主页 / server / 问题 / 803937
Accepted
ychaouche
Asked: 2016-09-20 02:31:49 +0800 CST

如何找到电子邮件的原始发件人?

  • 772

我发现了一些要发送到 [email protected] 的消息,并且想知道是谁发送的。在搜索日志时,我发现发件人是“<>”,所以它可能是后缀(邮件程序守护进程),但我怎样才能追溯原始发件人?

Sep 18 14:34:02 messagerie postfix/cleanup[610]: 6766E1E922DB: message-id=<[email protected]>
Sep 18 14:34:02 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)
Sep 18 14:34:03 messagerie postfix/pipe[648]: 6766E1E922DB: to=<[email protected]>, relay=maildrop, delay=0.59, delays=0.03/0.19/0/0.37, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domain.tld/rpub/1116.0.messagerie.domain.tld.  )
Sep 18 14:41:30 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)
Sep 18 14:41:30 messagerie postfix/pipe[656]: 6766E1E922DB: to=<[email protected]>, relay=maildrop, delay=448, delays=448/0.07/0/0.05, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domain.tld/rpub/4281.0.messagerie.domain.tld.  )
Sep 18 14:51:30 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)
Sep 18 14:51:31 messagerie postfix/pipe[5595]: 6766E1E922DB: to=<[email protected]>, relay=maildrop, delay=1049, delays=1049/0.11/0/0.04, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domain.tld/rpub/5601.0.messagerie.domain.tld.  )
Sep 18 15:11:30 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)
Sep 18 15:11:30 messagerie postfix/pipe[8843]: 6766E1E922DB: to=<[email protected]>, relay=maildrop, delay=2248, delays=2248/0.11/0/0.05, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domain.tld/rpub/9050.0.messagerie.domain.tld.  )

编辑

正如@RyanBabchishin 所指出的,我已经跳过了日志中的一些行。通过再次仔细搜索qid,我发现了这一点:

Sep 18 14:34:02 messagerie postfix/cleanup[610]: 6766E1E922DB: message-id=<[email protected]>
[... Many lines later ...]
Sep 18 14:34:02 messagerie postfix/bounce[777]: 283821E922D9: sender non-delivery notification: 6766E1E922DB
Sep 18 14:34:02 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)

所以实际上 6766E1E922DB 是 283821E922D9 的反弹。如果我搜索 283821E922D9 我可以找到原始发件人(应该是 rpub 本身):

Sep 18 14:34:01 messagerie postfix/smtpd[31851]: 283821E922D9: client=localhost[127.0.0.1]
Sep 18 14:34:01 messagerie postfix/cleanup[718]: 283821E922D9: message-id=<[email protected]>
Sep 18 14:34:01 messagerie postfix/smtpd[31851]: disconnect from localhost[127.0.0.1]
Sep 18 14:34:01 messagerie postfix/qmgr[2749]: 283821E922D9: from=<[email protected]>, size=32590, nrcpt=2 (queue active)

Quod Erat Demonstrandum

postfix

2 个回答

  1. 电子邮件的发件人很容易被欺骗,因此您不能将发件人的电子邮件用于任何有用的事情。您可以信任的唯一相关信息是发送电子邮件的 SMTP 服务器。

    • 1
  2. Best Answer

    通过再次搜索日志

    Sep 18 14:34:02 messagerie postfix/cleanup[610]: 6766E1E922DB: message-id=<[email protected]>
[... Many lines later ...]
Sep 18 14:34:02 messagerie postfix/bounce[777]: 283821E922D9: sender non-delivery notification: 6766E1E922DB
Sep 18 14:34:02 messagerie postfix/qmgr[2749]: 6766E1E922DB: from=<>, size=35673, nrcpt=1 (queue active)

    是 283821E922D9 的反弹。搜索该 QID 会得到原始发件人:

    Sep 18 14:34:01 messagerie postfix/qmgr[2749]: 283821E922D9: from=<[email protected]>, size=32590, nrcpt=2 (queue active)
    • 0

相关问题