A strange mail server problem, asking for help

eric820408

System: FC6 + Sendmail + MailScanner + SpamAssassin + ClamAV
Symptoms:
   There is a user A@ABC.COM in the company. Whenever anyone, internal or external, sends mail to A, the system automatically makes A@ABC.COM send a message to a fixed mailbox,
   XXX@163.COM. Similarly, user B@ABC.COM maps to YYY@YAHOO.COM, and so on. About 5-10 such users have been found so far;
   the server has over 1K users. These messages to 163 and Yahoo sometimes get through, and sometimes are bounced as spam or the like.


Log 1:
[root@mail log]# cat maillog.5 |grep  m5IARAWw020244
Jun 18 18:27:13 mail sendmail[20244]: m5IARAWw020244: from=<tequilatrouble@hotmail.com>, size=585, class=0, nrcpts=1, msgid=<01c8d146$fa75d000$8a04705c@tequilatrouble>, proto=ESMTP, daemon=MTA, relay=138-4-112-92.pool.ukrtel.net [92.112.4.138] (may be forged)
Jun 18 18:27:19 mail sendmail[20289]: m5IARAWw020244: to=//caddie, delay=00:00:07, xdelay=00:00:00, mailer=local, pri=120585, dsn=2.0.0, stat=Sent
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: to=caddie512@163.com, delay=00:00:08, xdelay=00:00:01, mailer=esmtp, pri=120585, relay=163.mxmail.netease.com. [220.181.12.73], dsn=5.0.0, stat=Service unavailable
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: m5IARJYb020289: DSN: Service unavailable

[root@mail log]# cat maillog.5 |grep  m5IARJYb020289
Jun 18 18:27:20 mail sendmail[20289]: m5IARAWw020244: m5IARJYb020289: DSN: Service unavailable
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=<tequilatrouble@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31953, relay=mx4.hotmail.com. [65.54.244.232], dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=marc, ctladdr=root (8/0), delay=00:00:01, mailer=local, pri=31953, dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: to=marc, ctladdr=root (8/0), delay=00:00:01, mailer=local, pri=31953, dsn=5.1.1, stat=User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: m5IARJYc020289: return to sender: User unknown
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: Losing ./qfm5IARJYb020289: savemail panic
Jun 18 18:27:21 mail sendmail[20289]: m5IARJYb020289: SYSERR(root): savemail: cannot save rejected email anywhere

Log 2:
Jun 17 16:26:49 mail sendmail[10903]: m5H8QnTw010903: from=<ivy7@ABC.COM>, size=249473, class=0, nrcpts=3, msgid=<003701c8d053$8374ec00$860ca8c0@sdf>, proto=SMTP, daemon=MTA, relay=bogon [192.168.12.134] (may be forged)
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=<yuer@ABC.COM>, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:01, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=<lisalee@ABC.COM>, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:33 mail sendmail[12414]: m5H8QnTw010903: to=//caddie, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=429473, dsn=2.0.0, stat=Sent
Jun 17 16:27:36 mail sendmail[12414]: m5H8QnTw010903: to=caddie512@163.com, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:00:47, xdelay=00:00:03, mailer=esmtp, pri=429473, relay=163.mxmail.netease.com. [220.181.12.75], dsn=4.0.0, stat=Deferred: 451 DT:SPM mx25, S8CowLBLVgBndVdIamDyFw==.31838S2, please try again 1213691241 http://mail.163.com/help/help_spam_16.htm?ip=-770850491&hostid=mx25&time=1213691241
Jun 17 16:38:54 mail sendmail[30985]: m5H8QnTw010903: to=caddie512@163.com, ctladdr=<ivy7@ABC.COM> (1820/12), delay=00:12:05, xdelay=00:00:09, mailer=esmtp, pri=519473, relay=163.mxmail.netease.com. [220.181.12.63], dsn=2.0.0, stat=Sent (Mail OK queued as mx13,P8CowLBbPwMBeFdI9jibFw==.2958S2 1213691914)

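caddie is a user on my server, and in every case the corresponding message goes to caddie512@163.com. I asked the user, who has no idea who caddie512 is.
I don't know why caddie@abc.com turns into //caddie.

   Has my server been attacked and turned into a spam relay?
   But it doesn't quite look like that, because all the domains that show up are large providers such as 163 and Yahoo, only a few users are involved, and the external destinations are the same few users at the same few domains.
   It doesn't look like an infected client either, because the message is carried off to the third party before it even reaches A's mailbox.
   I haven't found any unusual processes or ports on the system.
   Everyone, what should I do, and how should I investigate?

Another example: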
Jun 21 08:23:37 mail sendmail[683]: m5L0NPe9000624: to=//debby, ctladdr=<jerry@ABC.COM> (520/12), delay=00:00:10, xdelay=00:00:00, mailer=local, pri=487090, dsn=2.0.0, stat=Sent
Jun 21 08:35:55 mail sendmail[4278]: m5L0NPe9000624: to=yangping5235@yahoo.com.tw, ctladdr=<jerry@ABC.COM> (520/12), delay=00:12:28, xdelay=00:00:01, mailer=esmtp, pri=577090, relay=mx1.mail.tw.yahoo.com. [203.188.197.9], dsn=4.0.0, stat=Deferred: 421 Message from (my IP) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

xiaoone
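Reply to #1, eric820408's post

Let me chime in on your problem. 1. Have you turned off relaying?
2. If you have, has a forwarding alias been set up in the user's directory?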

abel
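Did you take over this server from someone else?

The problem should be in MailScanner's mail backup mechanism.
For details, check the relevant MailScanner settings yourself, or see
http://bbs.chinaunix.net/viewthread.php?tid=857023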

eric820408
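Reply to #2, abel's post

What does "take over someone else's server" mean?
My archive.rules is empty; I haven't made any changes in that area.
I also haven't set up any forwarding or mail backup for users.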

eric820408
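Reply to #3, xiaoone's post

Finally found the cause. Thanks for the hint; it was close to your point 2.
Back then I felt Openwebmail was too much trouble, and few people in the company needed web access. So I later installed the Usermin package that goes with Webmin, so that users could read mail through a web page. It has a mail Forward feature that I had not turned off. That turned out to be the cause.
Its configuration file is in each user's directory: /home/xxx/.usermin/forward/config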
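
Added example (not from any poster in the thread): a Python check for the pattern visible in the logs above, flagging queue IDs whose delivery lines outnumber the envelope's nrcpts and mix a mailer=local delivery with a mailer=esmtp one. The sample log lines, their addresses and the function name find_forwarded are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the maillog format shown in the thread.
SAMPLE_LOG = """\
Jun 18 18:27:13 mail sendmail[20244]: q1AAAAAA000001: from=<sender@example.net>, size=585, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jun 18 18:27:19 mail sendmail[20289]: q1AAAAAA000001: to=//alice, delay=00:00:07, mailer=local, pri=120585, dsn=2.0.0, stat=Sent
Jun 18 18:27:20 mail sendmail[20289]: q1AAAAAA000001: to=alice512@mailbox.example, delay=00:00:08, mailer=esmtp, pri=120585, relay=mx.mailbox.example. [198.51.100.7], dsn=2.0.0, stat=Sent
Jun 18 18:30:00 mail sendmail[20300]: q1BBBBBB000002: from=<bob@example.com>, size=900, class=0, nrcpts=2, proto=SMTP, daemon=MTA, relay=[192.0.2.20]
Jun 18 18:30:02 mail sendmail[20301]: q1BBBBBB000002: to=<carol@example.com>, ctladdr=<bob@example.com> (520/12), delay=00:00:02, mailer=local, pri=120900, dsn=2.0.0, stat=Sent
Jun 18 18:30:03 mail sendmail[20301]: q1BBBBBB000002: to=<partner@other.example>, ctladdr=<bob@example.com> (520/12), delay=00:00:03, mailer=esmtp, pri=120900, relay=mx.other.example. [198.51.100.9], dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")


def find_forwarded(log_text):
    """Return {queue_id: {"local": [...], "remote": [...]}} for messages whose
    deliveries outnumber the envelope recipients (nrcpts) and include both a
    local and an esmtp delivery, i.e. a recipient was expanded by a forward."""
    nrcpts = {}
    rcpts = defaultdict(lambda: {"local": set(), "esmtp": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        n = re.search(r"\bnrcpts=(\d+)", rest)
        if n:
            nrcpts[qid] = int(n.group(1))
        to = re.match(r"to=(\S+),", rest)
        mailer = re.search(r"\bmailer=(\w+)", rest)
        if to and mailer and mailer.group(1) in ("local", "esmtp"):
            for raw in to.group(1).split(","):
                # Normalise "<user@dom>", "//user" and "\user" to a bare address.
                addr = raw.strip("<>").lstrip("/\\").lower()
                rcpts[qid][mailer.group(1)].add(addr)  # sets absorb retry lines
    hits = {}
    for qid, r in rcpts.items():
        total = len(r["local"]) + len(r["esmtp"])
        if qid in nrcpts and r["local"] and r["esmtp"] and total > nrcpts[qid]:
            hits[qid] = {"local": sorted(r["local"]), "remote": sorted(r["esmtp"])}
    return hits


if __name__ == "__main__":
    for qid, r in find_forwarded(SAMPLE_LOG).items():
        print(qid, "local:", r["local"], "-> remote:", r["remote"])
```

Legitimate entries in /etc/aliases or a user's own .forward produce the same pattern, so each hit still has to be compared against the forwards the user actually asked for.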