Incoming Email address | MDaemon Technologies, Ltd.


  • Hello,

    Where would we find the incoming IP of email when looking at the source?

    Our domain was spoofed and we're trying to see the details.

    Thank you.


  • If anyone could shed some light, I see the email has the IP from some European country, but it's also(?) saying it's not the correct return address. It also shows HELO 10.88.0.4(???). Also, we use an email gateway but that info seems to be missing on this source. Just trying to understand. Any help would be greatly appreciated.


  • The X-MDRemoteIP: header shows that MDaemon received the message from 34.77.39.149.

    The EHLO/HELO value can be anything the sender wants it to be, in this case they set it to "[10.88.0.4]"

    It does not appear that this message went through the gateway.  Are ports 25, 366, or 465 open from the internet to your MDaemon server?  

    What is the value in the From header?  I assume it's an email address for an account in MDaemon?  Or at least the domain portion exists in MDaemon?  Was it spoofed or did they use the display name portion of the From header to try to trick the recipient?

    From: "joe smith"<joe@localdomain.com>

    vs

    From: "Real User <realmailbox@realdomain.com>"<fakeuser@fakedomain.com>

    Just based on what I see in the headers, I'm assuming SMTP ports are open from the internet to MDaemon.  If you do not want people to be able to connect directly to your MDaemon, close the SMTP ports at the firewall.  If your users need to be able to connect to MDaemon to send email from the internet through your MDaemon, open port 587, and have everyone use it to send mail.  It's an SMTP port that requires authentication.  Other options for sending would be to use ActiveSync or Webmail when not on the local network.

    Implement SPF, DKIM, and DMARC.  If the From header has your domain in the email address, and you have SPF, DKIM, and DMARC implemented and MDaemon is checking them, then the message could not be DMARC aligned and would have been routed based on the p= value in your DMARC policy and based on how MDaemon is set up for DMARC failures.

    Enable IP Shielding, configure the domain/IP pairs correctly and check the box for "Check FROM header address against IP Shield" (Security / Security Manager / Sender Authentication / IP Shield).  Also make sure "Do not apply IP Shield to authenticated sessions" is enabled, and make sure everyone and everything that sends legitimate email through MDaemon is authenticating when sending, even on the local network.

    Enable From Header Screening (Security / Security Manager / Screening / From Header Screening).  This can either always put the actual email address in the display name portion of the From header, or it can replace an email address in the display name when it doesn't match the actual address.

    I hope that helps, let us know if you have more questions.


  • WOW!

    Thank you so much for taking the time to explain.

    It was spoofed. Our domain was used, which was why we asked. We get the fake display name a lot but never our domain.

    We will digest this info and go from there.

    Again, thank you so much. I really appreciate it.

