Security log (Just want to know if there is a security breach)

JJJCR

Messages: 110
Karma: -6
Hello guys, I have this log and I'm quite confused about interpreting it. Can anyone shed light on this?

The log looks like this:

From: <<email.address>@my_domain.com>, To: <<same_as_from><_at_>my_domain.com>, Size: 1219, Sender-Host: public_ip_i_dont_know, Subject: Good earnings in the int...blah blah


The From and To domains are the same and use my domain name, but those email addresses are random and do not belong to any of my users. But the sender IP is not my mail server's public IP.

The question is: the public IP in the log is able to send out mail using my domain name, but that IP address is not my public IP. Is this a security breach, or are they just spoofing my domain name?

Any ideas are greatly appreciated.

Thank you.
Carsten Maas (Kerio)

Messages: 247
Karma: 27
Do you see anything in the mail.log?

Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

Kerio Deutschland youtube Channel
http://www.youtube.com/KerioDeutschland
JJJCR

Messages: 110
Karma: -6
Yes, there is. Is there anything I should do?

The log is in the mail.log.

[Updated on: Mon, 11 April 2016 06:32]

Carsten Maas (Kerio)

Messages: 247
Karma: 27
What is the exact output in the mail.log for this specific event?

Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

Kerio Deutschland youtube Channel
http://www.youtube.com/KerioDeutschland
JJJCR

Messages: 110
Karma: -6
Something like this:
[10/Apr/2016 08:02:04] Recv: Queue-ID: 5706f4fb-00015194, Service: SMTP, From: <914736848.46880898807506@my_domain>, To: <914736848.46880898807506<_at_>my_domain>, Size: 1219, Sender-Host: 18.4.29.86,
Subject: Good earnings in the international company, Msg-Id: <98B80AD80E2A6ADCFC4E9C4A6E2E98B8@Q8P8BRILNO>
JJJCR

Messages: 110
Karma: -6
Is that something I should be alarmed about?

The From and To email addresses are directed to my own domain, not to another domain.
Carsten Maas (Kerio)

Messages: 247
Karma: 27
The next line would be interesting.
Do you have a Relay status 2.0.0 like:
[11/Apr/2016 06:08:07] Sent: Queue-ID: 570b2322-000001a8, Recipient: <user<_at_>example.com>, Result: relayed, Status: 2.0.0 ....

Have you also activated "users must authenticate....." under the Sender policy tab in the Security settings?


Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

Kerio Deutschland youtube Channel
http://www.youtube.com/KerioDeutschland
JJJCR

Messages: 110
Karma: -6
Nope, I didn't check the "users must authenticate" option. Should I enable it?

Is this a security breach? Please advise.
JJJCR

Messages: 110
Karma: -6
The next line is:
<#public<_at_>my_domain/xfolderx>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <98B80AD80E2A6ADCFC4E9C4A6E2E98B8@Q8P8BRILNO>
JJJCR

Messages: 110
Karma: -6
Any updates? Please help. Thank you.
Pavel Dobry (Kerio)

Messages: 5228
Karma: 251
It is not a security breach. It is a misconfiguration of your server and email domain.

1. You don't use SPF, so anyone can send an email with a spoofed sender email address pretending to be you to anyone else. Including you - http://kb.kerio.com/product/kerio-connect/server-configuration/antispam/how-do-i-create-an-spf-or-caller-id-record-248.html

2. You seem to accept emails for non-existing users in your domain and put them to a public folder.

3. Your server is not configured to verify sender identity - http://kb.kerio.com/product/kerio-connect/server-configuration/security/configuring-anti-spoofing-in-kerio-connect-1491.html
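The three points above (spoofed local-domain sender, mail for non-existent users landing in a public folder, no sender verification) and the Recv/Sent pairing Carsten asked about earlier in the thread can be checked mechanically against the mail.log. The script below is an added example for this thread, not Kerio code and not posted by anyone here. It parses Recv and Sent lines in the shape quoted above, pairs them by Queue-ID, flags messages whose From domain is local but whose Sender-Host fails a minimal SPF evaluation, and reports whether the server delivered the message locally or relayed it onward (the latter being the worse sign). The SPF record, the authorized addresses 203.0.113.10 and 198.51.100.0/24, and every log line except the first Recv line quoted in the thread are constructed for the example; a real check would fetch the domain's TXT record via DNS and would need the a/mx/include mechanisms this evaluator skips.

```python
import ipaddress
import re

# Assumption for this example: the domain(s) the server hosts.
LOCAL_DOMAINS = {"my_domain"}

# Constructed SPF record for my_domain. In production it comes from the
# domain's DNS TXT record; it is embedded here so the script runs offline.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"

# Line shapes follow the Recv/Sent mail.log excerpts quoted in this thread.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: \w+, "
    r"From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, Size: \d+, "
    r"Sender-Host: (?P<host>[^,]+),"
)
SENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Sent: Queue-ID: (?P<qid>\S+), Recipient: <(?P<rcpt>[^>]*)>, "
    r"Result: (?P<result>\w+), Status: (?P<status>[\d.]+)"
)

# Constructed sample: the first Recv line is the one quoted in the thread; the
# others are made up to show a legitimate external sender and a relayed spoof.
SAMPLE_LOG = """\
[10/Apr/2016 08:02:04] Recv: Queue-ID: 5706f4fb-00015194, Service: SMTP, From: <914736848.46880898807506@my_domain>, To: <914736848.46880898807506@my_domain>, Size: 1219, Sender-Host: 18.4.29.86, Subject: Good earnings in the international company, Msg-Id: <98B80AD80E2A6ADCFC4E9C4A6E2E98B8@Q8P8BRILNO>
[10/Apr/2016 08:02:04] Sent: Queue-ID: 5706f4fb-00015194, Recipient: <#public@my_domain/xfolderx>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <98B80AD80E2A6ADCFC4E9C4A6E2E98B8@Q8P8BRILNO>
[10/Apr/2016 08:05:11] Recv: Queue-ID: 5706f5b7-00015195, Service: SMTP, From: <alice@partner.example>, To: <bob@my_domain>, Size: 2048, Sender-Host: 198.51.100.7, Subject: Invoice, Msg-Id: <constructed-1@partner.example>
[10/Apr/2016 08:05:12] Sent: Queue-ID: 5706f5b7-00015195, Recipient: <bob@my_domain>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <constructed-1@partner.example>
[10/Apr/2016 08:09:40] Recv: Queue-ID: 5706f6c0-00015196, Service: SMTP, From: <ceo@my_domain>, To: <victim@example.net>, Size: 1400, Sender-Host: 18.4.29.86, Subject: Urgent wire, Msg-Id: <constructed-2@spoofer.invalid>
[10/Apr/2016 08:09:41] Sent: Queue-ID: 5706f6c0-00015196, Recipient: <victim@example.net>, Result: relayed, Status: 2.0.0 , Remote-Host: 192.0.2.25, Msg-Id: <constructed-2@spoofer.invalid>
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms plus 'all' with qualifiers.
    a, mx, include, exists and redirect need DNS and are skipped (no match)."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_line(line):
    """Return a dict for a Recv or Sent line, or None for anything else."""
    for kind, regex in (("recv", RECV_RE), ("sent", SENT_RE)):
        m = regex.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def triage(lines, local_domains=LOCAL_DOMAINS, spf_record=SPF_RECORD):
    """Flag messages claiming a local From domain that arrive from a host the
    SPF record does not authorize, and report what the server did with them."""
    received, sent = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "recv":
            received[rec["qid"]] = rec
        else:
            sent.setdefault(rec["qid"], []).append(rec)

    findings = []
    for qid, r in received.items():
        from_domain = r["from"].rpartition("@")[2].lower()
        if from_domain not in local_domains:
            continue  # foreign sender domain: that domain's SPF policy applies
        spf = spf_check(spf_record, r["host"])
        if spf == "pass":
            continue
        results = sorted({s["result"] for s in sent.get(qid, [])})
        findings.append({
            "queue_id": qid,
            "from": r["from"],
            "sender_host": r["host"],
            "spf": spf,
            "disposition": ",".join(results) or "unknown",
            # spoofed local sender relayed outward = the server acted as a relay
            "open_relay_indicator": "relayed" in results,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against a real mail.log with `triage(open("mail.log").readlines())` after replacing LOCAL_DOMAINS and SPF_RECORD with your own values. A finding with disposition `delivered` to a `#public` recipient matches the situation in this thread (point 2 above); a finding with `relayed` would mean the server forwarded the spoofed message to an outside recipient and deserves immediate attention.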
JJJCR

Messages: 110
Karma: -6
First of all, thank you Pavel for your reply.

SPF was enabled, but it was set not to check local clients.

I just enabled Sender Identity.

But the IP address keeps appearing in the security log; it's been there for hours and hours. I already blocked it on the firewall.

I will try to block the IP on the router itself.

Thanks again.