amazon Linux distribution (RedHat-based). It has sendmail 8.14.4. It is configured to require authentication, SSL, etc. Below are some extracts from the log and from mqueue. How can I find out what is going on and fix it?

Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<[email protected]>, size=464, class=0, nrcpts=10, msgid=<[email protected]>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 21:57:12 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:18, xdelay=00:00:09, mailer=esmtp, pri=390464, relay=mailin-01.mx.aol.com. [205.188.159.42], dsn=5.1.1, stat=User unknown
Sep 10 21:57:19 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:25, xdelay=00:00:03, mailer=esmtp, pri=390464, relay=mx1.earthlink.net. [209.86.93.226], dsn=2.0.0, stat=Sent (1vju3P5qX3Nl34d0 Message accepted for delivery)
Sep 10 21:57:20 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:26, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=gmail-smtp-in.l.google.com. [74.125.136.27], dsn=2.0.0, stat=Sent (OK 1378843040 x42si1080567eel.116 - gsmtp)
Sep 10 21:57:21 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:27, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=5.1.1, stat=User unknown
Sep 10 21:57:22 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>,<[email protected]>, delay=00:00:28, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=2.0.0, stat=Sent ( <[email protected]> Queued mail for delivery)
Sep 10 21:57:24 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:30, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=zeno.mx25.net. [207.210.234.36], dsn=2.0.0, stat=Sent (893 bytes received in 00:00:00; Message id 201309101457230095 accepted for delivery)
Sep 10 21:57:25 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:31, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx1.seznam.cz. [77.75.76.42], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:26 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>, delay=00:00:32, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.seznam.cz. [77.75.76.32], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<[email protected]>,<[email protected]>, delay=00:00:34, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mta5.am0.yahoodns.net. [98.138.112.34], dsn=2.0.0, stat=Sent (ok dirdel 1/1)
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: r8AJvS4i011781: DSN: User unknown
> V8 T1378843014 K0 N0 P300464 Fbs
> $_dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged) $rESMTP $saambanyoqp ${daemon_flags}s a
> ${if_addr}10.246.123.145 S<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]>
> rRFC822; [email protected]
> RPFD:<[email protected]> rRFC822; [email protected]
> RPFD:<[email protected]> rRFC822; [email protected] RPFD:<[email protected]>
> rRFC822; [email protected] RPFD:<[email protected]> rRFC822;
> [email protected] RPFD:<[email protected]> H?P?Return-Path:
> <<81>g> H??Received: from aambanyoqp
> (dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged))
>         (authenticated bits=0)
>         by ps-aws-p1.project-syndicate.org (8.14.4/8.14.4) with ESMTP id r8AJtH4r011662
>         (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO);
>         Tue, 10 Sep 2013 21:56:54 +0200 H?M?Message-Id: <[email protected]>
> H??Subject: H??From: "Wri Jm" <[email protected]> H??To:
> <[email protected]>, <[email protected]>,
>         <[email protected]>, <[email protected]>,
>         <[email protected]>, <[email protected]>, <[email protected]>,
>         <[email protected]>, <[email protected]>,
>         <[email protected]> H??Date: Tue, 10 Sep 2013 20:47:12 -0700 H??Mime-Version: 1.0 H??Content-Type: text/plain; charset="utf-7"

Answer 1

It is very likely that the SMTP passwords have been compromised.

Make sendmail log the SMTP AUTH credentials being used: raise LogLevel to 10. The required sendmail.mc line:

define(`confLOG_LEVEL', `10')dnl

sendmail.mc needs to be recompiled into sendmail.cf. The sendmail daemon needs a restart (or a HUP signal) to "see" the new version of sendmail.cf.

Logging authentication information in sendmail
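As an added illustration of the answer's advice (not code from the original post): at LogLevel 10 sendmail writes an `AUTH=server, relay=..., authid=..., mech=...` record per authenticated session (assumed format), which this script joins with the `from=`/`nrcpts=` record by queue id to show which auth id sent the bulk mail and from how many relay addresses. The log lines, user names and addresses are constructed samples; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines in the shape sendmail produces at LogLevel 10.
# The "AUTH=server" record is the one that only appears once LogLevel is raised.
SAMPLE_LOG = """\
Sep 10 21:56:54 host sendmail[11662]: r8AJtH4r011662: AUTH=server, relay=[198.51.100.7] (may be forged), authid=alice, mech=LOGIN, bits=0
Sep 10 21:57:03 host sendmail[11662]: r8AJtH4r011662: from=<x@example.org>, size=464, class=0, nrcpts=10, msgid=<1@x>, proto=ESMTP, daemon=TLSMTA, relay=[198.51.100.7] (may be forged)
Sep 10 22:01:10 host sendmail[11790]: r8AK1A4r011790: AUTH=server, relay=[203.0.113.9] (may be forged), authid=alice, mech=LOGIN, bits=0
Sep 10 22:01:12 host sendmail[11790]: r8AK1A4r011790: from=<y@example.org>, size=512, class=0, nrcpts=25, msgid=<2@y>, proto=ESMTP, daemon=TLSMTA, relay=[203.0.113.9] (may be forged)
Sep 10 22:05:00 host sendmail[11801]: r8AK5004011801: AUTH=server, relay=[192.0.2.15], authid=bob, mech=PLAIN, bits=0
Sep 10 22:05:01 host sendmail[11801]: r8AK5004011801: from=<bob@example.org>, size=300, class=0, nrcpts=1, msgid=<3@b>, proto=ESMTP, daemon=TLSMTA, relay=[192.0.2.15]
"""

QID = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
AUTH = re.compile(r"AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>\S+), mech=")
FROM = re.compile(r"from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>.*)$")

def parse_maillog(text):
    """Merge the AUTH and from= records of each queue id into one dict."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = QID.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        a = AUTH.search(rest)
        if a:
            msgs[qid]["authid"] = a["authid"]
            msgs[qid]["relay"] = a["relay"]
        f = FROM.search(rest)
        if f:
            msgs[qid]["sender"] = f["sender"]
            msgs[qid]["nrcpts"] = int(f["nrcpts"])
            msgs[qid].setdefault("relay", f["relay"])
    return dict(msgs)

def suspicious_authids(msgs, max_rcpts=20, max_relays=1):
    """Per SMTP AUTH id: message count, total recipients, distinct relay hosts.
    Ids over either threshold are the credentials to reset first."""
    stats = defaultdict(lambda: {"messages": 0, "rcpts": 0, "relays": set()})
    for rec in msgs.values():
        if "authid" not in rec:
            continue  # unauthenticated (e.g. inbound) mail is not our concern here
        s = stats[rec["authid"]]
        s["messages"] += 1
        s["rcpts"] += rec.get("nrcpts", 0)
        s["relays"].add(rec.get("relay", "?"))
    return {uid: s for uid, s in stats.items()
            if s["rcpts"] > max_rcpts or len(s["relays"]) > max_relays}
```

Run it over the real /var/log/maillog once the new sendmail.cf is active; an auth id submitting from a rotating set of dynamic addresses with large nrcpts values is the compromised account.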
