
Topic: Phishing Mail Got Through User Mailbox

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Ubuntu 14.04 x64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====
Hi All,
I am investigating a phishing mail that got through to a user's mailbox. It seems the mail uses admin@norton.com only on the envelope, but the mail was actually sent using the legitimate account hr@focusworld2u.com via gamma.rocksoft.net. Can anybody give me information on how to block this kind of spoofing in iRedMail? Right now my solution is to increase the SPF_SOFTFAIL score to 3.
Here are the mail header and mail content (I replaced my domain with example.com and the user account with somebody):
############
Mail header:
############
Return-Path: <admin@norton.com>
Delivered-To: somebody@example.com
Received: from mx.example.com (localhost.localdomain [127.0.0.1])
                by mx.example.com (Postfix) with ESMTP id 9DC3167C55E8
                for <somebody@example.com>; Wed,  4 Jan 2017 12:32:33 +0700 (WIB)
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: 6.18
X-Spam-Level: ******
X-Spam-Status: No, score=6.18 tagged_above=2 required=6.31
                tests=[DEAR_EMAIL=1.15, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
                RDNS_NONE=1.274, SPF_SOFTFAIL=2, TO_NO_BRKTS_NORDNS_HTML=0.65]
                autolearn=no autolearn_force=no
Received: from mx.example.com ([127.0.0.1])
                by mx.example.com (mx.example.com [127.0.0.1]) (amavisd-new, port 10024)
                with ESMTP id EfeCElI8M04o for <somebody@example.com>;
                Wed,  4 Jan 2017 12:32:31 +0700 (WIB)
Received: from gamma.rocksoft.net (unknown [202.71.110.98])
                by mx.example.com (Postfix) with ESMTPS id D0B4067C55E4
                for <somebody@example.com>; Wed,  4 Jan 2017 12:32:30 +0700 (WIB)
Received: from [37.9.57.117] (port=30067 helo=DESKTOP-VK4L4E7)
                by gamma.rocksoft.net with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
                (Exim 4.87)
                (envelope-from <admin@norton.com>)
                id 1cODr0-002i1Y-MG
                for somebody@example.com; Tue, 03 Jan 2017 09:25:35 +0800
Message-ID: <0426bec3-42738-46830593024306@desktop-vk4l4e7>
Reply-To: "cPanel Admin" <admin@norton.com>
From: "cPanel Admin" <admin@norton.com>
To: somebody@example.com
Subject: Problem with your webhosting account - somebody@example.com
Date: Tue, 3 Jan 2017 01:25:24 +0000
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gamma.rocksoft.net
X-AntiAbuse: Original Domain - example.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - norton.com
X-Get-Message-Sender-Via: gamma.rocksoft.net: authenticated_id: hr@focusworld2u.com
X-Authenticated-Sender: gamma.rocksoft.net: hr@focusworld2u.com
X-Source:
X-Source-Args:
X-Source-Dir:

############
Mail content:
############
Return-Path: <admin@norton.com>
Reply-To: "cPanel Admin" <admin@norton.com>
From: "cPanel Admin" <admin@norton.com>
To: <somebody@example.com>
Subject: Problem with your webhosting account - somebody@example.com
Date: Tue, 3 Jan 2017 08:25:24 +0700
Message-ID: <0426bec3-42738-46830593024306@desktop-vk4l4e7>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_001E_01D2672F.C5D54D20"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdJmS/LYJ89rAUC5SRGruZngdrXxkg==

This is a multi-part message in MIME format.

------=_NextPart_000_001E_01D2672F.C5D54D20
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Dear somebody@example.com,

Your cPanel webhosting account has been transmitting viruses to our servers
and will be deactivated permanently if not resolved.

In respect to the above, you are urgently required to sanitize your
webhosting account with Norton E-mail Scanner; otherwise, your access to
cPanel webhosting services will be deactivated

Click <http://kakapermata.com/ftp8ujei882jfe21bc8irfe229811b>  here now to
scan and sanitize your webhosting account

Note that failure to sanitize your webhosting account immediately will lead
to permanent deactivation without warning.






Please move this message to your inbox and click the link if you found it
into your spam mail because the link cannot open in your spam.

We are very sorry for the inconveniences this might have caused you and we
assure you that everything will return to normal as soon as you have
sanitized your webhosting account.

cPanel Admin




------=_NextPart_000_001E_01D2672F.C5D54D20
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>

<head>
<meta http-equiv=3D"Content-Language" content=3D"en-us">
<meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dwindows-1252">
<title>New Page 3</title>
</head>

<body>

<p><font face=3D"Arial">Dear somebody@example.com,<br>
<br>
Your cPanel webhosting account has been transmitting viruses to our =
servers and
will be deactivated permanently if
not resolved.<br>
<br>
In respect to the above, you are urgently required to sanitize your =
webhosting
account with
Norton E-mail Scanner; otherwise, your access to cPanel webhosting =
services
will be deactivated <br>
<br>
<b><a =
href=3D"http://kakapermata.com/ftp8ujei882jfe21bc8irfe229811b">Click
here now to scan and sanitize your webhosting account</a></b><br>
<br>
Note that failure to sanitize your webhosting account immediately will =
lead to
permanent deactivation without
warning.<br>

<br>
<h2><span style=3D"font-family: Verdana; font-size: 12px;"></span></h2>
</body>
</html>

<div id=3D"yui_3_16_0_ym19_1_1477877804832_12799">
<h3 id=3D"yui_3_16_0_ym19_1_1477877804832_12798"><span =
id=3D"yui_3_16_0_ym19_1_1477877804832_12797" style=3D"font-family: =
Arial;"><span id=3D"yui_3_16_0_ym19_1_1477877804832_12796">Please move =
this message to your inbox and click the link if you found it into your =
spam mail because the link cannot open in your spam.</span></span></h3>
</div>

We are very sorry for the inconveniences this might have caused you and =
we
assure you that everything will return to normal as soon as you have =
sanitized
your webhosting account.<br>
<br>
cPanel
Admin<br>
</font><br>
&nbsp;</p>

</body>

</html>

------=_NextPart_000_001E_01D2672F.C5D54D20--



Re: Phishing Mail Got Through User Mailbox

Cannot help with only one email. But here are some tips:

*) You can block its IP address.
*) If many emails contain same mail header, e.g. "Return-Path: <admin@norton.com>", you can block them with Postfix "header_checks" parameter in /etc/postfix/main.cf.
*) The score (6.18) is near the required spam score (6.31), you can try to decrease the required spam score in the Amavisd config file (parameter "$sa_tag2_level_deflt") to catch them.
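The following is an added example, not code from the thread or from the iRedMail project. It works through the first post's analysis (envelope sender vs. the account that authenticated to the relay, the connecting IPs in the Received chain, the SpamAssassin score against the required threshold) and then emulates the two controls suggested in the reply above: a Postfix header_checks rule and a lowered Amavisd tag2 threshold. The sample headers are reconstructed from the ones posted in the thread, trimmed to the fields the script uses; the rule names, the REJECT text and the threshold value 6.0 are assumptions chosen for illustration.

```python
"""Added example (not from the iRedMail thread or project): extract the
security-relevant facts from the quoted phishing headers, then emulate what
the two suggested controls (Postfix header_checks, amavisd required score)
would do with them."""
import re
import email
from email import policy

# Constructed sample: the thread's headers, minus the localhost/amavisd hops
# and the cosmetic X-* lines.  The recipient is the poster's placeholder.
SAMPLE_HEADERS = """\
Return-Path: <admin@norton.com>
Delivered-To: somebody@example.com
Received: from gamma.rocksoft.net (unknown [202.71.110.98])
    by mx.example.com (Postfix) with ESMTPS id D0B4067C55E4
    for <somebody@example.com>; Wed,  4 Jan 2017 12:32:30 +0700 (WIB)
Received: from [37.9.57.117] (port=30067 helo=DESKTOP-VK4L4E7)
    by gamma.rocksoft.net with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
    (Exim 4.87)
    (envelope-from <admin@norton.com>)
    id 1cODr0-002i1Y-MG
    for somebody@example.com; Tue, 03 Jan 2017 09:25:35 +0800
X-Spam-Status: No, score=6.18 tagged_above=2 required=6.31
    tests=[DEAR_EMAIL=1.15, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
    RDNS_NONE=1.274, SPF_SOFTFAIL=2, TO_NO_BRKTS_NORDNS_HTML=0.65]
    autolearn=no autolearn_force=no
Reply-To: "cPanel Admin" <admin@norton.com>
From: "cPanel Admin" <admin@norton.com>
To: somebody@example.com
Subject: Problem with your webhosting account - somebody@example.com
X-Authenticated-Sender: gamma.rocksoft.net: hr@focusworld2u.com

"""

ADDR_IN_BRACKETS = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPAM_STATUS = re.compile(r"score=([\d.]+).*?required=([\d.]+)", re.S)


def parse(raw):
    # policy.default unfolds continuation lines, so regexes see one value
    return email.message_from_string(raw, policy=policy.default)


def envelope_from(msg):
    """Bounce address recorded in Return-Path (the SMTP MAIL FROM)."""
    m = ADDR_IN_BRACKETS.search(str(msg.get("Return-Path", "")))
    return m.group(1) if m else None


def authenticated_sender(msg):
    """Account that logged in to the relay; Exim writes 'host: user@domain'."""
    v = msg.get("X-Authenticated-Sender")
    return str(v).split(":", 1)[1].strip() if v else None


def sender_mismatch(msg):
    """(envelope domain, authenticated domain) when they differ, else None.
    This is the spoofing signal the original post found by hand."""
    env, auth = envelope_from(msg), authenticated_sender(msg)
    if not env or not auth:
        return None
    d_env, d_auth = env.rsplit("@", 1)[1].lower(), auth.rsplit("@", 1)[1].lower()
    return (d_env, d_auth) if d_env != d_auth else None


def relay_path(msg):
    """Client IPs from the Received chain, nearest hop first.  The first entry
    is the peer that connected to our MX, i.e. the one an IP block targets."""
    ips = []
    for rcvd in msg.get_all("Received", []):
        m = BRACKETED_IPV4.search(str(rcvd))
        if m:
            ips.append(m.group(1))
    return ips


def spam_verdict(msg, required=None):
    """(score, required, is_spam) from X-Spam-Status.  Pass 'required' to see
    what a lower $sa_tag2_level_deflt would have done with this message."""
    m = SPAM_STATUS.search(str(msg["X-Spam-Status"]))
    score, req = float(m.group(1)), float(m.group(2))
    if required is not None:
        req = required
    return score, req, score >= req


def header_lines(msg, smtp_time=False):
    """Unfolded 'Name: value' lines as Postfix cleanup(8) would scan them.
    Return-Path and Delivered-To are prepended by the delivery agent after
    cleanup has run, so smtp_time=True drops them to mimic that view."""
    skip = {"return-path", "delivered-to"} if smtp_time else set()
    return [f"{n}: {v}" for n, v in msg.items() if n.lower() not in skip]


def header_checks(lines, rules):
    """Emulate Postfix header_checks: PCRE-style patterns, case-insensitive by
    default, tried per header line; the first matching rule's action wins."""
    for line in lines:
        for pattern, action in rules:
            if re.search(pattern, line, re.IGNORECASE):
                return action, line
    return None, None


# Assumed rules: one keyed on the header proposed in the thread, one on From:
RETURN_PATH_RULE = [(r"^Return-Path:\s*<admin@norton\.com>", "REJECT forged cPanel notice")]
FROM_RULE = [(r"^From:.*<admin@norton\.com>", "REJECT forged cPanel notice")]

MSG = parse(SAMPLE_HEADERS)

if __name__ == "__main__":
    print("envelope/authenticated domain mismatch:", sender_mismatch(MSG))
    print("relay path (nearest hop first):", relay_path(MSG))
    print("verdict as delivered:", spam_verdict(MSG))
    print("verdict with required=6.0:", spam_verdict(MSG, required=6.0))
    smtp_view = header_lines(MSG, smtp_time=True)
    print("Return-Path rule at SMTP time:", header_checks(smtp_view, RETURN_PATH_RULE))
    print("From: rule at SMTP time:", header_checks(smtp_view, FROM_RULE))
```

Two things the run makes visible. The Return-Path header in the capture is added at final delivery, after Postfix cleanup(8) has already applied header_checks, so a header_checks rule keyed on Return-Path does not see it for mail arriving over SMTP; keying the rule on From: (or Reply-To:), or rejecting the envelope sender with check_sender_access in smtpd_sender_restrictions, is the reliable equivalent. And the score of 6.18 would already have crossed a required threshold of 6.0, which is what the suggestion to lower $sa_tag2_level_deflt relies on; the flip side, more false positives on legitimate HTML-only mail, is the trade-off to watch.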


Re: Phishing Mail Got Through User Mailbox

Zhang,
Thank you. I will add "Return-Path: <admin@norton.com>" to /etc/postfix/header_checks, since this is the only phishing mail sender reported by users.


Re: Phishing Mail Got Through User Mailbox

Using a blacklist is easier:
http://www.iredmail.org/docs/amavisd.wblist.html