Good afternoon Pak Syafril,

We would appreciate your advice on the following case:

1. Initially there was an email conversation between our user (r...@ggindonesia.co.id) and a supplier (lauki.za...@expeditors.com).

2. In the middle of the conversation, replies suddenly arrived from a third party impersonating both our user and the supplier's user. The addresses were:

lauki.za...@expedtors.com (missing the letter "i" in the domain expeditors.com, impersonating lauki.za...@expeditors.com), and
r...@ggindonesia.net (impersonating r...@ggindonesia.co.id)

3. Both fake users interjected in the conversation to redirect the payment to a particular account belonging to them. One of them wrote in unnatural Indonesian, like a Google Translate rendering.

It is very clear to us that this is some kind of hacker activity. How could this happen, and how do we deal with it?

Below is one of the SMTP-in logs for lauki.za...@expedtors.com:

Fri 2015-06-26 03:23:52.829: ----------
Fri 2015-06-26 03:21:50.103: [145672] Session 145672; child 0001
Fri 2015-06-26 03:21:50.103: [145672] Accepting SMTP connection from 64.98.42.134:42941 to 202.43.114.202:25
Fri 2015-06-26 03:21:50.103: [145672] --> 220 jakarta.ggindonesia.co.id ESMTP MDaemon 15.0.0; Fri, 26 Jun 2015 03:21:50 +0700
Fri 2015-06-26 03:21:50.365: [145672] <-- EHLO smtprelay.b.hostedemail.com
Fri 2015-06-26 03:21:50.365: [145672] --> 250-jakarta.ggindonesia.co.id Hello smtprelay.b.hostedemail.com, pleased to meet you
Fri 2015-06-26 03:21:50.365: [145672] --> 250-ETRN
Fri 2015-06-26 03:21:50.365: [145672] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Fri 2015-06-26 03:21:50.365: [145672] --> 250-8BITMIME
Fri 2015-06-26 03:21:50.365: [145672] --> 250-ENHANCEDSTATUSCODES
Fri 2015-06-26 03:21:50.365: [145672] --> 250 SIZE
Fri 2015-06-26 03:21:50.623: [145672] <-- MAIL FROM:<lauki.za...@expedtors.com> SIZE=33057 BODY=8BITMIME
Fri 2015-06-26 03:21:50.625: [145672] Performing PTR lookup (134.42.98.64.IN-ADDR.ARPA)
Fri 2015-06-26 03:21:51.245: [145672] * D=134.42.98.64.IN-ADDR.ARPA TTL=(1440) PTR=[smtprelay0134.b.hostedemail.com]
Fri 2015-06-26 03:21:51.245: [145672] * D=134.42.98.64.IN-ADDR.ARPA TTL=(60) PTR=[smtprelay0134.b.hostedemail.com]
Fri 2015-06-26 03:21:51.625: [145672] * D=smtprelay0134.b.hostedemail.com TTL=(60) A=[64.98.42.134]
Fri 2015-06-26 03:21:51.631: [145672] * D=smtprelay0134.b.hostedemail.com TTL=(60) A=[64.98.42.134]
Fri 2015-06-26 03:21:51.631: [145672] ---- End PTR results
Fri 2015-06-26 03:21:51.632: [145672] Performing IP lookup (smtprelay.b.hostedemail.com)
Fri 2015-06-26 03:21:51.904: [145672] * D=smtprelay.b.hostedemail.com TTL=(60) A=[64.98.36.5]
Fri 2015-06-26 03:21:51.904: [145672] ---- End IP lookup results
Fri 2015-06-26 03:21:51.906: [145672] Performing IP lookup (expedtors.com)
Fri 2015-06-26 03:21:52.225: [145672] * D=expedtors.com TTL=(5) A=[54.246.123.138]
Fri 2015-06-26 03:21:52.433: [145672] * P=010 S=000 D=expedtors.com TTL=(30) MX=[mx.expedtors.com.cust.b.hostedemail.com]
Fri 2015-06-26 03:21:52.698: [145672] * D=mx.expedtors.com.cust.b.hostedemail.com TTL=(60) A=[64.98.36.4]
Fri 2015-06-26 03:21:52.698: [145672] ---- End IP lookup results
Fri 2015-06-26 03:21:52.699: [145672] Performing SPF lookup (expedtors.com / 64.98.42.134)
Fri 2015-06-26 03:23:04.131: [145672] * DNS: 45 second wait for DNS response exceeded (DNS Server: 202.43.114.97)
Fri 2015-06-26 03:23:34.972: [145672] *  Result: none; no SPF record in DNS
Fri 2015-06-26 03:23:34.972: [145672] ---- End SPF results
Fri 2015-06-26 03:23:34.972: [145672] --> 250 2.1.0 Sender OK
Fri 2015-06-26 03:23:35.233: [145672] <-- RCPT TO:<r...@ggindonesia.co.id>
Fri 2015-06-26 03:23:35.235: [145672] --> 250 2.1.5 Recipient OK
Fri 2015-06-26 03:23:35.495: [145672] <-- DATA
Fri 2015-06-26 03:23:35.495: [145672] Creating temp file (SMTP): e:\mdaemon\queues\temp\md50000141480.tmp
Fri 2015-06-26 03:23:35.495: [145672] --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2015-06-26 03:23:36.776: [145672] Message size: 33056 bytes
Fri 2015-06-26 03:23:36.777: [145672] Performing DKIM lookup
Fri 2015-06-26 03:23:36.777: [145672] * File: e:\mdaemon\queues\temp\md50000141480.tmp
Fri 2015-06-26 03:23:36.777: [145672] * Message-ID: <8fa18c36148f5576cc0751255c7b2...@expedtors.com>
Fri 2015-06-26 03:23:52.778: [145672] *  Result: neutral
Fri 2015-06-26 03:23:52.778: [145672] ---- End DKIM results
Fri 2015-06-26 03:23:52.781: [145672] Performing DMARC processing
Fri 2015-06-26 03:23:52.781: [145672] * File: e:\mdaemon\queues\temp\md50000141480.tmp
Fri 2015-06-26 03:23:52.781: [145672] * Message-ID: <8fa18c36148f5576cc0751255c7b2...@expedtors.com>
Fri 2015-06-26 03:23:52.781: [145672] *  Author domain: expedtors.com
Fri 2015-06-26 03:23:52.781: [145672] * Organizational domain: expedtors.com
Fri 2015-06-26 03:23:52.781: [145672] *  Query domain: _dmarc.expedtors.com
Fri 2015-06-26 03:24:55.245: [145672] *    No DMARC policy record found
Fri 2015-06-26 03:24:55.245: [145672] *  Action taken: none
Fri 2015-06-26 03:24:55.245: [145672] *  Result: none
Fri 2015-06-26 03:24:55.245: [145672] ---- End DMARC results
Fri 2015-06-26 03:24:55.833: [145672] Passing message through Outbreak Protection...
Fri 2015-06-26 03:24:55.833: [145672] * Message-ID: <8fa18c36148f5576cc0751255c7b2...@expedtors.com>
Fri 2015-06-26 03:24:55.833: [145672] * Reference-ID: str=0001.0A15020A.558C639A.0055,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Fri 2015-06-26 03:24:55.833: [145672] *  Virus result: 0 - Clean
Fri 2015-06-26 03:24:55.833: [145672] *  Spam result: 1 - Clean
Fri 2015-06-26 03:24:55.833: [145672] *  IWF result: 0 - Clean
Fri 2015-06-26 03:24:55.833: [145672] ---- End Outbreak Protection results
Fri 2015-06-26 03:24:55.834: [145672] Passing message through Spam Filter (Size: 33056)...
Fri 2015-06-26 03:25:02.160: [145672] * 1.5 SUBJ_ALL_CAPS Subject is all capitals
Fri 2015-06-26 03:25:02.160: [145672] * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
Fri 2015-06-26 03:25:02.160: [145672] *      [score: 0.0000]
Fri 2015-06-26 03:25:02.160: [145672] * 0.0 HTML_MESSAGE BODY: HTML included in message
Fri 2015-06-26 03:25:02.160: [145672] * 0.0 LOTS_OF_MONEY Huge... sums of money
Fri 2015-06-26 03:25:02.160: [145672] * 1.9 MONEY_FROM_41 Lots of money from Africa
Fri 2015-06-26 03:25:02.160: [145672] * 0.0 T_MONEY_PERCENT X% of a lot of money for you
Fri 2015-06-26 03:25:02.160: [145672] * 0.0 FILL_THIS_FORM Fill in a form with personal information
Fri 2015-06-26 03:25:02.160: [145672] * 0.0 FORM_FRAUD Fill a form and a fraud phrase
Fri 2015-06-26 03:25:02.160: [145672] ---- End SpamAssassin results
Fri 2015-06-26 03:25:02.160: [145672] Spam Filter score/req: -1.20/12.0
Fri 2015-06-26 03:25:02.419: [145672] Message creation successful: e:\mdaemon\queues\inbound\md50005233099.msg
Fri 2015-06-26 03:25:02.419: [145672] --> 250 2.6.0 Ok, message saved <Message-ID: <8fa18c36148f5576cc0751255c7b2...@expedtors.com>>
Fri 2015-06-26 03:25:02.420: [145672] <-- QUIT
Fri 2015-06-26 03:25:02.420: [145672] --> 221 2.0.0 See ya in cyberspace
Fri 2015-06-26 03:25:02.420: [145672] SMTP session successful (Bytes in/out: 33203/470)
Fri 2015-06-26 03:25:02.420: ----------

Best regards,
Alim

--
--[MDaemon-L]------------------------------------------------
This list is for discussion among MDaemon Mail Server users.

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Unsubscribe: send mail to MDaemon-L-unsubscribe [at] dutaint.com
Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
Latest versions: MD 15.0.3, SP 4.5.1, BES 2.0.2, OC 3.5, SG 3.0.2

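The log in the post explains why the message was accepted: expedtors.com resolves and has its own MX record at hostedemail.com, so it is a registered domain under the sender's control, not a forged header on the real expeditors.com. SPF, DKIM and DMARC only answer "is this sender allowed to use this domain?", and the answer for the attacker's own domain is never a fail; ggindonesia.net is the same trick with the public suffix swapped. The only signal an inbound gateway can act on is that the MAIL FROM domain is a near-duplicate of a domain the business already deals with. The script below is an added example, not part of the original post and not MDaemon functionality: it parses MDaemon-style SMTP-in log lines, extracts the peer IP, MAIL FROM and the SPF/DKIM/DMARC results per session, and flags sender domains that are one edit away from, or a suffix swap of, a list of known partner domains. The sample log is constructed to mirror the format above (the local parts and the 198.51.100.x / 203.0.113.x peers are placeholders); PARTNER_DOMAINS, the small suffix table and every function name are assumptions for the example.

```python
import re

# Partner domains this organisation exchanges invoices with (an assumption for this example).
PARTNER_DOMAINS = ["expeditors.com", "ggindonesia.co.id"]
# Multi-label public suffixes that must be split as one unit; real code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.id", "co.uk", "com.au"}

SESSION_RE = re.compile(r"^\w{3} \S+ \S+: \[(\d+)\] (.*)$")
CONNECT_RE = re.compile(r"Accepting SMTP connection from (\d+\.\d+\.\d+\.\d+):\d+")
MAILFROM_RE = re.compile(r"<-- MAIL FROM:<([^>]*)>", re.IGNORECASE)
CHECK_RE = re.compile(r"Performing (SPF|DKIM|DMARC) (?:lookup|processing)")
RESULT_RE = re.compile(r"\*\s+Result:\s*(\w+)")

# Constructed excerpt in MDaemon's SMTP-in log format. Local parts and the 198.51.100.x / 203.0.113.x
# peers are placeholders; the first session mirrors the lookalike sender seen in the post.
SAMPLE_LOG = """\
Fri 2015-06-26 03:21:50.103: [145672] Accepting SMTP connection from 64.98.42.134:42941 to 202.43.114.202:25
Fri 2015-06-26 03:21:50.623: [145672] <-- MAIL FROM:<supplier@expedtors.com> SIZE=33057 BODY=8BITMIME
Fri 2015-06-26 03:21:52.699: [145672] Performing SPF lookup (expedtors.com / 64.98.42.134)
Fri 2015-06-26 03:23:34.972: [145672] *  Result: none; no SPF record in DNS
Fri 2015-06-26 03:23:36.777: [145672] Performing DKIM lookup
Fri 2015-06-26 03:23:52.778: [145672] *  Result: neutral
Fri 2015-06-26 03:23:52.781: [145672] Performing DMARC processing
Fri 2015-06-26 03:24:55.245: [145672] *  Result: none
Fri 2015-06-26 04:02:11.001: [145680] Accepting SMTP connection from 198.51.100.7:51022 to 202.43.114.202:25
Fri 2015-06-26 04:02:11.300: [145680] <-- MAIL FROM:<finance@ggindonesia.net> SIZE=12000 BODY=8BITMIME
Fri 2015-06-26 04:02:11.900: [145680] Performing SPF lookup (ggindonesia.net / 198.51.100.7)
Fri 2015-06-26 04:02:12.100: [145680] *  Result: pass
Fri 2015-06-26 05:10:00.000: [145690] Accepting SMTP connection from 203.0.113.10:40001 to 202.43.114.202:25
Fri 2015-06-26 05:10:00.200: [145690] <-- MAIL FROM:<supplier@expeditors.com> SIZE=8000 BODY=8BITMIME
Fri 2015-06-26 05:10:00.500: [145690] Performing SPF lookup (expeditors.com / 203.0.113.10)
Fri 2015-06-26 05:10:00.700: [145690] *  Result: pass
"""


def split_domain(domain):
    """Return (registrable name, public suffix), e.g. ggindonesia.co.id -> ('ggindonesia', 'co.id')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def levenshtein(a, b):
    """Edit distance; a single dropped, added or swapped letter is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, partners=PARTNER_DOMAINS):
    """('trusted', domain) for an exact partner, ('typosquat'|'tld-swap', partner) for a lookalike, else None."""
    domain = domain.lower()
    if domain in [p.lower() for p in partners]:
        return ("trusted", domain)
    name, suffix = split_domain(domain)
    for p in partners:
        pname, psuffix = split_domain(p)
        if name == pname and suffix != psuffix:
            return ("tld-swap", p)            # ggindonesia.net vs ggindonesia.co.id
        if levenshtein(domain, p.lower()) <= 1 or levenshtein(name, pname) <= 1:
            return ("typosquat", p)           # expedtors.com vs expeditors.com (distance 1)
    return None


def parse_sessions(log_text):
    """Group log lines by session id and pull out peer IP, MAIL FROM and SPF/DKIM/DMARC results."""
    sessions, pending = {}, {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        sid, body = m.groups()
        s = sessions.setdefault(sid, {"session": sid, "ip": None, "mail_from": None,
                                      "spf": None, "dkim": None, "dmarc": None})
        if c := CONNECT_RE.search(body):
            s["ip"] = c.group(1)
        elif c := MAILFROM_RE.search(body):
            s["mail_from"] = c.group(1)
        elif c := CHECK_RE.search(body):
            pending[sid] = c.group(1).lower()      # the next "Result:" line belongs to this check
        elif (c := RESULT_RE.search(body)) and sid in pending:
            s[pending.pop(sid)] = c.group(1).lower()
    return list(sessions.values())


def assess(session):
    """Attach a verdict. Lookalikes are flagged whatever SPF/DKIM/DMARC say, since the sender owns that DNS."""
    v = dict(session)
    v["domain"] = (session["mail_from"] or "").rpartition("@")[2]
    finding = classify_domain(v["domain"]) if v["domain"] else None
    auth = f"SPF={session['spf']} DKIM={session['dkim']} DMARC={session['dmarc']}"
    if finding is None:
        v["verdict"], v["reason"] = "unknown", "not related to a partner domain"
    elif finding[0] != "trusted":
        v["verdict"], v["reason"] = "lookalike", f"{finding[0]} of partner {finding[1]}; {auth} cannot help here"
    elif "fail" in (session["spf"], session["dmarc"]):
        v["verdict"], v["reason"] = "spoofed-partner", f"exact partner domain but {auth}"
    else:
        v["verdict"], v["reason"] = "ok", f"partner domain, {auth}"
    return v


def analyse(log_text):
    """Run the whole pipeline over an SMTP-in log and return one verdict dict per session."""
    return [assess(s) for s in parse_sessions(log_text)]
```

Running `analyse(SAMPLE_LOG)` flags session 145672 as a typosquat of expeditors.com and session 145680 as a suffix swap of ggindonesia.co.id, while the genuine expeditors.com session is reported as ok; the verdicts carry the SPF/DKIM/DMARC results for the analyst but do not depend on them. The same pipeline distinguishes the other case a gateway must handle, an exact partner domain whose SPF or DMARC fails, which is real spoofing and is what those mechanisms are for. In production the distance-1 heuristic should be paired with a proper Public Suffix List and a quarantine or banner action in the mail server, and the partner list should be maintained from the vendor master, not from incoming mail.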