关于ORF2.1的问题

dcsonofgun

近期突然发现，在exchange2003的队列里有上百上外网域名。开始以为是被中继了，后来发现在ORF日志里有很多如下事件
Version: 2.1 EVALUATION
Log mode: Verbose
Server: (not available)
Source: SMTPSVC-1
Time: 2010-2-9 9:29:04
Class: Add To Auto Sender Whitelist
Severity: Information
Filtering point: Non-filtering
Related IP address: 65.55.37.104
Message ID: (not available)
Sender: nationallottery@in.com
Recipient(s):
verynelihed@pimesibjisxy.com
velada@charter.net
veterinary@t-online.de
vetinadavis@comcast.net
vetnet@libertymovement.org
v-finley@sbcglobal.net
vel_raw@yahoo.com
versie98@yahoo.com
veryimptprincess@yahoo.com
veryrude18@yahoo.com
vessel314@yahoo.com
vet4life78@yahoo.com
vette_woods@yahoo.com
vettech1_95667@yahoo.com
vetteness69@yahoo.com
vevern223@yahoo.com
vewoman@yahoo.com
vfclisby@yahoo.com
vfelton@verizon.net
vfielding@seeworthacademy.org
vert1isi@aol.com
vesquivel32@aol.com
vff1130@aol.com
vesper@gillespieinternet.com
verzwyvelta@bellsouth.net
vest321012@bellsouth.net
velezc22@gmail.com
vevans2@gmail.com
velenr@bp.com
vetdomrep1965@earthlink.net
vejdc@hotmail.com
vejh@hotmail.com
vekhw@hotmail.com
verycherry41@hotmail.com
vesrglm@hotmail.com
vessita@hotmail.com
vestonst@hotmail.com
vetc@hotmail.com
vetenerian69@hotmail.com
veth@hotmail.com
vetydpk@hotmail.com
vewjh@hotmail.com
vewnj@hotmail.com
vezr@hotmail.com
vf224@hotmail.com
vfbeip@hotmail.com
vfbszh@hotmail.com
vfgja@hotmail.com
vfhi@hotmail.com
vfixokb@hotmail.com
Message:
Added "vetydpk@hotmail.com" to the automatic sender whitelist.

不知道这是为什么

[ 本帖最后由 dcsonofgun 于 2010-2-9 14:56 编辑 ]

钉子

你这种情况确实是被中继了。
据以前的客户经验，你这种应该是你服务器中某个用户名和密码被人猜出来中继的。
我建议你打开ORF的LOGViewer,Load LOG后，按Message字段排序，找到发件人和收件都不是你公司用户，但是有Authenticated session的LOG，后面掉的User就是被猜出密码的用户，请禁用或是删除，或是修改这个用户的密码复杂度。

Message:
Authenticated session (user: abc\abc).

PS：因为ORF不过滤从内到外的邮件，所以ORF只把这类验证信息记录。不会过滤这些垃圾邮件。

钉子

另外，ORF现在最新版是4.3，如果你是正式版客户并且客户ID在有效期，我建议你升级ORF。2.1的版本太低了。

dcsonofgun

Version: 2.1 EVALUATION
Log mode: Verbose
Server: (not available)
Source: SMTPSVC-1
Time: 2010-2-8 21:56:50
Class: Ignore Email
Severity: Information
Filtering point: On Arrival
Related IP address: 210.123.7.11
Message ID: <MAILRfcjcMzfoV1qdii000002d9@mail.DC.com.cn>
Sender: winners@national-lottery.co.uk
Recipient(s):
nick2daddy@yahoo.com
nick25@hotmail.com
nick255@hotmail.com
nick2567@hotmail.com
nick258@hotmail.com
nick25hh@hotmail.com
nick260@hotmail.com
nick261@hotmail.com
nick262@hotmail.com
nick265@hotmail.com
nick2650@hotmail.com
nick2672@hotmail.com
nick26j@hotmail.com
nick27@hotmail.com
nick2707@hotmail.com
nick277@hotmail.com
nick2782@hotmail.com
nick279@hotmail.com
nick27a@hotmail.com
nick282@hotmail.com
nick284@hotmail.com
nick29@hotmail.com
nick2910@hotmail.com
nick2956@hotmail.com
nick299@hotmail.com
nick29m@hotmail.com
nick29uk@hotmail.com
nick2cool@hotmail.com
nick2day@hotmail.com
nick2j@hotmail.com
nick2l@hotmail.com
nick2ooo@hotmail.com
nick2sweet@hotmail.com
nick30@hotmail.com
nick300@hotmail.com
nick3000gt@hotmail.com
nick3001@hotmail.com
nick301@hotmail.com
nick303@hotmail.com
nick3044@hotmail.com
nick305@hotmail.com
nick312@hotmail.com
nick3131@hotmail.com
nick315@hotmail.com
nick316@hotmail.com
nick3160@hotmail.com
nick3179@hotmail.com
nick320@hotmail.com
nick323@hotmail.com
nick3250@hotmail.com
Message:
Authenticated session (user: DC\marketing).
我查到一个，收件人和发件人都不是本地的。是不是这个账号被盗了。谢谢版主

钉子

是的。就是marketing这个帐号。请禁用或是删除，或是修改这个用户的密码复杂度。