Email and information helpful to have in the headers/logs for police enquiries


Email and information helpful to have in the headers/logs for police enquiries

Ghislain Adnet
hi,

 We participated in some police enquiries about emails sent to blackmail people and get the source IP. The ISP answered
that they use proxy systems and they require IP+port to be able to track the source. We just helped the case, but it
sparked the idea that I had better start to log the TCP port as well in my server logs.


 In Postfix the IP is logged but not the TCP port. To be ahead of future legal issues, I wanted to know if there is a way
to:

- add the TCP port to the log messages
- add the TCP port to a header in the mail (so it sticks to it)


 I did not find in the mailing list archive or the googlebrain or the doc any way to do that. Perhaps a very simple
milter, but I also did not find a logging milter (but they seem hard to find, those milters, anyway). Any ideas or
experience doing that?


best regards,
Ghislain.

Re: Email and information helpful to have in the headers/logs for police enquiries

Karol Augustin
On 2018-01-30 16:44, Ghislain Adnet wrote:

> hi,
>
>  We participated in some police enquiries about emails sent to
> blackmail people and get the source IP. The ISP answered
> that they use proxy systems and they require IP+port to be able to
> track the source. We just helped the case, but it
> sparked the idea that I had better start to log the TCP port as well in
> my server logs.
>
>
>  In Postfix the IP is logged but not the TCP port. To be ahead of
> future legal issues, I wanted to know if there is a way
> to:
>
> - add the TCP port to the log messages
> - add the TCP port to a header in the mail (so it sticks to it)
>
>
>  I did not find in the mailing list archive or the googlebrain or the
> doc any way to do that. Perhaps a very simple
> milter, but I also did not find a logging milter (but they seem hard
> to find, those milters, anyway). Any ideas or
> experience doing that?
>
>
> best regards,
> Ghislain.

I don't know why it is important to you to log the port number, so if you
could explain, I would be grateful. You can deploy postscreen, which is a
good idea anyway, and you will have port numbers in the logs:

Jan 30 17:12:09 mail postfix/postscreen[20169]: CONNECT from [2607:f8b0:4001:c0b::234]:38670 to [2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 30 17:12:09 mail postfix/postscreen[20169]: WHITELISTED [2607:f8b0:4001:c0b::234]:38670
Jan 30 17:12:09 mail postfix/smtpd[20618]: connect from mail-it0-x234.google.com[2607:f8b0:4001:c0b::234]

Jan 30 17:07:11 mail postfix/postscreen[20169]: CONNECT from [137.135.42.190]:1072 to [10.1.0.20]:25
Jan 30 17:07:11 mail postfix/postscreen[20169]: BLACKLISTED [137.135.42.190]:1072
Jan 30 17:07:11 mail postfix/postscreen[20169]: DISCONNECT [137.135.42.190]:1072

Jan 30 17:15:07 mail postfix/postscreen[20169]: CONNECT from [168.100.1.3]:45124 to [10.1.0.20]:25
Jan 30 17:15:07 mail postfix/postscreen[20169]: PASS OLD [168.100.1.3]:45124
Jan 30 17:15:07 mail postfix/smtpd[20618]: connect from camomile.cloud9.net[168.100.1.3]

Which reminds me to whitelist 168.100.1.3.

Karol


--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: Email and information helpful to have in the headers/logs for police enquiries

Micah Anderson-2
Karol Augustin <[hidden email]> writes:

> On 2018-01-30 16:44, Ghislain Adnet wrote:
>> hi,
>>
>>  We participated in some police enquiries about emails sent to
>> blackmail people and get the source IP. The ISP answered
>> that they use proxy systems and they require IP+port to be able to
>> track the source. We just helped the case, but it
>> sparked the idea that I had better start to log the TCP port as well in
>> my server logs.
>>
>>
>>  In Postfix the IP is logged but not the TCP port. To be ahead of
>> future legal issues, I wanted to know if there is a way
>> to

Unless you are required by law to log additional information, it is
generally better to log as little information as necessary.


Re: Email and information helpful to have in the headers/logs for police enquiries

Viktor Dukhovni
In reply to this post by Ghislain Adnet


> On Jan 30, 2018, at 11:44 AM, Ghislain Adnet <[hidden email]> wrote:
>
> In Postfix the IP is logged but not the TCP port. To be ahead of future legal issues, I wanted to know if there is a way
> to:
>
> - add the TCP port to the log messages
> - add the TCP port to a header in the mail (so it sticks to it)


http://www.postfix.org/postconf.5.html#smtpd_client_port_logging

--
        Viktor.


Re: Email and information helpful to have in the headers/logs for police enquiries

Andrew Sullivan
In reply to this post by Karol Augustin
On Tue, Jan 30, 2018 at 05:27:40PM +0000, Karol Augustin wrote:
>
> I don't know why it is important to you to log the port number so if you
> could explain I would be grateful.

It's because of a Large Scale NAT using address+port.  The same
address is given out to more than one ISP customer along with a range
of ports that they may use, and you can only identify the customer by
knowing both the address and the range of ports they're using.  This
will become more common in the future.

> You can deploy postscreen, which is a
> good idea anyway and you will have port numbers in the logs:

Yes, a good idea anyway.

Best regards,

A

--
Andrew Sullivan
[hidden email]
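The three answers above fit together in one small script: Karol's postscreen lines always carry `[addr]:port`, the smtpd_client_port_logging setting Viktor linked makes smtpd log `host[addr]:port` instead of `host[addr]`, and Andrew's point is that an ISP running address+port NAT can map a connection to a single subscriber only when both values were kept. The Python below is an added example, not code from any poster or from Postfix. The log lines are constructed in the formats shown in the thread, and the CGN port-block table (using the documentation address 203.0.113.7 and made-up subscriber labels) is an assumption standing in for the allocation records an ISP would hold.

```python
import re
from ipaddress import ip_address
from typing import List, NamedTuple, Optional

# Constructed sample log in the shapes this thread shows. postscreen always logs
# "[addr]:port"; smtpd logs "host[addr]" by default and "host[addr]:port" once
# smtpd_client_port_logging = yes is set in main.cf. 203.0.113.7 is a
# documentation address standing in for a CGN public address.
SAMPLE_LOG = """\
Jan 30 17:15:07 mail postfix/postscreen[20169]: CONNECT from [168.100.1.3]:45124 to [10.1.0.20]:25
Jan 30 17:15:07 mail postfix/postscreen[20169]: PASS OLD [168.100.1.3]:45124
Jan 30 17:15:07 mail postfix/smtpd[20618]: connect from camomile.cloud9.net[168.100.1.3]
Jan 30 17:12:09 mail postfix/postscreen[20169]: CONNECT from [2607:f8b0:4001:c0b::234]:38670 to [2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 30 17:20:00 mail postfix/smtpd[20700]: connect from unknown[203.0.113.7]:51234
"""

POSTSCREEN_RE = re.compile(
    r"postfix/postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:(\d+) to \[[^\]]+\]:\d+")
# The trailing ":port" group is optional so the same pattern reads logs written
# before and after smtpd_client_port_logging was turned on.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from \S+?\[([^\]]+)\](?::(\d+))?")


class ClientConn(NamedTuple):
    daemon: str           # "postscreen" or "smtpd"
    ip: str
    port: Optional[int]   # None when the line carried no client port


def parse_client(line: str) -> Optional[ClientConn]:
    """Extract the client address (and port, when logged) from one Postfix line."""
    m = POSTSCREEN_RE.search(line)
    daemon = "postscreen"
    if m is None:
        m = SMTPD_RE.search(line)
        daemon = "smtpd"
    if m is None:
        return None
    try:
        ip = str(ip_address(m.group(1)))   # reject anything that is not an address
    except ValueError:
        return None
    port = int(m.group(2)) if m.group(2) else None
    return ClientConn(daemon, ip, port)


# Constructed carrier-grade NAT allocation table (hypothetical; what the ISP in
# Andrew's explanation would consult): one public address shared by several
# subscribers, each holding a contiguous block of source ports.
CGN_PORT_BLOCKS = {
    "203.0.113.7": [
        (1024, 16383, "subscriber-A"),
        (16384, 32767, "subscriber-B"),
        (32768, 49151, "subscriber-C"),
        (49152, 65535, "subscriber-D"),
    ],
}


def resolve_subscriber(ip: str, port: int, table=CGN_PORT_BLOCKS) -> Optional[str]:
    """The one subscriber that held (ip, port), or None if the address is unknown."""
    for lo, hi, subscriber in table.get(ip, []):
        if lo <= port <= hi:
            return subscriber
    return None


def candidates_without_port(ip: str, table=CGN_PORT_BLOCKS) -> List[str]:
    """Everyone behind `ip`: all an address-only log can narrow it down to."""
    return sorted({subscriber for _, _, subscriber in table.get(ip, [])})


def attribute_log(log_text: str, table=CGN_PORT_BLOCKS):
    """Per connection line: (ip, port, subscriber) when the port was logged,
    otherwise (ip, None, [candidate subscribers])."""
    out = []
    for line in log_text.splitlines():
        conn = parse_client(line)
        if conn is None:
            continue
        if conn.port is None:
            out.append((conn.ip, None, candidates_without_port(conn.ip, table)))
        else:
            out.append((conn.ip, conn.port, resolve_subscriber(conn.ip, conn.port, table)))
    return out


if __name__ == "__main__":
    for row in attribute_log(SAMPLE_LOG):
        print(row)
```

Run against the sample, the address-only smtpd line can at best return a list of every subscriber sharing that address, while the lines that carry a port resolve to exactly one entry of the table; addresses the table does not know (the thread's 168.100.1.3, a normal public host) resolve to nothing, as they should.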

Re: Email and information helpful to have in the headers/logs for police enquiries

Ghislain Adnet
In reply to this post by Viktor Dukhovni
On 30/01/2018 at 19:26, Viktor Dukhovni wrote:

>
> http://www.postfix.org/postconf.5.html#smtpd_client_port_logging
>

oh, this one I did not find before; thanks a lot, I'm gonna try it ASAP.

Karol: yes, this is not a law that asks me to log them, but it is important to me that if a bad guy blackmails or threatens
a client of mine, I can track the IP+port so the ISP can go up the chain to expose him. Having IP+port is nothing more than
the IP we had for years before the IPv4 shortage and NAT systems started to appear, so this is no more than what we have done for years.
Just adapt it to the current situation.

Karol: thanks, will have a look at postscreen too


Thanks for all your answers.

Best regards,
Ghislain.