CSDN邮件病毒?

Posted on Edited on Word count in article: 4.4k Reading time ≈ 4 mins.

各位的用户注意一下来自CSDN的邮件 可能含有病毒。 今天上午收到一封来自CSDN的邮件。

标题引起了我的注意。并且它还带有一个附件。没有正文内容。查看了一下信头

1
2
3
4
5
6
7
8
Received: from csdn.net (unknown [218.93.225.174])
	by mx3 (Coremail) with SMTP id NcCowEC5+mIspLJSghUHAQ--.1389S2;
	Thu, 19 Dec 2013 15:45:50 +0800 (CST)
From: [email protected]
To: --
Subject: nyboealdzx
Date: Thu, 19 Dec 2013 15:46:39 +0800
MIME-Version: 1.0

这个看起来是从csdn.net那个域发送过来的。不过unknown意味着没有进行签名。后来觉得是不是CSDN的邮件都是这样的?然后查看了之前几个CSDN邮件的信头:

这个是邀我参加开源中国的邀请邮件:

1
2
3
4
5
6
7
8
9
10
Received: from mx151.csdn.net (unknown [124.193.87.153])
	by mx49 (Coremail) with SMTP id Y8CowEApI079esJR1SMTCw--.1499S2;
	Thu, 20 Jun 2013 11:46:05 +0800 (CST)
Received: by mx151.csdn.net (Postfix, from userid 0)
	id 99C7E40A18; Thu, 20 Jun 2013 11:39:21 +0800 (CST)
Content-Type: multipart/mixed; boundary="===============2088245834=="
MIME-Version: 1.0
Subject: =?GB2312?B?Q1NETsnnx/izz9H7xPqyzrzTILXasMu97KGwv6rUtNbQufq/qtS0ysC956GxuN+35cLbzLM=?=
From: CSDN<[email protected]>
To: --

这个看起来是一个csdn的子域发送过来的。然后查看了另外一个csdn的邮件,这个是赠送图书的。这封信来自于mail.csdn.net, 但是真实发出的是

1
gaoshan-PC (unknown [192.168.4.111])

下面是详细内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Received: from mail.csdn.net (unknown [211.103.135.164])
	by mx18 (Coremail) with SMTP id RMCowECpvUNu1uhRmXtoAQ--.527S2;
	Fri, 19 Jul 2013 14:02:22 +0800 (CST)
Received: from localhost (localhost.mail.csdn.net [127.0.0.1])
	by mail.csdn.net (EMOS V1.5 (Postfix)) with ESMTP id 258322A18013;
	Fri, 19 Jul 2013 13:52:23 +0800 (CST)
X-Virus-Scanned: amavisd-new at csdn.net
Received: from mail.csdn.net ([127.0.0.1])
	by localhost (mail.csdn.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id rSjhuVYKv6Ko; Fri, 19 Jul 2013 13:52:22 +0800 (CST)
Received: from gaoshan-PC (unknown [192.168.4.111])
	by mail.csdn.net (EMOS V1.5 (Postfix)) with ESMTPA id B01A967E0582;
	Fri, 19 Jul 2013 13:52:22 +0800 (CST)
Date: Fri, 19 Jul 2013 14:02:21 +0800
From: admin <[email protected]>
Reply-To: admin <[email protected]>
Subject: =?gb2312?B?Q1NETtH7xPqyzrzTobDQtMrpxsC1w7y8yvXNvMrp067PwtTYt9ahsbKpv83XqLzSoaKw5tb316jK9Lvutq8=?=
Disposition-Notification-To: admin <[email protected]>

另外我怀着好奇心,查看一下其他邮箱从QQ那边发来邮件。注意其中含有DKIM签名。这个是验证域用的。里面可以看到来自qq.com。这就可以放心,这封邮件至少不是伪造的。但是很可惜,这里签名用错了。

Received: from smtpbg15.qq.com (unknown [183.60.61.204])
	by mx45 (Coremail) with SMTP id X8CowEB5TGDld7FRy8pfBQ--.918S2;
	Fri, 07 Jun 2013 14:04:21 +0800 (CST)

虽然下面是qq域的DKIM签名,但是上面还是显示unknown, 这是因为DKIM签名的域是qq.com但是发送的域是smtpbg15.qq.com

1
2
3
4
5
6
7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s0907;
	t=1370585061; bh=vXVivKNEwifo2iLclSc6hbMDASAhfzVUi+Zil5icxDU=;
	h=X-QQ-STYLE:From:To:Subject:Message-ID:Mime-Version:Content-Type:
	 Content-Transfer-Encoding;
	b=Wy8ROvt1N4Z0L/+sVpRbP6Kw9zPPWFy70mdtYBjd48snQhmbV6g+4atAE83epDHNY
	 rDw2m+sjY2yQScbkdHlvRLfpgI42uiHe2s1tDCzktKLMhOkKfoKVUuokYxy6E38
X-QQ-STYLE: 1

又看了一下国外的邮件。这封是Apple的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Received: by 10.52.240.19 with SMTP id vw19csp6991vdc;
        Thu, 19 Dec 2013 09:53:37 -0800 (PST)
X-Received: by 10.182.199.70 with SMTP id ji6mr2349588obc.36.1387475616772;
        Thu, 19 Dec 2013 09:53:36 -0800 (PST)
Return-Path: <[email protected]>
Received: from msbadger0406.apple.com (msbadger0406.apple.com. [17.254.6.147])
        by mx.google.com with ESMTP id kv3si3864744obb.149.2013.12.19.09.53.36
        for --;
        Thu, 19 Dec 2013 09:53:36 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 17.254.6.147 as permitted sender) client-ip=17.254.6.147;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 17.254.6.147 as permitted sender) [email protected];
       dkim=pass [email protected];
       dmarc=pass (p=REJECT dis=NONE) header.from=insideapple.apple.com
DKIM-Signature: v=1; a=rsa-sha1; d=insideapple.apple.com; s=insideapple2048; c=relaxed/simple;
	q=dns/txt; [email protected]; t=1387475613;
	h=From:Subject:Date:To:MIME-Version:Content-Type;
	bh=Bv+phsUVfuOBtsYL10tJhisQ4Wo=;
	b=ZH+peisWOL02/c8ekXM3LGk1LQeRGXQecRnvRreYqL+neIvqQw/dZL8kzTxUC/mf
	NMLqzVTil0qwoqnxSDzxNX4vRdqszeQsJRXZh2dvZQhJZ6hDeHc0Jh0AaWPQPN3Z
	M1tRvtGkdek2VzH8sU7pAPT6lB+4SEFtHvBIFUi+aQ/yoqHGEfsSs9qwgK3iAHtl
	1Sc+5GcTdebDUExWoA/qpc4JOGSi9qbBZUN5zsqncRHiiSHtW8qc+onJYR1EpGuQ
	S4mOKFIozNP3r7YYt9GCP6gXKkcRnrAqeWUTExSx041B1lDY+hzNLCcvq881Jp8H
	LaMhQIxfwT+OS6O4wopSIA==;

SPF, DKIM非常详细,并且最重要的是 DKIM签名的域就是发送域。所以有这样一句:

1
Received: from msbadger0406.apple.com (msbadger0406.apple.com. [17.254.6.147])

这样的邮件是安心可以点击的邮件。各种unknown域的邮件,大部分是可以造假的。

后来我又从其他邮箱中找到了各种来自豆瓣,知乎,三巨头 阿里,百度,QQ的邮件。所有的邮件中要么没有DKIM,要么DKIM的域和发送的域不一致。导致都是unknown的IP地址。这样的邮件大部分可以伪造,想想如果CSDN/支付宝/百度/腾讯,让你提交个身份证 Or 地址电话什么的。大概也会有人连想都不想直接点开链接,下载其中的附件。所以,国内的email环境实在是不安全。以后,看到CSDN发送过来的邮件,还是三思而后打开吧…