Postfix users receive spam pretending to be sent from their accounts.


Janis
Postfix users receive spam pretending to be sent from their accounts.

in main.cf I have put:
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
                        mysql:/etc/postfix/mysql_virtual_alias_maps.cf

smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_sender_login_mismatch,

I also have extensive rbl and other spam checks in main.cf which work, but
this slips through it anyway (see msg source)
*If I test it from my other server *

root@othermail:~# mail -s test1 -a "From: [hidden email]" [hidden email] < /dev/null

*The message gets rejected in log with*
NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1
<[hidden email]>: Sender address rejected: not logged in;
from=<[hidden email]> to=<[hidden email]>

I have DKIM which works and validates. IN main.cf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

But the spamers somehow trick it by using DKIM? or other means.
Somehow after milter OpenDKIM there are no sender_login_mismatch checks.
Should I install amavis? It seems so trivial to block spam which pretend to
be sent as a spoofed message from oneself but yet I can't block it. Any
suggestions? Thanks.


*Message source looks like this:*
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from mail.mydomain.tld (localhost [127.0.0.1])
        by mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
        for <[hidden email]>; Fri,  5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld;
s=201902;
        t=1554473809; bh=MjZrE+ZNsa79fhqHRgjB41LtBj2nZeIT/I8ZyQz4lvI=;
        h=Date:Subject:To:From:List-Help:From;
        b=ajW/fpbQ9R/wu2ztE6OJecLpcUqvqENooIo6PW1V5GU0oAc/VqhvxuGPIc89t9n49
         6pcXOw4knfTpp9lwoaHqUJ8lM2KpesQTSgLHzvfC74u8wi9CB6+cHpS42rT35bW5wx
         LvdO7mLT9GEhrPAVeoI21yk2pCAEhBQaXLAFDsmY=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp
(orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
        by mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
        for <[hidden email]>; Fri,  5 Apr 2019 17:16:47 +0300 (EEST)
Received: from [corporativo.static.gvt.net.br]
(170.83.215.114-static.host.megalink.net.br [170.83.215.114])
        by orange-leopard-671e4d6e5ce74ab6.znlc.jp (Postfix) with ESMTPSA id
1C8A2BDEE
        for <[hidden email]>; Fri,  5 Apr 2019 22:12:20 +0900 (JST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Abuse-Reports-To: <[hidden email]>
X-Complaints-To: [hidden email]
Subject: [SPAM] user1
Message-ID: <[hidden email]>
To: [hidden email]
Content-Type: multipart/related;
 boundary="--_com.android.email_86436944273605"
MIME-Version: 1.0
X-Mailer: Summer Cart 4.0
From: <[hidden email]>
User-Agent: Roundcube Webmail/0.6
List-Help: <http://www.kousaikan.com/lists/?p=preferences&uid=7oivc5xd99g9y6j9mcp0iztxw78pnnhu>
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
X-Drweb-SpamState: yes
X-Drweb-SpamScore: 315
X-DrWeb-SpamReason:
gggruggvucftvghtrhhoucdtuddrgeduuddrtdeiucetufdoteggodetrfcurfhrohhfihhlvgemuceonhhonhgvqeenuceurghilhhouhhtmecupfdsteenucgoteeftdduqddtudculdduhedmnegoufhprghmsghotheuvfevqdfggedutddqvdekucdlfedttddm
X-AV-Checked: ClamAV using ClamSMTP

*Log file:*
Apr  5 17:16:45 mydomain.tld postfix/smtpd[11659]: connect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:46 mydomain.tld postfix/smtpd[11659]: Anonymous TLS connection
established from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]:
TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Apr  5 17:16:47 mydomain.tld postfix/smtpd[11659]: 36A99300704:
client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:47 mydomain.tld postfix/cleanup[11826]: 36A99300704:
message-id=<[hidden email]>
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704:
orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45] not internal
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: not authenticated
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: no signature data
Apr  5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704:
from=<[hidden email]>, size=257396, nrcpt=1 (queue active)
Apr  5 17:16:49 mydomain.tld clamsmtpd: 1009A6: accepted connection from:
127.0.0.1
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11829]: connect from
localhost[127.0.0.1]
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11829]: 73A553008B0:
client=localhost[127.0.0.1], orig_queue_id=36A99300704,
orig_client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11659]: disconnect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45] ehlo=2 starttls=1
mail=1 rcpt=1 data=1 quit=1 commands=7
Apr  5 17:16:49 mydomain.tld postfix/cleanup[11826]: 73A553008B0:
message-id=<[hidden email]>
Apr  5 17:16:49 mydomain.tld postfix/qmgr[11471]: 73A553008B0:
from=<[hidden email]>, size=257617, nrcpt=1 (queue active)
Apr  5 17:16:49 mydomain.tld postfix/smtp[11827]: 36A99300704:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.9,
delays=2.3/0.01/0.06/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
73A553008B0)
Apr  5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704: removed
Apr  5 17:16:49 mydomain.tld clamsmtpd: 1009A6: from=[hidden email],
to=[hidden email], status=CLEAN
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11829]: disconnect from
localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1
commands=7
Apr  5 17:16:50 mydomain.tld postfix/virtual[11832]: 73A553008B0:
to=<[hidden email]>, relay=virtual, delay=0.58, delays=0.51/0.01/0/0.06,
dsn=2.0.0, status=sent (delivered to maildir)
Apr  5 17:16:50 mydomain.tld postfix/qmgr[11471]: 73A553008B0: removed





--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Postfix users receive spam pretending to be sent from their accounts.

Viktor Dukhovni
On Mon, Apr 08, 2019 at 08:02:41AM -0700, Janis wrote:

> in main.cf I have put:
> smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
>                         mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>
> smtpd_sender_restrictions = permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_sender_login_mismatch,

That's an *envelope sender* check.

> *The message gets rejected in log with*
> NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1
> <[hidden email]>: Sender address rejected: not logged in;
> from=<[hidden email]> to=<[hidden email]>

This message forges the envelope sender.

> Return-Path: <[hidden email]>

This message does not forge a local envelope sender (RFC2821.MAIL command).

> Delivered-To: [hidden email]
> Message-ID: <[hidden email]>
> To: [hidden email]
> From: <[hidden email]>

It forges the header sender (RFC2822.From header).  Note that your
own post to this list will be Cc'd to your mailbox from outside,
bearing your email address as the message author.  (It will have
the list as "RFC2822.Sender").  So you generally should not block
external messages solely on the presence of a "From" address in
one of your domains.

--
        Viktor.

Re: Postfix users receive spam pretending to be sent from their accounts.

Ralph Seichter-2
In reply to this post by Janis
* Janis:

> Should I install amavis? It seems so trivial to block spam which
> pretend to be sent as a spoofed message from oneself but yet I can't
> block it.

Postfix's check_sender_access suffices to block forged envelope (!)
sender addresses:

  # pcre:/etc/postfix/sender_access (Postfix pcre tables are case-insensitive by default)
  /\b(yourdomain|yourotherdomain)\.tld$/ REJECT

That should be combined with only allowing authenticated email via port
587 (submission).

While this does not prevent somebody forging the "From" header, an
adversary won't be able to forge a DKIM signature for said header.

-Ralph
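As an added example (not code from the thread, from Postfix or from any of the posters), the distinction Viktor draws between the envelope sender and the From header, and the reach of Ralph's check_sender_access rule, can be made concrete on two constructed messages: one modelled on the spam in the thread (remote envelope sender, local From header) and one modelled on Janis's mail(1) test (local envelope sender). All addresses, domains and Return-Path values are placeholders, and `envelope_verdict` is a simplified model of the envelope restriction, not Postfix's implementation.

```python
import email
import re
from email.utils import parseaddr

# Ralph's check_sender_access pattern (without the stray "i"), restricted to
# one placeholder domain. Postfix pcre tables match case-insensitively by
# default, hence IGNORECASE.
LOCAL_SENDER = re.compile(r"\b(mydomain\.tld)$", re.IGNORECASE)

# Constructed, modelled on the spam in the thread: the envelope sender
# (MAIL FROM, recorded as Return-Path on delivery) is remote, the From
# header carries a local address. All addresses are placeholders.
SPAM = """\
Return-Path: <bounce-123@example.net>
From: <user1@mydomain.tld>
To: user1@mydomain.tld
Subject: [SPAM] user1

body
"""

# Constructed, modelled on Janis's mail(1) test: the sending host uses the
# local address as envelope sender too, so Return-Path is local as well.
LOCAL_TEST = """\
Return-Path: <user1@mydomain.tld>
From: <user1@mydomain.tld>
To: user1@mydomain.tld
Subject: test1

body
"""


def senders(raw):
    """Return (envelope sender, From header address) of a raw message."""
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return envelope, header_from


def envelope_verdict(envelope, authenticated=False):
    """Simplified model of the envelope-sender restriction: a local envelope
    sender from a client that did not authenticate is rejected, everything
    else is permitted. The From header is never consulted."""
    if authenticated:
        return "permit"
    return "reject" if LOCAL_SENDER.search(envelope) else "permit"


def classify(raw, authenticated=False):
    envelope, header_from = senders(raw)
    verdict = envelope_verdict(envelope, authenticated)
    return {
        "envelope": envelope,
        "header_from": header_from,
        "envelope_verdict": verdict,
        # Local address in From, but an envelope sender the restriction lets
        # through: the forgery that envelope checks cannot see.
        "header_only_forgery": verdict == "permit"
        and not authenticated
        and LOCAL_SENDER.search(header_from) is not None,
    }


if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("local test", LOCAL_TEST)):
        print(name, classify(raw))
```

Run as a script it prints both classifications: the spam is permitted by the envelope check and flagged as a header-only forgery, while the mail(1) test is rejected because its envelope sender is local, which is exactly the difference between the two log excerpts in the original post.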

Re: Postfix users receive spam pretending to be sent from their accounts.

Dominic Raferd
On Mon, 8 Apr 2019 at 16:22, Ralph Seichter <[hidden email]> wrote:
> * Janis:
>
> > Should I install amavis? It seems so trivial to block spam which
> > pretend to be sent as a spoofed message from oneself but yet I can't
> > block it.
>
> Postfix's check_sender_access suffices to block forged envelope (!)
> sender addresses:
>
>   # pcre:/etc/postfix/sender_access
>   /\b(yourdomain|yourotherdomain)\.tld$/ REJECT
>
> That should be combined with only allowing authenticated email via port
> 587 (submission).
>
> While this does not prevent somebody forging the "From" header, an
> adversary won't be able to forge a DKIM signature for said header.

Regarding forging of 'From' header: using DKIM with an enforced (p=reject) DMARC policy is a way of tackling this effectively. It has the advantage that it will also stop most third parties from receiving fake emails that purport to be sent from your domain(s). But it is a big hammer.

Alternatively block unauthenticated emails that purport to come from your domain by using a header_checks test that runs for unauthenticated emails - by allowing authenticated emails only on different port(s) (587 and/or 465) and having a different cleanup_service_name for unauthenticated emails (i.e. emails sent to port 25). For instance:

/etc/postfix/master.cf (extract):
smtp       inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=cleanup_wild
cleanup_wild unix  n       -       y       -       0 cleanup
  -o header_checks=pcre:/etc/postfix/check_headers_wild.pcre

/etc/postfix/check_headers_wild.pcre (extract):
if /^From:/
# Fake domain in the actual address e.g. From: Fake Sender <[hidden email]>
/(mydomain1\.tld|mydomain2\.tld)>?\s*$/ REJECT From header impersonation (privileged domain in address)
#  Fake domain in text preceding the address e.g. From: [hidden email] <[hidden email]>
/(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$/ REJECT From header impersonation (privileged domain in text)
endif

This will block own mails to mailing lists (such as this one) when they are repeated back to you (or another using your domain), but this is unlikely to cause problems in practice.
The second regex blocks a type of fake that you did not mention, but is seen in the wild.
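The two header_checks rules above can be exercised outside Postfix. The following Python script is an added example, not part of Dominic's post or of Postfix itself: it joins folded header lines the way cleanup(8) does before matching, applies the `if /^From:/` guard and the two patterns with the case-insensitive default of Postfix pcre tables, and skips the checks entirely on the submission path, mirroring the master.cf extract that routes only port 25 through cleanup_wild. All sample headers are constructed with placeholder addresses.

```python
import re

# Domains to protect (placeholders, as in check_headers_wild.pcre above).
PRIVILEGED = r"(mydomain1\.tld|mydomain2\.tld)"

# The two rules from check_headers_wild.pcre as Python re. Postfix pcre
# tables match case-insensitively by default, so IGNORECASE is set here.
HEADER_RULES = [
    (re.compile(PRIVILEGED + r">?\s*$", re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in address)"),
    (re.compile(PRIVILEGED + r'[>"]*? <.*$', re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in text)"),
]
FROM_GUARD = re.compile(r"^From:", re.IGNORECASE)   # the 'if /^From:/' block


def logical_headers(raw_headers):
    """Undo header folding: cleanup(8) hands header_checks one logical line
    per header, with continuation lines joined to the first line."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def header_checks(raw_headers, submission=False):
    """Return the action of the first matching rule, or None if the message
    passes. Mail on the submission ports never reaches cleanup_wild in the
    master.cf extract, so those messages are not inspected at all."""
    if submission:
        return None
    for header in logical_headers(raw_headers):
        if not FROM_GUARD.match(header):
            continue
        for pattern, action in HEADER_RULES:
            if pattern.search(header):
                return action
    return None


# Constructed sample headers with placeholder addresses.
SAMPLES = {
    "address spoof": "From: Fake Sender <user1@mydomain1.tld>\nTo: user1@mydomain1.tld\n",
    "display-text spoof": "From: user1@mydomain1.tld <attacker@example.net>\nTo: user1@mydomain1.tld\n",
    "folded header": "From: Fake\n Sender <user1@mydomain2.tld>\nTo: user1@mydomain1.tld\n",
    "list echo of own post": "From: user1@mydomain1.tld\nSender: list-bounces@example.org\nTo: list@example.org\n",
    "ordinary external mail": "From: Someone <someone@example.net>\nTo: user1@mydomain1.tld\n",
    "domain only in Subject": "Subject: user1@mydomain1.tld\nFrom: <someone@example.net>\n",
}


def run_samples(submission=False):
    """Map each sample name to the action header_checks would take on it."""
    return {name: header_checks(raw, submission) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:25s} -> {action or 'pass'}")
```

The "list echo of own post" sample is the false positive Dominic mentions: a list redistributing your own message keeps your address in From and the first rule rejects it, regardless of the Sender header. The "domain only in Subject" sample shows why the `if /^From:/` guard matters, since the patterns would otherwise fire on any header containing the domain.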


Re: Postfix users receive spam pretending to be sent from their accounts.

Glenn English-2
In reply to this post by Janis
On 4/8/19 9:02 AM, Janis wrote:

> Postfix users receive spam pretending to be sent from their accounts.

I received one of these this morning allegedly from loopback, 127.0.0.1.
I think I may have dealt with it by dropping, in iptables, any email
from localhost and moving the 'accept all localhost' rule to below the
deny checks (one of which is the SMTP check).

The fix in the postfix config might be more efficient, though. And I
haven't seen my fix work yet.

--
Glenn English


Re: Postfix users receive spam pretending to be sent from their accounts.

Janis
In reply to this post by Dominic Raferd
Thank you for quick responses!

Dominic Raferd's reply was the most helpful and a good how-to :)

Just to summarize, how many From sender spoofing methods are there?
1) envelope-sender (What Viktor said)
2) Header From sender (What Dominic said)
3) Privileged domain in text sender (What Dominic said)

I used
root@othermail:~# mail -s test1 -a "From: [hidden email]" [hidden email]  < /dev/null

Which, judging by man mail, spoofs Header From, which was blocked with "reject_sender_login_mismatch". As Viktor said, my spam attacker used Header sender (is it the same as spoofing Header From, or is it something else?).

How do I test against these all 3 (4?) spoofing methods? Against which does my method test?
Thanks.


On 08.04.19 18:56, Dominic Raferd wrote:
> On Mon, 8 Apr 2019 at 16:22, Ralph Seichter <[hidden email]> wrote:
> > * Janis:
> >
> > > Should I install amavis? It seems so trivial to block spam which
> > > pretend to be sent as a spoofed message from oneself but yet I can't
> > > block it.
> >
> > Postfix's check_sender_access suffices to block forged envelope (!)
> > sender addresses:
> >
> >   # pcre:/etc/postfix/sender_access
> >   /\b(yourdomain|yourotherdomain)\.tld$/ REJECT
> >
> > That should be combined with only allowing authenticated email via port
> > 587 (submission).
> >
> > While this does not prevent somebody forging the "From" header, an
> > adversary won't be able to forge a DKIM signature for said header.
>
> Regarding forging of 'From' header: using DKIM with an enforced (p=reject) DMARC policy is a way of tackling this effectively. It has the advantage that it will also stop most third parties from receiving fake emails that purport to be sent from your domain(s). But it is a big hammer.
>
> Alternatively block unauthenticated emails that purport to come from your domain by using a header_checks test that runs for unauthenticated emails - by allowing authenticated emails only on different port(s) (587 and/or 465) and having a different cleanup_service_name for unauthenticated emails (i.e. emails sent to port 25). For instance:
>
> /etc/postfix/master.cf (extract):
> smtp       inet  n       -       y       -       -       smtpd
>   -o cleanup_service_name=cleanup_wild
> cleanup_wild unix  n       -       y       -       0 cleanup
>   -o header_checks=pcre:/etc/postfix/check_headers_wild.pcre
>
> /etc/postfix/check_headers_wild.pcre (extract):
> if /^From:/
> # Fake domain in the actual address e.g. From: Fake Sender [hidden email]
> /(mydomain1\.tld|mydomain2\.tld)>?\s*$/ REJECT From header impersonation (privileged domain in address)
> #  Fake domain in text preceding the address e.g. From: [hidden email] [hidden email]
> /(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$/ REJECT From header impersonation (privileged domain in text)
> endif
>
> This will block own mails to mailing lists (such as this one) when they are repeated back to you (or another using your domain), but this is unlikely to cause problems in practice.
> The second regex blocks a type of fake that you did not mention, but is seen in the wild.



Re: Postfix users receive spam pretending to be sent from their accounts.

proto
In reply to this post by Viktor Dukhovni
On 08/04/19, Viktor Dukhovni wrote:

>
> It forges the header sender (RFC2822.From header).  Note that your
> own post to this list will be Cc'd to your mailbox from outside,
> bearing your email address as the message author.  (It will have
> the list as "RFC2822.Sender").  So you generally should not block
> external messages solely on the presence of a "From" address in
> one of your domains.
>
> --
> Viktor.

Thanks.
I did exactly the wrong way on my MX...

Re: Postfix users receive spam pretending to be sent from their accounts.

Viktor Dukhovni
In reply to this post by Janis


> On Apr 8, 2019, at 1:30 PM, Ntek, SIA Janis <[hidden email]> wrote:
>
> I used
> root@othermail:~# mail -s test1 -a "From: [hidden email]" [hidden email]  < /dev/null
>
> Which, judging by man mail, spoofs Header From,

True, but irrelevant; the actually relevant detail is that it also
sets the *envelope* sender address (which is a different thing from
any "Sender" header in the message).  You don't appear to have
learned the difference between email message headers and the message
envelope.  Find a good guide and read it.

> which was blocked with "reject_sender_login_mismatch",

That was the envelope sender, NOT the From header.

> as Viktor said my spam attacker used Header sender

No, your spam attacker used an envelope sender address,
distinct from the "From" header of the message, that did
not run afoul of your rules.

--
        Viktor.


Re: Postfix users receive spam pretending to be sent from their accounts.

Dominic Raferd
In reply to this post by Janis
On Mon, 8 Apr 2019 at 18:31, Ntek, SIA Janis <[hidden email]> wrote:
> Thank you for quick responses!
>
> Dominic Raferd's reply was the most helpful and a good how-to :)
>
> Just to summarize, how many From sender spoofing methods are there?
> 1) envelope-sender (What Viktor said)
> 2) Address in Header From (What Dominic said)
> 3) Privileged domain in text of *Header From* (What Dominic said)

I don't think there is a definitive list because as soon as there is, those lovely people out there will think of a new way round it.

Here's another type of From header spoof:
From: Dominic Raferd <[hidden email]>

Another trick of theirs is to set From Header text in some encoding because postfix doesn't decode before processing. But spamassassin does.
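To show the encoding trick Dominic describes, this added example (not from the thread, from Postfix or from SpamAssassin) builds a From header whose display text is an RFC 2047 encoded-word, matches the "privileged domain in text" pattern from the earlier post against the raw header line as Postfix header_checks would see it, then decodes the header the way a content filter does and matches again. Addresses are placeholders and the encoded header is constructed here.

```python
import base64
import re
from email.header import decode_header

# The 'privileged domain in text' rule from check_headers_wild.pcre, as
# Python re with the case-insensitive default of Postfix pcre tables.
PRIVILEGED_IN_TEXT = re.compile(r'(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$',
                                re.IGNORECASE)


def encoded_word(text):
    """Build an RFC 2047 base64 encoded-word (constructed input for the demo)."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def decode_rfc2047(header_line):
    """Decode encoded-words in a header line, as a content filter does before
    pattern matching. Postfix header_checks see the raw, undecoded line."""
    parts = []
    for chunk, charset in decode_header(header_line):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def raw_match(header_line):
    """Does the rule fire on the header as Postfix sees it (undecoded)?"""
    return PRIVILEGED_IN_TEXT.search(header_line) is not None


def decoded_match(header_line):
    """Does the rule fire once the display text has been decoded?"""
    return PRIVILEGED_IN_TEXT.search(decode_rfc2047(header_line)) is not None


# Constructed headers with placeholder addresses: the same impersonation
# once in plain text and once with the display text as an encoded-word.
PLAIN_FROM = "From: user1@mydomain1.tld <attacker@example.net>"
ENCODED_FROM = "From: " + encoded_word("user1@mydomain1.tld") + " <attacker@example.net>"

if __name__ == "__main__":
    for line in (PLAIN_FROM, ENCODED_FROM):
        print(line)
        print("  raw match:", raw_match(line), " decoded match:", decoded_match(line))
```

The plain header matches either way; the encoded one only matches after decoding, which is the gap between a raw pcre header_checks rule and a filter that decodes headers first.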