On 22/03/2019 23:19, Christian Schmitz wrote:
Hi everyone:
I have a small mail server with a few email accounts. The server is:
Opensuse/Postfix/apache
Today I received a phishing email. The words more or less say that I was hacked, that
he knows my passwords, blah blah blah, and that I must pay in bitcoins. The email
content is 100% phishing and no real hacking, for several reasons:
list@XXX was only created for mailing lists and for no other usage
I have no webcam
The hacker did not use SASL to make real use of my account.
For forums/website registrations i use mailinator.com
The curious thing is that the email seemed at first sight to be written from me to myself. If my
email is list@xxx, the email says it is from list@xxx.
So I started a little investigation in the LOG file, and everything seems to show that the "hacker"
does not know the passwords. Because the emailer was not SASL authenticated,
the "hacker" simply spoofed the FROM field:
1) First question: how can I filter the spoofed emails? In other words, if the
sender is not authorized to send as list@xxx because this email is managed by ME
Hi Christian,
If you want to stop your domain(s) being spoofed you can try the
following, but note that:
1) I've blocked authentication on Port 25 (smtpd). If you use Port 25
for authentication, don't read on, as this won't work for you (unless
someone here knows different).
2) This will not stop you receiving opportunistic blackmail messages, as
they just as often use compromised accounts without spoofing your email
address or domain. The below will only stop you getting messages
purporting to be from yourself from the outside world.
Add a line to main.cf (if the line and file don't already exist):
header_checks = pcre:/etc/postfix/header_checks
Create the file 'header_checks' and add the following lines to the file:
/^From:.*@yourPrimarydomain.tld/ REJECT Shut the door on your way out!.
/^From:.*@yourSecondarydomainIfYouHaveOne.tld/ REJECT Get lost
(or whatever polite message you want to send after REJECT)
DON'T STOP NOW: leaving the above as it is will have the undesired
effect of also rejecting authenticated mail, so disable header checks
for submission (port 587) and smtps (port 465) in 'master.cf' by adding
an override switch under those sections:
-o receive_override_options=no_header_body_checks
If you use sendmail, mail or mailx add the override to pickup as well.
I'm only a Postfix novice+, so please someone put me right if I'm wrong
with the above.
I have received many of these threats. I've even got one in Chinese (or
Japanese or something like that)! Most messages contained passwords I'd
used a long long time ago, but others used passwords in recent failed
attempts at auth. I think it must have proved fruitful as more people
seem to be in on the act now. First message I got was very well written,
sent from an IP in Russia, sender claiming he was Romanian and not to be
messed with. In the later offerings, the spelling and grammar seriously
deteriorated.
Best wishes,
Mick.
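As an added example (not part of the thread and not Postfix's own code), the Python below emulates the header_checks rule Mick describes, including the submission/smtps exemption, and also reads the result token from the Received-SPF header that the SPF policy daemon prepended, the header Christian's second question is about. The domains example.com and remote.example and the sample headers are constructed placeholders; a tightened pattern that anchors the domain is shown beside the rule as posted.

```python
import re
from email import message_from_string

# Assumption: the domain(s) this Postfix instance hosts (placeholder value).
OWN_DOMAINS = ["example.com"]

# The rule exactly as posted: unescaped dot and no end anchor (kept to compare).
LOOSE_RULE = re.compile(r"^From:.*@example.com", re.IGNORECASE)

# Tightened form: dot escaped and domain anchored at the end of the address,
# so user@example.com.attacker.example is not treated as local.
STRICT_RULE = re.compile(
    r"^From:.*@(?:" + "|".join(map(re.escape, OWN_DOMAINS)) + r")\s*>?\s*$",
    re.IGNORECASE,
)

# Constructed sample modelled on the headers in the thread (placeholder
# addresses): foreign envelope sender, SPF softfail, From: claiming the list.
SAMPLE = """\
Return-Path: <sender@remote.example>
Received-SPF: softfail (remote.example: Sender is not authorized by default
 to use 'sender@remote.example' in 'mfrom' identity) receiver=mx;
 identity=mailfrom; envelope-from="sender@remote.example"; client-ip=192.0.2.10
From: <list@example.com>
To: list@example.com
Subject: list

body
"""

def header_check(raw_message, sasl_authenticated):
    """Emulate the posted header_checks rule: 'REJECT' or 'DUNNO' (no decision)."""
    # Submission/smtps carry receive_override_options=no_header_body_checks,
    # so authenticated mail is never inspected (Mick's "DON'T STOP NOW" caveat).
    if sasl_authenticated:
        return "DUNNO"
    line = "From: " + message_from_string(raw_message).get("From", "")
    return "REJECT" if STRICT_RULE.search(line) else "DUNNO"

def loose_rule_matches(raw_message):
    """True when the rule as posted would fire (shows the over-match)."""
    line = "From: " + message_from_string(raw_message).get("From", "")
    return LOOSE_RULE.search(line) is not None

def spf_result(raw_message):
    """Result token of the Received-SPF header the SPF policy daemon prepended."""
    hdr = message_from_string(raw_message).get("Received-SPF")
    return hdr.split(None, 1)[0].lower() if hdr else None
```

To check the real rule against Postfix itself rather than this emulation, run `postmap -q "From: <list@yourPrimarydomain.tld>" pcre:/etc/postfix/header_checks` and confirm it prints the REJECT action.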
2) Second question: how can I adjust the sender policy to block SPF soft fail?
Thank you all.
Best Regards.
Christian Schmitz
Info extra 1: LOG: /var/log/mail
connect from mmu.ac.ug[62.75.235.12]
Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
: SPF softfail (Mechanism '~all' matched): Envelope-from: d...@mmu.ac.ug
: handler sender_policy_framework: is decisive.
: Policy action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not
authorized by default to use 'd...@mmu.ac.ug' in 'mfrom' identity, however
domain is not currently prepared for false failures (mechanism '~all'
matched)) receiver=schweb; identity=mailfrom; envelope-from="d...@mmu.ac.ug";
helo=xray144.theg7.com; client-ip=62.75.235.12
client=mmu.ac.ug[62.75.235.12]
message-id=<5s5jp2.2trzrx165hrq...@mail.mmu.ac.ug>
from=<d...@mmu.ac.ug>, size=228789, nrcpt=1 (queue active)
disconnect from mmu.ac.ug[62.75.235.12]
to=<list@XXX>, relay=virtual, delay=8, delays=6.9/0.02/0/1, dsn=2.0.0,
status=sent (delivered to maildir)
removed
Info extra 2: when I send an email I get the log of SASL authentication:
client=unknown[192.168.XX.XX], sasl_method=LOGIN, sasl_username=YYY@XXX
Info extra 3: received email header
Return-Path: <d...@mmu.ac.ug>
X-Original-To: list@XXX
Delivered-To: list@XXX
Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to
use 'd...@mmu.ac.ug' in 'mfrom' identity, however domain is not currently
prepared for false failures (mechanism '~all' matched)) receiver=schweb;
identity=mailfrom; envelope-from="d...@mmu.ac.ug"; helo=xray144.theg7.com;
client-ip=62.75.235.12
Received: from xray144.theg7.com (mmu.ac.ug [62.75.235.12])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by schweb.com.ar (schweb.com.ar) with ESMTPS id 9EE12450F4
for <l...@schweb.com.ar>; Fri, 22 Mar 2019 07:41:58 -0300 (ART)
Received: from localhost (localhost [127.0.0.1])
by xray144.theg7.com (Postfix) with ESMTP id 50A1C11A0A4A
for <l...@schweb.com.ar>; Fri, 22 Mar 2019 09:58:35 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at xray144.theg7.com
Received: from xray144.theg7.com ([127.0.0.1])
by localhost (xray144.theg7.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id pFCoeEV4cz8Y for <l...@schweb.com.ar>;
Fri, 22 Mar 2019 09:58:34 +0000 (UTC)
Received: from [IP-45-237-216-17.acesstelecom.com] (unknown [168.196.195.30])
(Authenticated sender: d...@mmu.ac.ug)
by xray144.theg7.com (Postfix) with ESMTPSA id 9097B11A042A
for <l...@schweb.com.ar>; Fri, 22 Mar 2019 09:58:20 +0000 (UTC)
Message-ID: <5s5jp2.2trzrx165hrq...@mail.mmu.ac.ug>
X-Sender-Info: <d...@mmu.ac.ug>
X-Abuse-Reports-To: <ab...@mailer.mmu.ac.ug>
X-Mailer: ZetaMail50
Content-Type: multipart/related;
boundary="7737CA265D6"
MIME-Version: 1.0
Errors-To: 64342856482eb6c5e0f0aa6...@mail.mmu.ac.ug
To: l...@schweb.com.ar
Subject: list
From: <l...@schweb.com.ar>
Date: Fri, 22 Mar 2019 11:41:41 +0100
Organization: Tdmearjjqvslxt
List-ID: <93206451344121874219.mmu.ac.ug>
Status: R
X-Status: NT
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
This is a multi-part message in MIME format
--7737CA265D6
Content-Type: multipart/alternative;
boundary="C596CBF6D5"
--C596CBF6D5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
--C596CBF6D5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64
PGh0bWw+PGJvZHk+PGltZyBzcmM9ImNpZDphdHRfaW1nXzgyNzA1MCI+PC9ib2R5PjwvaHRtbD4N
Cg==
--C596CBF6D5--
--7737CA265D6