email spoofing
Question asked by dean brown - 3/14/2015 at 7:09 AM
Unanswered
A couple of users got a similar spam email overnight. Here's the header: (key names changed)
Return-Path: <user@domain.com>
Received: from p314026-ipngn200507niho.hiroshima.ocn.ne.jp (p314026-ipngn200507niho.hiroshima.ocn.ne.jp [123.223.165.26]) by mx1.domain.com with SMTP;
   Sat, 14 Mar 2015 08:39:15 -0400
Message-ID: <837863502936215069342196@domain.com>
From: "user@domain.com" <user@domain.com>
To: <user@domain.com>
Subject: Pharmacy here
Date: 15 Mar 2015 05:29:26 +0800
MIME-Version: 1.0
Content-type: text/plain;
 charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-Mailer: Vylctbif qsbctbw
X-CTCH-RefId: str=0001.0A010203.55042040.0085,ss=4,sh,re=0.001,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF_None, Commtouch 30 [value: Confirmed], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
 
From the log: (key names changed)
 
08:39:12 [123.223.165.26][5118556] rsp: 220 mx1.domain.com
08:39:12 [123.223.165.26][5118556] connected at 2015-03-14 8:39:12 AM
08:39:12 [123.223.165.26][5118556] cmd: EHLO p314026-ipngn200507niho.hiroshima.ocn.ne.jp
08:39:12 [123.223.165.26][5118556] rsp: 250-mx1.domain.com Hello [123.223.165.26]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
08:39:13 [123.223.165.26][5118556] cmd: MAIL From:<user@domain.com>
08:39:14 [123.223.165.26][5118556] rsp: 250 OK <user@domain.com> Sender ok
08:39:14 [123.223.165.26][5118556] cmd: RCPT To:<user@domain.com>
08:39:14 [123.223.165.26][5118556] rsp: 250 OK <user@domain.com> Recipient ok
08:39:15 [123.223.165.26][5118556] cmd: DATA
08:39:15 [123.223.165.26][5118556] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
08:39:15 [123.223.165.26][5118556] rsp: 250 OK
08:39:15 [123.223.165.26][5118556] Data transfer succeeded, writing mail to 190996397.eml
08:39:15 [123.223.165.26][5118556] cmd: QUIT
08:39:15 [123.223.165.26][5118556] rsp: 221 Service closing transmission channel
08:39:15 [123.223.165.26][5118556] disconnected at 2015-03-14 8:39:15 AM
 
Does this mean the password has been guessed?

13 Replies

0
Bruce Barnes Replied
If you post your real domain we can test to see what's going on.  Masking the data does no good because we can't do anything with the information and give you an informative response.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
dean brown Replied
Thanks - navcast.com
0
dean brown Replied
Thanks - the domain is navcast.com
I've checked for open relay at dnsstuff.com (and it passes the check)
0
dean brown Replied
Any ideas?
 
Does this line in the log mean that the correct login was used: (meaning the password has been guessed?)
 
08:39:12 [123.223.165.26][5118556] rsp: 250-mx1.navcast.com Hello [123.223.165.26] 250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8 BITMIME 250 OK
 
Thanks?
1
Bruce Barnes Replied
You may have been JOE JOBBED, but there was no login - the mail was received from another server.
 
Here's what an SMTP log will show when someone authenticates:
 
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 220 securemail.chicagonettech.com (<=== NAME OF MX SERVER ACCEPTING MESSAGE) 
Mon, 16 Mar 2015 14:15:24 +0000 UTC | SmarterMail Enterprise 13.3.5535.16496 (Day, Date, Month, Year and Time - set in UTC or ZULU time zone to assist in troubleshooting so all times will be the same, no matter what time zone the server sending or receiving the e-mail message is in - this can be configured by the SmarterMail server operator)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] connected at 3/16/2015 9:15:24 AM (date and time of connection in LOCAL SERVER TIME)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: EHLO WORKSTATION (shows name of workstation or device sending message)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 250-securemail.chicagonettech.com Hello [173.165.112.149]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: STARTTLS
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 220 Start TLS negotiation
(TLS encryption negotiation for connection - requires SmarterMail ENTERPRISE, an SSL certificate and using IIS)

[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: WORKSTATION (shows name of workstation of device sending message)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 250-securemail.chicagonettech.com Hello [173.165.112.149]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: AUTH LOGIN
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 334 VXNlcm5hbWU6
[2015.03.16] 09:15:24 [173.165.112.149][48348077] Authenticating as bbarnes@chicagonettech.com (this is the e-mail address used to log into the SmarterMail server)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 334 UGFzc3dvcmQ6
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 235 Authentication successful (the sender used a valid password and the process will continue)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] Authenticated as bbarnes@chicagonettech.com (this is who sent the message)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: MAIL FROM: <bbarnes@chicagonettech.com> (this is the REPLY TO address contained in the message - should almost always match MAIL FROM address)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 250 OK <bbarnes@chicagonettech.com> Sender ok (the sender is OK and authorized to send via this mail server)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: RCPT TO: <REDACTED@comcast.net> (who the message is being sent to)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 250 OK <REDACTED@comcast.net> Recipient ok (we don't have that e-mail address in any deny list, so it's OK to accept the message)
[2015.03.16] 09:15:24 [173.165.112.149][48348077] cmd: DATA
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.03.16] 09:15:24 [173.165.112.149][48348077] rsp: 250 OK
[2015.03.16] 09:15:24 [173.165.112.149][48348077] Data transfer succeeded, writing mail to 71114155.eml
[2015.03.16] 09:15:26 [173.165.112.149][48348077] cmd: QUIT
[2015.03.16] 09:15:26 [173.165.112.149][48348077] rsp: 221 Service closing transmission channel
[2015.03.16] 09:15:26 [173.165.112.149][48348077] disconnected at 3/16/2015 9:15:26 AM
 
Unless you see something like that in your log, the message probably did not originate from your SmarterMail server.
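Added example (not part of any reply in this thread): a Python sketch of the check described above, grouping SMTP log lines by session id and flagging sessions that used a local-domain envelope sender without ever authenticating. The log layout is the one quoted in this thread; the sample lines, addresses and the `classify_sessions` name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in this thread: time [ip][session id] text
SAMPLE_LOG = """\
08:39:12 [203.0.113.7][1001] cmd: EHLO host.example.net
08:39:13 [203.0.113.7][1001] cmd: MAIL From:<user@example.com>
08:39:14 [203.0.113.7][1001] rsp: 250 OK <user@example.com> Sender ok
08:39:14 [203.0.113.7][1001] cmd: RCPT To:<user@example.com>
08:39:15 [203.0.113.7][1001] rsp: 250 OK
09:15:24 [198.51.100.9][1002] cmd: EHLO WORKSTATION
09:15:24 [198.51.100.9][1002] cmd: AUTH LOGIN
09:15:24 [198.51.100.9][1002] rsp: 235 Authentication successful
09:15:24 [198.51.100.9][1002] Authenticated as user@example.com
09:15:24 [198.51.100.9][1002] cmd: MAIL FROM: <user@example.com>
09:15:24 [198.51.100.9][1002] cmd: RCPT TO: <someone@example.org>
"""

LINE = re.compile(r"^(?:\[[\d.]+\]\s+)?\d\d:\d\d:\d\d \[([^\]]+)\]\[(\d+)\] (.*)$")
MAIL = re.compile(r"cmd: MAIL FROM:\s*<([^>]*)>", re.I)

def classify_sessions(log_text, local_domain):
    """Return {session_id: dict} with auth state and a spoof flag per SMTP session."""
    sessions = defaultdict(lambda: {"ip": None, "authenticated": False,
                                    "auth_user": None, "mail_from": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a session line (blank line, wrapped annotation, ...)
        ip, sid, text = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        if text.startswith("rsp: 235"):
            s["authenticated"] = True
        elif text.startswith("Authenticated as "):
            s["authenticated"] = True
            s["auth_user"] = text.split()[2]
        elif (mf := MAIL.match(text)):
            s["mail_from"] = mf.group(1).lower()
    for s in sessions.values():
        sender = s["mail_from"] or ""
        # Local-domain envelope sender with no AUTH in the session: forged sender, no login.
        s["spoofed_local_sender"] = (not s["authenticated"]
                                     and sender.endswith("@" + local_domain.lower()))
    return dict(sessions)

if __name__ == "__main__":
    for sid, s in classify_sessions(SAMPLE_LOG, "example.com").items():
        print(sid, s)
```

An `AUTH` keyword in the server's EHLO response only advertises the mechanisms on offer; a session counts as authenticated here only when a `235` response or an `Authenticated as` line appears.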
0
dean brown Replied
Thanks for all the info! And how do you block it?
 
Also, what does this mean: (from the email header)
X-SmarterMail-Spam: SPF_None, Commtouch 30 [value: Confirmed], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
Why is it a Trusted Sender?
0
dean brown Replied
Any ideas?
0
Steve Reid Replied
It means it has been added to the trusted senders list at the domain level. So you may need to log in as the domain admin and remove it from trusted senders. Searching could have helped you out sooner.
0
Manuel Replied
Hello,
Since yesterday I have had the same problem with many mailboxes :|
GRAFFITI — It's Communication Riva del Garda (TN), I-38066 – Località Pasina 46 Milano, I-20129 - via Lamberto De Bernardi 1 Verona, I-37134 - via Legnago 126 San Francisco, US-94111 California – 275 Battery St, Suite 2600 website: www.graffiti.it
0
dean brown Replied
I've tightened up the SPF records and it's still letting the spoofed mail through:
 
X-SmarterMail-Spam: SPF_Fail, Spamhaus - XBL, UCEProtect Level 1, Reverse DNS Lookup, Commtouch 30 [value: Confirmed], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
 
There are no entries in the Trusted Senders or Whitelist lists
0
dean brown Replied
There are no entries in the Trusted Senders list
0
Steve Reid Replied
It's not going to matter what changes you make to your SPF. Clearly the scores for failed tests are not being applied. SmarterMail doesn't list X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain) for nothing... There must be a trusted sender.
0
dean brown Replied
I wish it was that easy - there are no Trusted Senders at all at the domain level. I've checked at the user level too.
