Spam to/from own address - faked sender

Spacey
Hi,

Today some of my users got spam which looks to have been sent by themselves. Log file:

[27/Jan/2016 07:05:47] Recv: Queue-ID: 56a85e3a-0002ef83, Service: SMTP, From: <firstname.lastname@domain.de>, To: <firstname.lastname@domain.de>, Size: 1734, Sender-Host: 223.25.197.242, Subject: Meine Pussy nass, Msg-Id: <D55180EF23043E4CC81976BA9DA7D551@LEREGD4Q3>
[27/Jan/2016 07:05:48] Sent: Queue-ID: 56a85e3a-0002ef83, Recipient: <firstname.lastname@domain.de>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <D55180EF23043E4CC81976BA9DA7D551@LEREGD4Q3>


The sender host is somewhere in the world, so it seems that the sender just faked the sender address. We've set up SPF for our own domain.de - and it checks against that, of course. If SPF fails then it should add at least 4 points to the spam value, which means it should be tagged as spam. Found no hacking traces for these accounts - no login signs from that IP.

Why do such messages pass through? Where should I look for other settings?

Thanks for hints!

[Updated on: Wed, 27 January 2016 11:28]
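The two log lines above already contain what is needed to spot this pattern without any server-side setting: the envelope sender claims the local domain while Sender-Host is a foreign address. The following is an added example (not part of the original post and not Kerio code) that scans Kerio Connect mail-log "Recv:" lines for exactly that. It keys on the Recv line's Sender-Host, which is the connecting client, rather than the Sent line's Remote-Host, which is only the delivery hop. The local domain, the trusted-network list and the sample log are assumptions constructed for the example; the sample lines are modelled on the ones quoted in this thread.

```python
import ipaddress
import re

# Assumptions for this example: the local domain from the thread and a
# trusted-network list standing in for the "local clients" IP group.
LOCAL_DOMAINS = {"domain.de"}
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")
]

# Fields of a Kerio Connect mail-log "Recv:" line, as in the lines quoted above.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), "
    r".*?From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, "
    r".*?Sender-Host: (?P<host>[0-9A-Fa-f.:]+), "
)

# Constructed sample log modelled on the thread's lines (not real traffic).
SAMPLE_LOG = """\
[27/Jan/2016 07:05:47] Recv: Queue-ID: 56a85e3a-0002ef83, Service: SMTP, From: <firstname.lastname@domain.de>, To: <firstname.lastname@domain.de>, Size: 1734, Sender-Host: 223.25.197.242, Subject: spam, Msg-Id: <D55180EF23043E4CC81976BA9DA7D551@LEREGD4Q3>
[27/Jan/2016 07:05:48] Sent: Queue-ID: 56a85e3a-0002ef83, Recipient: <firstname.lastname@domain.de>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <D55180EF23043E4CC81976BA9DA7D551@LEREGD4Q3>
[29/Mar/2016 19:55:14] Recv: Queue-ID: 56fac181-0002e1ea, Service: SMTP, From: <ab@domain.de>, To: <ab@domain.de>, Size: 4884, Sender-Host: 201.85.122.2, Subject: CCE29032016_00035, Msg-Id: <6936708F-B0F4-43CF-1C06-F174A3C04016@domain.de>
[29/Mar/2016 20:01:00] Recv: Queue-ID: 56fac2aa-0002e1eb, Service: SMTP, From: <bob@example.org>, To: <ab@domain.de>, Size: 900, Sender-Host: 203.0.113.7, Subject: hello, Msg-Id: <1@example.org>
[29/Mar/2016 20:02:00] Recv: Queue-ID: 56fac2bb-0002e1ec, Service: SMTP, From: <ab@domain.de>, To: <bob@example.org>, Size: 900, Sender-Host: 192.168.1.20, Subject: reply, Msg-Id: <2@domain.de>
"""


def parse_recv(line):
    """Return the fields of a Recv line as a dict, or None for any other line."""
    m = RECV_RE.search(line)
    return m.groupdict() if m else None


def is_spoofed_local_sender(rec, local_domains=LOCAL_DOMAINS, trusted=TRUSTED_NETWORKS):
    """True when the envelope sender claims a local domain but the connecting
    host is outside every trusted network."""
    sender = rec["from"]
    if "@" not in sender:
        return False  # null sender (bounces) or malformed: not a local-domain claim
    domain = sender.rsplit("@", 1)[1].lower()
    if domain not in local_domains:
        return False
    try:
        ip = ipaddress.ip_address(rec["host"])
    except ValueError:
        return True  # unparsable host: treat as untrusted rather than silently pass
    return not any(ip in net for net in trusted)


def scan(lines):
    """Return (queue id, sender host, envelope sender) for every suspicious Recv line."""
    flagged = []
    for line in lines:
        rec = parse_recv(line)
        if rec and is_spoofed_local_sender(rec):
            flagged.append((rec["qid"], rec["host"], rec["from"]))
    return flagged


if __name__ == "__main__":
    for qid, host, sender in scan(SAMPLE_LOG.splitlines()):
        print(f"{qid}: local sender <{sender}> from untrusted host {host}")
```

Run it against the real mail log (`scan(open(path))`) to get a list of queue IDs to pull from the security and SMTP logs; the two hits on the sample are the two spoofed messages from this thread, while the foreign-domain message and the one from the LAN address are left alone.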

freakinvibe

I use the following setting and it works well

Configuration > Security > Sender Policy

"User must authenticate in order to send a message from a local domain" = Tick

[Updated on: Fri, 29 January 2016 13:36]


Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
Spacey

Will try this... but that message does not come from the local domain but from outside. Someone else external faked a local address and the local Kerio accepted it.
freakinvibe

That's exactly what that setting does: If someone from the outside is trying to put your local domain as the sender of a message, he can only do that if he authenticates. Of course a spammer cannot authenticate, so the message will be rejected.

Spacey

Ah OK, thanks! I thought it is for authenticating even from the inside! I'll give it a try!
Spacey

Doesn't work fully - unfortunately.

Activated all of these settings here but excluded the group "local clients", which contains my LANs, some external servers of our own *and* the standard Kerio settings networks 10.0.0.0 - 127.0.0.1.

But I still get messages like:

[29/Mar/2016 19:55:14] Recv: Queue-ID: 56fac181-0002e1ea, Service: SMTP, From: <ab@domain.de>, To: <ab@domain.de>, Size: 4884, Sender-Host: 201.85.122.2, Subject: CCE29032016_00035, Msg-Id: <6936708F-B0F4-43CF-1C06-F174A3C04016@domain.de>
[29/Mar/2016 19:55:15] Sent: Queue-ID: 56fac181-0002e1ea, Recipient: <full.name@domain.de>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <6936708F-B0F4-43CF-1C06-F174A3C04016@domain.de>


The last host is shown as 127.0.0.1 - does this fail here in this case?

[Updated on: Wed, 30 March 2016 10:10]

freakinvibe

This works for me. If a foreign host (in your case 201.85.122.2) tries to send you mail and indicates your own domain as sender, it will not be accepted. You should see in the security log:

[30/Mar/2016 11:55:11] Relay attempt from IP address 201.85.122.2, mail from <ab@domain.de> to <ab@domain.de> rejected


The sending mail server will see this error message:

550 5.7.1 Relaying to <ab@domain.de> denied (authentication required)


Nothing would appear in the normal mail log.

Are you sure you have correctly added IP addresses and ranges in your IP exclusion group?

If you let me know a test email address in a PM, I can try to send you a fake email and then see in the logs whether it fails or not.

[Updated on: Wed, 30 March 2016 12:12]


Spacey

Hell, I found the error: within the "local clients" group I defined a range instead of a network - so I accidentally accepted the whole range from 172.18.0.0 - 255.255.255.0, which contains the external IP above...

I tested it with this tool: https://www.wormly.com/test_smtp_server

I tracked it down by deactivating every single object within the "local clients". Then I stumbled over that network setting. The only shown difference in the table is the "-" instead of the "/".

What a pity... OK, now faked own addresses should not pass anymore!

Thanks :)
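The two things this thread turns on, the sender policy freakinvibe describes (an unauthenticated client may not use a local domain as envelope sender unless its address is in the exclusion group) and the range-versus-network slip that silently put 201.85.122.2 inside that group, can be reproduced in a few lines. The block below is an added example written for this page; it is an approximation of the rule's observable behaviour, not Kerio's implementation, and the group entries, domain, reply texts and function names are assumptions of the example (the 550 text is modelled on the reply quoted above). The `oversized` check is the audit a practitioner would want: an entry that covers more than a /8 is almost certainly a typo like the one found here.

```python
import ipaddress

LOCAL_DOMAINS = {"domain.de"}  # assumption: the thread's local domain


class IPGroup:
    """IP address group of the kind used as the policy's exclusion list.

    Each entry is a network ("172.18.0.0/24"), a single host ("127.0.0.1")
    or a range ("172.18.0.0 - 172.18.0.255"). The only visible difference
    between a range and a network in a table is the "-" versus the "/",
    which is exactly how the bug in this thread crept in.
    """

    def __init__(self, entries):
        self.entries = []  # (original text, kind, matcher)
        for text in entries:
            if "-" in text:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
                if lo > hi:
                    raise ValueError(f"range start above end: {text!r}")
                self.entries.append((text, "range", (lo, hi)))
            else:
                net = ipaddress.ip_network(text.strip(), strict=False)
                self.entries.append((text, "network", net))

    def __contains__(self, ip):
        ip = ipaddress.ip_address(ip)
        for _, kind, m in self.entries:
            if kind == "range":
                lo, hi = m
                if lo.version == ip.version and lo <= ip <= hi:
                    return True
            elif ip in m:
                return True
        return False

    def oversized(self, max_hosts=2 ** 24):
        """Entries covering more than max_hosts addresses (default: larger
        than a /8). A range that ends in 255.255.255.0 shows up here at once."""
        out = []
        for text, kind, m in self.entries:
            size = int(m[1]) - int(m[0]) + 1 if kind == "range" else m.num_addresses
            if size > max_hosts:
                out.append((text, size))
        return out


def sender_policy(mail_from, rcpt_to, client_ip, authenticated, exclusions,
                  local_domains=LOCAL_DOMAINS):
    """Approximation of "User must authenticate in order to send a message
    from a local domain" with an exclusion IP group. Returns (accepted, reply)."""
    ok = (True, f"250 2.1.5 Recipient <{rcpt_to}> OK")
    if "@" not in mail_from:  # null sender <> is not a claim on a local domain
        return ok
    if mail_from.rsplit("@", 1)[1].lower() not in local_domains:
        return ok  # foreign sender: the ordinary anti-relay and anti-spam rules apply
    if authenticated or client_ip in exclusions:
        return ok
    return (False, f"550 5.7.1 Relaying to <{rcpt_to}> denied (authentication required)")


# The group as it was mistakenly configured (range) and as intended (network).
MISCONFIGURED_GROUP = IPGroup(["127.0.0.1", "10.0.0.0/8", "172.18.0.0 - 255.255.255.0"])
CORRECT_GROUP = IPGroup(["127.0.0.1", "10.0.0.0/8", "172.18.0.0/24"])


if __name__ == "__main__":
    for name, group in (("misconfigured", MISCONFIGURED_GROUP), ("correct", CORRECT_GROUP)):
        accepted, reply = sender_policy("ab@domain.de", "ab@domain.de",
                                        "201.85.122.2", False, group)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} -> {reply}")
        print(f"{name}: oversized entries: {group.oversized()}")
```

The same check works as a pre-deployment test: feed every entry of the exclusion group to `IPGroup` and fail the change if `oversized()` returns anything, or if a known-bad external address is `in` the group.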
freakinvibe

Cool, I am glad you got it sorted.
