How to get a mail server's outgoing IP delisted from bl.spamcop.net
At 14:00 on May 20, the outgoing IP of a friend's company Postfix server was listed on bl.spamcop.net. He wrote to appeal, and they replied:
There is spam being sent through this IP:
Received: from foobar.com.cn (HELO localhost) ([221.4..])
by [trap servername] with ESMTP; 19 May 2009 01:xx:xx -0700
From: "Ahmad Crawford" x@x
Subject: Swiss Branded Watches
Date: Tue, 19 May 2009 16:xx:xx +0800
At the same time, my friend found that a PC on the LAN, whose SAV (Symantec AntiVirus) client had not had its virus definitions updated in time, was infected with W32.Netsky.Z@mm; it had already been cleaned. At the time we did not pay attention to what kind of threat W32.Netsky.Z@mm actually was. We suspected an open relay, tested for it, and found nothing. Later I looked up W32.Netsky.Z@mm on symantec.com, which describes it like this:
Discovered: April 21, 2004
Updated: February 13, 2007 12:21:49 PM
Also Known As: W32/Netsky.z@MM [McAfee]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
The W32.Netsky.Z@mm worm is a Netsky variant that scans for the email addresses on all non-CD-ROM drives on an infected computer. Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .zip extension.
Note: Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
Then, looking again at the header in spamcop.net's reply, Received: from foobar.com.cn (HELO localhost) ([221.4..]), it suddenly clicked that W32.Netsky.Z@mm was probably the cause: a LAN PC running the worm's own SMTP engine sends mail straight out through the company's outgoing IP, which is exactly what a Received line showing that IP with HELO localhost looks like. So I suggested he take the following steps:
1. Block port 25 for all LAN desktop machines at the router or proxy, so that this kind of trojan/virus has nowhere to operate;
2. Run an antivirus scan across the whole network.
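As an added example (not from the original post), once the gateway logs the LAN hosts' blocked port-25 attempts, a short script over those log lines points straight at the infected PC. The iptables rules, the 192.168.1.0/24 addresses and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed gateway FORWARD rules (hypothetical, not from the original post):
# log every LAN attempt to reach TCP/25, let only the mail server through,
# drop the rest. Logging before the ACCEPT keeps an audit trail for both.
#   iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 \
#       -j LOG --log-prefix "SMTP-EGRESS: "
#   iptables -A FORWARD -s 192.168.1.10 -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j DROP

MAIL_SERVER = "192.168.1.10"  # assumed LAN address of the Postfix host

# Fields written by the iptables LOG target; SRC, DST and DPT are all we need.
LOG_RE = re.compile(r"SMTP-EGRESS: .*?SRC=(\S+) .*?DST=(\S+) .*?DPT=(\d+)")

# Constructed sample kernel log lines (not real traffic).
SAMPLE_LOG = """\
May 19 16:01:02 gw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25
May 19 16:01:03 gw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 PROTO=TCP SPT=1046 DPT=25
May 19 16:01:05 gw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=25
May 19 16:01:09 gw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.77 PROTO=TCP SPT=1047 DPT=25
May 19 16:02:00 gw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.5 PROTO=TCP SPT=3301 DPT=25
"""


def parse_attempts(log_text):
    """Yield (src, dst) for every logged outbound TCP/25 connection attempt."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "25":
            yield m.group(1), m.group(2)


def suspect_hosts(log_text, mail_server=MAIL_SERVER, threshold=1):
    """Map each LAN host other than the mail server to (attempts, distinct
    destinations). A desktop delivering mail directly to many remote MXs is
    the footprint of a worm with its own SMTP engine, such as Netsky."""
    attempts = Counter()
    dests = {}
    for src, dst in parse_attempts(log_text):
        if src == mail_server:
            continue  # the Postfix box is the one host allowed to do this
        attempts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return {src: (n, len(dests[src])) for src, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    for host, (n, d) in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} direct SMTP attempts to {d} destinations, scan this PC")
```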
This morning I checked spamcop.net, and that outgoing IP is no longer on bl.spamcop.net.
Note: if no further complaints are received, bl.spamcop.net releases a listed IP 22 hours after the last complaint was received.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.