Why does the IP of an Exchange 2010 mail server keep getting blacklisted?
www.email-cm.com    2015-04-24 09:52:33
Abstract: Why does the IP of an Exchange 2010 mail server keep getting blacklisted?

Over the past few days, our company's Exchange 2010 mail server has kept being listed on spam blacklists such as CBL and Barracuda, and a few hours after we request removal it is added again. The company's previous setup mapped a public IP to the CAS/HUB server; that public IP was the firewall's WAN-port IP, and internal users also reached the Internet through the same IP. Recently, suspecting that an internal user's PC was infected and sending spam, which got the mail server's IP blacklisted, we changed the WAN-port IP and reserved the original IP exclusively for the mail server, but after being removed it was blacklisted again. We still do not know whether this spam is being sent out through the company's mail system or by the mail server itself (because it is infected).

Although our company has already applied for a trial of 思威电邮's overseas mail relay forwarding service, I still want to find the reason our IP keeps getting blacklisted.

The company's mail system already has some basic anti-spam settings enabled:

1. Mail relaying has been disabled

[root@Localhost ~]# telnet 122.247.58.67 25
Trying 122.247.58.67 25...
Connected to 122.247.58.67 (122.247.58.67).
Escape character is '^]'.
220 CAShub02.abc.com Microsoft ESMTP MAIL Service ready at Sat, 19 Oct 2013 09:07:40 +0800
helo mail.126.com
250 CAShub02.abc.com Hello [116.243.237.134]
mail from:def.yang@126.com

2. Rejection of recipients outside the local domain and of empty senders is enabled

3. Mail from external senders to external recipients is rejected.

Below are the spam samples that Trend Micro sent us when we requested blacklist removal (our mail server IP is 122.247.58.67, and its domain name is mail.abc.com).

Spam Sample #1
Received: from [122.247.58.67] by <removed> via sendmail with smtp;
 for 8 recipients; Wed, 16 Oct 2013 20:11:32 -0000
Received: from [123.101.205.154] (port=10436 helo=[192.168.1.07]) by 122.247.58.67 with asmtp id 1rqLaL-0009U-00 for <removed>; Thu, 17 Oct 2013 04:11:34 +0800
Message-ID: <<removed>>
Date: Thu, 17 Oct 2013 04:11:34 +0800
From: "Payroll Reports" <Reports@swpay.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: <<removed>>
Subject: Payroll Report
Content-Type: multipart/mixed;
 boundary="----=_Part_99819_2454256554.7831518313621"
X-Spam: Not detected
X-Mras: Ok

Spam Sample #23
Received: from [122.247.58.67] by <removed> via sendmail with smtp;
 for 1 recipient; Wed, 16 Oct 2013 08:07:07 -0000
Received: from 122.247.58.67(helo=fwbhvioab.wciptwbwvxrns.tv)
 by  with esmtpa (Exim 4.69)
 (envelope-from )
 id 1MMQ8G-7762cc-55
 for eca71cc98019a6d362a@d1ag.com; Wed, 16 Oct 2013 16:07:07 +0800
Received: from 112.240.158.99 (account fraud@aexp.com HELO zcztq.bkrgviovwe.va)
 by  (CommuniGate Pro SMTP 5.2.3)
 with ESMTPA id 247813248 for eca71cc98019a6d362a@d1ag.com; Wed, 16 Oct 2013 16:07:07 +0800
Date: Wed, 16 Oct 2013 16:07:07 +0800
From: "PaymentsAdmin@lloydstsb.co.uk" <PaymentsAdmin@lloydstsb.co.uk>
X-Mailer: The Bat! (v2.00.2) Educational
X-Priority: 3 (Normal)
Message-ID: <<removed>>
To: <<removed>>
Subject: You have received a new debit
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------F3C4D8C142AC57"


Spam Sample #27
Received: from [122.247.58.67] by <removed> via sendmail with smtp;
 for 1 recipient; Wed, 16 Oct 2013 00:42:03 -0000
Received: from Xerox.Device677.adco2.net (10.0.0.197) by adco2.net (10.0.0.59) with Microsoft SMTP Server (TLS) id BY8SI6LK; Wed, 16 Oct 2013 08:42:02 +0800
Received: from Xerox.Device4037.adco2.net (10.57.89.96) by smtp.adco2.net (10.0.0.62) with Microsoft SMTP Server id DU993WU2; Wed, 16 Oct 2013 08:42:02 +0800
Date: Wed, 16 Oct 2013 08:42:02 +0800
From: Xerox WorkCentre <Xerox.Device5@adco2.net>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <W682EBREHYF3HR45Y66X7OIJG283E30GEHQ2OR@adco2.net>
X-MS-Exchange-Organization-AuthSource: MNQZ9GES8YT80U1@adco2.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 01
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;4;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <<removed>>
To: <<removed>>
Subject: Scanned Image from a Xerox WorkCentre
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_005_K4KYL39L66SU20STRT24IKB103LA0BA964ONB5CBF6V332K3355UX1N_"

From these mail headers you can see which mail servers your message passed through on its way to the destination.

1. First, please confirm that your new IP address has been registered on the public Internet so that the other side can identify it.

2. If you want to look at the details of specific messages, I suggest you review them through the SMTP send protocol log; enable it before use.

Here is an article for your reference.

Configure protocol logging

http://technet.microsoft.com/zh-cn/library/bb124531(v=exchg.141).aspx

The new IP address is used only for users' Internet access; our mail server's IP was not changed. The reason for doing this was to determine whether the spam was generated by internal PCs or by the mail server.

As for protocol logging, we only enabled it after receiving the spam samples, so it is hard to determine whether the addresses in the spam samples' routing records ever connected to our mail server. When we checked the logs afterwards, we found no sign of relaying (no records in which both the sender and the recipient were outside the organization).

Regarding these spam samples, I keep feeling that they did not go out through our mail server, mainly for the following reasons. I am not sure whether this analysis is correct; if not, please correct me. Thank you.

1. Our mail server has anonymous relaying disabled, and I have also tested relaying as an authenticated user, which returns the error "550 5.7.1 Client does not have permissions to send as this sender".

2. In Spam Sample #23, the line "Received: from 122.247.58.67(helo=fwbhvioab.wciptwbwvxrns.tv)" has a HELO hostname that is not ours; if our server had really sent the message, it should be "Mail.abc.com".

3. In Spam Sample #27, if the message had been relayed, there should be a receiving record involving the address 122.247.58.67; of course, we cannot rule out that such records were deleted.

For comparison, I have pasted the header of an external message that we received.

Received: from CASHUB02.abc.com (10.10.10.225) by LensCSMail02.abc.com
 (172.16.2.5) with Microsoft SMTP Server (TLS) id 14.2.247.3; Sat, 19 Oct 2013
 08:12:56 +0800
Received: from smtp-v4-jy01-108-175-18-19.mxtoolbox.messagebus.com
 (108.175.18.19) by CAShub02.abc.com (10.10.10.224) with Microsoft SMTP
 Server id 14.3.123.3; Sat, 19 Oct 2013 08:11:08 +0800
Received: from localhost (localhost [127.0.0.1]) by
 smtp-v4-jy01-108-175-18-19.mxtoolbox.messagebus.com (Postfix) with ESMTP id
 2E84FE8095C for <stev@abc.com>; Sat, 19 Oct 2013 00:13:22 +0000
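As an added illustration of the reasoning in points 2 and 3 above (example code, not part of the original post): a Python script that applies those two checks to the Received: chains quoted on this page. The hop excerpts, the server's IP and hostnames, and the "Microsoft SMTP Server" stamp are taken from the headers shown above; the one-line form of the excerpts and the check logic are constructed here.

```python
import re

# Identity of the server under investigation, taken from the post and the genuine header it quotes.
OUR_IP = "122.247.58.67"
OUR_NAMES = {"mail.abc.com", "cashub02.abc.com"}
OUR_SOFTWARE = "microsoft smtp server"  # what a real Exchange 2010 hop stamps after "with"

# Constructed one-line excerpts of the Received: chains quoted on this page, newest hop first.
SAMPLES = {
    "#1": ["from [122.247.58.67] by <removed> via sendmail with smtp; for 8 recipients",
           "from [123.101.205.154] (port=10436 helo=[192.168.1.07]) by 122.247.58.67 with asmtp id 1rqLaL-0009U-00"],
    "#23": ["from [122.247.58.67] by <removed> via sendmail with smtp; for 1 recipient",
            "from 122.247.58.67(helo=fwbhvioab.wciptwbwvxrns.tv) by  with esmtpa (Exim 4.69)"],
    "#27": ["from [122.247.58.67] by <removed> via sendmail with smtp; for 1 recipient",
            "from Xerox.Device677.adco2.net (10.0.0.197) by adco2.net (10.0.0.59) with Microsoft SMTP Server (TLS) id BY8SI6LK"],
    "genuine": ["from CASHUB02.abc.com (10.10.10.225) by LensCSMail02.abc.com (172.16.2.5) with Microsoft SMTP Server (TLS) id 14.2.247.3",
                "from smtp-v4-jy01-108-175-18-19.mxtoolbox.messagebus.com (108.175.18.19) by CAShub02.abc.com (10.10.10.224) with Microsoft SMTP Server id 14.3.123.3"],
}

def parse_hop(line):
    """Extract the claimed sending host, its HELO name, the receiving host and the 'with' clause."""
    def grab(pattern):
        m = re.search(pattern, line, re.I)
        return m.group(1).strip("[]") if m else ""
    by = grab(r"\bby\s+([^\s(]+)")
    if by.lower() == "with":  # "by  with esmtpa": the receiving host was left blank
        by = ""
    return {"from": grab(r"\bfrom\s+([^\s(]+)"), "helo": grab(r"helo=([^\s)]+)"),
            "by": by, "with": grab(r"\bwith\s+(.+?)(?:\s+id\b|;|$)")}

def assess(hops):
    """Apply the post's points 2 and 3 to one chain; an empty list means nothing contradicts our server."""
    findings, recorded_by_us = [], False
    for h in map(parse_hop, hops):
        # Point 2: a hop naming our IP as the sender must HELO with one of our hostnames.
        if h["from"] == OUR_IP and h["helo"] and h["helo"].lower() not in OUR_NAMES:
            findings.append(f"HELO '{h['helo']}' is not one of our hostnames")
        # Point 3: a hop naming our server as the receiver should look like the genuine Exchange hop.
        if h["by"] == OUR_IP or h["by"].lower() in OUR_NAMES:
            recorded_by_us = True
            if OUR_SOFTWARE not in h["with"].lower():
                findings.append(f"hop 'by {h['by']}' stamped 'with {h['with']}', not '{OUR_SOFTWARE}'")
    if not recorded_by_us:
        findings.append("no hop was recorded by our server; only the destination's own trace line names our IP")
    return findings

if __name__ == "__main__":
    for name, hops in SAMPLES.items():
        print(name, assess(hops) or "consistent with our server")
```

Run against the four chains, only the genuine inbound header comes back clean; each spam sample trips at least one of the two checks, which is the same conclusion the post reaches by hand.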

Published by: 思威电邮