公司exchange2013邮件外网出口是162,全局外网出口是163,邮件网关是梭子鱼的网关。近期发现有部分邮件被收件方拒绝,经排查发现是163的地址不断上CBL的黑名单,但是在网关上没有发现发送垃圾邮件之类的现象。按理来说就算163被拉黑,162的邮件发送也是应该没有问题的。离奇的是我联系收件方的IT查询邮件,发现这边邮件发过去是163的地址。迷惘了。请哪位好心的大神指点一下。 万分感谢!
CBL上查询原因显示如下:
IP Address *.*.*.163 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2017-06-25 15:00 GMT (+/- 30 minutes), approximately 10 hours, 30 minutes ago.
It has been relisted following a previous removal at 2017-06-22 10:09 GMT (3 days, 14 hours, 46 minutes ago)
This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.
More information about Conficker can be obtained from Wikipedia
Please follow these instructions.
Dshield has a diary item containing many third party resources, especially removal tools such as Norton Power Eraser, Stinger, MSRT etc.
One of the most critical items is to make sure that all of your computers have the MS08-067 patch installed. But even with the patch installed, machines can get reinfected.
There are several ways to identify Conficker infections remotely. For a fairly complete approach, see Sophos.
If you have full firewall logs turned on at the time of detection, this may be sufficient to find the infection on a NAT:
Your IP was observed making connections to TCP/IP IP address 104.244.14.252 (a conficker sinkhole) with a destination port 80, source port (for this detection) of 1444 at exactly 2017-06-25 14:30:15 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
If you don't have full firewall logging, perhaps you can set up a firewall block/log of all access (any port) to IP address 104.244.14.252 and keep watch for hits.
WARNING: DO NOT simply block access to 104.244.14.252 and expect to not get listed again. There are many conficker sinkholes - some move around and even we don't know where they all are. Blocking access to just one sinkhole does not mean that you have blocked all sinkholes, so relistings are possible. You have to monitor your firewall logs, identify the infected machine, and repair them if you wish to remain delisted.
