1

Topic: This spam came through to my InBox - how did it get through?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

0.9.7/MySQL/Apache/No Pro

I received an email stating that I'd been hacked and to send bitcoin

The body of the email was an image, not text

I pulled the header info from the email.  I have changed my personal email information to "myInboxEmail@mydomain.com" and used this info in each place it otherwise occurred in the email.  I changed the name of my server to mail.mymailserver.com from the actual (but again correct in the email I received) name of the mail server.

Here's the header:

Return-Path: <nor-am@thelakebc.ca>
Delivered-To: myInboxEmail@mydomain.com
Received: from mail.mymailserver.com (localhost.localdomain [127.0.0.1])
    by mail.mymailserver.com (Postfix) with ESMTP id 2FF963A4213D
    for <myInboxEmail@mydomain.com>; Tue, 2 Apr 2019 12:26:03 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at 
Authentication-Results: mail.mymailserver.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=thelakebc.ca
Received: from mail.mymailserver.com ([127.0.0.1])
    by mail.mymailserver.com (mail.mymailserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 4ZN-zT3K5gh1 for <myInboxEmail@mydomain.com>;
    Tue, 2 Apr 2019 12:25:56 -0400 (EDT)
Received: from thelakebc.ca (mail.thelakebc.ca [207.58.179.62])
    by mail.mymailserver.com (Postfix) with ESMTPS id 971543A4213C
    for <myInboxEmail@mydomain.com>; Tue, 2 Apr 2019 12:25:56 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=thelakebc.ca; s=default; h=From:Subject:Message-ID:To:Date:MIME-Version:
    Content-Type:List-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=B4r72B+B1qvBuKfBJjF3oT7BLi9PIQv5jVB6WhxYaFI=; b=y3dR+mVx/Zk++vNgSK7xD8xw8i
    wi3rSDQTPtKaclWejRj5/8mYIb+qr83qRPIzF683ixdwXC+1tcU6ObJKo80NzHgMAiHOmNkC9nQmE
    XaKEcpv+pGgu7XoxLA2g7ioQ3+Hv/uvUYUmpnQaL1YsU3vY3Wjigkp8TsZLSfsZvvyqA=;
Received: from [91.240.125.60] (port=34588 helo=[])
    by vps.cpelectronics.ca with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256)
    (Exim 4.87)
    (envelope-from <nor-am@thelakebc.ca>)
    id 1hBEsX-0007Nl-RI
    for myInboxEmail@mydomain.com; Tue, 02 Apr 2019 01:34:50 -0700
X-Complaints-To: <abuse@mail.thelakebc.ca>
X-Sender-Info: <nor-am@thelakebc.ca>
List-ID: <66961988.thelakebc.ca>
X-Abuse-Reports-To: <abuse@thelakebc.ca>
Content-Type: multipart/related;
    boundary="50B2B43-B85-F228-C7F32C9D7-1ADA"
MIME-Version: 1.0
Date: Tue, 2 Apr 2019 10:34:45 +0200
Abuse-Reports-To: <abuse@thelakebc.ca>
To: myInboxEmail@mydomain.com
Message-ID: <9E38E31F-5715388-jfye@thelakebc.ca>
Subject: andrew
From: <myInboxEmail@mydomain.com>
X-aid: 8694287668
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.cpelectronics.ca
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - thelakebc.ca
X-Get-Message-Sender-Via: vps.cpelectronics.ca: authenticated_id: nor-am@thelakebc.ca
X-Authenticated-Sender: vps.cpelectronics.ca: nor-am@thelakebc.ca
X-Source: 
X-Source-Args: 
X-Source-Dir:

Shouldn't my spam filter have trapped this?  Is there something I should look at to see if maybe antispam/clamav are NOT running?


Thanks.


Andrew


2

Re: This spam came through to my InBox - how did it get through?

This is well-known, world-wide, frequent, hard-to-tackle spam.

Since the real sender (return-path) is outside your domain, it won't be denied with "sender has to be authenticated". This guy only claims to have sent the message from your account, which is not true. Only the "From" is faked, which can be done easily.

If anyone knows how to tackle it, please come forward. :-)

3

Re: This spam came through to my InBox - how did it get through?

Hi,

I have the same issue as you - see here: https://forum.iredmail.org/post68504.html#p68504

I am trying to get/find the short version of the log so the iRedMail team can find a fix / fine-tune to stop these emails.

Mathew

hws wrote:

This is well-known, world-wide, frequent, hard-to-tackle spam.

Since the real sender (return-path) is outside your domain, it won't be denied with "sender has to be authenticated". This guy only claims to have sent the message from your account, which is not true. Only the "From" is faked, which can be done easily.

If anyone knows how to tackle it, please come forward. :-)