Hi Dirk,

Well, there are often a few things that can be done, although normally you need to also consider that email is one of the (if not the) most insecure methods of communication.

Simple things, some of which you may have enabled already, include:

- Limiting the IP ranges that can send email (of course this can be spoofed, but it requires more work from the scammer's side)
- Authenticated sending (to ensure they do not send via your server; if they do, then look for the account being exploited)
- SPF records can help a little too, I believe (have not played too much with them)

Note: I am no expert myself, but the above should get you pointed in the right direction to start with. I am sure there are other ways to harden the security, like with RBLs, spam filtering such as SpamAssassin, etc. I suppose some geo-blocking may also help, which would go more hand in hand with the initial comment on limiting the IP ranges.

As always, staff training on cyber threats is invaluable.

Hope this helps for the future. I suspect someone with more knowledge will reply also soon enough, but thought this may provide a little light reading to start with.

Regards
Brian

On 25/1/18, 11:07 pm, "Blueonyx on behalf of Dirk Estenfeld" <blueonyx-boun...@mail.blueonyx.it on behalf of dirk.estenf...@blackpoint.de> wrote:

> Hello,
>
> we have one customer who was the victim of a CEO fraud. Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account. He did :(
>
> Now we found out that it is possible to send email with sendmail on CentOS/BlueOnyx (also other distributions) from an existing email address to an existing email address.
>
> Example:
>
>     telnet 208.77.xx.xx 25
>     Trying 208.77.xx.xx...
>     Connected to 208.77.xx.xx
>     Escape character is '^]'.
>     220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
>     EHLO blackpoint.de
>     250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
>     250-ENHANCEDSTATUSCODES
>     250-PIPELINING
>     250-8BITMIME
>     250-SIZE
>     250-DSN
>     250-ETRN
>     250-AUTH LOGIN PLAIN
>     250-STARTTLS
>     250-DELIVERBY
>     250 HELP
>     MAIL FROM:mst...@solxxx.net
>     250 2.1.0 mst...@solxxx.net... Sender ok
>     RCPT TO: mst...@solxxx.net
>     451 4.7.1 Greylisting in action, please come back later
>     RCPT TO: mst...@solxxx.net
>     250 2.1.5 mst...@solxxx.net... Recipient ok
>     DATA
>     354 Enter mail, end with "." on a line by itself
>     Some content for example send money to yx
>     .
>     250 2.0.0 w0PBbxN1026335 Message accepted for delivery
>     QUIT
>     221 2.0.0 sol.xxx closing connection
>     Connection closed by foreign host.
>
> Unfortunately it is not only possible from the same user to the same user. It is also possible from an email address (existing at the server) to an email address (existing at the server).
>
> Did someone else see something similar? In my opinion, in days of CEO fraud, this is a security issue.
>
> Does someone know how to change settings in sendmail to prevent this behaviour?
>
> Best regards,
> Dirk Estenfeld
>
> ---
> blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx@mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
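The policy Dirk is asking for, modelled as an added example (this is not code from the thread, from sendmail or from BlueOnyx): a small in-memory SMTP state machine that replays transcripts like the one posted above. A MAIL FROM in one of the host's own domains is accepted only from an authenticated session or a trusted network, and an authenticated session may only use the address it logged in as, so a single employee's misused password cannot impersonate the CEO either. The domain `solxxx.net`, the login `mst@solxxx.net`, the password, the IP addresses and the transcripts are all constructed for the example; in sendmail the equivalent decision would be made in the `check_mail` ruleset using the `${auth_authen}` and `${client_addr}` macros, which this Python model only imitates.

```python
"""Sender-address policy for an SMTP host, as a replayable in-memory state machine.
Added example: not code from the thread, sendmail or BlueOnyx. All domains,
credentials, addresses and transcripts below are constructed for the example."""
import base64
import ipaddress
import re

# Constructed sample configuration (not taken from the thread).
LOCAL_DOMAINS = {"solxxx.net"}                        # domains this host receives mail for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # LAN that may send without AUTH
USERS = {"mst@solxxx.net": "s3cret"}                 # login -> password

_ADDR = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<?([^<>\s]*)>?", re.I)


class Session:
    """One SMTP session; handle() takes a client line and returns the server reply."""

    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.login = None            # set after a successful AUTH PLAIN
        self.sender = None
        self.recipients = []
        self.in_data = False

    def trusted(self):
        return any(self.client_ip in net for net in TRUSTED_NETS)

    def handle(self, line):
        if self.in_data:                      # inside the body only "." gets a reply
            if line != ".":
                return None
            self.in_data = False
            return "250 2.0.0 Message accepted for delivery"
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            return "250-mx.solxxx.net Hello\r\n250-AUTH PLAIN\r\n250 HELP"
        if verb == "AUTH":
            return self._auth(line)
        if verb == "MAIL":
            return self._mail_from(line)
        if verb == "RCPT":
            return self._rcpt_to(line)
        if verb == "DATA" and self.recipients:
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 mx.solxxx.net closing connection"
        return "503 5.5.1 Bad sequence of commands" if verb == "DATA" else "500 5.5.1 Command unrecognized"

    def _auth(self, line):
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:  # AUTH PLAIN payload is base64("<authzid>\0<user>\0<password>")
            _, user, password = base64.b64decode(parts[2]).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode response"
        if USERS.get(user) != password:
            return "535 5.7.8 Authentication credentials invalid"
        self.login = user.lower()
        return "235 2.7.0 Authentication successful"

    def _mail_from(self, line):
        m = _ADDR.match(line)
        if not m:
            return "501 5.5.4 Syntax error in parameters"
        addr = m.group(1).lower()
        if addr and addr.rpartition("@")[2] in LOCAL_DOMAINS:
            # The missing check from the thread: an outside, unauthenticated client
            # may not claim one of our own addresses as the envelope sender.
            if self.login is None and not self.trusted():
                return "550 5.7.1 Sender %s claims a local domain but session is not authenticated" % addr
            # A valid login may only speak for itself (no impersonating the CEO).
            if self.login is not None and addr != self.login:
                return "553 5.7.1 Sender %s does not match authenticated login %s" % (addr, self.login)
        self.sender, self.recipients = addr, []
        return "250 2.1.0 %s Sender ok" % (addr or "<>")

    def _rcpt_to(self, line):
        if self.sender is None:
            return "503 5.5.1 Need MAIL before RCPT"
        m = _ADDR.match(line)
        if not m or not m.group(1):
            return "501 5.5.4 Syntax error in parameters"
        addr = m.group(1).lower()
        if addr.rpartition("@")[2] not in LOCAL_DOMAINS and self.login is None and not self.trusted():
            return "554 5.7.1 Relay access denied"
        self.recipients.append(addr)
        return "250 2.1.5 %s Recipient ok" % addr


def replay(client_ip, client_lines):
    """Run a scripted client through one Session; return the reply to each command."""
    session = Session(client_ip)
    return [r for r in (session.handle(l) for l in client_lines) if r is not None]


# Constructed transcripts modelled on the one posted in the thread.
AUTH_LINE = "AUTH PLAIN " + base64.b64encode(b"\0mst@solxxx.net\0s3cret").decode()
SPOOF_FROM_OUTSIDE = ["EHLO blackpoint.de", "MAIL FROM:mst@solxxx.net", "RCPT TO: mst@solxxx.net", "QUIT"]
AUTHENTICATED_SEND = ["EHLO laptop", AUTH_LINE, "MAIL FROM:<mst@solxxx.net>", "RCPT TO:<mst@solxxx.net>",
                      "DATA", "Some content", ".", "QUIT"]
AUTHENTICATED_IMPERSONATION = ["EHLO laptop", AUTH_LINE, "MAIL FROM:<ceo@solxxx.net>", "QUIT"]

if __name__ == "__main__":  # print the server side of each constructed transcript
    for ip, script in [("203.0.113.7", SPOOF_FROM_OUTSIDE), ("10.1.2.3", SPOOF_FROM_OUTSIDE),
                       ("203.0.113.7", AUTHENTICATED_SEND), ("203.0.113.7", AUTHENTICATED_IMPERSONATION)]:
        print("client", ip, *replay(ip, script), sep="\n  ")
```

Run against the spoof transcript from an outside address, the MAIL FROM is refused with a 550 where Dirk's server answered "Sender ok"; the same transcript from the trusted LAN and the authenticated session go through, and the authenticated attempt to use the CEO's address is refused with a 553. Rejecting at MAIL FROM rather than after DATA keeps the forged message out of the queue and out of the logs as an accepted delivery.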