Q:
A question about spam and my mail server
Hello, I would like to ask about something.
I received a message sent to the abuse mailbox of my mail server.
Its content says: " appears to be from one of your users,
arrived recently at one of the domains that I manage. It looks to me
like spam, unsolicited bulk e-mail "
The information they gave me is:
Received: from abc.xxx.xxx (HELO email) (abc.xxx.xxx )
by mail.xxx.com with SMTP; 20 Sep 2004 19:09:31 -0000
Received: from xxxtops ([xx.xx.xx.xx])
by abc.xxx.xxx (iPlanet Messaging Server) with ESMTPA id <0HXC000NE6G1UE@abc.xxx.xxx> for
xxxman@xxx.com ; Fri, 07 May 2004 17:13:38 +0800 (CST)
How can I trace which user sent this mail, or can I find out which user it was
from the ESMTPA id?
(P.S. abc.xxx.xxx is my email server)
Thanks in advance for any expert advice.
A:
A complete header normally looks like this:
Return-Path:
Received: from auth2.cht.com.tw (esmtpo2.cht.com.tw [202.39.168.17] (may be forged))
by Server.softsqr.com (8.12.11/8.12.11) with ESMTP id i8M2ujbX093106
for ; Wed, 22 Sep 2004 10:56:45 +0800 (CST)
(envelope-from
mou@cht.com.tw)
Received: from yupei1 ([10.16.22.88])
by auth2.cht.com.tw (8.12.11/8.12.11) with ESMTP id i8M2ufNh016449
for ; Wed, 22 Sep 2004 10:56:41 +0800
Lines 1 and 6 show the real sender's information.
Lines 5 and 9 show the real recipient's information.
This is a mail sent from mou@cht.com.tw to henri@softnext.com.tw. We can see two Received sections in the header, which means the mail passed through two mail servers, in this order: first auth2.cht.com.tw, then server.softsqr.com. From the first Received section we can see that the mail was sent from the computer 10.16.22.88, and in the second Received we can see that softnext.com.tw's mail server received the mail from 202.39.168.17.
Received: from abc.xxx.xxx (HELO email) (abc.xxx.xxx )
by mail.xxx.com with SMTP; 20 Sep 2004 19:09:31 -0000
Received: from xxxtops ([xx.xx.xx.xx])
by abc.xxx.xxx (iPlanet Messaging Server) with ESMTPA id <0HXC000NE6G1UE@abc.xxx.xxx> for
xxxman@xxx.com ; Fri, 07 May 2004 17:13:38 +0800 (CST)
Analysing the information you supplied: from the first Received section we can see that this mail was sent out through abc.xxx.xxx (your mail server) from the IP xx.xx.xx.xx, and that it was addressed to xxxman@xxx.com, so in the second Received section we can see it was accepted by the mail server mail.xxx.com.
If the original sender did not have to authenticate in order to send, then the sender field can be forged at will. To find out who the sender was, you can look up the ESMTPA id
0HXC000NE6G1UE@abc.xxx.xxx in the mail server's log, but my suggestion is that checking from the computer at IP xx.xx.xx.xx will be more accurate.