[Mdaemon-L] Email Spoofing
On 8/9/23 09:22, Rievo Niemrod Efraim via Mdaemon-L wrote:
>> Check in the smtp-in log whether mail transactions coming in from the internet
>> trigger DMARC verification.
>
> Oddly, at the time of the incident the DMARC processing seems not to have run,
> judging by the smtp-in log on the day it happened:
>
> Mon 2023-08-07 11:55:28.694: [00968378] End DKIM results
> Mon 2023-08-07 11:55:28.695: [00968378] Passing message through AntiVirus (Size: 8603)...
> Mon 2023-08-07 11:55:28.714: [00968378] * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00303s))
> Mon 2023-08-07 11:55:28.714: [00968378] End AntiVirus results
>
> Compared with the log of the email from BCA, where DMARC processing did run:
>
> Mon 2023-08-07 11:55:48.946: [00968484] Performing DMARC processing
> Mon 2023-08-07 11:55:48.946: [00968484] * File: d:\mdaemon\queues\temp\25\md500100239.tmp
> Mon 2023-08-07 11:55:48.946: [00968484] * Message-ID: <2007367336.8292957.1691384169124@759f5bc6-5d2c-49d8-4bf7-6a9c>
> Mon 2023-08-07 11:55:48.946: [00968484] * Author domain: klikbca.com
> Mon 2023-08-07 11:55:48.946: [00968484] * Organizational domain: klikbca.com
> Mon 2023-08-07 11:55:48.946: [00968484] * Query domain: _dmarc.klikbca.com
> Mon 2023-08-07 11:55:48.979: [00968484] * Policy record: v=DMARC1;p=quarantine;rua=mailto:hostmas...@bca.co.id;fo=1
> Mon 2023-08-07 11:55:48.981: [00968484] * Verifying report recipient: hostmas...@bca.co.id
> Mon 2023-08-07 11:55:48.981: [00968484] * Query domain: klikbca.com._report._dmarc.bca.co.id
> Mon 2023-08-07 11:55:49.012: [00968484] * Policy record: v=DMARC1
> Mon 2023-08-07 11:55:49.012: [00968484] * Recipient hostmas...@bca.co.id is verified
> Mon 2023-08-07 11:55:49.012: [00968484] * Checking authentication mechanisms for DMARC alignment
> Mon 2023-08-07 11:55:49.012: [00968484] * SPF: domain "klikbca.com" passed SPF check; and domain is DMARC aligned
> Mon 2023-08-07 11:55:49.012: [00968484] * DKIM: domain "klikbca.com" (from d= of signature #1) verified; and domain is DMARC aligned
> Mon 2023-08-07 11:55:49.012: [00968484] * Result: pass
> Mon 2023-08-07 11:55:49.012: [00968484] End DMARC results
>
> Yet the logs above have roughly the same date and time, so it can be confirmed
> that it was not because DMARC verification was inactive at that moment. Or could
> the system have read that email as if it really came from local, so that DMARC
> processing did not run???

DMARC verification is inactive (bypassed) only if the sender IP is in the exemption list or in the trusted IPs.

>> [ ] Do not verify messages from trusted IPs
>
> OK Pak, for now I have disabled "Do not verify messages from trusted IPs".
>
>> Then check the smtp-in log again to see whether DMARC verification runs.
>
> Wed 2023-08-09 08:54:28.471: [01143185] End DKIM results
> Wed 2023-08-09 08:54:28.476: [01143185] Performing DMARC processing
> Wed 2023-08-09 08:54:28.476: [01143185] * File: d:\mdaemon\queues\temp\15\md50011.tmp
> Wed 2023-08-09 08:54:28.476: [01143185] * Message-ID:
> Wed 2023-08-09 08:54:28.476: [01143185] * Author domain: gmail.com
> Wed 2023-08-09 08:54:28.476: [01143185] * Organizational domain: gmail.com
> Wed 2023-08-09 08:54:28.476: [01143185] * Query domain: _dmarc.gmail.com
> Wed 2023-08-09 08:54:28.476: [01143185] * Policy record (from cache): v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com
> Wed 2023-08-09 08:54:28.479: [01143185] * Verifying report recipient: mailauth-repo...@google.com
> Wed 2023-08-09 08:54:28.479: [01143185] * Query domain: gmail.com._report._dmarc.google.com
> Wed 2023-08-09 08:54:28.508: [01143185] * Policy record: v=DMARC1
> Wed 2023-08-09 08:54:28.508: [01143185] * Recipient mailauth-repo...@google.com is verified
> Wed 2023-08-09 08:54:28.508: [01143185] * Checking authentication mechanisms for DMARC alignment
> Wed 2023-08-09 08:54:28.508: [01143185] * SPF: domain "gmail.com" passed SPF check; and domain is DMARC aligned
> Wed 2023-08-09 08:54:28.509: [01143185] * DKIM: domain "gmail.com" (from d= of signature #1) verified; and domain is DMARC aligned
> Wed 2023-08-09 08:54:28.509: [01143185] * Result: pass
> Wed 2023-08-09 08:54:28.509: [01143185] End DMARC results

ok.

-- 
syafril
Syafril Hermansyah, MDaemon-L Moderator, running MDaemon 23.5.0 Beta B
Please do not cc: or send private mail for MDaemon issues.
I'm unpredictable, I never know where I'm going until I get there, I'm so random, I'm always growing, learning, changing, I'm never the same person twice. But one thing you can be sure of about me; is I will always do exactly what I want to do. --- C. JoyBell C.
--
--[mdaemon-l]--
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version: MDaemon 23.0.2, SecurityGateway 9.0.3
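The two sessions compared in the message above, 00968378 going from "End DKIM results" straight to AntiVirus and 00968484 showing "Performing DMARC processing", are a pattern a log check can catch automatically. The script below is an added example, not MDaemon's code and not from the thread: it groups MDaemon SMTP-in log lines by session ID and flags any accepted session whose MAIL FROM domain is one of the server's own domains, whose peer is outside the trusted networks, and which never reached DMARC processing. The log lines are constructed to mirror the thread's excerpts; the sender addresses, the 203.0.113.10 peer and the second session's HELO name are made up, and LOCAL_DOMAINS and TRUSTED_NETS are assumed site settings.

```python
"""Flag inbound MDaemon SMTP sessions that claim a local sender domain from an
untrusted IP but never reached DMARC processing (added example, not MDaemon code)."""
import ipaddress
import re
from collections import defaultdict

# Assumed site settings: the domain MDaemon hosts and the networks that would
# be listed under Trusted IPs (DMARC verification is skipped for those).
LOCAL_DOMAINS = {"ptbmi.com"}
TRUSTED_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# Constructed log modelled on the thread's excerpts. Sender addresses, the
# 203.0.113.10 peer and the second session's HELO name are made up.
SAMPLE_LOG = """\
Mon 2023-08-07 11:55:23.563: [00968378] Accepting SMTP connection from 198.58.114.46:58924 to 172.16.0.6:25
Mon 2023-08-07 11:55:24.595: [00968378] <-- EHLO mail.iesencial.com
Mon 2023-08-07 11:55:24.824: [00968378] <-- MAIL FROM:<hrd@ptbmi.com> SIZE=8603
Mon 2023-08-07 11:55:25.992: [00968378] Performing SPF lookup (mail.iesencial.com / 198.58.114.46)
Mon 2023-08-07 11:55:28.041: [00968378] * Result: none; no SPF record in DNS
Mon 2023-08-07 11:55:28.694: [00968378] Performing DKIM verification
Mon 2023-08-07 11:55:28.694: [00968378] * Result: neutral
Mon 2023-08-07 11:55:28.694: [00968378] End DKIM results
Mon 2023-08-07 11:55:28.716: [00968378] --> 250 2.6.0 Ok, message saved
Mon 2023-08-07 11:55:47.001: [00968484] Accepting SMTP connection from 203.0.113.10:40412 to 172.16.0.6:25
Mon 2023-08-07 11:55:47.300: [00968484] <-- EHLO mta.example.invalid
Mon 2023-08-07 11:55:47.900: [00968484] <-- MAIL FROM:<noreply@klikbca.com> SIZE=3700
Mon 2023-08-07 11:55:48.946: [00968484] Performing DMARC processing
Mon 2023-08-07 11:55:48.946: [00968484] * Author domain: klikbca.com
Mon 2023-08-07 11:55:49.012: [00968484] * Result: pass
Mon 2023-08-07 11:55:49.012: [00968484] End DMARC results
Mon 2023-08-07 11:55:49.233: [00968484] --> 250 2.6.0 Ok, message saved
"""

LINE_RE = re.compile(r"^\w{3} \S+ \S+: \[(\d+)\] (.*)$")
CONNECT_RE = re.compile(r"Accepting SMTP connection from (\S+):\d+ to ")
HELO_RE = re.compile(r"<-- (?:EHLO|HELO) (\S+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"<-- MAIL FROM:\s*<?([^<>\s]+)>?", re.IGNORECASE)


def parse_sessions(log_text):
    """Group lines by MDaemon session ID and extract the fields the check needs."""
    sessions = defaultdict(lambda: {"ip": None, "helo": None, "mail_from": None,
                                    "dmarc_ran": False, "accepted": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session separators ("--") and other non-session lines
        sid, msg = m.groups()
        s = sessions[sid]
        if (c := CONNECT_RE.search(msg)):
            s["ip"] = c.group(1)
        elif (h := HELO_RE.search(msg)):
            s["helo"] = h.group(1).lower()
        elif (f := MAILFROM_RE.search(msg)):
            s["mail_from"] = f.group(1).lower()
        elif msg.startswith("Performing DMARC processing"):
            s["dmarc_ran"] = True
        elif msg.startswith("--> 250 2.6.0"):
            s["accepted"] = True  # message was saved to the inbound queue
    return dict(sessions)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_unverified_local_senders(log_text):
    """Sessions that should have been DMARC-verified but were not: untrusted peer,
    envelope sender in a local domain, message accepted, no DMARC block."""
    findings = []
    for sid, s in parse_sessions(log_text).items():
        if not (s["ip"] and s["mail_from"] and s["accepted"]):
            continue
        sender_domain = s["mail_from"].rsplit("@", 1)[-1]
        if (sender_domain in LOCAL_DOMAINS
                and not is_trusted(s["ip"])
                and not s["dmarc_ran"]):
            findings.append({"session": sid, "ip": s["ip"],
                             "helo": s["helo"], "mail_from": s["mail_from"]})
    return findings


if __name__ == "__main__":
    for f in find_unverified_local_senders(SAMPLE_LOG):
        print(f"session {f['session']}: {f['mail_from']} from {f['ip']} "
              f"(HELO {f['helo']}) accepted without DMARC processing")
```

A hit from this check points at the same three places the thread walks through: the DMARC exempt list, the Trusted IPs and Trusted Hosts lists, and the "Do not verify messages from trusted IPs" option. The spoofed message's own headers in the first report carry the matching clue, "X-Spam-Processed: ... (not processed: message from valid local sender)".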
[Mdaemon-L] Email Spoofing
>>>> Check what is in the DMARC exempt list.
>>>> Is there an entry for 198.58.114.46?
>>>
>>> No, Pak
>>
>> Is there an entry in the trusted IPs
>> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_ips.html
>> or the trusted hosts
>> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_hosts.html

Good morning Pak Syafril, I checked the trusted IPs and the trusted hosts and the IP/host of that spoofing email is in neither.

> Check in the smtp-in log whether mail transactions coming in from the internet
> trigger DMARC verification.

Oddly, at the time of the incident the DMARC processing seems not to have run, judging by the smtp-in log on the day it happened:

Mon 2023-08-07 11:55:28.694: [00968378] End DKIM results
Mon 2023-08-07 11:55:28.695: [00968378] Passing message through AntiVirus (Size: 8603)...
Mon 2023-08-07 11:55:28.714: [00968378] * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00303s))
Mon 2023-08-07 11:55:28.714: [00968378] End AntiVirus results
Mon 2023-08-07 11:55:28.716: [00968378] Message creation successful: d:\mdaemon\queues\inbound\46\md500127224.msg
Mon 2023-08-07 11:55:28.716: [00968378] --> 250 2.6.0 Ok, message saved
Mon 2023-08-07 11:55:28.716: [00968378] <-- QUIT
Mon 2023-08-07 11:55:28.716: [00968378] --> 221 2.0.0 See ya in cyberspace
Mon 2023-08-07 11:55:28.717: [00968378] SMTP session successful (Bytes in/out: 8729/459)
Mon 2023-08-07 11:55:28.718: --

Compared with the log of the email from BCA, where DMARC processing did run:

Mon 2023-08-07 11:55:48.943: [00968484] End DKIM results
Mon 2023-08-07 11:55:48.946: [00968484] Performing DMARC processing
Mon 2023-08-07 11:55:48.946: [00968484] * File: d:\mdaemon\queues\temp\25\md500100239.tmp
Mon 2023-08-07 11:55:48.946: [00968484] * Message-ID: <2007367336.8292957.1691384169124@759f5bc6-5d2c-49d8-4bf7-6a9c>
Mon 2023-08-07 11:55:48.946: [00968484] * Author domain: klikbca.com
Mon 2023-08-07 11:55:48.946: [00968484] * Organizational domain: klikbca.com
Mon 2023-08-07 11:55:48.946: [00968484] * Query domain: _dmarc.klikbca.com
Mon 2023-08-07 11:55:48.979: [00968484] * Policy record: v=DMARC1;p=quarantine;rua=mailto:hostmas...@bca.co.id;fo=1
Mon 2023-08-07 11:55:48.981: [00968484] * Verifying report recipient: hostmas...@bca.co.id
Mon 2023-08-07 11:55:48.981: [00968484] * Query domain: klikbca.com._report._dmarc.bca.co.id
Mon 2023-08-07 11:55:49.012: [00968484] * Policy record: v=DMARC1
Mon 2023-08-07 11:55:49.012: [00968484] * Recipient hostmas...@bca.co.id is verified
Mon 2023-08-07 11:55:49.012: [00968484] * Checking authentication mechanisms for DMARC alignment
Mon 2023-08-07 11:55:49.012: [00968484] * SPF: domain "klikbca.com" passed SPF check; and domain is DMARC aligned
Mon 2023-08-07 11:55:49.012: [00968484] * DKIM: domain "klikbca.com" (from d= of signature #1) verified; and domain is DMARC aligned
Mon 2023-08-07 11:55:49.012: [00968484] * Result: pass
Mon 2023-08-07 11:55:49.012: [00968484] End DMARC results
Mon 2023-08-07 11:55:49.014: [00968484] Passing message through AntiVirus (Size: 3700)...
Mon 2023-08-07 11:55:49.025: [00968484] * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00110s))
Mon 2023-08-07 11:55:49.025: [00968484] End AntiVirus results
Mon 2023-08-07 11:55:49.025: [00968484] Passing message through Spam Filter (Size: 3700)...
Mon 2023-08-07 11:55:49.229: [00968484] * 0.0 HTML_MESSAGE BODY: HTML included in message
Mon 2023-08-07 11:55:49.229: [00968484] * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
Mon 2023-08-07 11:55:49.229: [00968484] End SpamAssassin results
Mon 2023-08-07 11:55:49.229: [00968484] Spam Filter score/req: 0.10/12.0
Mon 2023-08-07 11:55:49.233: [00968484] Message creation successful: d:\mdaemon\queues\inbound\49\md500127216.msg
Mon 2023-08-07 11:55:49.233: [00968484] --> 250 2.6.0 Ok, message saved
Mon 2023-08-07 11:55:49.268: [00968484] <-- QUIT
Mon 2023-08-07 11:55:49.268: [00968484] --> 221 2.0.0 See ya in cyberspace
Mon 2023-08-07 11:55:49.268: [00968484] SMTP session successful (Bytes in/out: 4697/4355)
Mon 2023-08-07 11:55:49.268: --

Yet the logs above have roughly the same date and time, so it can be confirmed that it was not because DMARC verification was inactive at that moment. Or could the system have read that email as if it really came from local, so that DMARC processing did not run???

> If not, disable the following option first
> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
> [ ] Do not verify messages from trusted IPs

OK Pak, for now I have disabled "Do not verify messages from trusted IPs".

> Then check the smtp-in log again to see whether DMARC verification runs.

Wed 2023-08-09 08:54:28.471: [01143185] End DKIM results
Wed 2023-08-09 08:54:28.476: [01143185] Performing DMARC processing
Wed 2023-08-09 08:54:28.476: [01143185] * File:
[Mdaemon-L] Email Spoofing
On 8/8/23 16:25, Syafril Hermansyah via Mdaemon-L wrote:
> On 8/8/23 15:00, Rievo Niemrod Efraim via Mdaemon-L wrote:
>>> Check what is in the DMARC exempt list.
>>> Is there an entry for 198.58.114.46?
>>
>> No, Pak
>
> Is there an entry in the trusted IPs
> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_ips.html
> or the trusted hosts
> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_hosts.html

Check in the smtp-in log whether mail transactions coming in from the internet trigger DMARC verification.

If not, disable the following option first
http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
[ ] Do not verify messages from trusted IPs

then check the smtp-in log again to see whether DMARC verification runs.

-- 
syafril
[Mdaemon-L] Email Spoofing
On 8/8/23 15:00, Rievo Niemrod Efraim via Mdaemon-L wrote:
>> Check what is in the DMARC exempt list.
>> Is there an entry for 198.58.114.46?
>
> No, Pak

Is there an entry in the trusted IPs
http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_ips.html
or the trusted hosts
http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--trusted_hosts.html

-- 
syafril
[Mdaemon-L] Email Spoofing
> Check what is in the DMARC exempt list.
> Is there an entry for 198.58.114.46?

No, Pak

Regards,
Rievo
[Mdaemon-L] Email Spoofing
On 8/8/23 14:21, Rievo Niemrod Efraim via Mdaemon-L wrote:
>> Do you mean it was only just enabled?
>
> No, Pak, it was already active before.
>
>> It was not active on 2023-08-07?
>
> Before I checked, on 2023-08-07 the DMARC verification was already active, Pak.

Check what is in the DMARC exempt list.
Is there an entry for 198.58.114.46?

-- 
syafril
[Mdaemon-L] Email Spoofing
>>> The DMARC check is not active, is it?
>>> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
>>> [x] Enable DMARC verification and reporting
>>
>> I checked, the DMARC is currently active, Pak
>
> Do you mean it was only just enabled?

No, Pak, it was already active before.

> It was not active on 2023-08-07?

Before I checked, on 2023-08-07 the DMARC verification was already active, Pak.

Regards,
Rievo
[Mdaemon-L] Email Spoofing
On 8/8/23 10:59, Rievo Niemrod Efraim via Mdaemon-L wrote:
>> The DMARC check is not active, is it?
>> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
>> [x] Enable DMARC verification and reporting
>
> I checked, the DMARC is currently active, Pak

Do you mean it was only just enabled?
It was not active on 2023-08-07?

-- 
syafril
[Mdaemon-L] Email Spoofing
Good morning Pak Syafril,

> The DMARC check is not active, is it?
> http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
> [x] Enable DMARC verification and reporting

I checked, the DMARC is currently active, Pak.

Thank you,
Rievo
[Mdaemon-L] Email Spoofing
On 8/7/23 16:03, Rievo Niemrod Efraim via Mdaemon-L wrote:
>>> We received a spoofing email using our domain.
>>
>> Find the transaction in the smtp-in log.
>
> Here is the SMTP-IN log, Pak:
>
> Mon 2023-08-07 11:55:24.824: [00968378] <-- MAIL FROM: SIZE=8603
> Mon 2023-08-07 11:55:28.041: [00968378] <-- RCPT TO:
> Mon 2023-08-07 11:55:28.042: [00968378] Performing DNS-BL lookup (198.58.114.46 - connecting IP)
> Mon 2023-08-07 11:55:28.350: [00968378] * b.barracudacentral.org - passed
> Mon 2023-08-07 11:55:28.458: [00968378] * zen.spamhaus.org - passed
> Mon 2023-08-07 11:55:28.458: [00968378] End DNS-BL results
> Mon 2023-08-07 11:55:28.460: [00968378] --> 250 2.1.5 Recipient OK
> Mon 2023-08-07 11:55:28.462: [00968378] <-- DATA
> Mon 2023-08-07 11:55:28.464: [00968378] --> 354 Enter mail, end with .
> Mon 2023-08-07 11:55:28.693: [00968378] Message size: 8603 bytes
> Mon 2023-08-07 11:55:28.694: [00968378] Performing DKIM verification
> Mon 2023-08-07 11:55:28.694: [00968378] * File: d:\mdaemon\queues\temp\22\md500100239.tmp
> Mon 2023-08-07 11:55:28.694: [00968378] * Message-ID: <20230806214657.ee2f01d012b9a...@ptbmi.com>
> Mon 2023-08-07 11:55:28.694: [00968378] * Result: neutral
> Mon 2023-08-07 11:55:28.694: [00968378] End DKIM results

The DMARC check is not active, is it?
http://mdaemon.dutaint.co.id/mdaemon/23.0.1/security--dmarc_verification.html
[x] Enable DMARC verification and reporting

-- 
syafril
[Mdaemon-L] Email Spoofing
>> We received a spoofing email using our domain.
>
> Find the transaction in the smtp-in log.

Here is the SMTP-IN log, Pak:

Mon 2023-08-07 11:55:26.847: --
Mon 2023-08-07 11:55:23.563: [00968378] Session 00968378; child 0016
Mon 2023-08-07 11:55:23.563: [00968378] Accepting SMTP connection from 198.58.114.46:58924 to 172.16.0.6:25
Mon 2023-08-07 11:55:23.563: [00968378] Location Screen says connection is from United States, North America
Mon 2023-08-07 11:55:23.565: [00968378] --> 220 bb.ptbmi.com ESMTP MDaemon 23.0.1; Mon, 07 Aug 2023 11:55:23 +0700
Mon 2023-08-07 11:55:24.595: [00968378] <-- EHLO mail.iesencial.com
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-bb.ptbmi.com Hello mail.iesencial.com [198.58.114.46], pleased to meet you
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-ETRN
Mon 2023-08-07 11:55:24.596: [00968378] Location Screening hiding AUTH from country United States, North America
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-8BITMIME
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-ENHANCEDSTATUSCODES
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-PIPELINING
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-CHUNKING
Mon 2023-08-07 11:55:24.596: [00968378] --> 250-STARTTLS
Mon 2023-08-07 11:55:24.596: [00968378] --> 250 SIZE
Mon 2023-08-07 11:55:24.824: [00968378] <-- MAIL FROM: SIZE=8603
Mon 2023-08-07 11:55:24.832: [00968378] Performing PTR lookup (46.114.58.198.IN-ADDR.ARPA)
Mon 2023-08-07 11:55:25.232: [00968378] * D=46.114.58.198.IN-ADDR.ARPA TTL=(60) PTR=[mail.iesencial.com]
Mon 2023-08-07 11:55:25.569: [00968378] * D=mail.iesencial.com TTL=(60) A=[198.58.114.46]
Mon 2023-08-07 11:55:25.569: [00968378] End PTR results
Mon 2023-08-07 11:55:25.571: [00968378] Performing IP lookup (mail.iesencial.com)
Mon 2023-08-07 11:55:25.902: [00968378] * D=mail.iesencial.com TTL=(60) A=[198.58.114.46]
Mon 2023-08-07 11:55:25.902: [00968378] End IP lookup results
Mon 2023-08-07 11:55:25.905: [00968378] Performing IP lookup (ptbmi.com)
Mon 2023-08-07 11:55:25.931: [00968378] * D=ptbmi.com TTL=(53) A=[202.148.6.47]
Mon 2023-08-07 11:55:25.960: [00968378] * P=005 S=000 D=ptbmi.com TTL=(50) MX=[bb.ptbmi.com]
Mon 2023-08-07 11:55:25.991: [00968378] * D=bb.ptbmi.com TTL=(26) A=[202.148.25.131]
Mon 2023-08-07 11:55:25.991: [00968378] End IP lookup results
Mon 2023-08-07 11:55:25.992: [00968378] Performing SPF lookup (mail.iesencial.com / 198.58.114.46)
Mon 2023-08-07 11:55:28.041: [00968378] * Result: none; no SPF record in DNS
Mon 2023-08-07 11:55:28.041: [00968378] End SPF results
Mon 2023-08-07 11:55:28.041: [00968378] --> 250 2.1.0 Sender OK
Mon 2023-08-07 11:55:28.041: [00968378] <-- RCPT TO:
Mon 2023-08-07 11:55:28.042: [00968378] Performing DNS-BL lookup (198.58.114.46 - connecting IP)
Mon 2023-08-07 11:55:28.350: [00968378] * b.barracudacentral.org - passed
Mon 2023-08-07 11:55:28.458: [00968378] * zen.spamhaus.org - passed
Mon 2023-08-07 11:55:28.458: [00968378] End DNS-BL results
Mon 2023-08-07 11:55:28.460: [00968378] --> 250 2.1.5 Recipient OK
Mon 2023-08-07 11:55:28.462: [00968378] <-- DATA
Mon 2023-08-07 11:55:28.464: [00968378] --> 354 Enter mail, end with .
Mon 2023-08-07 11:55:28.693: [00968378] Message size: 8603 bytes
Mon 2023-08-07 11:55:28.694: [00968378] Performing DKIM verification
Mon 2023-08-07 11:55:28.694: [00968378] * File: d:\mdaemon\queues\temp\22\md500100239.tmp
Mon 2023-08-07 11:55:28.694: [00968378] * Message-ID: <20230806214657.ee2f01d012b9a...@ptbmi.com>
Mon 2023-08-07 11:55:28.694: [00968378] * Result: neutral
Mon 2023-08-07 11:55:28.694: [00968378] End DKIM results
Mon 2023-08-07 11:55:28.695: [00968378] Passing message through AntiVirus (Size: 8603)...
Mon 2023-08-07 11:55:28.714: [00968378] * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00303s))
Mon 2023-08-07 11:55:28.714: [00968378] End AntiVirus results
Mon 2023-08-07 11:55:28.716: [00968378] Message creation successful: d:\mdaemon\queues\inbound\46\md500127224.msg
Mon 2023-08-07 11:55:28.716: [00968378] --> 250 2.6.0 Ok, message saved
Mon 2023-08-07 11:55:28.716: [00968378] <-- QUIT
Mon 2023-08-07 11:55:28.716: [00968378] --> 221 2.0.0 See ya in cyberspace
Mon 2023-08-07 11:55:28.717: [00968378] SMTP session successful (Bytes in/out: 8729/459)
Mon 2023-08-07 11:55:28.718: --

Thank you,
Rievo
[Mdaemon-L] Email Spoofing
On 8/7/23 13:57, Rievo Niemrod Efraim via Mdaemon-L wrote:
> We received a spoofing email using our domain.
>
> Authentication-Results: bb.ptbmi.com;
>   iprev=pass policy.iprev=198.58.114.46 (PTR mail.iesencial.com);
>   iprev=pass policy.iprev=198.58.114.46 (HELO mail.iesencial.com);
>   iprev=fail reason="does not match" policy.iprev=198.58.114.46 (MAIL hrd.recruitm...@ptbmi.com)
> Received: from mail.iesencial.com (mail.iesencial.com [198.58.114.46]) by bb.ptbmi.com (MDaemon PRO v23.0.1) with ESMTP id 46-md500127224.msg; Mon, 07 Aug 2023 11:55:29 +0700
> From: "hrd.recruitment Email Support (hrd.recruitm...@ptbmi.com)"
> To: hrd.recruitm...@ptbmi.com
> Date: 06 Aug 2023 21:46:57 -0700
> Message-ID: <20230806214657.ee2f01d012b9a...@ptbmi.com>

Find the transaction in the smtp-in log.

-- 
syafril
[Mdaemon-L] Email Spoofing
Good afternoon,

Dear Pak Syafril, please help.
We received a spoofing email using our domain.
What is the solution for dealing with this, Pak? Please advise.

Thank you,
Rievo

X-MDAV-Result: clean
X-MDAV-Processed: bb.ptbmi.com, Mon, 07 Aug 2023 11:55:29 +0700
Return-path:
Authentication-Results: bb.ptbmi.com;
  iprev=pass policy.iprev=198.58.114.46 (PTR mail.iesencial.com);
  iprev=pass policy.iprev=198.58.114.46 (HELO mail.iesencial.com);
  iprev=fail reason="does not match" policy.iprev=198.58.114.46 (MAIL hrd.recruitm...@ptbmi.com)
Received: from mail.iesencial.com (mail.iesencial.com [198.58.114.46]) by bb.ptbmi.com (MDaemon PRO v23.0.1) with ESMTP id 46-md500127224.msg; Mon, 07 Aug 2023 11:55:29 +0700
VBR-Info: md=ptbmi.com; mc=all; mv=bb.ptbmi.com;
X-Spam-Processed: bb.ptbmi.com, Mon, 07 Aug 2023 11:55:29 +0700 (not processed: message from valid local sender)
X-MDRemoteIP: 198.58.114.46
X-MDHelo: mail.iesencial.com
X-MDArrival-Date: Mon, 07 Aug 2023 11:55:29 +0700
X-MDOrigin-Country: US, NA
X-Rcpt-To: hrd.recruitm...@ptbmi.com
X-MDRcpt-To: hrd.recruitm...@ptbmi.com
X-Return-Path: prvs=1583e26a03=hrd.recruitm...@ptbmi.com
X-Envelope-From: hrd.recruitm...@ptbmi.com
X-MDaemon-Deliver-To: hrd.recruitm...@ptbmi.com
Received: by mail.iesencial.com (Postfix, from userid 182) id 7130612BCB1; Sun, 6 Aug 2023 22:46:59 -0600 (CST)
Received: from conceptcompanies.net (unknown [134.195.139.199]) by mail.iesencial.com (Postfix) with ESMTPSA id 57E4912BC1F for ; Sun, 6 Aug 2023 22:46:57 -0600 (CST)
From: "hrd.recruitment Email Support (hrd.recruitm...@ptbmi.com)"
To: hrd.recruitm...@ptbmi.com
Subject: ( hrd.recruitm...@ptbmi.com ) Mailbox is running out of data storage.
Date: 06 Aug 2023 21:46:57 -0700
Message-ID: <20230806214657.ee2f01d012b9a...@ptbmi.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MDCFSigsAdded: ptbmi.com
X-MDArchived: bb.ptbmi.com, Mon, 07 Aug 2023 11:55:33 +0700
X-EsetId: 37303A2920DCD05B617665
X-EsetScannerBuild: 58436
X-ESET-AntiSpam: OK;0;calc;2023-08-07 11:56:48;2308071156480011;4E28
X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1691384200;VERSION=7956;MC=1600288283;ID=20960;TRN=0;CRV=0;IPC=134.195.139.199;SP=4;SIPS=1;PI=2;F=0
[Mdaemon-L] Email Spoofing
On 18/05/21 08.28, Rievo Niemrod E wrote:
> One of our users received a spoofing email that appears to come from the admin of ptbmi.com, but does not.
>
> Authentication-Results: bb.ptbmi.com;
>   spf=neutral smtp.mailfrom=_spf.mail.yahoo.com;
>   iprev=pass policy.iprev=92.243.26.160 (PTR mail.poslix.store);
>   iprev=pass policy.iprev=92.243.26.160 (HELO mail.poslix.store);
>   iprev=fail reason="does not match" policy.iprev=92.243.26.160 (MAIL lorenzo...@yahoo.com)
> From: "ptbmi.com (ad...@ptbmi.com)"
>
> Please advise what should be done and what needs to be fixed?

Enable DNS DMARC anti-spoofing, aligned with SPF, with policy=reject or quarantine.

https://www.mail-archive.com/mdaemon-l@dutaint.com/msg46228.html
https://www.mail-archive.com/mdaemon-l@dutaint.com/msg46229.html

-- 
syafril
Syafril Hermansyah, MDaemon-L Moderator, running MDaemon 21.0.2 64bit Beta D
Please do not send private mail (or cc:) for MDaemon issues.
--
--[mdaemon-l]--
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version: MDaemon 21.0.1, SecurityGateway 8.0.1
[Mdaemon-L] Email Spoofing
Good morning,

Dear Pak Syafril, please advise.
One of our users received a spoofing email that appears to come from the admin of ptbmi.com, but does not.
Please advise what should be done and what needs to be fixed?

* The header of the spoofing email is attached.

Thank you,
Rievo N

X-MDAV-Result: clean
X-MDAV-Processed: bb.ptbmi.com, Mon, 17 May 2021 16:50:07 +0700
Return-path:
Authentication-Results: bb.ptbmi.com;
  spf=neutral smtp.mailfrom=_spf.mail.yahoo.com;
  iprev=pass policy.iprev=92.243.26.160 (PTR mail.poslix.store);
  iprev=pass policy.iprev=92.243.26.160 (HELO mail.poslix.store);
  iprev=fail reason="does not match" policy.iprev=92.243.26.160 (MAIL lorenzo...@yahoo.com)
Received-SPF: neutral (bb.ptbmi.com: 92.243.26.160 is neither permitted nor denied by domain yahoo.com) receiver=bb.ptbmi.com; client-ip=92.243.26.160; mechanism=all; envelope-from="lorenzo...@yahoo.com"; helo=mail.poslix.store;
Received: from mail.poslix.store (mail.poslix.store [92.243.26.160]) by bb.ptbmi.com (MDaemon PRO v21.0.1) with ESMTPS id 35-md5001000108123.msg; Mon, 17 May 2021 16:50:06 +0700
VBR-Info: md=ptbmi.com; mc=all; mv=bb.ptbmi.com;
X-Spam-Flag: YES
X-Spam-Level: *
X-Spam-Status: Yes, score=9.30 required=5.0
X-Spam-Report:
  * 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4990]
  * 0.3 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit [lorenzox50[at]yahoo.com]
  * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [lorenzox50[at]yahoo.com]
  * 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 0.3 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
  * 3.0 GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
  * 2.2 GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
  * 1.6 SPOOFED_FREEMAIL No description available.
  * 0.1 TO_IN_SUBJ To address is in Subject
X-Spam-Processed: bb.ptbmi.com, Mon, 17 May 2021 16:50:06 +0700 (processed during SMTP session)
X-MDOP-RefID: str=0001.0A673429.60A23C4A.002A,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0 (_st=1 _vt=0 _iwf=0)
X-MDSPF-Result: neutral (bb.ptbmi.com)
X-MDRemoteIP: 92.243.26.160
X-MDHelo: mail.poslix.store
X-MDArrival-Date: Mon, 17 May 2021 16:50:06 +0700
X-MDOrigin-Country: France, Europe
X-Rcpt-To: y...@ptbmi.com
X-MDRcpt-To: y...@ptbmi.com
X-Return-Path: lorenzo...@yahoo.com
X-Envelope-From: lorenzo...@yahoo.com
X-MDaemon-Deliver-To: y...@ptbmi.com
Received: by mail.poslix.store (ORVX) with ESMTPSA id 648264CFE0 for ; Mon, 17 May 2021 11:24:47 +0200 (CEST)
From: "ptbmi.com (ad...@ptbmi.com)"
To: y...@ptbmi.com
Subject: Server Management| IT Support Email Shutdown y...@ptbmi.com 17th May 2021
Date: 17 May 2021 09:24:46 +
Message-ID: <20210517092446.9b8a1b3692137...@ptbmi.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_0012_AD5289F3.505FBF4C"
X-MDCFSigsAdded: ptbmi.com

--=_NextPart_000_0012_AD5289F3.505FBF4C
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Server Administrator | IT Support ptbmi.com

Hello y...@ptbmi.com
We are closing all old versions and non-active users from 5/17/2021 9:24:46 a.m.. Please confirm your email address y...@ptbmi.com to keep your account from being deactivated.
Confirm Your Email Here ( https://firebasestorage.googleapis.com/v0/b/fab3-7876e.appspot.com/o/fab-ant.html?alt=media=c7fee4c1-c871-4eea-9cd5-02feb60dd6ce#yuri@ptbmi.com )

Account will be automatically deleted after 5/17/2021 9:24:46 a.m. You can change the frequency of these notifications within your mailbox portal.

--=_NextPart_000_0012_AD5289F3.505FBF4C
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

http://www.w3.org/TR/html4/loose.dtd"> Server Administrator |IT Support ptbmi.com Hello y...@ptbmi.com We are closing all old versions and non-active users from 5/17/2021 9:24:46 a.m.. Please confirm your email address y...@ptbmi.com to keep your account from being deactivated. https://firebasestorage.googleapis.com/v0/b/fab3-7876e.appspot.com/o/fab-ant.html?alt=mediatoken=c7fee4c1-c871-4eea-9cd5-02feb60dd6ce#y...@ptbmi.com" target="_blank" rel="noreferrer nofollow noopener">Confirm Your Email Here Account will be automatically deleted after 5/17/2021 9:24:46 a.m. You can change the frequency
[Mdaemon-L] Email Spoofing
Dear Pak Shafril,

I received information from an external user (Gmail) that on 2 April an email was sent in the name of our HRD using the email address recruitm...@kapalapi.co.id. I have already checked our smtp-out and our gateway (Cisco IronPort); there was no email sent from the address recruitm...@kapalapi.co.id on that 2 April.

Yesterday I received the .eml file from the recipient; I saw that its From field does indeed show it was sent from recruitm...@kapalapi.co.id, and its To field is undisclosed-recipients.

Here are the headers from that .eml file:

Delivered-To: dewirohmatuli...@gmail.com
Received: by 2002:a4a:a609:0:0:0:0:0 with SMTP id e9csp981126oom;
        Fri, 2 Apr 2021 00:07:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxtKiOPCSp+hCpfb0fQ6sZUA49mRp24V0u43nJwojFYlKNufTMSY1XJzkueg+O+k5oerT39
X-Received: by 2002:a4a:8884:: with SMTP id j4mr10570951ooa.54.1617347252117;
        Fri, 02 Apr 2021 00:07:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617347252; cv=none;
        d=google.com; s=arc-20160816;
        b=nmIP6B/4I3g+dY7GyB3eeXdflPdqOxyK5mg7wY8NehHcB0ilDXl4KdpCnM/Prr4cQE
         HbZkYxyasXCssix2lQBGVC+O0rNkEgk4wnQGy7mWBpwPGMhFeN+1z6JPSZZ0N2LEz69L
         YNC/AR0qO2KJVAf46Rbys4hySEZmVyH4GUIhhWwclCrZaiM+xVUmnwAS/jfIgZxqPLg4
         sWEGqRimvoNMHN3Ky7WOBGdR+RpbKU32yoZJcabdh/2OTu/B4wutWi5lQP1GIAU6QvpC
         NruXx5tdhSPBRqbKWD5IT9JVPPDkNd2k78ErV+SAAHDi09pGTTrtJ4m9OfvCIuFW9STm
         sklw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:message-id:subject:to:from:date:mime-version
         :dkim-signature;
        bh=M4vHQcJfQivMYbpzAjGOrhlG35oyPTitL1nZFCeZKRM=;
        b=ohRiis6ENncJuyxHXE8hEQKUgL7GwE/wJi2Nfew2jT73GaK+kJe8brBK+yqs4DDZcO
         4Hw6T3Z+LiffikkOEN7+eajqeMhCEiGsmF0guxfY0MWYHZz+RJf44M52kKN9x4mFP6m5
         t8rzEGAio7475UibRvl8W7wjeTEpHBZNAWa6+riB0WqPUTDB4G91fPcE8bWAZzHE6iKS
         fRHnoti2zGVtNuVdbEN0alrvcBJlWSVRS590n0IsvY81f9R+z5Kqh+wcaVXaSZPA4EFA
         mq6eeNgSzRQXHV3A3Cj+0ONPAPhzizN1PRbrHikOAdsyyoSssvNmwhoquNDb4BwPYAPF
         Vl4g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@kapalapi.co.id header.s=default header.b=c+EMrai+;
       spf=fail (google.com: domain of recruitm...@kapalapi.co.id does not designate 69.89.22.63 as permitted sender) smtp.mailfrom=recruitm...@kapalapi.co.id;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kapalapi.co.id
Return-Path:
Received: from outbound-ss-1398.bluehost.com (outbound-ss-1398.bluehost.com. [69.89.22.63])
        by mx.google.com with ESMTPS id y141si7415150oia.194.2021.04.02.00.07.31
        for
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 02 Apr 2021 00:07:32 -0700 (PDT)
Received-SPF: fail (google.com: domain of recruitm...@kapalapi.co.id does not designate 69.89.22.63 as permitted sender) client-ip=69.89.22.63;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@kapalapi.co.id header.s=default header.b=c+EMrai+;
       spf=fail (google.com: domain of recruitm...@kapalapi.co.id does not designate 69.89.22.63 as permitted sender) smtp.mailfrom=recruitm...@kapalapi.co.id;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kapalapi.co.id
Received: from cmgw15.unifiedlayer.com (unknown [66.147.244.18])
        by soproxy2.mail.unifiedlayer.com (Postfix) with ESMTP id 413441E066D
        for ; Fri, 2 Apr 2021 01:07:31 -0600 (MDT)
Received: from bh-71.webhostbox.net ([162.222.225.153])
        by cmsmtp with ESMTP id SDtylx3wffon1SDtylH6TY;
        Fri, 02 Apr 2021 01:07:31 -0600
X-Authority-Reason: ss=1
X-Authority-Analysis: v=2.4 cv=I8YG+Psg c=1 sm=1 tr=0 ts=6066c2b3
 a=eO15P5x6jIc7vv9pe4Dp0w==:117 a=dLZJa+xiwSxG16/P+YVxDGlgEgI=:19
 a=3YhXtTcJ-WEA:10:nop_rcvd_month_year a=Tz28QSSHusoA:10:endurance_base64_authed_username_1
 a=1XWaLZrs:8 a=us6ABYU_jLhenyGcZ-YA:9 a=n3BslyFRqc0A:10:nop_pdf
 a=rls1ZAiwvL0A:10:nop_attachment_filename_extension_2
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kapalapi.co.id; s=default;
        h=Content-Type:Message-ID:Subject:To:From:Date:MIME-Version:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
         Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
         :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe
         :List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=M4vHQcJfQivMYbpzAjGOrhlG35oyPTitL1nZFCeZKRM=;
        b=c+EMrai+NaeCSGb6m/jbcdHX0Lcv0NvgbfCnUJ7H5rNVBQURdohaQnmuorIZmWYRJxaJQ5VI3YfZjEzvtwaxku4lezEttuYC8klvJXl
         I36cUWpN8AmNRf4xRgOKf0QB8PxudYNqe7ARyS7IJl87/p2p8+oyJPyRlMx+oy9+ItZZRpCaUGccz
         pCqvhSpKmVTq4WyzZLrlGEwBrg6fC+psOtRoJaOqAScUMX0cz6vEt9mYdU20iVwpVCqj6lQRwHJmF
         ZeadECGjobW4In+Yj30iqwlnhhRGjnHN2I+uUlT4zM3vm63MVnp1uDMwj4AVshZJU2GHUHEaiDehL
         Re7DMA5A==;
Received: from bh-71.webhostbox.net ([162.222.225.153]:47400) by bh-71.webhostbox.net with
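The Authentication-Results header in the post above carries the three verdicts a receiver bases its DMARC decision on. As an added example (my code, not from the post or from MDaemon), the stdlib-Python snippet below parses that header, copied here as the constructed sample input, into per-method results and spells out why the message still reached the inbox: with p=NONE published for kapalapi.co.id, dmarc=fail asks the receiver to take no action. The clause shape follows RFC 8601; function names are mine.

```python
import re
from email import message_from_string

# Constructed sample: the Authentication-Results header Gmail added to the
# spoofed message, copied from the headers quoted in the post above.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@kapalapi.co.id header.s=default header.b=c+EMrai+;
       spf=fail (google.com: domain of recruitm...@kapalapi.co.id does not designate 69.89.22.63 as permitted sender) smtp.mailfrom=recruitm...@kapalapi.co.id;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kapalapi.co.id
"""

# One RFC 8601 resinfo clause: method=result, optional "(reason)", then property=value pairs.
_RESINFO = re.compile(r"(?P<method>[a-z]+)=(?P<result>[a-z]+)\s*"
                      r"(?:\((?P<reason>[^)]*)\))?\s*(?P<props>[^;]*)")

def parse_auth_results(raw_message: str) -> dict:
    """Map each authentication method to its result, reason and properties."""
    value = message_from_string(raw_message).get("Authentication-Results", "")
    results = {}
    for clause in value.split(";")[1:]:  # [0] is the authserv-id (mx.google.com)
        m = _RESINFO.match(clause.strip())
        if not m:
            continue  # skip anything not shaped like method=result
        entry = {"result": m["result"], "reason": (m["reason"] or "").strip()}
        for prop in m["props"].split():
            key, _, val = prop.partition("=")
            entry[key] = val
        results[m["method"]] = entry
    return results

def dmarc_policy(results: dict) -> str:
    """Published DMARC policy (p=) as the receiver recorded it in the dmarc reason."""
    m = re.search(r"\bp=(\w+)", results.get("dmarc", {}).get("reason", ""))
    return m.group(1).lower() if m else "unknown"

def explain(results: dict) -> str:
    """Why a message that fails SPF and DKIM can still land in the inbox."""
    dmarc = results.get("dmarc", {}).get("result", "none")
    policy = dmarc_policy(results)
    if dmarc == "fail" and policy == "none":
        return "dmarc=fail but p=none: the receiver was asked to take no action"
    if dmarc == "fail":
        return f"dmarc=fail with p={policy}: the receiver may {policy} the message"
    return f"dmarc={dmarc}: nothing for the receiver to enforce"

if __name__ == "__main__":
    r = parse_auth_results(SAMPLE_HEADERS)
    print({k: v["result"] for k, v in r.items()}, explain(r), sep="\n")
```

Run against a real .eml, the same functions report whether a failed message was delivered because the sending domain publishes p=none rather than p=quarantine or p=reject.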
