SPAM FORGED FROM ISSUE
Today we realized a serious problem. My version is 11.4.6 x64.
We properly use "reject if originator's domain is local and not authorized". The B/W list is normal, and they are not in the whitelist! Also, I know the IceWarp administrator area well.
I think spammers can change the "From" field to the "To" field. Forged From issue.
For example:
Someone sends a message FROM david@manifesto55.com. SMTP log:
192.185.143.234 [1F8C] 03:52:09 Connected, local IP=151.253.44.111:25
192.185.143.234 [1F8C] 03:52:09 >>> 220-mail.mydomain.com ESMTP MYSERVER; Thu, 02 May 2019 03:52:09 +0300
192.185.143.234 [1F8C] 03:52:09 <<< EHLO gateway31.websitewelcome.com
192.185.143.234 [1F8C] 03:52:09 >>> 250-mail.mydomain.com Hello gateway31.websitewelcome.com [192.185.143.234], pleased to meet you.
192.185.143.234 [1F8C] 03:52:09 <<< STARTTLS
192.185.143.234 [1F8C] 03:52:09 >>> 220 2.0.0 Ready to start TLS
192.185.143.234 [1F8C] 03:52:10 <<< EHLO gateway31.websitewelcome.com
192.185.143.234 [1F8C] 03:52:10 >>> 250-mail.mydomain.com Hello gateway31.websitewelcome.com [192.185.143.234], pleased to meet you.
192.185.143.234 [1F8C] 03:52:10 <<< MAIL FROM:<david@manifesto55.com> SIZE=271492
192.185.143.234 [1F8C] 03:52:10 >>> 250 2.1.0 <david@manifesto55.com>... Sender ok
192.185.143.234 [1F8C] 03:52:11 <<< RCPT TO:<myname@mydomain.com> ORCPT=rfc822;myname@mydomain.com
192.185.143.234 [1F8C] 03:52:11 >>> 250 2.1.5 <myname@mydomain.com>... Recipient ok
192.185.143.234 [1F8C] 03:52:11 <<< DATA
192.185.143.234 [1F8C] 03:52:11 >>> 354 Enter mail, end with "." on a line by itself
192.185.143.234 [1F8C] 03:52:12 <<< 271461 bytes (overall data transfer speed=260018 B/s)
192.185.143.234 [1F8C] 03:52:12 Start of mail processing
192.185.143.234 [1F8C] 03:52:14 *** <david@manifesto55.com> <myname@mydomain.com> 1 271456 00:00:03 OK 201905020352110426
192.185.143.234 [1F8C] 03:52:14 >>> 250 2.6.0 271456 bytes received in 00:00:03; Message id 201905020352110426 accepted for delivery
But the FROM area is different in the incoming message header:
Received: from cm17.websitewelcome.com (cm17.websitewelcome.com [100.42.49.20])
by gateway31.websitewelcome.com (Postfix) with ESMTP id 76B991D835
for <myname@mydomain.com>; Wed, 1 May 2019 19:51:36 -0500 (CDT)
Received: from br120.hostgator.com.br ([192.185.176.168])
by cmsmtp with SMTP
id LzwlhbME190onLzwlhjeXd; Wed, 01 May 2019 19:51:36 -0500
Received: from [106.120.14.185] (port=50248 helo=[])
by br120.hostgator.com.br with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256)
(Exim 4.91)
(envelope-from <david@manifesto55.com>)
id 1hLzwW-000vr0-Fd
for myname@mydomain.com; Wed, 01 May 2019 21:51:35 -0300
Received: from gateway31.websitewelcome.com (gateway31.websitewelcome.com [192.185.143.234])
by mail.mydomain.com (MYSERVER) with ESMTP (SSL) id 201905020352110426
for <myname@mydomain.com>; Thu, 02 May 2019 03:52:11 +0300
From: <myname@mydomain.com>
To: <myname@mydomain.com>
Subject: myname
Date: Thu, 2 May 2019 03:51:21 +0300
Organization: Vuyca
Message-ID: <xcsfjrf50629137.07629181@manifesto55.com>
MIME-Version: 1.0
Also, I tried the https://esupport.icewarp.com/index.php?/Knowledgebase/Article/View/413/0/how-to-block-spoofing content rule. But it's not related to this issue, and it blocks banking and important sites.
And I have 100+ different examples of this forging issue.
Can anyone give a suggestion? Or does the new version of IceWarp solve this problem?
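As an added detection example (not code from the post or from IceWarp), here is a Python check that applies the logic the "reject if originator's domain is local and not authorized" rule should: it compares the header From domain against the envelope sender taken from the SMTP log (MAIL FROM) and against the IP of the host that connected to our MTA. The local domain, authorized network and MTA name are assumptions, and the headers are a constructed sample modelled on the ones quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): our hosted domain, the networks allowed to
# submit mail with a local sender domain, and the name of our own MTA.
LOCAL_DOMAINS = {"mydomain.com"}
AUTHORIZED_NETS = [ip_network("151.253.44.0/24")]
LOCAL_MTA = "mail.mydomain.com"

# Constructed sample modelled on the headers quoted in the post (body omitted).
SAMPLE_HEADERS = (
    "Received: from gateway31.websitewelcome.com (gateway31.websitewelcome.com [192.185.143.234])\n"
    "\tby mail.mydomain.com (MYSERVER) with ESMTP (SSL) id 201905020352110426\n"
    "\tfor <myname@mydomain.com>; Thu, 02 May 2019 03:52:11 +0300\n"
    "Received: from [106.120.14.185] (port=50248 helo=[])\n"
    "\tby br120.hostgator.com.br with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256)\n"
    "\t(envelope-from <david@manifesto55.com>)\n"
    "From: <myname@mydomain.com>\n"
    "To: <myname@mydomain.com>\n"
    "Message-ID: <xcsfjrf50629137.07629181@manifesto55.com>\n\n"
)

def domain_of(addr):
    """Lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def last_hop_ip(msg):
    """IP of the host that handed the message to our MTA: the first bracketed
    address in the Received line that says 'by <our MTA>'."""
    for rcvd in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(LOCAL_MTA) + r"\b", rcvd):
            m = re.search(r"\[([0-9a-fA-F.:]+)\]", rcvd)
            if m:
                return ip_address(m.group(1))
    return None

def spoof_findings(raw_headers, envelope_from):
    """Return the list of mismatches a filter could act on (empty = nothing odd)."""
    msg = message_from_string(raw_headers)
    hdr_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    env_dom = domain_of(envelope_from)       # MAIL FROM seen in the SMTP log
    ip = last_hop_ip(msg)
    findings = []
    if hdr_dom in LOCAL_DOMAINS and ip is not None and not any(ip in n for n in AUTHORIZED_NETS):
        findings.append(f"local From domain {hdr_dom} from unauthorized host {ip}")
    if hdr_dom and env_dom and hdr_dom != env_dom:
        findings.append(f"header From domain {hdr_dom} != envelope domain {env_dom}")
    if domain_of(parseaddr(msg.get("Message-ID", ""))[1]) not in (hdr_dom, ""):
        findings.append("Message-ID domain does not match header From domain")
    return findings
```

Running `spoof_findings(SAMPLE_HEADERS, "david@manifesto55.com")` reports all three mismatches for the message above, while the same headers from an authorized network with a matching envelope sender only trip the Message-ID check.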
-
You have an example of this implementation on the web: https://colageno-hidrolizado.org. In it you can see the correct code and the lines in which you have made a mistake.
Regards