MDaemon fake From field and phishing. | MDaemon Technologies, Ltd.



  • Hello,

    We installed MDaemon v21.5.2 as our corporate mail server. The other day we ran into a problem.

    The company's MDaemon was subjected to a phishing attack.

    The essence: the attack was carried out from an almost identical domain: original - m.......com, fake - m.......ru

    As a result, users received a message on behalf of it@m.......ru
    with a request to update 1C and a corresponding link to a non-existent helpdesk
    whose first page was copied from ours. In fact, in the From field the user saw the address it@m.......com, and when
    trying to reply he also sent the message to our address, but the message had come from the address it@m.......ru

    The logs and message parsing looked something like this:
     
    Wed 2023-01-25 09:19:03.101: Session 44801078; child 0002
    Wed 2023-01-25 09:19:03.101: Accepting SMTP connection from 23.23.23.23:44523 to 10.10.10.10:25
    Wed 2023-01-25 09:19:03.103: --> 220 mail.m.......com ESMTP Wed, 25 Jan 2023 09:19:03 +0300
    Wed 2023-01-25 09:19:03.160: <-- helo m.......ru
    Wed 2023-01-25 09:19:03.160: --> 250 mail.m.......com Hello m.......ru [23.23.23.23], pleased to meet you
    Wed 2023-01-25 09:19:03.225: <-- mail from: it@m.......ru
    Wed 2023-01-25 09:19:03.225: Performing PTR lookup (23.23.23.23.IN-ADDR.ARPA)
    Wed 2023-01-25 09:19:03.268: * DNS server reports domain name unknown
    Wed 2023-01-25 09:19:03.268: * No PTR records found
    Wed 2023-01-25 09:19:03.268: ---- End PTR results
    Wed 2023-01-25 09:19:03.268: Performing IP lookup (m.......ru)
    Wed 2023-01-25 09:19:03.366: * D=m.......ru TTL=(359) A=[24.24.24.24]
    Wed 2023-01-25 09:19:03.366: ---- End IP lookup results
    Wed 2023-01-25 09:19:03.366: Performing IP lookup (m.......ru)
    Wed 2023-01-25 09:19:03.367: * D=m.......ru TTL=(359) A=[24.24.24.24]
    Wed 2023-01-25 09:19:03.563: ---- End IP lookup results
    Wed 2023-01-25 09:19:03.564: Performing SPF lookup (m.......ru / 23.23.23.23)
    Wed 2023-01-25 09:19:03.711: * Result: none; no SPF record in DNS
    Wed 2023-01-25 09:19:03.711: ---- End SPF results
    Wed 2023-01-25 09:19:03.711: --> 250 2.1.0 Sender OK
    Wed 2023-01-25 09:19:03.796: <-- rcpt to: real.user@m.......com
    Wed 2023-01-25 09:19:03.798: --> 250 2.1.5 Recipient OK
    Wed 2023-01-25 09:19:03.875: <-- data
    Wed 2023-01-25 09:19:03.876: --> 354 Enter mail, end with <CRLF>.<CRLF>
    Wed 2023-01-25 09:19:04.015: Message size: 4139 bytes
    Wed 2023-01-25 09:19:04.015: Performing DKIM verification
    Wed 2023-01-25 09:19:04.015: * File: d:\mdaemon\queues\temp\md5001000096970.tmp
    Wed 2023-01-25 09:19:04.015: * Message-ID: n/a
    Wed 2023-01-25 09:19:04.016: * Result: neutral
    Wed 2023-01-25 09:19:04.016: ---- End DKIM results
    Wed 2023-01-25 09:19:04.080: Message creation successful: d:\mdaemon\queues\inbound\md5001009587680.msg
    Wed 2023-01-25 09:19:04.080: --> 250 2.6.0 Ok, message saved
    Wed 2023-01-25 09:19:04.080: <-- quit
    Wed 2023-01-25 09:19:04.080: --> 221 2.0.0 See ya in cyberspace
    Wed 2023-01-25 09:19:04.080: SMTP session successful (Bytes in/out: 4150/285)

    Wed 2023-01-25 09:19:09.132: ----------
    Wed 2023-01-25 09:19:09.138: MDaemon AntiVirus processing d:\mdaemon\queues\local\md5001022562098.msg...
    Wed 2023-01-25 09:19:09.138: * Message return-path: it@m.......ru
    Wed 2023-01-25 09:19:09.138: * Message from: it@m.......com
    Wed 2023-01-25 09:19:09.138: * Message to: real.user@m.......com
    Wed 2023-01-25 09:19:09.138: * Message subject: ВАЖНАЯ ИНФОРМАЦИЯ
    Wed 2023-01-25 09:19:09.138: * Message ID:
    Wed 2023-01-25 09:19:09.138: Start MDaemon AntiVirus results (Cyren AV)
    Wed 2023-01-25 09:19:09.138: * Address is in virus scanning exclusion list - skipping virus scan
    Wed 2023-01-25 09:19:09.142: End of MDaemon AntiVirus results
    Wed 2023-01-25 09:19:09.142: ----------
    Wed 2023-01-25 09:19:09.138: Content Filter processing d:\mdaemon\queues\local\md5001022562098.msg...
    Wed 2023-01-25 09:19:09.138: * Message return-path: it@m.......ru
    Wed 2023-01-25 09:19:09.138: * Message from: it@m.......com
    Wed 2023-01-25 09:19:09.138: * Message to: real.user@m.......com
    Wed 2023-01-25 09:19:09.138: * Message subject: ВАЖНАЯ ИНФОРМАЦИЯ
    Wed 2023-01-25 09:19:09.138: * Message ID:
    Wed 2023-01-25 09:19:09.138: Start Content Filter results
    Wed 2023-01-25 09:19:09.138: * Address excluded from restricted attachment processing
    Wed 2023-01-25 09:19:09.143: * Matched 0 of 5 active rules
    Wed 2023-01-25 09:19:09.143: End of Content Filter results
    Wed 2023-01-25 09:19:09.143: ----------
     
    The message was delivered to the user's folder already with the changed From:
     
    Wed 2023-01-25 09:19:09.356: ----------
    Wed 2023-01-25 09:19:09.379: LOCAL message: pd5001022562098.msg
    Wed 2023-01-25 09:19:09.379: * From: <it@m.......com>
    Wed 2023-01-25 09:19:09.379: * To: <real.user@m.......com>
    Wed 2023-01-25 09:19:09.379: * Subject: ВАЖНАЯ ИНФОРМАЦИЯ
    Wed 2023-01-25 09:19:09.379: * Message-ID:
    Wed 2023-01-25 09:19:09.379: * Archived: (archives)\m.......com\out\it@m.......com\arc5001000000037.msg
    Wed 2023-01-25 09:19:09.379: * Archived: (archives)\m.......com\in\real.user@m.......com\arc5001000000004.msg
    Wed 2023-01-25 09:19:09.379: * Size: 5148; <d:\mdaemon\users\m.......com\real.user\md5001000015284.msg>
    Wed 2023-01-25 09:19:09.379: ----------
     
    The user's email headers:

    Return-path: <it@m.......ru>
    Authentication-Results: mail.m.......com;
    spf=none smtp.mailfrom=it@m.......ru;
    iprev=fail reason="no records found" policy.iprev=23.23.23.23 (PTR 24.24.24.24.IN-ADDR.ARPA);
    iprev=fail reason="does not match" policy.iprev=23.23.23.23 (HELO m.......ru);
    iprev=fail reason="has no MX" policy.iprev=23.23.23.23 (MAIL it@m.......ru)
    Received: by mail.m.......com with ESMTP id md5001009594002.msg; Wed, 25 Jan 2023 14:19:18 +0300
    X-Spam-Processed: mail.m.......com, Wed, 25 Jan 2023 14:19:18 +0300
    (not processed: recipient real.user@m.......com in exclude file)
    X-MDRemoteIP: 23.23.23.23
    X-MDHelo: m.......ru
    X-MDArrival-Date: Wed, 25 Jan 2023 14:19:18 +0300
    X-Rcpt-To: real.user@m.......com
    X-MDRcpt-To: real.user@m.......com
    X-Return-Path: it@m.......ru
    X-Envelope-From: it@m.......ru
    X-MDaemon-Deliver-To: real.user@m.......com
    From: <it@m.......com>
    Sender: <it@m.......com>
    To: <real.user@m.......com>
    Subject: ВАЖНАЯ ИНФОРМАЦИЯ
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable
    X-MDCFSigsAdded: m.......com
    X-MDArchive-Copy: 1

    The user's email (screenshot)

    Together with colleagues we studied the MDaemon settings in search of a solution, or rather
    a way of preventing address spoofing, but we did not get the desired result. There was an attempt to fix this through the From Header Screening setting shown in the screenshot,
    but it didn't help (as if it didn't work).

    From Header Screening (screenshot)

    P.S.

    According to the logs, SpamAssassin did not run - this issue is resolved,
    but it does not remove the problem with the From substitution.


  • The From Header modification will expose senders who are trying to spoof the display name by placing the address inside of the display name.  In your message source, there is no display name in the From header, meaning there's nothing to change.

    From: <it@m.......com>

    If the From header was the following:

    From: "Local User" <it@m.......com>

    Then MDaemon would rebuild the From header exposing the address in the "Display Name."

    From: "Local User (it@m.......com)" <it@m.......com>

    In this case, I would use the content filter or the sender block list.  If your MDaemon domain is company.com and these senders are using company.ru, then you can block anything coming from *@company.ru with the sender block list.   Open MDaemon and select Security > Security Manager > Screening > Sender Block list.

    And/or, you can create a content filter rule and use the "If EXTERNAL Sender..." condition and "Add a warning to the top of the message" action to make local users aware that the message is not local and to take caution replying or opening links, or whatever verbiage you'd like. 
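
The check below is an added example, not code from the original poster or from MDaemon. It parses a header block modelled on the one the poster pasted, flags the mismatch between the header From (our domain) and the envelope sender (the look-alike domain), and reproduces, as a plain string rewrite, the display-name exposure the support reply describes, showing why it had nothing to rewrite for a From header with no display name. The domains m.......com and m.......ru are the placeholders used in the thread; the header text, the `audit`, `split_address`, `lookalike` and `expose_display_name` functions, and the subdomain-based look-alike test are all constructed for this example.

```python
"""Added example, not code from the forum post or from MDaemon.

Flags the header-From / envelope-sender mismatch visible in the captured
headers, and mimics the From-header screening rewrite described in the
support reply to show why it did not fire on a bare '<addr>' From header.

Assumptions: 'm.......com' (local) and 'm.......ru' (attacker) are the
thread's placeholders; the header block below is constructed, not captured.
"""
import re
from email import message_from_string

# Constructed sample modelled on the poster's headers: header From claims
# the local domain while Return-path/X-Envelope-From point at the .ru domain.
SAMPLE_HEADERS = """\
Return-path: <it@m.......ru>
X-MDRemoteIP: 23.23.23.23
X-MDHelo: m.......ru
X-Envelope-From: it@m.......ru
From: <it@m.......com>
Sender: <it@m.......com>
To: <real.user@m.......com>
Subject: IMPORTANT INFORMATION
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

(body omitted)
"""

# Matches '"Name" <addr>', 'Name <addr>' and '<addr>'; bare addresses fall through.
ADDR_RE = re.compile(
    r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<"]*?))\s*<(?P<addr>[^>]+)>\s*$')


def split_address(value):
    """Return (display_name, address) for a From/Return-path style value."""
    m = ADDR_RE.match(value)
    if not m:
        return "", value.strip()          # bare address without angle brackets
    name = m.group("qname")
    if name is None:
        name = m.group("name").strip()
    return name, m.group("addr").strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain_a, domain_b):
    """Same name, different TLD (m.......com vs m.......ru) - a hypothetical,
    deliberately narrow look-alike test for this example."""
    a, b = domain_a.rsplit(".", 1), domain_b.rsplit(".", 1)
    if len(a) != 2 or len(b) != 2:
        return False
    return a[0] == b[0] and a[1] != b[1]


def expose_display_name(from_value):
    """Mimic the rewrite the support reply describes:
    '"Local User" <a@b>' becomes '"Local User (a@b)" <a@b>'.
    With no display name there is nothing to rewrite, as in the poster's case."""
    name, addr = split_address(from_value)
    if not name:
        return from_value
    return f'"{name} ({addr})" <{addr}>'


def audit(raw_headers, local_domains):
    """Return a list of findings for one header block."""
    msg = message_from_string(raw_headers)
    _, hdr_from = split_address(msg["From"] or "")
    _, env_from = split_address(msg["X-Envelope-From"] or msg["Return-path"] or "")
    hdr_dom, env_dom = domain_of(hdr_from), domain_of(env_from)
    findings = []
    if hdr_dom in local_domains and env_dom not in local_domains:
        findings.append(f"header From claims local domain {hdr_dom} "
                        f"but envelope sender is {env_from}")
    if lookalike(hdr_dom, env_dom):
        findings.append(f"look-alike domain: {env_dom} vs {hdr_dom}")
    helo = (msg["X-MDHelo"] or "").lower()
    if helo and helo not in local_domains and hdr_dom in local_domains:
        findings.append(f"HELO {helo} is not one of our domains")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS, {"m.......com"}):
        print("FINDING:", f)
    print(expose_display_name('"Local User" <it@m.......com>'))
    print(expose_display_name('<it@m.......com>'))
```

Run against the constructed headers, `audit` reports three findings (local From with external envelope sender, look-alike domain, foreign HELO), which is exactly the information a content-filter rule or block-list entry would key on; `expose_display_name` returns the bare `<it@m.......com>` unchanged, which is the behaviour the reply above explains.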


  • Another option would be to enable DMARC and create a DMARC policy for your domain.   This would require that you were also using SPF and DKIM, but it would prevent messages that used your domain in the From header from being delivered unless they passed SPF or were DKIM signed by your domain.  

    This would also allow your server to be protected from similar things happening with other domains, assuming the other domain had SPF, DKIM, and DMARC configured.  And it would allow other servers to be protected from similar attacks occurring using your domain name.

    If you'd like help setting up SPF, DKIM and DMARC, please let us know.


  • @Tyler 

    If I understand correctly, it is impossible to display the original From header from which the mail was sent in the header of the letter? And filter only through BlackList or content filter?


  • Could you provide recommendations for setting up DKIM DMARC?


  • The only adjustment I would make to the settings provided in the screen shot would be to check the box for "Filter messages which fail the DMARC test into spam folders." 

    In addition to enabling DMARC verification in MDaemon you'll also need to create your DMARC policy in DNS.  Here is an article with more information on setting up DMARC.

    https://knowledge.mdaemon.com/how-to-enable-dmarc-and-configure-records

    In order for DMARC to work well, you should also have an SPF record setup for your domain in DNS and have your server configured to sign all outbound mail with a DKIM signature.  Here is an article on setting up MDaemon to sign messages with DKIM.

    https://knowledge.mdaemon.com/configure-dkim-signing

    To enable DKIM verification on inbound mail, open MDaemon and go to Security / Security Manager / Sender Authentication / DKIM Verification, check the boxes for Enable DKIM Verification, Do not verify messages from authenticated sessions, and Do not verify messages from trusted IPs.

    Let me know if you have any questions.
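
To make concrete what the DMARC setup described in the last two replies changes for the message in this thread, here is an added example of the verdict logic a receiving server applies; it is not MDaemon's code and not from the forum. It takes the facts MDaemon already logged (From domain m.......com, envelope sender it@m.......ru with no SPF record, no DKIM signature) and a DMARC record for the local domain, and shows the message failing DMARC while an SPF-aligned or DKIM-aligned message from the same domain passes. The record strings, the `evaluate_dmarc`, `parse_dmarc` and `aligned` functions are constructed for the example; relaxed alignment is simplified to a subdomain check rather than the Public Suffix List comparison real verifiers use.

```python
"""Added example, not MDaemon's code or the forum's.

Shows how a DMARC verifier reaches a verdict for the thread's spoofed message
once the local domain publishes a policy: the header-From domain must align
with either an SPF 'pass' on the envelope sender or a DKIM 'pass' signature.
The spoofed message has neither, so the published p= disposition applies.

Assumptions: the DMARC record strings are constructed, not the poster's DNS;
m.......com / m.......ru are the thread's placeholders; 'relaxed' alignment is
approximated by a subdomain test instead of Public Suffix List lookups.
"""


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment. Strict ('s'): identical domains.
    Relaxed ('r'): identical, or one is a subdomain of the other (simplified)."""
    f, a = from_domain.lower(), auth_domain.lower()
    if f == a:
        return True
    if mode == "s":
        return False
    return a.endswith("." + f) or f.endswith("." + a)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition).

    record        : DMARC TXT record for from_domain, or None if none is published
    spf_result    : SPF result for the envelope sender domain spf_domain
    dkim_results  : list of (result, signing_domain) for each DKIM-Signature
    """
    if record is None:
        # The poster's original state: nothing published, so DMARC cannot act.
        return "none", "none"
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for result, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed policy for the local domain (strict alignment on both channels).
LOCAL_POLICY = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@m.......com"

# The thread's message: From claims m.......com, envelope sender is the .ru
# look-alike with no SPF record (result 'none'), and no DKIM-Signature at all.
SPOOFED = dict(from_domain="m.......com", spf_result="none",
               spf_domain="m.......ru", dkim_results=[])


if __name__ == "__main__":
    print("before publishing a record:", evaluate_dmarc(record=None, **SPOOFED))
    print("with p=reject published:  ", evaluate_dmarc(record=LOCAL_POLICY, **SPOOFED))
    legit = dict(from_domain="m.......com", spf_result="pass",
                 spf_domain="m.......com", dkim_results=[("pass", "m.......com")])
    print("legitimate local mail:    ", evaluate_dmarc(record=LOCAL_POLICY, **legit))
```

Two things worth noting: a DKIM signature that passes but is signed by the attacker's own domain (d=m.......ru) still fails alignment and does not rescue the message, and the server can only act once the record exists in DNS, which is why the replies above stress creating the policy record, not just enabling verification.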


  • @Arron Thanks for the help.
    We have configured this DKIM/DMARC function, it works correctly.
    There were a few more questions, but I asked them in an open ticket to your colleague.


  • Great! Let me know if there is anything else I can help with.

