Annoying mail password-guessing attacks
Even today there is still plenty of spamming going on.
Spammers no longer send from their own machines, because those are too easy to trace.
Instead they set their sights on other people's mail servers. Many mail servers used to be poorly managed: whoever asked them to send mail, they sent it, no questions asked (an open relay). Spammers loved those.
But once you have been burgled, who wouldn't fit a door and a lock?
Want to send mail? Fine, what is your username and password? (SMTP AUTH)
After all, a mail server exists to send mail; you cannot simply switch sending off. All you can do is tighten security.
It is like a front door: it is there to be walked through, and a burglary is no reason to brick it up.
So the spammer's job is simple: find a way to get hold of your username and password.
And there are always people who pick simple, easily guessed passwords.
Do you know how many people are trying your username and password every day?
On FreeBSD + Sendmail you can raise Sendmail's LogLevel to 10 or above (the AUTH failure messages shown below are only logged from that level on):
In /etc/mail/sendmail.cf
# log level
O LogLevel=10
One caveat: on FreeBSD sendmail.cf is generated from the .mc file in /etc/mail, so an edit made directly in sendmail.cf is lost the next time you run make there. To make the change stick, set confLOG_LEVEL to 10 in the .mc file, rebuild, and restart sendmail.
Then in /var/log/maillog you will see messages like this:
Mar 11 11:09:32 mail sm-mta[62505]: u2B39QJH062505: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[194.186.181.206]
Don't doubt it: that is someone knocking on your door. (The line you really do not want to see from one of these addresses is the success counterpart, which sendmail logs at the same level as "AUTH=server, relay=[...], authid=..., mech=...": that means a password was guessed.)
Reading them one by one is too tiring!
So I wrote a little program:
mail# more whichip.rb
#!/usr/local/bin/ruby -w
# Print the bracketed relay address ([a.b.c.d]) from every maillog line
# that carries a relay= field; lines without one are skipped.
ARGF.each do |line|
  next unless line.include? "["
  relay = line[/relay=.*/]        # "relay=[194.186.181.206]" up to end of line
  next unless relay               # no relay= field on this line
  ip = relay[/\[[^\]]+\]/]        # just the "[a.b.c.d]" part
  puts ip if ip
end
Then I can use this command:
# cat /var/log/maillog | grep "AUTH failure" | ./whichip.rb | sort | uniq -c
to see who knocked on my door today, and how many times:
4 [1.85.2.119]
3 [103.232.148.206]
3 [131.0.140.46]
2 [138.0.211.130]
3 [138.118.102.182]
3 [138.121.182.157]
3 [138.186.92.65]
3 [138.186.95.196]
3 [138.94.5.59]
3 [138.99.166.107]
3 [143.208.245.158]
3 [143.255.144.109]
3 [151.252.70.171]
3 [154.72.144.51]
3 [176.101.236.55]
3 [177.10.85.70]
3 [177.11.95.117]
3 [177.152.161.95]
3 [177.152.170.51]
3 [177.152.171.182]
3 [177.152.172.115]
3 [177.37.168.115]
3 [177.54.231.94]
3 [177.75.233.119]
3 [177.75.233.99]
3 [179.189.94.53]
3 [179.49.122.146]
3 [186.216.131.78]
3 [186.216.137.134]
3 [186.216.137.175]
3 [186.216.141.63]
3 [186.56.6.47]
3 [187.73.1.191]
3 [187.73.5.10]
3 [187.86.64.242]
3 [187.86.74.187]
3 [187.86.75.139]
3 [187.87.1.13]
3 [187.95.86.109]
3 [189.51.102.205]
1 [189.90.248.188]
3 [189.90.251.185]
3 [190.104.37.95]
3 [190.107.253.72]
3 [190.52.212.35]
3 [191.5.81.217]
3 [191.5.81.23]
3 [191.5.85.96]
3 [191.5.86.71]
3 [191.6.67.156]
3 [194.186.181.206]
3 [196.12.61.220]
3 [200.142.178.25]
3 [201.220.19.97]
3 [201.48.196.85]
3 [202.52.240.61]
3 [31.148.43.72]
3 [37.238.95.233]
3 [37.239.102.252]
3 [37.77.105.133]
3 [80.242.55.103]
3 [83.69.12.49]
3 [86.109.58.26]
3 [89.47.116.226]
3 [91.143.23.34]
3 [91.233.67.216]
3 [92.87.49.53]
3 [95.129.253.242]
Looks like today was fairly well behaved, nothing too excessive!
Not that many people, and none of them knocked too many times!
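An added example, my own illustration and not the original whichip.rb or anything taken from the post's server: a stand-alone Ruby version of the grep | whichip.rb | sort | uniq -c pipeline above. It tallies AUTH failures per relay address from embedded, constructed log lines (documentation addresses and made-up queue ids), handles both the "relay=[ip]" and "relay=hostname [ip]" forms, reads rotated .bz2 files through bzcat, and adds the check the counts alone do not give you: a successful AUTH (sendmail's "AUTH=server, relay=..., authid=..." line) from an address that had been failing, which is what a guessed password looks like. The file name authfail.rb in the usage comment is assumed.

```ruby
#!/usr/local/bin/ruby -w
# Added example, not the original whichip.rb: tally sendmail "AUTH failure"
# lines per relay address and flag any successful AUTH coming from an
# address that also produced failures.  Sendmail logs a success as
# "AUTH=server, relay=[a.b.c.d], authid=user, mech=LOGIN, bits=0".

# Constructed maillog lines for this example (documentation addresses,
# made-up queue ids).  Note relay= may be "[ip]" or "hostname [ip]".
SAMPLE_LOG = <<~LOG
  Mar 11 11:09:32 mail sm-mta[62505]: u2B39QJH062505: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
  Mar 11 11:09:33 mail sm-mta[62505]: u2B39QJH062505: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
  Mar 11 11:10:01 mail sm-mta[62510]: u2B3A1xy062510: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=host.example.net [198.51.100.7]
  Mar 11 11:10:09 mail sm-mta[62512]: u2B3A9ab062512: from=<bob@example.com>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
  Mar 11 11:12:40 mail sm-mta[62520]: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
LOG

# "relay=" followed by an optional hostname, then the bracketed address.
RELAY_RE = /relay=[^\[\],]*\[([^\]]+)\]/

# The address inside the brackets of the relay= field, or nil if absent.
def relay_ip(line)
  m = RELAY_RE.match(line)
  m && m[1]
end

# { ip => number of AUTH failure lines }, the same numbers that
# grep "AUTH failure" | ./whichip.rb | sort | uniq -c prints.
def count_auth_failures(lines)
  counts = Hash.new(0)
  lines.each do |line|
    next unless line.include?("AUTH failure")
    ip = relay_ip(line)
    counts[ip] += 1 if ip
  end
  counts
end

# [[ip, authid], ...] for every successful SMTP AUTH in the log.
def successful_auths(lines)
  lines.each_with_object([]) do |line, out|
    next unless line.include?("AUTH=server")
    ip = relay_ip(line)
    authid = line[/authid=([^,\s]+)/, 1]
    out << [ip, authid] if ip && authid
  end
end

# Successful logins from addresses that failed at least min_failures times:
# these call for a password reset, not just a firewall rule.
def suspicious_logins(lines, min_failures: 1)
  failures = count_auth_failures(lines)
  successful_auths(lines).select { |ip, _authid| failures[ip] >= min_failures }
end

# Read a maillog; rotated ".bz2" files from newsyslog go through bzcat.
def read_log(path)
  return IO.popen(["bzcat", path], &:readlines) if path.end_with?(".bz2")
  File.readlines(path)
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ./authfail.rb /var/log/maillog /var/log/maillog.0.bz2 ...
  # With no arguments it runs on the constructed sample above.
  lines = ARGV.empty? ? SAMPLE_LOG.lines : ARGV.flat_map { |p| read_log(p) }
  count_auth_failures(lines).sort_by { |ip, n| [-n, ip] }.each do |ip, n|
    printf("%6d [%s]\n", n, ip)
  end
  suspicious_logins(lines).each do |ip, user|
    puts "WARNING: successful AUTH as #{user} from [#{ip}] after failed guesses"
  end
end
```

Sorting by count rather than by address puts the 560-style offenders at the top; the suspicious_logins check is the one to wire into an alert, since a single success after a run of failures matters more than any number of failures.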
To look at yesterday or the day before, use:
# bzcat /var/log/maillog.0.bz2 | grep "AUTH failure" | ./whichip.rb | sort | uniq -c
maillog.0.bz2 is cut out by the system's log rotation (newsyslog on FreeBSD), which is usually set up to rotate once a day and compress the old file to bz2. The further back you go, the higher the number, so the files are maillog.1.bz2, maillog.2.bz2, ...
Let's look at a few days ago:
# bzcat /var/log/maillog.1.bz2 | grep "AUTH failure" | ./whichip.rb | sort | uniq -c
9 [1.85.2.119]
3 [101.100.173.45]
3 [103.196.10.96]
3 [103.203.209.127]
3 [103.243.60.3]
3 [103.248.120.17]
3 [103.248.34.69]
3 [103.54.102.21]
6 [103.54.200.15]
3 [103.54.200.205]
3 [103.6.133.31]
3 [109.124.145.147]
3 [109.203.41.164]
3 [109.206.97.147]
3 [109.206.97.211]
3 [109.74.230.43]
3 [109.74.230.74]
3 [109.86.133.61]
3 [109.86.58.178]
3 [109.87.21.205]
3 [110.78.175.154]
3 [116.73.210.88]
3 [118.179.208.2]
3 [118.189.192.123]
3 [118.189.205.108]
3 [118.233.199.59]
3 [131.100.218.156]
3 [131.100.218.242]
3 [131.100.218.71]
3 [131.100.218.72]
3 [131.100.239.146]
3 [131.161.7.105]
3 [132.255.235.33]
3 [132.255.31.137]
3 [138.0.200.74]
3 [138.0.254.81]
3 [138.0.26.233]
3 [138.121.181.140]
3 [138.122.136.41]
3 [138.122.171.45]
3 [138.185.19.106]
3 [138.185.61.13]
3 [138.186.45.107]
3 [138.186.92.129]
3 [138.186.92.163]
3 [138.186.92.59]
3 [138.186.92.64]
3 [138.186.93.68]
3 [138.186.94.15]
3 [138.186.94.16]
3 [138.186.94.231]
3 [138.186.94.34]
3 [138.186.95.240]
3 [138.186.95.33]
3 [138.255.244.240]
3 [138.255.34.225]
3 [138.59.23.238]
3 [138.94.206.220]
3 [141.105.136.40]
3 [143.208.140.103]
3 [143.208.27.91]
6 [143.255.112.19]
3 [143.255.113.226]
3 [151.237.174.89]
3 [154.0.132.111]
3 [154.0.143.16]
3 [154.118.131.110]
3 [154.73.45.250]
3 [154.73.45.58]
3 [168.167.88.127]
6 [168.167.88.163]
3 [168.167.88.5]
3 [168.205.108.142]
3 [176.103.9.89]
3 [176.107.227.65]
3 [176.111.253.211]
3 [176.113.17.149]
3 [176.114.65.21]
3 [176.114.67.69]
3 [176.120.194.127]
3 [176.120.198.186]
3 [176.122.58.192]
3 [176.122.61.114]
3 [176.122.62.124]
3 [176.122.62.97]
3 [176.193.228.231]
3 [176.222.251.242]
6 [176.227.164.148]
6 [176.62.180.17]
3 [176.97.184.241]
3 [176.97.187.20]
3 [176.98.134.179]
3 [176.98.143.179]
3 [176.98.149.8]
3 [176.98.152.86]
3 [177.10.148.16]
3 [177.11.236.11]
3 [177.124.141.38]
3 [177.126.237.73]
3 [177.152.160.146]
3 [177.152.160.217]
3 [177.152.161.211]
3 [177.152.161.49]
3 [177.152.167.234]
3 [177.152.167.75]
3 [177.152.169.98]
3 [177.152.170.70]
3 [177.152.172.138]
3 [177.152.172.211]
3 [177.152.172.68]
3 [177.152.175.43]
3 [177.152.175.83]
3 [177.152.175.97]
3 [177.154.235.124]
3 [177.21.106.23]
3 [177.21.112.153]
3 [177.22.185.225]
3 [177.221.110.218]
3 [177.37.188.84]
3 [177.38.123.195]
3 [177.38.255.252]
3 [177.44.94.123]
3 [177.66.166.183]
3 [177.66.91.16]
3 [177.72.63.131]
3 [177.73.118.143]
3 [177.74.229.171]
3 [177.74.229.98]
3 [177.75.199.45]
3 [177.75.233.113]
3 [177.91.74.30]
3 [178.141.69.62]
3 [178.150.215.207]
3 [178.151.124.200]
3 [178.151.82.203]
3 [178.163.120.170]
3 [178.173.208.67]
3 [178.210.13.182]
3 [178.218.53.171]
3 [178.253.198.254]
3 [178.254.143.18]
3 [178.49.192.177]
3 [178.57.27.121]
3 [179.109.83.178]
3 [179.124.30.33]
3 [179.125.74.103]
3 [179.127.134.162]
3 [179.189.87.35]
3 [180.176.13.112]
3 [181.114.220.146]
3 [181.16.144.19]
3 [181.199.202.58]
24 [184.0.26.153]
3 [185.110.47.6]
3 [185.115.97.71]
3 [185.34.21.161]
3 [185.40.40.242]
3 [185.55.1.43]
3 [185.59.244.59]
3 [185.59.247.42]
3 [185.68.155.80]
3 [186.159.164.184]
3 [186.195.156.26]
3 [186.211.98.156]
3 [186.216.130.135]
3 [186.216.130.163]
3 [186.216.131.245]
3 [186.216.132.142]
3 [186.216.132.220]
3 [186.216.132.80]
3 [186.216.133.118]
3 [186.216.133.127]
3 [186.216.134.239]
3 [186.216.135.142]
3 [186.216.135.148]
3 [186.216.136.147]
3 [186.216.139.149]
3 [186.216.140.117]
3 [186.216.141.185]
3 [186.219.210.12]
6 [186.219.215.6]
3 [186.227.220.34]
3 [186.237.178.58]
3 [186.251.202.113]
3 [186.251.202.26]
6 [187.1.25.80]
3 [187.1.50.165]
3 [187.102.75.146]
3 [187.110.225.167]
3 [187.141.166.164]
3 [187.185.190.233]
2 [187.49.59.17]
3 [187.63.212.248]
3 [187.73.10.145]
3 [187.73.10.45]
3 [187.73.3.71]
3 [187.73.80.35]
3 [187.84.17.216]
3 [187.84.189.18]
3 [187.86.64.226]
3 [187.86.64.89]
3 [187.86.64.8]
3 [187.86.65.133]
3 [187.86.65.150]
3 [187.86.66.229]
3 [187.86.66.64]
3 [187.86.67.37]
3 [187.86.67.40]
3 [187.86.74.183]
3 [187.87.120.13]
3 [187.87.81.20]
3 [188.226.114.106]
3 [188.243.218.60]
6 [188.255.158.156]
3 [188.255.183.182]
3 [188.32.77.138]
3 [189.113.114.165]
3 [189.113.114.47]
3 [189.113.117.32]
3 [189.113.120.148]
6 [189.113.121.30]
3 [189.126.135.242]
3 [189.126.189.23]
3 [189.51.102.208]
3 [189.51.104.200]
3 [189.57.246.139]
3 [189.89.13.234]
3 [189.89.165.60]
3 [189.90.242.172]
3 [189.90.243.237]
3 [189.90.243.238]
3 [189.90.246.183]
3 [189.90.246.21]
3 [189.90.246.221]
3 [189.90.246.65]
3 [189.90.247.108]
3 [189.90.247.145]
3 [189.90.247.171]
6 [189.90.250.246]
3 [189.90.251.138]
3 [189.90.251.153]
3 [189.90.251.165]
3 [189.90.252.114]
3 [190.115.130.217]
3 [190.123.87.114]
3 [190.171.223.8]
3 [190.196.228.12]
3 [190.224.199.146]
3 [191.102.244.227]
3 [191.253.239.65]
3 [191.5.80.95]
3 [191.5.83.102]
3 [191.5.84.227]
3 [191.5.86.70]
3 [191.5.93.109]
3 [191.97.36.214]
3 [192.194.88.178]
1 [193.0.200.183]
3 [193.105.126.151]
3 [194.186.181.206]
3 [194.33.125.155]
1 [194.33.125.204]
3 [194.44.76.56]
3 [194.50.143.32]
3 [194.85.174.66]
3 [195.182.132.44]
3 [195.182.203.123]
3 [195.218.145.114]
3 [195.230.184.133]
3 [195.3.141.59]
3 [195.98.81.2]
3 [196.44.108.197]
19 [199.36.82.140]
3 [200.113.195.222]
3 [200.179.102.79]
3 [200.225.121.133]
3 [200.27.142.155]
3 [200.29.180.150]
3 [200.33.89.29]
3 [201.175.48.239]
3 [201.20.121.202]
3 [201.20.71.7]
3 [201.220.19.97]
3 [201.55.177.35]
3 [201.55.178.12]
3 [202.142.157.90]
3 [202.169.242.170]
3 [203.112.130.46]
3 [212.80.14.44]
3 [212.80.15.189]
3 [213.149.187.90]
3 [213.211.36.118]
3 [213.27.99.189]
3 [213.92.193.86]
3 [213.92.248.15]
3 [217.175.127.32]
3 [217.218.246.138]
3 [31.13.181.249]
3 [31.130.48.227]
3 [31.131.86.114]
6 [31.132.115.160]
3 [31.134.44.180]
3 [31.148.168.5]
3 [31.148.40.170]
3 [31.180.123.184]
3 [31.207.214.246]
3 [31.207.240.121]
3 [31.208.26.245]
3 [31.208.88.131]
3 [31.220.162.61]
3 [37.1.5.202]
3 [37.135.31.125]
3 [37.140.68.70]
3 [37.200.126.108]
3 [37.235.134.7]
3 [37.236.195.9]
3 [37.236.60.49]
3 [37.237.51.82]
3 [37.237.90.113]
3 [37.238.23.21]
3 [37.238.54.29]
3 [37.238.97.142]
2 [37.239.105.9]
3 [37.239.23.222]
3 [37.32.121.40]
3 [37.49.216.51]
3 [37.77.105.159]
3 [37.77.105.170]
3 [37.8.150.89]
6 [41.216.209.46]
3 [41.242.65.137]
3 [41.76.142.209]
3 [41.77.14.234]
3 [43.225.213.58]
3 [43.241.244.26]
3 [45.114.176.38]
3 [45.118.167.229]
3 [46.143.216.51]
3 [46.149.130.159]
3 [46.149.84.130]
3 [46.173.10.254]
3 [46.174.98.138]
3 [46.180.207.163]
3 [46.252.58.36]
3 [46.50.172.22]
3 [5.1.106.252]
3 [5.139.148.82]
3 [5.145.222.183]
3 [5.160.173.116]
3 [5.160.183.168]
3 [5.190.34.55]
3 [5.190.42.60]
3 [5.190.79.152]
3 [5.22.195.125]
3 [5.226.154.35]
3 [5.228.46.209]
3 [5.35.120.22]
560 [61.190.7.133]
3 [62.63.247.172]
3 [62.92.155.53]
3 [77.236.230.122]
3 [77.236.67.154]
3 [77.237.130.9]
3 [77.238.237.97]
3 [77.243.114.57]
3 [77.34.165.227]
3 [77.91.164.76]
3 [78.143.123.184]
3 [78.143.161.160]
3 [78.26.184.90]
3 [78.30.227.233]
6 [79.135.7.35]
3 [79.174.41.179]
3 [80.233.177.248]
3 [80.50.4.162]
3 [80.77.163.191]
3 [81.163.35.54]
3 [81.163.37.209]
3 [81.163.43.230]
3 [81.163.46.21]
3 [81.163.57.115]
6 [81.163.57.118]
3 [81.19.131.115]
3 [82.151.213.103]
3 [82.159.228.104]
3 [82.159.228.113]
3 [82.159.228.22]
3 [82.159.228.61]
3 [82.159.228.62]
3 [82.159.228.73]
3 [82.159.228.80]
3 [82.193.103.105]
3 [82.208.178.141]
3 [82.209.133.203]
3 [82.218.217.184]
1 [83.110.232.52]
3 [83.166.226.132]
3 [83.238.192.31]
3 [84.211.128.216]
3 [85.133.232.237]
3 [85.140.69.89]
3 [85.219.176.243]
3 [85.90.119.6]
3 [87.224.172.95]
3 [87.228.7.124]
3 [87.228.70.88]
3 [87.229.205.170]
3 [87.245.145.183]
3 [87.246.141.32]
3 [87.248.252.40]
3 [88.86.81.6]
3 [89.140.105.81]
6 [89.19.177.173]
3 [89.38.228.83]
3 [91.106.66.38]
3 [91.133.15.112]
6 [91.143.23.36]
3 [91.185.50.127]
3 [91.195.156.52]
3 [91.209.139.123]
3 [91.215.88.160]
3 [91.221.134.139]
3 [91.229.235.3]
3 [91.244.171.138]
3 [92.246.192.93]
3 [92.247.127.54]
3 [93.178.24.147]
3 [93.90.208.245]
3 [93.91.149.236]
3 [93.99.219.98]
3 [94.19.107.192]
3 [94.19.170.74]
3 [94.241.165.192]
3 [94.241.166.95]
3 [94.253.51.144]
3 [95.139.102.123]
3 [95.143.128.205]
3 [95.154.85.59]
3 [95.158.33.130]
3 [95.158.44.218]
3 [95.169.215.233]
3 [95.179.21.97]
3 [95.46.2.17]
3 [95.68.192.233]
Wow! Someone knocked on our door 560 times!
Actually, I have seen several thousand. What is going on, do they have a grudge?
Stranger still, what is with the ones that try 3 or 6 times? Afraid they will be noticed if they try too often?
And they all come from different places!
That pattern, many addresses each trying only a handful of times, is exactly what a per-address count is blind to: no single source ever crosses a blocking threshold, so the size of the list matters as much as the number at the top of it.
What a world...