[mdaemon-l] MDaemon Server intruder

2020-05-27 Thread Ivan

On 27/05/20 10:17, Arif Santoso wrote:

> Dear All,
>
> There is a user whose sender address is from our email server, even though
> that user does not exist.
>
> From: eaglehighplantations.com>
>
> How can that be? I searched the SMTP (in) log and it is not there either.
>
> Please enlighten me.
>
> Rgds,
>
> Arif

Interesting topic to discuss, Pak. If you could share the message headers and
the SMTP In+Out logs, Pak Syafril can dissect them.


--
--[mdaemon-l]--
This list is for discussion among MDaemon Mail Server users in Indonesia

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version: MDaemon 20.0.0, SecurityGateway 6.5.2


[mdaemon-l] MDaemon Server intruder

2020-05-27 Thread Syafril Hermansyah
On 28/05/20 10.06, Arif Santoso wrote:
>> Show the message headers here.
> The user has already deleted the email. If only the log is available, what then, Pak?


The SMTP-in log does not show From, only MAIL FROM (Sender); only the message
header (or the routing log) will show From.


> Wed 2020-05-27 10:17:15.926: <-- MAIL FROM:


See above: the sender = MAIL FROM is
bounces+726700-8a68-corsec=eaglehighplantations@sendgrid.net.

In Internet mail the address in MAIL FROM = Sender = Reply-To is generally the
same, but when mail is sent through a list server they can differ.
The same applies when the original sender deliberately sets a Reply-To address
that differs from the From.
Both techniques above are commonly used by spammers to send phishing spam.

Phishing spam from your own domain can only be dealt with by domain
anti-spoofing (SPF, DKIM, or DMARC based on SPF and/or DKIM).

See how to enable an SPF record and verify it at

https://www.mail-archive.com/mdaemon-l@dutaint.com/msg46096.html

while for the DKIM record see here

https://www.mail-archive.com/mdaemon-l@dutaint.com/msg44709.html







-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 20.0-64 bit
Please do not cc: or send private mail for MDaemon issues.

Never give up on anything.
If you fail, try, try and try again.
You are learning the best ways of doing things.
--- Lailah Gifty Akita


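As an added example (not code from the thread, from MDaemon, or from SendGrid), the DMARC-style identifier alignment check that decides whether the three identities Syafril distinguishes above count for the domain in the header From. The MAIL FROM and DKIM d= values are the ones visible in the quoted log; the header From address is an assumption based on Arif's first post, and org_domain() is a deliberate simplification of the Public Suffix List lookup a real evaluator performs.

```python
# Added example (not from the thread or from MDaemon): DMARC-style identifier
# alignment for the three identities Syafril's reply distinguishes.
# org_domain() is a simplification; a real evaluator uses the Public Suffix List.

def org_domain(name: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 alignment: 's' = exact match, 'r' = same organizational domain."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_evaluate(header_from, mail_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """Return (verdict, reasons).

    header_from / mail_from: addresses; only the part after '@' matters.
    spf_result: SPF verdict for the MAIL FROM domain ('pass', 'fail', 'none', ...).
    dkim_sigs: list of (d= domain, verification result) tuples.
    The MAIL FROM local part ('bounces+...=eaglehighplantations') is ignored: a
    rewritten envelope sender never makes SPF align with the header From.
    """
    hdr = header_from.rsplit("@", 1)[-1]
    mf = mail_from.rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(hdr, mf, aspf)
    reasons = [f"SPF {spf_result} for {mf}: "
               f"{'aligned' if spf_ok else 'not aligned'} with {hdr}"]
    dkim_ok = False
    for d, result in dkim_sigs:
        ok = result == "pass" and aligned(hdr, d, adkim)
        dkim_ok = dkim_ok or ok
        reasons.append(f"DKIM {result} for d={d}: "
                       f"{'aligned' if ok else 'not aligned'} with {hdr}")
    return ("pass" if spf_ok or dkim_ok else "fail"), reasons


if __name__ == "__main__":
    # Values from the quoted session; the header From address is assumed
    # from Arif's first post (the archive stripped the local part).
    verdict, why = dmarc_evaluate(
        "someone@eaglehighplantations.com",
        "bounces+726700-8a68-corsec=eaglehighplantations@sendgrid.net",
        "pass",                      # SPF: pass for sendgrid.net
        [("sendgrid.me", "pass")],   # DKIM: good signature, d=sendgrid.me
    )
    print(verdict, *why, sep="\n  ")  # fail: authenticated, but nothing aligns
```

The session in the log therefore passes SPF and DKIM yet would fail DMARC for eaglehighplantations.com, which is exactly why a published DMARC policy (and not SPF or DKIM alone) is what lets the receiver reject this kind of From spoofing.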




[mdaemon-l] MDaemon Server intruder

2020-05-27 Thread Arif Santoso
> Show the message headers here.

The user has already deleted the email. If only the log is available, what then, Pak?

Wed 2020-05-27 10:17:05.171: Session 175268; child 0006
Wed 2020-05-27 10:17:05.171: Accepting SMTP connection from 198.37.158.104:59087 to 10.99.0.1:25
Wed 2020-05-27 10:17:05.200: --> 220 mail.eaglehighplantations.com ESMTP MDaemon 19.5.1; Wed, 27 May 2020 10:17:05 +0700
Wed 2020-05-27 10:17:05.609: <-- EHLO csnrwzsv.outbound-mail.sendgrid.net
Wed 2020-05-27 10:17:05.639: EHLO/HELO response delayed 10 seconds
Wed 2020-05-27 10:17:15.657: --> 250-mail.eaglehighplantations.com Hello csnrwzsv.outbound-mail.sendgrid.net [198.37.158.104], pleased to meet you
Wed 2020-05-27 10:17:15.657: --> 250-ETRN
Wed 2020-05-27 10:17:15.657: Location Screening hiding AUTH from country United States
Wed 2020-05-27 10:17:15.657: --> 250-8BITMIME
Wed 2020-05-27 10:17:15.657: --> 250-ENHANCEDSTATUSCODES
Wed 2020-05-27 10:17:15.657: --> 250-STARTTLS
Wed 2020-05-27 10:17:15.657: --> 250 SIZE 1536
Wed 2020-05-27 10:17:15.926: <-- MAIL FROM:
Wed 2020-05-27 10:17:15.927: Performing PTR lookup (104.158.37.198.IN-ADDR.ARPA)
Wed 2020-05-27 10:17:15.982: * D=104.158.37.198.in-addr.arpa TTL=(15) PTR=[csnrwzsv.outbound-mail.sendgrid.net]
Wed 2020-05-27 10:17:16.033: * D=csnrwzsv.outbound-mail.sendgrid.net TTL=(15) A=[198.37.158.104]
Wed 2020-05-27 10:17:16.033:  End PTR results
Wed 2020-05-27 10:17:16.033: Performing IP lookup (csnrwzsv.outbound-mail.sendgrid.net)
Wed 2020-05-27 10:17:16.067: * D=csnrwzsv.outbound-mail.sendgrid.net TTL=(15) A=[198.37.158.104]
Wed 2020-05-27 10:17:16.067:  End IP lookup results
Wed 2020-05-27 10:17:16.069: Performing IP lookup (sendgrid.net)
Wed 2020-05-27 10:17:16.087: * D=sendgrid.net TTL=(1) A=[167.89.123.54]
Wed 2020-05-27 10:17:16.087: * D=sendgrid.net TTL=(1) A=[167.89.115.56]
Wed 2020-05-27 10:17:16.105: * P=010 S=000 D=sendgrid.net TTL=(1) MX=[mx2.sendgrid.net]
Wed 2020-05-27 10:17:16.105: * P=020 S=001 D=sendgrid.net TTL=(1) MX=[mx.sendgrid.net]
Wed 2020-05-27 10:17:16.123: * D=mx2.sendgrid.net TTL=(1) A=[167.89.123.50]
Wed 2020-05-27 10:17:16.123: * D=mx2.sendgrid.net TTL=(1) A=[167.89.118.48]
Wed 2020-05-27 10:17:16.141: * D=mx.sendgrid.net TTL=(1) A=[167.89.123.50]
Wed 2020-05-27 10:17:16.141: * D=mx.sendgrid.net TTL=(1) A=[167.89.118.48]
Wed 2020-05-27 10:17:16.141:  End IP lookup results
Wed 2020-05-27 10:17:16.147: Performing SPF lookup (csnrwzsv.outbound-mail.sendgrid.net / 198.37.158.104)
Wed 2020-05-27 10:17:16.197: * Result: none; no SPF record in DNS
Wed 2020-05-27 10:17:16.197:  End SPF results
Wed 2020-05-27 10:17:16.197: Performing SPF lookup (sendgrid.net / 198.37.158.104)
Wed 2020-05-27 10:17:16.200: * Policy: v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 wlinclude:ptpn2.com ~all
Wed 2020-05-27 10:17:16.200: * Evaluating ip4:167.89.0.0/17: no match
Wed 2020-05-27 10:17:16.200: * Evaluating ip4:208.117.48.0/20: no match
Wed 2020-05-27 10:17:16.200: * Evaluating ip4:50.31.32.0/19: no match
Wed 2020-05-27 10:17:16.200: * Evaluating ip4:198.37.144.0/20: match
Wed 2020-05-27 10:17:16.200: * Result: pass
Wed 2020-05-27 10:17:16.200:  End SPF results
Wed 2020-05-27 10:17:16.200: --> 250 2.1.0 Sender OK
Wed 2020-05-27 10:17:16.486: <-- RCPT TO:
Wed 2020-05-27 10:17:16.500: Performing DNS-BL lookup (198.37.158.104 - connecting IP)
Wed 2020-05-27 10:17:16.574: * zen.spamhaus.org - passed
Wed 2020-05-27 10:17:16.574:  End DNS-BL results
Wed 2020-05-27 10:17:16.637: --> 250 2.1.5 Recipient OK
Wed 2020-05-27 10:17:17.202: <-- DATA
Wed 2020-05-27 10:17:17.210: Creating temp file (SMTP): c:\mdaemon\queues\temp\md5769706.tmp
Wed 2020-05-27 10:17:17.210: --> 354 Enter mail, end with .
Wed 2020-05-27 10:17:17.222: Message size: 4002 bytes
Wed 2020-05-27 10:17:17.224: Performing DKIM lookup
Wed 2020-05-27 10:17:17.224: * File: c:\mdaemon\queues\temp\md5769706.tmp
Wed 2020-05-27 10:17:17.224: * Message-ID: <20200526221802.e4323fb57349a...@eaglehighplantations.com>
Wed 2020-05-27 10:17:17.311: * DKIM-Signature 1: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.me; s=smtpapi;
Wed 2020-05-27 10:17:17.311: * Verification result: good signature
Wed 2020-05-27 10:17:17.312: * Result: pass
Wed 2020-05-27 10:17:17.312:  End DKIM results
Wed 2020-05-27 10:17:17.323: Passing message through Spam Filter (Size: 4002)...
Wed 2020-05-27 10:17:17.729: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
Wed 2020-05-27 10:17:17.729: * blocked. See
Wed 2020-05-27 10:17:17.729: * http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
Wed 2020-05-27 10:17:17.729: * for more information.
Wed 2020-05-27 10:17:17.729: * [URIs: eaglehighplantations.com]
Wed 2020-05-27 10:17:17.729: * 0.3 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
Wed 2020-05-27 10:17:17.729: * mail domains are different
Wed 2020-05-27 10:17:17.729: * 0.0