
"Dunce Moment" as regards to spoofing email headers (spam)

  • Ronald MacDonald
    Message 1 of 5 , Dec 1, 2008
      Dear list,

      It's been a hectic couple of weeks, and I'm getting complaints from
      users after having upgraded to a new system that mails are coming in
      which have been spoofed. I see exactly what's going on - a rogue
      system opens up port 25 on my system, tells it the mail's from one of
      the users on the system, and then sends the mail to the same user,
      completely bypassing my content-filter (amavis) as it's not checked
      against the sender or recipient restrictions, somehow.

      However, in one of those "crap, what do I do now" moments, I'm
      confuzzled as to how to get Postfix to realise that the mail *should*
      be checked, since it's coming in from outside the network.

      My postconf -n is as follows:
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = smtp-amavis:[127.0.0.1]:10024
      delay_warning_time = 4h
      fallback_transport = virtual
      header_checks = regexp:/etc/postfix/header_checks
      home_mailbox = Maildir/
      inet_interfaces = all
      mailbox_command = /usr/bin/maildrop
      mailbox_size_limit = 0
      mime_header_checks = regexp:/etc/postfix/mime_checks
      mydestination = $myhostname, localhost.$mydomain, localhost
      myhostname = mail.rmacd.com
      mynetworks = 127.0.0.0/8
      myorigin = /etc/mailname
      notify_classes = resource, software, delay
      recipient_delimiter = +
      relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf,
      lists.rmacd.com
      relayhost =
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      smtpd_client_restrictions =
      smtpd_delay_reject = yes
      smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
      smtpd_recipient_restrictions = permit_sasl_authenticated,
      reject_unauth_destination, permit_mynetworks,
      reject_invalid_hostname, reject_unknown_sender_domain
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_security_options = noanonymous
      smtpd_sender_restrictions =
      strict_rfc821_envelopes = yes
      transport_maps = hash:/etc/postfix/transport
      unknown_local_recipient_reject_code = 450
      virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
      virtual_gid_maps = static:1002
      virtual_mailbox_base = /home/vmail
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_limit = 104857600
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 1000
      virtual_transport = virtual
      virtual_uid_maps = static:1002

      Any ideas as to what might be the best way to fix this?

      Kind regards,
      Ronald.

      --
      Ronald MacDonald
      http://www.rmacd.com/
    • postfix@bitfreak.org
      Message 2 of 5 , Dec 1, 2008
        Ronald MacDonald wrote:
        > It's been a hectic couple of weeks, and I'm getting complaints from
        > users after having upgraded to a new system that mails are coming in
        > which have been spoofed. I see exactly what's going on - a rogue
        > system opens up port 25 on my system, tells it the mail's from one of
        > the users on the system, and then sends the mail to the same user,
        > completely bypassing my content-filter (amavis) as it's not checked
        > against the sender or recipient restrictions, somehow.
        >
        > However, in one of those "crap, what do I do now" moments, I'm
        > confuzzled as to how to get Postfix to realise that the mail *should*
        > be checked, since it's coming in from outside the network.
        >
        > Any ideas as to what might be the best way to fix this?

        Thank you for the postconf -n output. Please also provide logs of such
        email bypassing your content filter. We can't help you trace the email
        and find the configuration error without them.
      • Ronald MacDonald
        Message 3 of 5 , Dec 1, 2008
          On 01/12/2008, postfix@... <postfix@...> wrote:
          > Ronald MacDonald wrote:
          ...
          > > However, in one of those "crap, what do I do now" moments, I'm
          > > confuzzled as to how to get Postfix to realise that the mail *should*
          > > be checked, since it's coming in from outside the network.
          > >
          > > Any ideas as to what might be the best way to fix this?
          > >
          >
          > Thank you for the postconf -n output. Please also provide logs of such
          > email bypassing your content filter. We can't help you trace the email and
          > find the configuration error without them.

          Of course! I'm sorry.

          Here's the mail.log entry:
          Nov 30 10:51:07 de003221 postfix-policyd: rcpt=91039, throttle=clear(a), host=83.7.120.131, from=ronald@..., to=ronald@..., size=1668/10240000, quota=1668/250000000, count=1/512(136), rcpt=1/3600(136), threshold=0%|0%|0%
          Nov 30 10:51:07 de003221 postfix/cleanup[29357]: 77B106C1F5: message-id=<20081130105106.77B106C1F5@...>
          Nov 30 10:51:07 de003221 postfix/qmgr[14572]: 77B106C1F5: from=<ronald@...>, size=1995, nrcpt=1 (queue active)
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) ESMTP::10024 /var/lib/amavis/amavis-20081130T103252-28871: <ronald@...> -> <ronald@...> Received: SIZE=1995 from mail.rmacd.com ([127.0.0.1]) by localhost ( [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 28871-10 for <ronald@...>; Sun, 30 Nov 2008 10:51:07 +0000 (GMT)
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Checking: [83.7.120.131] <ronald@...> -> <ronald@...>
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Maia: [check_mail] WARNING: Size limit (104857600) > max_allowed_packet (16776192); effective size limit is 16775168 bytes
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) p001 1 Content-Type: text/html, size: 1472 B, name:
          Nov 30 10:51:07 de003221 postfix/smtpd[29247]: disconnect from abie131.neoplus.adsl.tpnet.pl[83.7.120.131]
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) wbl: whitelisted sender <ronald@...>
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) FWD via SMTP: [127.0.0.1]:10025 <ronald@...> -> <ronald@...>
          Nov 30 10:51:07 de003221 postfix/smtpd[29382]: connect from localhost[127.0.0.1]
          Nov 30 10:51:07 de003221 postfix/smtpd[29382]: D27FB6B6AD: client=localhost[127.0.0.1]
          Nov 30 10:51:07 de003221 postfix/cleanup[29365]: D27FB6B6AD: message-id=<20081130105106.77B106C1F5@...>
          Nov 30 10:51:07 de003221 postfix/qmgr[14572]: D27FB6B6AD: from=<ronald@...>, size=2411, nrcpt=1 (queue active)
          Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Passed CLEAN, [83.7.120.131] [83.7.120.131] <ronald@...> -> <ronald@...>, Message-ID: <20081130105106.77B106C1F5@mail.rmacd.com>, Hits: -, 718 ms
          Nov 30 10:51:07 de003221 postfix/smtpd[29382]: disconnect from localhost[127.0.0.1]
          Nov 30 10:51:08 de003221 authdaemond: received userid lookup request: ronald@...
          Nov 30 10:51:08 de003221 authdaemond: authmysql: trying this module
          Nov 30 10:51:08 de003221 authdaemond: SQL query: [SQL QUERY]
          Nov 30 10:51:08 de003221 authdaemond: Authenticated
          Nov 30 10:51:08 de003221 amavis[28871]: (28871-10) TIMING [total 762 ms] - SMTP EHLO: 5 (1%), SMTP pre-MAIL: 2 (0%), lookup_sql: 5 (1%), SMTP pre-DATA-flush: 3 (0%), SMTP DATA: 33 (4%), body_hash: 1 (0%), maia_connect: 35 (5%), maia_read_system_config: 1 (0%), maia_get_mysql_size_limit: 1 (0%), lookup_sql: 4 (1%), mime_decode: 13 (2%), get-file-type1: 237 (31%), parts_decode: 0 (0%), AV-scan-1: 14 (2%), spam-wb-list: 30 (4%), update_cache: 1 (0%), maia_autocreate_users: 3 (0%), maia_store_mail: 48 (6%), maia_set_mail_status: 48 (6%), deal_with_mail_size: 1 (0%), maia_record_tests: 3 (0%), maia_set_mail_status: 6 (1%), fwd-connect: 87 (11%), fwd-mail-from: 5 (1%), fwd-rcpt-to: 4 (1%), write-header: 5 (1%), fwd-data: 1 (0%), fwd-data-end: 97 (13%), fwd-rundown: 1 (0%), main_log_entry: 26 (3%), update_snmp: 3 (0%), maia_delete_mail: 35 (5%), maia_cleanup: 0 (0%), maia_disconnect: 0 (0%), unlink-1-files: 2 (0%), rundown: 1 (0%)
          Nov 30 10:51:08 de003221 amavis[28871]: (28871-10) Requesting process rundown after 10 tasks (and 10 sessions)
          Nov 30 10:51:08 de003221 postfix/smtp[29358]: 77B106C1F5: to=<ronald@...>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0.01/0.76, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=28871-10, from MTA: 250 2.0.0 Ok: queued as D27FB6B6AD)
          Nov 30 10:51:08 de003221 postfix/qmgr[14572]: 77B106C1F5: removed
          Nov 30 10:51:08 de003221 amavis[28871]: (28871-10) extra modules loaded: Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm, Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm, Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm, Mail/SpamAssassin/Plugin/HTTPSMismatch.pm, Mail/SpamAssassin/Plugin/HeaderEval.pm, Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm, Mail/SpamAssassin/Plugin/RelayEval.pm, Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm, Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm
          Nov 30 10:51:08 de003221 postfix/pipe[29383]: D27FB6B6AD: to=<ronald@...>, relay=maildrop, delay=0.59, delays=0.09/0.05/0/0.45, dsn=2.0.0, status=sent (delivered via maildrop service)
          Nov 30 10:51:08 de003221 postfix/qmgr[14572]: D27FB6B6AD: removed


          And the corresponding mail headers.
          Return-Path: <ronald@...>
          Delivered-To: ronald@...
          Received: from localhost (localhost [127.0.0.1])
              by mail.rmacd.com (Postfix) with ESMTP id D27FB6B6AD
              for <ronald@...>; Sun, 30 Nov 2008 10:51:07 +0000 (GMT)
          Received: from mail.rmacd.com ([127.0.0.1])
              by localhost ( [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 28871-10
              for <ronald@...>; Sun, 30 Nov 2008 10:51:07 +0000 (GMT)
          Received: from abie131.neoplus.adsl.tpnet.pl
              (abie131.neoplus.adsl.tpnet.pl [83.7.120.131])
              by mail.rmacd.com (Postfix) with SMTP id 77B106C1F5
              for <ronald@...>; Sun, 30 Nov 2008 10:51:06 +0000 (GMT)
          To: <ronald@...>
          Subject: Weiner to explode now!
          From: <ronald@...>
          MIME-Version: 1.0
          Importance: High
          Content-Type: text/html
          Message-Id: <20081130105106.77B106C1F5@...>
          Date: Sun, 30 Nov 2008 10:51:06 +0000 (GMT)
          X-Virus-Scanned: RMacD.com

          Hmm!

          --Ronald.

          --
          Ronald MacDonald
          http://www.rmacd.com/
          0777 235 1655
        • Ronald MacDonald
          Message 4 of 5 , Dec 1, 2008
            On 01/12/2008, Ronald MacDonald <ronald@...> wrote:
            > On 01/12/2008, postfix@... <postfix@...> wrote:
            > > Ronald MacDonald wrote:
            > ...
            >
            > > > However, in one of those "crap, what do I do now" moments, I'm
            > > > confuzzled as to how to get Postfix to realise that the mail *should*
            > > > be checked, since it's coming in from outside the network.
            > > >
            > > > Any ideas as to what might be the best way to fix this?
            > > >
            > >
            > > Thank you for the postconf -n output. Please also provide logs of such
            > > email bypassing your content filter. We can't help you trace the email and
            > > find the configuration error without them.
            >
            >
            > Of course! I'm sorry.
            >
            <cut>

            Ah, umm, my bad. Having noticed that magic word "whitelist" in the
            logs, after posting to here, I noticed the user had added themselves
            to their white list.

            And you wonder why they then complain about spam "from themselves"?

            Hhmph.

            Regards,
            Ronald.

            [--for the record, I did a find+replace on the logs to anon the user :) heh ]

            --
            Ronald MacDonald
            http://www.rmacd.com/
            0777 235 1655
          • postfix@bitfreak.org
            Message 5 of 5 , Dec 1, 2008
              Ronald MacDonald wrote:
              > Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) wbl: whitelisted
              > sender <ronald@...>

              > Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Passed CLEAN,
              > [83.7.120.131] [83.7.120.131] <ronald@...> ->
              > <ronald@...>, Message-ID:
              > <20081130105106.77B106C1F5@...>, Hits: -, 718 ms

              Amavis' sender white-list contains ronald@..., so no content
              inspection was performed.
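The bypass the thread ends on is visible in the logs alone: an amavis task whose sender hit the white-list, whose "Checking:" client IP is outside mynetworks, and whose sender claims the server's own domain. The following script is an added example, not code from the thread or from amavis; the log lines are constructed to mirror the excerpt above, MYNETWORKS is taken from the poster's postconf -n, and LOCAL_DOMAINS is an assumption about which domains the server hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's mail.log: task 28871-10 is the
# spoofed message from 83.7.120.131; 28871-11 and -12 are ordinary traffic.
SAMPLE_LOG = """\
Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Checking: [83.7.120.131] <ronald@rmacd.com> -> <ronald@rmacd.com>
Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) wbl: whitelisted sender <ronald@rmacd.com>
Nov 30 10:51:07 de003221 amavis[28871]: (28871-10) Passed CLEAN, [83.7.120.131] [83.7.120.131] <ronald@rmacd.com> -> <ronald@rmacd.com>, Message-ID: <20081130105106.77B106C1F5@mail.rmacd.com>, Hits: -, 718 ms
Nov 30 11:02:15 de003221 amavis[28871]: (28871-11) Checking: [127.0.0.1] <ronald@rmacd.com> -> <someone@example.org>
Nov 30 11:02:15 de003221 amavis[28871]: (28871-11) wbl: whitelisted sender <ronald@rmacd.com>
Nov 30 11:02:15 de003221 amavis[28871]: (28871-11) Passed CLEAN, [127.0.0.1] [127.0.0.1] <ronald@rmacd.com> -> <someone@example.org>, Message-ID: <a@mail.rmacd.com>, Hits: -, 300 ms
Nov 30 11:05:00 de003221 amavis[28871]: (28871-12) Checking: [198.51.100.7] <news@example.net> -> <ronald@rmacd.com>
Nov 30 11:05:00 de003221 amavis[28871]: (28871-12) Passed CLEAN, [198.51.100.7] [198.51.100.7] <news@example.net> -> <ronald@rmacd.com>, Message-ID: <b@example.net>, Hits: 1.2, 900 ms
"""

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # the poster's postconf -n value
LOCAL_DOMAINS = {"rmacd.com"}                       # assumed: domains this server hosts

TASK = r"amavis\[\d+\]: \((?P<task>[\w-]+)\) "
CHECKING_RE = re.compile(TASK + r"Checking: \[(?P<ip>[^\]]+)\] <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>")
WBL_RE = re.compile(TASK + r"wbl: whitelisted sender <")
PASSED_RE = re.compile(TASK + r"Passed \w+, .*Hits: (?P<hits>[^,]+),")


def find_whitelist_bypasses(log_text, mynetworks=MYNETWORKS, local_domains=LOCAL_DOMAINS):
    """One finding per amavis task where a white-listed sender claimed a local
    domain but the connecting client (the IP in 'Checking:') was outside
    mynetworks. SASL-authenticated users submitting from outside also match."""
    tasks = defaultdict(dict)
    for line in log_text.splitlines():
        if m := CHECKING_RE.search(line):
            tasks[m["task"]].update(ip=m["ip"], sender=m["from"], rcpt=m["to"])
        elif m := WBL_RE.search(line):
            tasks[m["task"]]["whitelisted"] = True
        elif m := PASSED_RE.search(line):
            tasks[m["task"]]["hits"] = m["hits"]  # "-": no spam score was recorded
    findings = []
    for task, info in tasks.items():
        if not info.get("whitelisted") or "ip" not in info:
            continue
        client = ipaddress.ip_address(info["ip"])
        if any(client in net for net in mynetworks):
            continue  # trusted network; this is what the white-list is for
        if info["sender"].rpartition("@")[2].lower() in local_domains:
            findings.append({"task": task, "client": info["ip"], "sender": info["sender"],
                             "rcpt": info["rcpt"], "hits": info.get("hits", "?")})
    return findings
```

Run find_whitelist_bypasses(SAMPLE_LOG) and only task 28871-10 is reported; feeding it the real mail.log would have surfaced the self-whitelisted user before the complaints did.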