[Mdaemon-L] Suspicious email.

2023-11-13 Syafril Hermansyah via Mdaemon-L

On 11/13/23 15:31, evirusnadi via Mdaemon-L wrote:

> > But if all users experience the same thing, the global
> > administrator can block it by adding the sender to the
> > blocklist by sender.
> >
> > http://mdaemon.dutaint.co.id/mdaemon/23.5/sf_black_list.html
>
> I tried using this method, but there are quite a lot of mail addresses
> that have to be blocked, because almost every day someone sends email
> from a different address.



Spam from free public domains is indeed harder to block, because the
blocking has to be per sender address (one by one), not per domain.

Just enter them into the blocklist by sender one by one; it will get sorted out eventually.

Another option is to make the antispam more aggressive.
This can be done by setting a higher Spamscore value, adding more
DNSBLs, or enabling Spamhaus DQS.


For example, for this spam score:


Mon 2023-11-13 12:58:39.007: [14117743] *  1.0 FREEMAIL_REPLY From and body contain different freemails


Edit \\mdaemon\spamassasin\rules\local.cf

and add on the last empty line at the bottom:

score FREEMAIL_REPLY 3.0

then restart the antispam

http://mdaemon.dutaint.co.id/mdaemon/23.5/sf_spam_filtering.html

click "Restart Spam Filter"

Adding DNSBLs:

http://mdaemon.dutaint.co.id/mdaemon/23.5/sf_options.html

Is DNS service available? = Test (or Yes).

For Spamhaus DQS see

https://www.youtube.com/watch?v=orH8BcElRv8=1s



--
syafril

Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 23.5.1 Beta C
Please do not cc: or send private mail for MDaemon issues.

The life so short, the craft so long to learn.
--- Hippocrates


--
--[mdaemon-l]--
This list is for discussion among MDaemon Mail Server users in Indonesia

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.com
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version: MDaemon 23.5.0, SecurityGateway 9.5.0
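Before restarting the spam filter it helps to know what a local.cf score override will actually do to the messages that are getting through. The block below is an added example for this thread (not MDaemon or SpamAssassin code and not posted by anyone on the list): it reads rule-hit lines in the format MDaemon writes to its SMTP log and to the X-Spam-Report header, applies `score NAME value` overrides written in local.cf syntax, and reports the old and new totals against the `required=5.0` threshold that appears in the headers later on this page. The first sample line is the one posted above; the other two rule hits, their scores and the local.cf contents are constructed for illustration.

```python
"""Estimate the effect of a local.cf score override before restarting the spam filter.

Added example for this thread; not MDaemon or SpamAssassin code. Rule-hit lines
look like the SMTP-log / X-Spam-Report lines posted above:
    Mon 2023-11-13 12:58:39.007: [14117743] *  1.0 FREEMAIL_REPLY From and body contain ...
Overrides use the local.cf syntax:
    score FREEMAIL_REPLY 3.0
"""
import re

# "*  <score> <RULE_NAME> <description>"; the leading "*" is what SpamAssassin
# puts in front of every rule hit, so timestamps and session ids are skipped.
RULE_HIT = re.compile(r"\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")
# "score NAME value" (a four-value score line is reduced to its first value here).
SCORE_LINE = re.compile(r"^\s*score\s+([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)")

# Constructed sample: the first line is the one posted in this thread, the other
# two are made-up hits with made-up scores.
SAMPLE_REPORT = [
    "Mon 2023-11-13 12:58:39.007: [14117743] *  1.0 FREEMAIL_REPLY From and body contain different freemails",
    "Mon 2023-11-13 12:58:39.007: [14117743] *  0.0 HTML_MESSAGE BODY: HTML included in message",
    "Mon 2023-11-13 12:58:39.007: [14117743] *  1.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From",
]

# Constructed local.cf fragment (comments and blank lines are ignored).
LOCAL_CF = """
# raise the two freemail rules that keep firing on this spam
score FREEMAIL_REPLY 3.0
score FREEMAIL_FORGED_REPLYTO 2.5
"""


def parse_hits(report_lines):
    """Return {rule_name: score} for every rule-hit line in the log/report."""
    hits = {}
    for line in report_lines:
        m = RULE_HIT.search(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def parse_local_cf(text):
    """Return {rule_name: score} overrides from local.cf-style score lines."""
    overrides = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = SCORE_LINE.match(line)
        if m:
            overrides[m.group(1)] = float(m.group(2))
    return overrides


def rescore(hits, overrides, required=5.0):
    """Apply overrides to the hits; return (old_total, new_total, would_be_spam)."""
    old_total = sum(hits.values())
    new_total = sum(overrides.get(rule, score) for rule, score in hits.items())
    return round(old_total, 1), round(new_total, 1), new_total >= required


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_REPORT)
    for cf in ("score FREEMAIL_REPLY 3.0", LOCAL_CF):
        old, new, spam = rescore(hits, parse_local_cf(cf))
        print(f"{old} -> {new}  spam={spam}  ({cf.strip().splitlines()[-1]})")
```

Run against the constructed sample, the single `score FREEMAIL_REPLY 3.0` override lifts the total from 2.5 to 4.5, still under the threshold; it is only with a second override that the message crosses 5.0. Feed it your own SMTP-in log lines to see which overrides are worth a "Restart Spam Filter".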




[Mdaemon-L] Suspicious email.

2023-11-13 evirusnadi via Mdaemon-L
Dear Pak Syafril,

> But if all users experience the same thing, the global
> administrator can block it by adding the sender to the
> blocklist by sender.
> 
> http://mdaemon.dutaint.co.id/mdaemon/23.5/sf_black_list.html

I tried using this method, but there are quite a lot of mail addresses
that have to be blocked, because almost every day someone sends email
from a different address.

Thank you.



Best Regards,
Rusnadi





[Mdaemon-L] Suspicious email.

2023-11-13 Syafril Hermansyah via Mdaemon-L

On 11/13/23 14:28, evirusnadi via Mdaemon-L wrote:

> Is the email below valid?

Yes, it is valid: the sender address/domain and the sender host meet
the criteria for well-formed internet mail.

> Users are complaining about the number of unknown emails like this.

If the user/recipient feels that the mail is spam/phishing, just block it
by adding the sender address to the Webmail blacklist contact.

Or forward it as an attachment to blockl...@ipsi.co.id

But if all users experience the same thing, the global administrator can
block it by adding the sender to the blocklist by sender.


http://mdaemon.dutaint.co.id/mdaemon/23.5/sf_black_list.html


--
syafril

Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 23.5.1 Beta C
Please do not cc: or send private mail for MDaemon issues.

Bodily exercise, when compulsory, does no harm to the body; but
knowledge which is acquired under compulsion obtains no hold on the mind.

--- Plato, The Republic






[Mdaemon-L] Suspicious email.

2023-11-12 evirusnadi via Mdaemon-L
Dear Pak Syafril,

Is the email below valid?

Users are complaining about the number of unknown emails like this.

Please advise.

Thank you.


Mon 2023-11-13 12:58:37.810: [14117743] <-- MAIL FROM: SIZE=8092
Mon 2023-11-13 12:58:37.823: [14117743] Performing PTR lookup (42.210.85.209.IN-ADDR.ARPA)
Mon 2023-11-13 12:58:37.855: [14117743] *  D=42.210.85.209.IN-ADDR.ARPA TTL=(1440) PTR=[mail-ot1-f42.google.com]
Mon 2023-11-13 12:58:37.874: [14117743] *  D=mail-ot1-f42.google.com TTL=(19) A=[209.85.210.42]
Mon 2023-11-13 12:58:37.874: [14117743]  End PTR results
Mon 2023-11-13 12:58:37.876: [14117743] Performing IP lookup (mail-ot1-f42.google.com)
Mon 2023-11-13 12:58:37.880: [14117743] *  D=mail-ot1-f42.google.com TTL=(19) A=[209.85.210.42]
Mon 2023-11-13 12:58:37.880: [14117743]  End IP lookup results
Mon 2023-11-13 12:58:37.889: [14117743] Performing IP lookup (gmail.com)
Mon 2023-11-13 12:58:37.892: [14117743] *  D=gmail.com TTL=(3) A=[142.250.4.19]
Mon 2023-11-13 12:58:37.892: [14117743] *  D=gmail.com TTL=(3) A=[142.250.4.18]
Mon 2023-11-13 12:58:37.892: [14117743] *  D=gmail.com TTL=(3) A=[142.250.4.83]
Mon 2023-11-13 12:58:37.892: [14117743] *  D=gmail.com TTL=(3) A=[142.250.4.17]
Mon 2023-11-13 12:58:37.897: [14117743] *  P=005 S=004 D=gmail.com TTL=(48) MX=[gmail-smtp-in.l.google.com]
Mon 2023-11-13 12:58:37.897: [14117743] *  P=010 S=001 D=gmail.com TTL=(48) MX=[alt1.gmail-smtp-in.l.google.com]
Mon 2023-11-13 12:58:37.897: [14117743] *  P=020 S=002 D=gmail.com TTL=(48) MX=[alt2.gmail-smtp-in.l.google.com]
Mon 2023-11-13 12:58:37.897: [14117743] *  P=030 S=003 D=gmail.com TTL=(48) MX=[alt3.gmail-smtp-in.l.google.com]
Mon 2023-11-13 12:58:37.897: [14117743] *  P=040 S=000 D=gmail.com TTL=(48) MX=[alt4.gmail-smtp-in.l.google.com]
Mon 2023-11-13 12:58:37.902: [14117743] *  D=gmail-smtp-in.l.google.com TTL=(0) A=[142.251.10.27]
Mon 2023-11-13 12:58:37.906: [14117743] *  D=alt1.gmail-smtp-in.l.google.com TTL=(2) A=[173.194.202.26]
Mon 2023-11-13 12:58:37.910: [14117743] *  D=alt2.gmail-smtp-in.l.google.com TTL=(4) A=[142.250.141.27]
Mon 2023-11-13 12:58:37.914: [14117743] *  D=alt3.gmail-smtp-in.l.google.com TTL=(0) A=[142.250.115.26]
Mon 2023-11-13 12:58:37.919: [14117743] *  D=alt4.gmail-smtp-in.l.google.com TTL=(4) A=[64.233.171.27]
Mon 2023-11-13 12:58:37.919: [14117743]  End IP lookup results
Mon 2023-11-13 12:58:37.919: [14117743] Performing SPF lookup (mail-ot1-f42.google.com / 209.85.210.42)
Mon 2023-11-13 12:58:37.986: [14117743] *  Result: none; no SPF record in DNS
Mon 2023-11-13 12:58:37.986: [14117743]  End SPF results
Mon 2023-11-13 12:58:37.986: [14117743] Performing SPF lookup (gmail.com / 209.85.210.42)
Mon 2023-11-13 12:58:37.986: [14117743] *  Policy (cache): v=spf1 redirect=_spf.google.com
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating redirect=_spf.google.com: 
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating redirect=_spf.google.com: performing lookup
Mon 2023-11-13 12:58:37.986: [14117743] *Policy (cache): v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com wlinclude:antispamcloud.com wlinclude:spamexpert.com ~all
Mon 2023-11-13 12:58:37.986: [14117743] *Evaluating include:_netblocks.google.com: performing lookup
Mon 2023-11-13 12:58:37.986: [14117743] *  Policy (cache): v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~al
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:35.190.247.0/24: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:64.233.160.0/19: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:66.102.0.0/20: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:66.249.80.0/20: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:72.14.192.0/18: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:74.125.0.0/16: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:108.177.8.0/21: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:173.194.0.0/16: no match
Mon 2023-11-13 12:58:37.986: [14117743] *  Evaluating ip4:209.85.128.0/17: match
Mon 2023-11-13 12:58:37.986: [14117743] *Evaluating include:_netblocks.google.com: match
Mon 2023-11-13 12:58:37.986: [14117743] *  Result: pass
Mon 2023-11-13 12:58:37.986: [14117743]  End SPF results
Mon 2023-11-13 12:58:37.987: [14117743] --> 250 2.1.0 Sender OK
Mon 2023-11-13 12:58:37.987: [14117743] <-- RCPT TO:
Mon 2023-11-13 12:58:37.991: [14117743] Performing DNS-BL lookup (209.85.210.42 - connecting IP)
Mon 2023-11-13 12:58:38.010: [14117743] *  cbl.abuseat.org - passed
Mon 2023-11-13 12:58:38.268: [14117743] *  b.barracudacentral.org - passed
Mon 

[MDaemon-L] Suspicious Email

2017-07-05 Agus Tarpindo
Dear Pak Syafril,

> 
> Yes.
> 
> Additionally, the SPF host does not list IP 210.167.162.97, which
> strengthens the evidence that the sender is a spammer (abuse host).
> 
> 
> > Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: no match
> > Wed 2017-07-05 14:35:49.329: 09: [899877] *Evaluating include:spf2.ocn.ne.jp: no match
> > Wed 2017-07-05 14:35:49.348: 09: [899877] *Evaluating include:spf3.ocn.ne.jp: no match
> > Wed 2017-07-05 14:35:49.348: 09: [899877] *  Evaluating include:spf.ocn.ne.jp: no match
> 
> 
> 

Alright Pak, thank you very much for the information.

Best regards, 
Agus 


-- 
--MDaemon-L--
This list is for discussion among MDaemon Mail Server users.

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version MD 17.0.2, SP 5.1.0, OC 4.5.0, SG 4.5.1





[MDaemon-L] Suspicious Email

2017-07-05 Agus Tarpindo
Dear Pak Syafril,

Sorry Pak, I forgot to attach the file to the previous email.

This afternoon one of my users received an email (please check the attachment), but the user
does not recognize the email address. Is this spam / a virus, Pak?
Is the sender trustworthy or not?

Looking at the SMTP-in log, the spam result says "Wed 2017-07-05 14:35:54.707: 11: [899877] *  Spam result: 1 - Clean"

Here is the full log. I would appreciate guidance on how to handle this. Thank
you



Wed 2017-07-05 14:35:50.794: 01: --
Wed 2017-07-05 14:35:48.377: 05: [899877] Session 899877; child 0003
Wed 2017-07-05 14:35:48.377: 05: [899877] Accepting SMTP connection from [210.167.162.97:53476] to [202.78.202.4:25]
Wed 2017-07-05 14:35:48.380: 03: [899877] --> 220 mail.os-selnajaya.com ESMTP Wed, 05 Jul 2017 14:35:48 +0700
Wed 2017-07-05 14:35:48.501: 02: [899877] <-- EHLO 97.96h.162.167.210.in-addr.arpa
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-mail.os-selnajaya.com Hello 97.96h.162.167.210.in-addr.arpa, pleased to meet you
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-ETRN
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-8BITMIME
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-ENHANCEDSTATUSCODES
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-STARTTLS
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250 SIZE 2560
Wed 2017-07-05 14:35:48.783: 02: [899877] <-- MAIL FROM:
Wed 2017-07-05 14:35:48.786: 05: [899877] Performing PTR lookup (97.162.167.210.IN-ADDR.ARPA)
Wed 2017-07-05 14:35:49.062: 05: [899877] *  D=97.96h.162.167.210.IN-ADDR.ARPA TTL=(831) PTR=[zz2014420240D2A7A261.userreverse.dion.ne.jp]
Wed 2017-07-05 14:35:49.062: 05: [899877] *  Gathering A records...
Wed 2017-07-05 14:35:49.086: 05: [899877] *  D=zz2014420240D2A7A261.userreverse.dion.ne.jp TTL=(9) A=[210.167.162.97]
Wed 2017-07-05 14:35:49.086: 05: [899877]  End PTR results
Wed 2017-07-05 14:35:49.088: 09: [899877] Performing SPF lookup (lagoon.ocn.ne.jp / 210.167.162.97)
Wed 2017-07-05 14:35:49.106: 09: [899877] *  Policy: v=spf1 a include:spf.ocn.ne.jp ~all
Wed 2017-07-05 14:35:49.196: 09: [899877] *  Evaluating a: no match
Wed 2017-07-05 14:35:49.196: 09: [899877] *  Evaluating include:spf.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.215: 09: [899877] *Policy: v=spf1 include:spf1.ocn.ne.jp include:spf2.ocn.ne.jp include:spf3.ocn.ne.jp ~all
Wed 2017-07-05 14:35:49.215: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Policy: v=spf1 ip4:60.37.40.0/24 ip4:60.37.51.0/24 ip4:118.23.100.0/24 ip4:118.23.108.0/23 ip4:118.23.180.0/24 ip4:180.8.110.0/23 ip4:122.28.14.0/23 ip4:122.28.30.0/24 ip4:125.170.92.0/24 ~all
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:60.37.40.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:60.37.51.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.100.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.108.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.180.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:180.8.110.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:122.28.14.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:122.28.30.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:125.170.92.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ~all: match
Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf2.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Policy: v=spf1 ip4:125.206.148.0/24 ip4:125.206.187.0/24 ip4:222.146.51.0/24 ip4:180.37.203.0/24 ip4:122.1.235.0/24 ip4:118.23.178.0/24 ip4:114.147.58.0/24 ip4:153.128.50.0/24 ip4:153.149.228.0/26 ~all
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:125.206.148.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:125.206.187.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:222.146.51.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:180.37.203.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:122.1.235.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:118.23.178.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:114.147.58.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:153.128.50.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  

[MDaemon-L] Suspicious Email

2017-07-05 Syafril Hermansyah
On 05/07/17 16:28, Agus Tarpindo wrote:
>> The sender host identity is typical of a spammer.
>> It should have been rejected by MDaemon if the HELO check was enabled.

> Sorry Pak, I sent a second email earlier, because the first one was
> missing the attachment. Does this answer already cover the check of
> the attachment in the second email?


Yes.

Additionally, the SPF host does not list IP 210.167.162.97, which
strengthens the evidence that the sender is a spammer (abuse host).


> Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: no match
> Wed 2017-07-05 14:35:49.329: 09: [899877] *Evaluating include:spf2.ocn.ne.jp: no match
> Wed 2017-07-05 14:35:49.348: 09: [899877] *Evaluating include:spf3.ocn.ne.jp: no match
> Wed 2017-07-05 14:35:49.348: 09: [899877] *  Evaluating include:spf.ocn.ne.jp: no match

-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 17.0.2-64, SP 5.1-64
Please do not cc: or send private mail for MDaemon issues.

Instruction does much, but encouragement ever.
--- Johann Wolfgang von Goethe


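The softfail in the quoted log is the result of walking lagoon.ocn.ne.jp's `a` mechanism, its `include:` chain and the final `~all`. The block below is an added example, not MDaemon's SPF implementation and not code from the thread: a minimal RFC 7208 check_host() over an in-memory DNS table, with the 10-lookup limit, that replays both evaluations seen on this page (gmail.com from 209.85.210.42 passes via `_netblocks.google.com`; lagoon.ocn.ne.jp from 210.167.162.97 softfails). The google.com and ocn.ne.jp records are abbreviated from the logs; the `_netblocks2`/`_netblocks3`/`spf3` contents, the TEST-NET A record for lagoon.ocn.ne.jp and `loop.example` are constructed.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example; not MDaemon code and not from the thread. Supports ip4, ip6, a,
include, redirect= and all, with the +/-/~/? qualifiers and the 10-lookup limit.
mx, ptr, exists and macros are not modelled and produce permerror.
"""
import ipaddress

# Constructed DNS view. google.com / ocn.ne.jp records are abbreviated from the
# logs in this thread; _netblocks2/3, spf3, the lagoon A record and loop.example
# are made up for the example.
SPF_RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:209.85.128.0/17 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ~all",
    "lagoon.ocn.ne.jp": "v=spf1 a include:spf.ocn.ne.jp ~all",
    "spf.ocn.ne.jp": "v=spf1 include:spf1.ocn.ne.jp include:spf2.ocn.ne.jp include:spf3.ocn.ne.jp ~all",
    "spf1.ocn.ne.jp": "v=spf1 ip4:60.37.40.0/24 ip4:118.23.108.0/23 ~all",
    "spf2.ocn.ne.jp": "v=spf1 ip4:125.206.148.0/24 ip4:153.149.228.0/26 ~all",
    "spf3.ocn.ne.jp": "v=spf1 ip4:122.28.30.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # exercises the lookup limit
}
A_RECORDS = {"lagoon.ocn.ne.jp": ["203.0.113.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


class LookupLimit(Exception):
    """More than MAX_LOOKUPS DNS-querying terms were evaluated."""


def _count(counter):
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise LookupLimit


def _check_host(ip, domain, counter):
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none", f"{domain}: no SPF record"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none", f"{domain}: not an spf1 record"
    redirect = None
    for raw in terms[1:]:
        if raw.lower().startswith("redirect="):
            redirect = raw.split("=", 1)[1]      # only used if nothing else matches
            continue
        qualifier, term = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 client is never inside an IPv6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            _count(counter)
            target = (arg or domain).lower()
            matched = any(ip == ipaddress.ip_address(a) for a in A_RECORDS.get(target, []))
        elif name == "include":
            _count(counter)
            sub, why = _check_host(ip, arg, counter)
            if sub in ("none", "permerror"):     # RFC 7208 section 5.2
                return "permerror", f"include:{arg} -> {sub} ({why})"
            matched = sub == "pass"              # fail/softfail/neutral: keep going
        else:
            return "permerror", f"{domain}: unsupported term {raw}"
        if matched:
            return QUALIFIERS[qualifier], f"{domain}: matched {raw}"
    if redirect:
        _count(counter)
        return _check_host(ip, redirect, counter)
    return "neutral", f"{domain}: no mechanism matched"


def evaluate(ip, domain):
    """Return (result, explanation) for client IP `ip` and the MAIL FROM / HELO domain."""
    counter = {"lookups": 0}
    try:
        result, why = _check_host(ipaddress.ip_address(ip), domain, counter)
    except LookupLimit:
        return "permerror", f"{domain}: more than {MAX_LOOKUPS} DNS lookups"
    return result, f"{why} after {counter['lookups']} lookups"


if __name__ == "__main__":
    for ip, dom in (("209.85.210.42", "gmail.com"), ("209.85.210.42", "mail-ot1-f42.google.com"),
                    ("210.167.162.97", "lagoon.ocn.ne.jp"), ("198.51.100.1", "loop.example")):
        print(ip, dom, *evaluate(ip, dom))
```

Note how an `include:` whose target ends in `~all` contributes nothing to the parent: only a `pass` from the included record matches, which is why every `include:spfN.ocn.ne.jp` line in the log reads "no match" and the parent falls through to its own `~all`. A softfail alone only adds score in SpamAssassin; it is the combination with the bogus EHLO name and the PTR pointing at a consumer dial-up range that makes the session rejectable.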





[MDaemon-L] Suspicious Email

2017-07-05 Agus Tarpindo
Dear Pak Syafril,

>
> The sender host identity is typical of a spammer.
> It should have been rejected by MDaemon if the HELO check was enabled.
> 
> http://mdaemon.dutaint.co.id/mdaemon/17.0.1/index.html?security--reverse_lookup.htm
> 
> 
> [x] Perform lookup on HELO/EHLO domain
> [x] Refuse to accept mail if a lookup returns 'domain not found'
> [x] ...send 501 error code (normally sends 451 error code)
> [x] ...and then close the connection
> [x] Exempt authenticated sessions
> 
> 
> If you are already on MD 16.x or later, the full set can be enabled as described here
> 
> 
> http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31023.html
> http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31024.html
> http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31029.html
> 

Sorry Pak, I sent a second email earlier, because the first one was
missing the attachment. Does this answer already cover the check of
the attachment in the second email?
What do you think, Pak?


Best regards, 

Agus







[MDaemon-L] Suspicious Email

2017-07-05 Syafril Hermansyah
On 05/07/17 14:57, Agus Tarpindo wrote:
> This afternoon one of my users received an email (please check the attachment), but the user
> does not recognize the email address. Is this spam / a virus, Pak?
> Is the sender trustworthy or not?


> Wed 2017-07-05 14:35:48.377: 05: [899877] Accepting SMTP connection from [210.167.162.97:53476] to [202.78.202.4:25]
> 
> Wed 2017-07-05 14:35:48.501: 02: [899877] <-- EHLO 97.96h.162.167.210.in-addr.arpa


The sender host identity is typical of a spammer.
It should have been rejected by MDaemon if the HELO check was enabled.

http://mdaemon.dutaint.co.id/mdaemon/17.0.1/index.html?security--reverse_lookup.htm


[x] Perform lookup on HELO/EHLO domain
[x] Refuse to accept mail if a lookup returns 'domain not found'
[x] ...send 501 error code (normally sends 451 error code)
[x] ...and then close the connection
[x] Exempt authenticated sessions


If you are already on MD 16.x or later, the full set can be enabled as described here


http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31023.html
http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31024.html
http://www.mail-archive.com/mdaemon-l@dutaint.com/msg31029.html




-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 17.0.2-64, SP 5.1-64
Please do not cc: or send private mail for MDaemon issues.

I am who I am today because of the mistakes I made yesterday.
--- The Prolific Penman







[MDaemon-L] Suspicious Email

2017-07-05 Agus Tarpindo
Dear Pak Syafril,

This afternoon one of my users received an email (please check the attachment), but the user
does not recognize the email address. Is this spam / a virus, Pak?
Is the sender trustworthy or not?

Looking at the SMTP-in log, the spam result says "Wed 2017-07-05
14:35:54.707: 11: [899877] *  Spam result: 1 - Clean"

Here is the full log. I would appreciate guidance on how to handle this. Thank
you


Wed 2017-07-05 14:35:50.794: 01: --
Wed 2017-07-05 14:35:48.377: 05: [899877] Session 899877; child 0003
Wed 2017-07-05 14:35:48.377: 05: [899877] Accepting SMTP connection from [210.167.162.97:53476] to [202.78.202.4:25]
Wed 2017-07-05 14:35:48.380: 03: [899877] --> 220 mail.os-selnajaya.com ESMTP Wed, 05 Jul 2017 14:35:48 +0700
Wed 2017-07-05 14:35:48.501: 02: [899877] <-- EHLO 97.96h.162.167.210.in-addr.arpa
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-mail.os-selnajaya.com Hello 97.96h.162.167.210.in-addr.arpa, pleased to meet you
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-ETRN
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-8BITMIME
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-ENHANCEDSTATUSCODES
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250-STARTTLS
Wed 2017-07-05 14:35:48.501: 03: [899877] --> 250 SIZE 2560
Wed 2017-07-05 14:35:48.783: 02: [899877] <-- MAIL FROM:
Wed 2017-07-05 14:35:48.786: 05: [899877] Performing PTR lookup (97.162.167.210.IN-ADDR.ARPA)
Wed 2017-07-05 14:35:49.062: 05: [899877] *  D=97.96h.162.167.210.IN-ADDR.ARPA TTL=(831) PTR=[zz2014420240D2A7A261.userreverse.dion.ne.jp]
Wed 2017-07-05 14:35:49.062: 05: [899877] *  Gathering A records...
Wed 2017-07-05 14:35:49.086: 05: [899877] *  D=zz2014420240D2A7A261.userreverse.dion.ne.jp TTL=(9) A=[210.167.162.97]
Wed 2017-07-05 14:35:49.086: 05: [899877]  End PTR results
Wed 2017-07-05 14:35:49.088: 09: [899877] Performing SPF lookup (lagoon.ocn.ne.jp / 210.167.162.97)
Wed 2017-07-05 14:35:49.106: 09: [899877] *  Policy: v=spf1 a include:spf.ocn.ne.jp ~all
Wed 2017-07-05 14:35:49.196: 09: [899877] *  Evaluating a: no match
Wed 2017-07-05 14:35:49.196: 09: [899877] *  Evaluating include:spf.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.215: 09: [899877] *Policy: v=spf1 include:spf1.ocn.ne.jp include:spf2.ocn.ne.jp include:spf3.ocn.ne.jp ~all
Wed 2017-07-05 14:35:49.215: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Policy: v=spf1 ip4:60.37.40.0/24 ip4:60.37.51.0/24 ip4:118.23.100.0/24 ip4:118.23.108.0/23 ip4:118.23.180.0/24 ip4:180.8.110.0/23 ip4:122.28.14.0/23 ip4:122.28.30.0/24 ip4:125.170.92.0/24 ~all
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:60.37.40.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:60.37.51.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.100.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.108.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:118.23.180.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:180.8.110.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:122.28.14.0/23: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:122.28.30.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ip4:125.170.92.0/24: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *  Evaluating ~all: match
Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf1.ocn.ne.jp: no match
Wed 2017-07-05 14:35:49.310: 09: [899877] *Evaluating include:spf2.ocn.ne.jp: performing lookup
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Policy: v=spf1 ip4:125.206.148.0/24 ip4:125.206.187.0/24 ip4:222.146.51.0/24 ip4:180.37.203.0/24 ip4:122.1.235.0/24 ip4:118.23.178.0/24 ip4:114.147.58.0/24 ip4:153.128.50.0/24 ip4:153.149.228.0/26 ~all
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:125.206.148.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:125.206.187.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:222.146.51.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:180.37.203.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:122.1.235.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:118.23.178.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:114.147.58.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:153.128.50.0/24: no match
Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ip4:153.149.228.0/26: no match

Wed 2017-07-05 14:35:49.329: 09: [899877] *  Evaluating ~all: 

[MDaemon-L] Suspicious email

2017-06-20 Syafril Hermansyah
On 21/06/17 10:11, Ahmad Ardiansyah wrote:
> Are these the headers you mean, Pak?


> X-MDAV-Processed: mail.kompas.tv, Tue, 20 Jun 2017 17:55:25 +0700
> Return-path: 
> Authentication-Results: mail.kompas.tv
>   iprev=pass policy.iprev=10.0.0.5 reason="white listed" (HELO 
> kaya-bdmaria34-fo.b.astral.ro);
>   iprev=pass policy.iprev=10.0.0.5 reason="white listed" (MAIL 
> termini...@dhl-invoice.com)
> Received: from kaya-bdmaria34-fo.b.astral.ro by mail.kompas.tv (MDaemon PRO 
> v17.0.2) 
>   with ESMTP id md5664804.msg; Tue, 20 Jun 2017 17:55:23 +0700


Yes, those are the message headers.
The spam got through because of a firewall configuration error, so the
IP-based antispam was not working.
Fix the firewall settings so that spam like that can no longer get into
your MDaemon.


http://www.mail-archive.com/mdaemon-l@dutaint.com/msg36868.html

http://www.mail-archive.com/mdaemon-l@dutaint.com/msg41343.html




-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 17.0.2-64, SP 5.1-64
Please do not cc: or send private mail for MDaemon issues.

The life so short, the craft so long to learn.
--- Hippocrates

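The diagnostic clue in the posted headers is `policy.iprev=10.0.0.5 reason="white listed"`: MDaemon recorded a private address as the connecting client for a message whose HELO was an external host, which means the firewall was NATing inbound SMTP and every DNSBL, host-screening and connecting-IP SPF check was run against the firewall's inside address rather than the real sender. The block below is an added example, not MDaemon code and not from the thread, that reads Authentication-Results and Received headers in the form shown above and flags that combination. The two header samples are constructed to mirror the posted ones (the MAIL address is replaced, the second sample is what a properly exposed session would look like); `local_domains` and the private ranges are assumptions.

```python
"""Detect IP-based antispam being bypassed by a NAT/firewall in front of MDaemon.

Added example; not MDaemon code and not from the thread. It parses the
Authentication-Results and Received headers in the form posted above and
flags the telltale combination: an 'iprev' client address from a private
range (so MDaemon whitelisted it as local) together with a HELO name that is
not one of your own hosts. The header samples are constructed to mirror the
posted ones; local_domains and the private ranges are assumptions.
"""
import ipaddress
import re

IPREV = re.compile(
    r'iprev=(?P<result>\w+)\s+policy\.iprev=(?P<ip>[0-9a-fA-F.:]+)'
    r'(?:\s+reason="(?P<reason>[^"]*)")?\s*\(HELO\s+(?P<helo>[^)\s]+)\)', re.I)
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(?P<helo>\S+)\s+by\s+(?P<by>\S+)", re.I | re.M)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed copy of the headers posted in this thread (MAIL address replaced).
NAT_SAMPLE = """\
Authentication-Results: mail.kompas.tv
  iprev=pass policy.iprev=10.0.0.5 reason="white listed" (HELO kaya-bdmaria34-fo.b.astral.ro);
  iprev=pass policy.iprev=10.0.0.5 reason="white listed" (MAIL sender@example.com)
Received: from kaya-bdmaria34-fo.b.astral.ro by mail.kompas.tv (MDaemon PRO v17.0.2)
  with ESMTP id md5664804.msg; Tue, 20 Jun 2017 17:55:23 +0700
X-Spam-Status: No, score=0.00 required=5.0
"""

# Constructed: what the same header looks like when MDaemon sees the real client.
GOOD_SAMPLE = """\
Authentication-Results: mail.kompas.tv
  iprev=pass policy.iprev=209.85.210.42 (HELO mail-ot1-f42.google.com);
  iprev=pass policy.iprev=209.85.210.42 (MAIL sender@example.com)
Received: from mail-ot1-f42.google.com by mail.kompas.tv (MDaemon PRO v17.0.2)
  with ESMTP id md0000000.msg; Tue, 20 Jun 2017 17:55:23 +0700
"""


def unfold(headers):
    """Join RFC 5322 folded continuation lines onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit_headers(raw_headers, local_domains=("kompas.tv",)):
    """Return a dict describing the iprev client, or None when no iprev result is present."""
    text = unfold(raw_headers)
    m = IPREV.search(text)
    if not m:
        return None
    ip, helo = m.group("ip"), m.group("helo").lower()
    helo_is_local = any(helo == d or helo.endswith("." + d) for d in local_domains)
    nat_suspected = is_internal(ip) and not helo_is_local
    rcv = RECEIVED_FROM.search(text)
    return {
        "client_ip": ip,
        "helo": helo,
        "iprev": m.group("result").lower(),
        "reason": m.group("reason"),
        "received_from": rcv.group("helo").lower() if rcv else None,
        "nat_suspected": nat_suspected,
        "note": ("private client address with an external HELO: the firewall/NAT is "
                 "rewriting the source, so DNSBL, host screening and connecting-IP SPF "
                 "all evaluated the wrong address" if nat_suspected
                 else "client address is routable; IP-based checks saw the real sender"),
    }


if __name__ == "__main__":
    for sample in (NAT_SAMPLE, GOOD_SAMPLE):
        r = audit_headers(sample)
        print(r["client_ip"], r["helo"], "NAT suspected:", r["nat_suspected"])
```

Run this over the headers of a few recently delivered messages: if every one of them reports the same private `client_ip`, the firewall is the problem, not the antispam settings, and the fix is to forward port 25 without source-NAT (or to tell MDaemon which address is the firewall) so the SMTP session carries the real client IP.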





[MDaemon-L] Suspicious email

2017-06-20 Ahmad Ardiansyah
2017-06-21 3:02 GMT+07:00 Syafril Hermansyah :

> On 2017-06-20 22:52, Ahmad Ardiansyah wrote:
> > For the past few days our users, including me, have been receiving emails like this
>
> > Is this spam or a virus, Pak?
>
>
> It looks like phishing spam.
> Is there any similarity (pattern) in the sender, sender host or the
> attached file?
> Just block based on that pattern.
>
> If you can provide the message headers and the pattern turns out to be a common
> sender host, then I will block it in host screening as well.
>

Are these the headers you mean, Pak?

X-MDAV-Processed: mail.kompas.tv, Tue, 20 Jun 2017 17:55:25 +0700
Return-path: 
Authentication-Results: mail.kompas.tv
iprev=pass policy.iprev=10.0.0.5 reason="white listed" (HELO
kaya-bdmaria34-fo.b.astral.ro);
iprev=pass policy.iprev=10.0.0.5 reason="white listed" (MAIL
termini...@dhl-invoice.com)
Received: from kaya-bdmaria34-fo.b.astral.ro by mail.kompas.tv
(MDaemon PRO v17.0.2)
with ESMTP id md5664804.msg; Tue, 20 Jun 2017 17:55:23 +0700
X-Spam-Level:
X-Spam-Status: No, score=0.00 required=5.0
X-Spam-Report:
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 T_TVD_MIME_NO_HEADERS BODY: No description available.
X-Spam-Processed: mail.kompas.tv, Tue, 20 Jun 2017 17:55:23 +0700
(processed during SMTP session)
X-MDOP-RefID: 
str=0001.0A150202.5948FF20.00A5,ss=1,re=0.000,recu=0.000,reip=0.000,vtr=str,vl=0,cl=1,cld=1,fgs=0
(_st=1 _vt=0 _iwf=0)
X-MDArrival-Date: Tue, 20 Jun 2017 17:55:23 +0700
X-Rcpt-To: ahmad.ardians...@kompas.tv
X-MDRcpt-To: ahmad.ardians...@kompas.tv
X-Return-Path: termini...@dhl-invoice.com
X-Envelope-From: termini...@dhl-invoice.com
X-MDaemon-Deliver-To: ahmad.ardians...@kompas.tv
Received: from [100.198.152.47] (account lardne...@dhl-invoice.com
HELO luqawilu.dhl-invoice.com)
by kaya-bdmaria34-fo.b.astral.ro (Exim 4.89)
with ESMTPA id 6rj0gf1pdcb5505.7.20170620125525 for
ahmad.ardians...@kompas.tv; Tue, 20 Jun 2017 12:55:25 +0200
From: alison.ackr...@brnet.de
Subject: F VAT
To: 
Cc: 
Message-ID: 
Date: Tue, 20 Jun 2017 12:55:25 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=-Part_4156874_80351403.8168655628760

---Part_4156874_80351403.8168655628760
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable


---Part_4156874_80351403.8168655628760
Content-Type: text/html;
charset=3D"iso-8859-2"
Content-Transfer-Encoding: quoted-printable

regards,

Ardiansyah




[MDaemon-L] Suspicious email

2017-06-20 Syafril Hermansyah
On 2017-06-20 22:52, Ahmad Ardiansyah wrote:
> For the past few days our users, including me, have been receiving emails like this

> Is this spam or a virus, Pak?


It looks like phishing spam.
Is there any similarity (pattern) in the sender, sender host or the
attached file?
Just block based on that pattern.

If you can provide the message headers and the pattern turns out to be a common
sender host, then I will block it in host screening as well.


-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 17.0.2-64, SP 5.1.0-64
Please do not cc: or send private mail for MDaemon issues.

I believe in two principles: Your attitude is more important than your
capabilities. Similarly, your decision is more important than your capabilities!
-- Jack Ma







[MDaemon-L] Suspicious email

2017-06-20 Ahmad Ardiansyah
Pak Syafril,

For the past few days our users, including me, have been receiving emails like this

Is this spam or a virus, Pak?

Regards,
Ardiansyah

Sent from my iPhone



[MDaemon-L] SUSPICIOUS EMAIL

2017-02-08 Agus Tarpindo
OK Pak, thank you for the explanation

Best regards, 

Agus 
IT




PT. OS Selnajaya Indonesia
Total Integrated Support

Address: 19th Floor Mid Plaza I Bld, 
Jl. Jend. Sudirman Kav. 10-11, Jakarta, Indonesia
Mobile: -
Tel: +62 21-572 7214
Fax: +62 21-573 9482
Email: agus.tarpi...@os-selnajaya.com
Website: www.os-selnajaya.com

Part of : Outsourcing Inc - www.outsourcing.co.jp







[MDaemon-L] SUSPICIOUS EMAIL

2017-02-08 Thread Syafril Hermansyah
On 09/02/17 10:26, Agus Tarpindo wrote:

---
When replying, do not start a new thread, and keep the relevant parts of
the original text quoted so the discussion stays focused.

https://www.netmeister.org/news/learn2quote1.html

https://wiki.openstack.org/wiki/MailingListEtiquette#Replies

Always use bottom-posting style or inline replies so that others can
read it easily.
See the following example

https://brooksreview.net/wp-content/uploads/2011/01/message-4.png

or the full article here

https://brooksreview.net/2011/01/interleaved-email/


Outlook 2013/2016 already has an inline reply feature; it just needs to be enabled.

http://www.tech-recipes.com/rx/30892/outlook-2013-disable-the-inline-reply-feature/

If you are still using an old Outlook, change the settings like this

https://www.slipstick.com/outlook/email/to-use-internet-style-quoting/

https://www.msoutlook.info/question/401


> I tried entering it and the result is as in the attached picture, Sir, not
> like the link you gave; I clicked on "IP addresses" but the sender ID still
> appears as a sub-entry of "ALL IP".

That is because you are using an old MDaemon version, so the menus and
features are different.
Host screening handles both blacklist and whitelist; for blacklist only it
is already adequate in old MD versions. Do not use scripts (wildcard,
regular expression, etc.) that will later need a whitelist.

> If I enter it directly and click add, it also appears
> in the same place, Sir.

> Is my method correct, Sir? Then I just click apply and OK,
> Sir?


Yes, that is OK.




-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 17.0-64 Beta B, SP 5.1.0-64
Please do not cc: or send private mail for MDaemon issues.

The only way to do great work is to love what you do. If you haven’t
found it yet, keep looking. Don’t settle.
--- Steve Jobs







[MDaemon-L] SUSPICIOUS EMAIL

2017-02-08 Thread Syafril Hermansyah
On 09/02/17 09:10, Agus Tarpindo wrote:
> Please analyze the following email log; is this email dangerous or not?


> Thu 2017-02-09 07:16:16.283: 02: [665148] <-- EHLO 
> deer-blue-521a4e94a094a855.znlc.jp

> Thu 2017-02-09 07:16:16.749: 02: [665148] <-- MAIL FROM: 
> SIZE=369460

This is spam from an open relay server.


> How do we block that email so it cannot send to us again?


Put the sender identity (deer-blue-521a4e94a094a855.znlc.jp) into
host screening.

http://mdaemon.dutaint.co.id/mdaemon/16.5/index.html?security--host_screening.htm



-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 17.0-64 Beta B, SP 5.1.0-64
Please do not cc: or send private mail for MDaemon issues.

Challenges are what make life interesting and overcoming them is what
makes life meaningful.
--- Joshua J. Marine







[MDaemon-L] SUSPICIOUS EMAIL

2017-02-08 Thread Agus Tarpindo
Dear Pak Syafril,

Please analyze the following email log; is this email dangerous or not?

How do we block that email so it cannot send to us again?

I would appreciate your help and guidance, Sir.


Thu 2017-02-09 07:15:07.659: 01: --
Thu 2017-02-09 07:16:16.188: 05: [665148] Session 665148; child 0001
Thu 2017-02-09 07:16:16.188: 05: [665148] Accepting SMTP connection from [210.229.226.120:36728] to [202.78.202.4:25]
Thu 2017-02-09 07:16:16.189: 03: [665148] --> 220 mail.os-selnajaya.com ESMTP Thu, 09 Feb 2017 07:16:16 +0700
Thu 2017-02-09 07:16:16.283: 02: [665148] <-- EHLO deer-blue-521a4e94a094a855.znlc.jp
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-mail.os-selnajaya.com Hello deer-blue-521a4e94a094a855.znlc.jp, pleased to meet you
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-ETRN
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-8BITMIME
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-ENHANCEDSTATUSCODES
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250-STARTTLS
Thu 2017-02-09 07:16:16.283: 03: [665148] --> 250 SIZE 2560
Thu 2017-02-09 07:16:16.373: 02: [665148] <-- STARTTLS
Thu 2017-02-09 07:16:16.374: 03: [665148] --> 220 2.7.0 Ready to start TLS
Thu 2017-02-09 07:16:16.565: 01: [665148] SSL negotiation successful (TLS 1.2, 3072 bit key exchange, 128 bit AES encryption)
Thu 2017-02-09 07:16:16.658: 02: [665148] <-- EHLO deer-blue-521a4e94a094a855.znlc.jp
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250-mail.os-selnajaya.com Hello deer-blue-521a4e94a094a855.znlc.jp, pleased to meet you
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250-ETRN
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250-8BITMIME
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250-ENHANCEDSTATUSCODES
Thu 2017-02-09 07:16:16.658: 03: [665148] --> 250 SIZE 2560
Thu 2017-02-09 07:16:16.749: 02: [665148] <-- MAIL FROM: SIZE=369460
Thu 2017-02-09 07:16:16.751: 05: [665148] Performing PTR lookup (120.226.229.210.IN-ADDR.ARPA)
Thu 2017-02-09 07:16:16.767: 05: [665148] *  D=120.226.229.210.IN-ADDR.ARPA TTL=(9) PTR=[deer-blue-521a4e94a094a855.znlc.jp]
Thu 2017-02-09 07:16:16.767: 05: [665148] *  Gathering A records...
Thu 2017-02-09 07:16:16.784: 05: [665148] *  D=deer-blue-521a4e94a094a855.znlc.jp TTL=(43) A=[210.229.226.120]
Thu 2017-02-09 07:16:16.784: 05: [665148]  End PTR results
Thu 2017-02-09 07:16:16.785: 09: [665148] Performing SPF lookup (zebra.lt / 210.229.226.120)
Thu 2017-02-09 07:16:16.804: 09: [665148] *  Policy: v=spf1 include:_mail1.zebra.lt include:_mail2.zebra.lt ~all
Thu 2017-02-09 07:16:16.804: 09: [665148] *  Evaluating include:_mail1.zebra.lt: performing lookup
Thu 2017-02-09 07:16:17.140: 09: [665148] *Policy: v=spf1 ip4:212.59.0.7/32 ip4:212.59.31.119/32 ip4:212.59.31.87/32 ip4:212.59.31.115/32 ip4:195.12.167.68/32 ip4:195.12.167.69/32 ip4:195.12.167.70/32 ip4:212.59.31.76/32 ip4:212.59.31.84/32 ip4:212.59.31.85/32 ip4:212.59.31.91/32 ip4:
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.0.7/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.119/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.87/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.115/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:195.12.167.68/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:195.12.167.69/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:195.12.167.70/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.76/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.84/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.85/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.91/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ip4:212.59.31.94/32: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *Evaluating ~all: match
Thu 2017-02-09 07:16:17.140: 09: [665148] *  Evaluating include:_mail1.zebra.lt: no match
Thu 2017-02-09 07:16:17.140: 09: [665148] *  Evaluating include:_mail2.zebra.lt: performing lookup
Thu 2017-02-09 07:16:17.158: 09: [665148] *Policy: v=spf1 ip4:212.59.0.7/32 ip4:82.135.235.4/32 ip4:82.135.235.5/32 ip4:82.135.235.6/32 ip4:82.135.235.7/32 ?all
Thu 2017-02-09 07:16:17.158: 09: [665148] *Evaluating ip4:212.59.0.7/32: no match
Thu 2017-02-09 07:16:17.158: 09: [665148] *Evaluating ip4:82.135.235.4/32: no match
Thu 2017-02-09 07:16:17.158: 09: [665148] *Evaluating ip4:82.135.235.5/32: no match
Thu 2017-02-09 07:16:17.158: 09: [665148] *Evaluating ip4:82.135.235.6/32: no match
Thu 2017-02-09 
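The SPF section of this log shows a subtlety worth seeing in code: inside `_mail1.zebra.lt` the `~all` term matches, yet the outer record reports `include:_mail1.zebra.lt: no match`, because an include only matches when the included record yields "pass". The following Python evaluator is an added example (not code from the list or from MDaemon) that reproduces that evaluation; it uses an in-memory table of the three records quoted in the log (the `_mail1.zebra.lt` record is rebuilt from the twelve `Evaluating ip4:` lines, since the log cuts the policy string off), and the function names and trace wording are my own.

```python
import ipaddress

# Constructed in-memory DNS: the SPF records quoted in the MDaemon log above. The
# archived log cuts the _mail1.zebra.lt record off after "ip4:", so that record is
# rebuilt here from the twelve "Evaluating ip4:..." lines that follow it.
SPF_RECORDS = {
    "zebra.lt": "v=spf1 include:_mail1.zebra.lt include:_mail2.zebra.lt ~all",
    "_mail1.zebra.lt": "v=spf1 ip4:212.59.0.7/32 ip4:212.59.31.119/32 ip4:212.59.31.87/32 "
                       "ip4:212.59.31.115/32 ip4:195.12.167.68/32 ip4:195.12.167.69/32 "
                       "ip4:195.12.167.70/32 ip4:212.59.31.76/32 ip4:212.59.31.84/32 "
                       "ip4:212.59.31.85/32 ip4:212.59.31.91/32 ip4:212.59.31.94/32 ~all",
    "_mail2.zebra.lt": "v=spf1 ip4:212.59.0.7/32 ip4:82.135.235.4/32 ip4:82.135.235.5/32 "
                       "ip4:82.135.235.6/32 ip4:82.135.235.7/32 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is permerror


def evaluate_spf(domain, ip, records=SPF_RECORDS, trace=None, _lookups=None):
    """Evaluate `ip` against `domain`'s SPF record; returns (result, trace).

    Implements the mechanisms that appear in the records above (ip4, ip6,
    include, all). Any other term yields permerror."""
    trace = [] if trace is None else trace
    lookups = [0] if _lookups is None else _lookups
    addr = ipaddress.ip_address(ip)
    record = records.get(domain.lower())
    if record is None:
        trace.append(f"{domain}: no SPF record -> none")
        return "none", trace
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror", trace
    trace.append(f"{domain}: policy {record}")
    for term in terms[1:]:
        term = term.lower()
        qual = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            trace.append(f"{domain}: all -> match ({QUALIFIERS[qual]})")
            return QUALIFIERS[qual], trace
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", trace
            if addr.version == net.version and addr in net:
                trace.append(f"{domain}: {mech}:{arg} -> match ({QUALIFIERS[qual]})")
                return QUALIFIERS[qual], trace
            trace.append(f"{domain}: {mech}:{arg} -> no match")
            continue
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_MECHANISMS:
                trace.append(f"{domain}: DNS mechanism limit exceeded -> permerror")
                return "permerror", trace
            inner, _ = evaluate_spf(arg, ip, records, trace, lookups)
            # RFC 7208 section 5.2: only an inner "pass" makes the include match.
            # Inner fail/softfail/neutral is "no match" and evaluation continues;
            # an included domain with no record is permerror; errors propagate.
            if inner == "pass":
                trace.append(f"{domain}: include:{arg} -> match ({QUALIFIERS[qual]})")
                return QUALIFIERS[qual], trace
            if inner in ("temperror", "permerror", "none"):
                return "permerror" if inner == "none" else inner, trace
            trace.append(f"{domain}: include:{arg} -> no match (inner result {inner})")
            continue
        trace.append(f"{domain}: unsupported term {term} -> permerror")
        return "permerror", trace
    trace.append(f"{domain}: end of record -> neutral")
    return "neutral", trace


if __name__ == "__main__":
    # The connecting IP from the log: softfail, exactly as MDaemon reported.
    result, steps = evaluate_spf("zebra.lt", "210.229.226.120")
    print("\n".join(steps))
    print("final:", result)
```

Run against 210.229.226.120 the trace ends with `zebra.lt: all -> match (softfail)`, and an IP listed in either included record (for instance 212.59.31.87) comes back `pass`. A softfail by itself is only a weak signal; on this list the moderator's decision rested on the sending host, which is why the advice was host screening rather than anything SPF-based.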

[MDaemon-L] Suspicious email

2016-12-19 Thread Anjas Wahyu Nurhayanto
> What file is the forwarded one, in what format?
> It looks like an image/picture file; is it a screenshot?

It turns out the file is *.msg, the default extension when forwarding as an
attachment from Outlook 2016, Sir, not *.eml. My apologies.

> The sender server is a relayhost server; its settings follow the rules of
> legitimate internet mail.
> If you want to block it, put the sender address into the sender blacklist.
>
> http://mdaemon.dutaint.co.id/mdaemon/16.5/index.html?security--sender-blacklist.htm
>
> or the recipient can put the sender address into the blacklist contacts in
> webmail.

All right, Sir. I will try this option first.





[MDaemon-L] Suspicious email

2016-12-19 Thread Syafril Hermansyah
On 20/12/16 08:29, Anjas Wahyu Nurhayanto wrote:
>> You can forward that message as an attachment here, or save the
>> message to local disk as *.eml and attach it here.
> Attached are the SMTP (in) LOG and the message that was forwarded to me.

What file is the forwarded one, in what format?
It looks like an image/picture file; is it a screenshot?


> Mon 2016-12-19 09:57:10.126: [207116] <-- EHLO smtp90.iad3a.emailsrvr.com
> Mon 2016-12-19 09:57:10.381: [207116] <-- MAIL 
> FROM: SIZE=5525

The sender server is a relayhost server; its settings follow the rules of
legitimate internet mail.
If you want to block it, put the sender address into the sender blacklist.

http://mdaemon.dutaint.co.id/mdaemon/16.5/index.html?security--sender-blacklist.htm

or the recipient can put the sender address into the blacklist contacts in
webmail.




-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 16.5.2-64, SP 5.1.0-64 Beta B
Please do not cc: or send private mail for MDaemon issues.

You have to learn the rules of the game. And then you have to play
better than anyone else.
--- Albert Einstein







[MDaemon-L] Suspicious email

2016-12-19 Thread Anjas Wahyu Nurhayanto
> Show the mail source.
> You can forward that message as an attachment here, or save the
> message to local disk as *.eml and attach it here.

Attached are the SMTP (in) LOG and the message that was forwarded to me.

-- 


Anjas Wahyu Nurhayanto
iPower Communications


Mon 2016-12-19 09:57:09.867: [207116] Session 207116; child 0001
Mon 2016-12-19 09:57:09.867: [207116] Accepting SMTP connection from 173.203.187.90:54206 to 10.0.0.1:25
Mon 2016-12-19 09:57:09.870: [207116] --> 220 mail.aksball.co.id ESMTP MDaemon 16.5.1; Mon, 19 Dec 2016 09:57:09 +0700
Mon 2016-12-19 09:57:10.126: [207116] <-- EHLO smtp90.iad3a.emailsrvr.com
Mon 2016-12-19 09:57:10.126: [207116] --> 250-mail.aksball.co.id Hello smtp90.iad3a.emailsrvr.com [173.203.187.90], pleased to meet you
Mon 2016-12-19 09:57:10.126: [207116] --> 250-ETRN
Mon 2016-12-19 09:57:10.126: [207116] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Mon 2016-12-19 09:57:10.126: [207116] --> 250-8BITMIME
Mon 2016-12-19 09:57:10.126: [207116] --> 250-ENHANCEDSTATUSCODES
Mon 2016-12-19 09:57:10.126: [207116] --> 250 SIZE
Mon 2016-12-19 09:57:10.381: [207116] <-- MAIL FROM: SIZE=5525
Mon 2016-12-19 09:57:10.383: [207116] Performing PTR lookup (90.187.203.173.IN-ADDR.ARPA)
Mon 2016-12-19 09:57:10.402: [207116] *  D=90.187.203.173.IN-ADDR.ARPA TTL=(1415) PTR=[smtp90.iad3a.emailsrvr.com]
Mon 2016-12-19 09:57:10.424: [207116] *  D=smtp90.iad3a.emailsrvr.com TTL=(1439) A=[173.203.187.90]
Mon 2016-12-19 09:57:10.424: [207116]  End PTR results
Mon 2016-12-19 09:57:10.426: [207116] Performing IP lookup (smtp90.iad3a.emailsrvr.com)
Mon 2016-12-19 09:57:10.447: [207116] *  D=smtp90.iad3a.emailsrvr.com TTL=(1399) A=[173.203.187.90]
Mon 2016-12-19 09:57:10.447: [207116]  End IP lookup results
Mon 2016-12-19 09:57:10.450: [207116] Performing IP lookup (jcf.gov.jm)
Mon 2016-12-19 09:57:10.470: [207116] *  D=jcf.gov.jm TTL=(55) A=[208.131.169.101]
Mon 2016-12-19 09:57:10.490: [207116] *  P=010 S=000 D=jcf.gov.jm TTL=(36) MX=[mx1.emailsrvr.com]
Mon 2016-12-19 09:57:10.490: [207116] *  P=020 S=001 D=jcf.gov.jm TTL=(36) MX=[mx2.emailsrvr.com]
Mon 2016-12-19 09:57:10.510: [207116] *  D=mx1.emailsrvr.com TTL=(0) A=[108.166.43.1]
Mon 2016-12-19 09:57:10.530: [207116] *  D=mx2.emailsrvr.com TTL=(1) A=[108.166.43.2]
Mon 2016-12-19 09:57:10.530: [207116]  End IP lookup results
Mon 2016-12-19 09:57:10.531: [207116] Performing SPF lookup (jcf.gov.jm / 173.203.187.90)
Mon 2016-12-19 09:57:11.162: [207116] *  Result: none; no SPF record in DNS
Mon 2016-12-19 09:57:11.162: [207116]  End SPF results
Mon 2016-12-19 09:57:11.162: [207116] --> 250 2.1.0 Sender OK
Mon 2016-12-19 09:57:11.417: [207116] <-- RCPT TO:
Mon 2016-12-19 09:57:11.421: [207116] Performing DNS-BL lookup (173.203.187.90 - connecting IP)
Mon 2016-12-19 09:57:11.444: [207116] *  zen.spamhaus.org - passed
Mon 2016-12-19 09:57:11.444: [207116]  End DNS-BL results
Mon 2016-12-19 09:57:11.453: [207116] --> 250 2.1.5 Recipient OK
Mon 2016-12-19 09:57:11.709: [207116] <-- DATA
Mon 2016-12-19 09:57:11.710: [207116] Creating temp file (SMTP): d:\mdaemon\queues\temp\md5151719.tmp
Mon 2016-12-19 09:57:11.710: [207116] --> 354 Enter mail, end with .
Mon 2016-12-19 09:57:12.287: [207116] Message size: 5525 bytes
Mon 2016-12-19 09:57:12.288: [207116] Performing DKIM lookup
Mon 2016-12-19 09:57:12.288: [207116] *  File: d:\mdaemon\queues\temp\md5151719.tmp
Mon 2016-12-19 09:57:12.288: [207116] *  Message-ID: n/a
Mon 2016-12-19 09:57:12.288: [207116] *  Result: neutral
Mon 2016-12-19 09:57:12.288: [207116]  End DKIM results
Mon 2016-12-19 09:57:12.291: [207116] Performing DMARC processing
Mon 2016-12-19 09:57:12.291: [207116] *  File: d:\mdaemon\queues\temp\md5151719.tmp
Mon 2016-12-19 09:57:12.291: [207116] *  Message-ID: n/a
Mon 2016-12-19 09:57:12.291: [207116] *  Author domain: jcf.gov.jm
Mon 2016-12-19 09:57:12.291: [207116] *  Organizational domain: jcf.gov.jm
Mon 2016-12-19 09:57:12.291: [207116] *  Query domain: _dmarc.jcf.gov.jm
Mon 2016-12-19 09:57:14.080: [207116] *No DMARC policy record found
Mon 2016-12-19 09:57:14.080: [207116] *  Action taken: none
Mon 2016-12-19 09:57:14.080: [207116] *  Result: none
Mon 2016-12-19 09:57:14.080: [207116]  End DMARC results
Mon 2016-12-19 09:57:14.082: [207116] Passing message through AntiVirus (Size: 5525)...
Mon 2016-12-19 09:57:14.091: [207116] *  Message is clean (no viruses found)
Mon 2016-12-19 09:57:14.091: [207116]  End AntiVirus results
Mon 2016-12-19 09:57:14.336: [207116] Passing 
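The moderator's read of this session (a relay host that follows the rules, so block the sender address rather than the host) comes from a handful of facts scattered through the log: the connecting IP, its PTR and whether that name resolves back to the same IP, the DNSBL verdict, and the SPF/DKIM/DMARC results. The Python below is an added example (not code from the list or from MDaemon) that pulls those facts out of an MDaemon SMTP(in) session and summarises them; it is driven by a constructed sample made from the lines above (the MAIL FROM mailbox is absent from the archived log, so a labelled placeholder stands in), and the function names, the `phase` bookkeeping and the "sender-blacklist" / "host-screening" labels are my own. One detail worth noting: `*  Result:` lines are ambiguous on their own, so the parser scopes them to the last `Performing ...` line.

```python
import re

# Constructed sample: the SMTP(in) session from the list post above, one event per
# line, trimmed to what the triage needs. The MAIL FROM address is absent from the
# archived log, so a placeholder mailbox is used here.
SAMPLE_LOG = """\
Mon 2016-12-19 09:57:09.867: [207116] Session 207116; child 0001
Mon 2016-12-19 09:57:09.867: [207116] Accepting SMTP connection from 173.203.187.90:54206 to 10.0.0.1:25
Mon 2016-12-19 09:57:10.126: [207116] <-- EHLO smtp90.iad3a.emailsrvr.com
Mon 2016-12-19 09:57:10.381: [207116] <-- MAIL FROM:<placeholder-sender@jcf.gov.jm> SIZE=5525
Mon 2016-12-19 09:57:10.383: [207116] Performing PTR lookup (90.187.203.173.IN-ADDR.ARPA)
Mon 2016-12-19 09:57:10.402: [207116] *  D=90.187.203.173.IN-ADDR.ARPA TTL=(1415) PTR=[smtp90.iad3a.emailsrvr.com]
Mon 2016-12-19 09:57:10.424: [207116] *  D=smtp90.iad3a.emailsrvr.com TTL=(1439) A=[173.203.187.90]
Mon 2016-12-19 09:57:10.424: [207116]  End PTR results
Mon 2016-12-19 09:57:10.531: [207116] Performing SPF lookup (jcf.gov.jm / 173.203.187.90)
Mon 2016-12-19 09:57:11.162: [207116] *  Result: none; no SPF record in DNS
Mon 2016-12-19 09:57:11.421: [207116] Performing DNS-BL lookup (173.203.187.90 - connecting IP)
Mon 2016-12-19 09:57:11.444: [207116] *  zen.spamhaus.org - passed
Mon 2016-12-19 09:57:12.288: [207116] Performing DKIM lookup
Mon 2016-12-19 09:57:12.288: [207116] *  Result: neutral
Mon 2016-12-19 09:57:12.291: [207116] Performing DMARC processing
Mon 2016-12-19 09:57:14.080: [207116] *  Result: none
Mon 2016-12-19 09:57:14.082: [207116] Passing message through AntiVirus (Size: 5525)...
Mon 2016-12-19 09:57:14.091: [207116] *  Message is clean (no viruses found)
"""

# "Mon 2016-12-19 09:57:09.867: [207116] text", or with the two-digit severity
# field that newer logs put before the session id: "...: 02: [665148] text".
LINE_RE = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} [\d:.]+: (?:\d{2}: )?\[(\d+)\] (.*)$")


def parse_session(text):
    """Reduce one SMTP(in) session to the facts an admin looks at before blocking."""
    s = {"session": None, "ip": None, "ehlo": None, "mail_from": None, "ptr": None,
         "ptr_a": [], "spf": None, "dnsbl": {}, "dkim": None, "dmarc": None, "av": None}
    phase = None  # "*  Result:" lines belong to the most recent "Performing ..." line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, msg = m.group(1), m.group(2).strip()
        s["session"] = s["session"] or sid
        if (mm := re.match(r"Accepting SMTP connection from \[?([\d.]+):\d+\]?", msg)):
            s["ip"] = mm.group(1)
        elif (mm := re.match(r"<-- (?:EHLO|HELO) (\S+)", msg, re.I)):
            s["ehlo"] = mm.group(1)  # the last HELO/EHLO wins (STARTTLS repeats it)
        elif (mm := re.match(r"<-- MAIL FROM:\s*<?([^>\s]*@[^>\s]+)>?", msg, re.I)):
            s["mail_from"] = mm.group(1)
        elif (mm := re.match(r"Performing ([\w-]+) (?:lookup|processing)", msg)):
            phase = mm.group(1).upper()  # PTR, IP, SPF, DNS-BL, DKIM, DMARC
        elif msg.startswith("Passing message through AntiVirus"):
            phase = "AV"
        elif (mm := re.match(r"\*\s*D=\S+ TTL=\(\d+\) PTR=\[([^\]]+)\]", msg)):
            s["ptr"] = mm.group(1)
        elif (mm := re.match(r"\*\s*D=\S+ TTL=\(\d+\) A=\[([\d.]+)\]", msg)) and phase == "PTR":
            s["ptr_a"].append(mm.group(1))  # forward resolution of the PTR name
        elif (mm := re.match(r"\*\s*Result:\s*([^;]+)", msg)) and phase in ("SPF", "DKIM", "DMARC"):
            s[phase.lower()] = mm.group(1).strip().lower()
        elif (mm := re.match(r"\*\s*(\S+) - (\w+)", msg)) and phase == "DNS-BL":
            s["dnsbl"][mm.group(1)] = mm.group(2).lower()
        elif phase == "AV" and "Message is clean" in msg:
            s["av"] = "clean"
    return s


def assess(s):
    """Return (observations, recommendation) in the spirit of the advice on this list:
    a host whose PTR resolves back to its IP and is not DNSBL-listed looks like a
    shared relay, so blocking it by host would also stop legitimate mail."""
    obs = []
    fcrdns = bool(s["ptr"]) and s["ip"] in s["ptr_a"]
    obs.append(f"FCrDNS {'consistent' if fcrdns else 'NOT consistent'}: "
               f"{s['ip']} -> {s['ptr']} -> {s['ptr_a']}")
    if s["ehlo"] and s["ptr"] and s["ehlo"].lower() != s["ptr"].lower():
        obs.append(f"EHLO name {s['ehlo']} differs from PTR {s['ptr']}")
    listed = [zone for zone, verdict in s["dnsbl"].items() if verdict != "passed"]
    obs.append("DNSBL: " + (", ".join(listed) if listed else "no listings"))
    obs.append(f"SPF={s['spf']} DKIM={s['dkim']} DMARC={s['dmarc']} AV={s['av']}")
    if fcrdns and not listed:
        return obs, "sender-blacklist"
    return obs, "host-screening"


if __name__ == "__main__":
    session = parse_session(SAMPLE_LOG)
    observations, recommendation = assess(session)
    print("\n".join(observations))
    print("recommendation:", recommendation)
```

For the session above this yields "FCrDNS consistent", no DNSBL listings, `SPF=none DKIM=neutral DMARC=none`, and the `sender-blacklist` recommendation, which is the same conclusion the moderator reached by hand. SPF "none" and a missing DMARC record are reasons to distrust the message content, not the relay, so they do not move the host toward host screening in this logic.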

[MDaemon-L] Suspicious email

2016-12-19 Thread Syafril Hermansyah
On 20/12/16 08:02, Anjas Wahyu Nurhayanto wrote:
> Today a client received an email like this (attached). What should I do
> so that emails like this can no longer be received?

Show the mail source.
You can forward that message as an attachment here, or save the
message to local disk as *.eml and attach it here.




-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 16.5.2-64, SP 5.1.0-64 Beta B
Please do not cc: or send private mail for MDaemon issues.

On everyone's back there is a label that others use to judge
that person - and only that person cannot see it
-- Paul Brulet, born 1866







[MDaemon-L] Suspicious email

2016-12-19 Thread Anjas Wahyu Nurhayanto
Dear Pak Syafril,

Today a client received an email like this (attached). What should I do
so that emails like this can no longer be received?

-- 


Anjas Wahyu Nurhayanto
iPower Communications


From: Erdha [mailto:er...@aksball.co.id] 
Sent: Monday, December 19, 2016 10:40 AM
To: 'Budi AKS'
Cc: 'Heni'
Subject: FW: DHL EXPRESS PARCEL ARRIVAL NOTICE

fyi

From: nore...@dhl.cn [mailto:orane.came...@jcf.gov.jm] 
Sent: Monday, December 19, 2016 9:57 AM
To: er...@aksball.co.id
Subject: DHL EXPRESS PARCEL ARRIVAL NOTICE


Hi er...@aksball.co.id,
Your parcel has arrived at about 09:20:29 GMT.
Courier was unable to deliver the parcel to you due to some error.
Here is the delivery status for your parcel.
tracking.pl?LAN=FRE=FR_FRE= er...@aksball.co.id
Thank you,
DHL.Express <<<
 

Note: Kindly use your mail to access file online.

--
Terms & Conditions
Tracking FAQs