1 (edited by daweed 2020-04-28 04:50:59)

Topic: Got hacked ? SPAM passed DKIM check ..

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): v0.9.6
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: Linux mx 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

First of all, thanks for your work. Worked perfectly for more than 3 years until ...

I received a classic phishing e-mail asking me to send some BTC etc.

I was not taking this seriously until I first checked the e-mail header:

Return-Path: <d@MY-DOMAIN.COM>
Delivered-To: d@MY-DOMAIN.COM
Received: from mx.MY-DOMAIN.COM (localhost [127.0.0.1])
    by mx.MY-DOMAIN.COM (Postfix) with ESMTP id 3FD672C3D12
    for <d@MY-DOMAIN.COM>; Mon, 27 Apr 2020 21:48:40 +0200 (CEST)
Authentication-Results: mx.MY-DOMAIN.COM (amavisd-new); dkim=pass (2048-bit key)
    reason="pass (just generated, assumed good)" header.d=MY-DOMAIN.COM
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=MY-DOMAIN.COM; h=
    x-mailer:content-type:content-type:mime-version:date:date
    :subject:subject:to:from:from:message-id; s=dkim; t=1588016918;
     x=1588880919; bh=bM9uEgxzEUXb3P/Uk9Sy6nvL+anPcKo1fnBQP2VSTPc=; b=
    F1pe0y1F6R7h1YP2ZsXIV6AM9TGuSB6glueP2JVS8Gw8KenWDoI3u5T2Yw+odJ5W
    RykxZjS0mpo/kK5q7oh5MATmwZMP20SEsSTgDYKB3fxFUkw8z+/0lm5L1tEmr1Ld
    CG/kk8X2fYNQkUb1XaHK9GGG0Y5NreiJFYFcry1rUF/Fzvid+h5OYP1yHZ4Bdzed
    nVt7+sSLx8vIjMhVIrK5mlwOBIIZZNMQdAT9vnrmtj1Saoaeq1vFWkz7gGqyHBMw
    IAJzILh9HYPxO8Y+GhNY1nv8wi3oGZB6PAm8xZFbtqO6duLuSMjQLzS0mtUnk9Tc
    sLt9mFoXtkU2hDvGePfZTg==
X-Virus-Scanned: Debian amavisd-new at mx.MY-DOMAIN.COM
Received: from mx.MY-DOMAIN.COM ([127.0.0.1])
    by mx.MY-DOMAIN.COM (mx.MY-DOMAIN.COM [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rQ8rteFOPWMb for <d@MY-DOMAIN.COM>;
    Mon, 27 Apr 2020 21:48:38 +0200 (CEST)
Received: from [190.232.205.120] (localhost [IPv6:::1])
    by mx.MY-DOMAIN.COM (Postfix) with ESMTP id CD6FB2C3D11
    for <d@MY-DOMAIN.COM>; Mon, 27 Apr 2020 21:48:37 +0200 (CEST)

Then Postfix logs:

Apr 27 21:48:40 mx amavis[8917]: (08917-03) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [::1]:50186 <d@MY-DOMAIN.COM> -> <d@MY-DOMAIN.COM>, Queue-ID: CD6FB2C3D11, Message-ID: <648599110214856849353564@MY-DOMAIN.COM>, mail_id: rQ8rteFOPWMb, Hits: -1.307, size: 5258, queued_as: 3FD672C3D12, dkim_new=dkim:MY-DOMAIN.COM, 1951 ms, Tests: [ALL_TRUSTED=-1,BAYES_00=-1.9,DATE_IN_PAST_03_06=1.592,HTML_MESSAGE=0.001]
Apr 27 21:48:40 mx postfix/smtp[9319]: CD6FB2C3D11: to=<d@MY-DOMAIN.COM>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.5/0.05/0.01/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3FD672C3D12)


Then things seem more serious.

I replaced my domain by MY-DOMAIN.COM in the logs; everything else is the same as the original logs.

I can clearly see that the email comes from a Somalian (190.232.205.120) IP address (from the logs above).

I checked the .EML file through a DKIM checker and in fact the email signature is correct.

I'm getting 10/10 on the email score at mail-tester.com (so DKIM is well configured). Everything worked perfectly for 3 years.

I also checked the Dovecot logs, nothing to report here, just my local logins (192.168.X.X). So I guess there was no access to my other mails, but I still do not understand how the "hacker" could send that e-mail and pass the DKIM check.

Any thoughts? Do I have to worry about it? If yes, I suppose I have to reinstall the whole server (never installed anything other than iRedMail on that dedicated home server). If no, how can I fix Postfix or SpamAssassin to block this kind of e-mail (at least not allowing real DKIM-signed emails to be sent to myself ...)?

Thanks a lot!


2 (edited by daweed 2020-04-28 05:51:03)

Re: Got hacked ? SPAM passed DKIM check ..

In addition: I don't know if it's relevant, but, since my port 25 is blocked by my ISP at home (as for all of its customers), I have the following script that maps my local port 25 to a remote VPS. It just acts as a proxy and does not alter Postfix in any way, but maybe it could explain the "RelayedInternal" log?

The script :

echo 1 > /proc/sys/net/ipv4/ip_forward

# seems to be killing db : iptables -A POSTROUTING -t nat -j MASQUERADE

# redsocks: transparent proxy that hands redirected TCP connections to a SOCKS server
redsocks -c /root/redsocks.conf
# outbound SMTP: SOCKS proxy on local port 42525 tunnelled to the VPS
screen -m -d -S SMTP_OUT autossh -D 42525 -N root@MY_VPS_IP -p 22
# inbound SMTP: port 25 on the VPS is forwarded back to local port 26, so the
# connection Postfix accepts is made by the local ssh client (peer = localhost)
screen -m -d -S SMTP_IN autossh -M 65510 -g -R *:25:localhost:26 -N root@MY_VPS_IP -p 22

# NAT chain: local connections to port 25 are redirected into redsocks
iptables -t nat -N REDSOCKS
iptables -t nat -A OUTPUT -p tcp --dport 25 -j REDSOCKS

iptables -t nat -A REDSOCKS -p tcp --dport 25 -j REDIRECT --to-ports 32525

3

Re: Got hacked ? SPAM passed DKIM check ..

1: Please show us the related Postfix log of this SMTP session, starting from the initial connection.
2: Also the iRedAPD log in /var/log/iredapd/iredapd.log.

4

Re: Got hacked ? SPAM passed DKIM check ..

ZhangHuangbin wrote:

1: Please show us the related Postfix log of this SMTP session, starting from the initial connection.
2: Also the iRedAPD log in /var/log/iredapd/iredapd.log.

Thanks for your response.

Here is:

1) Postfix-related logs (cat /var/log/mail.log):

Apr 27 21:48:40 mx postfix/smtpd[9322]: connect from localhost[127.0.0.1]
Apr 27 21:48:40 mx postfix/smtpd[9322]: 3FD672C3D12: client=localhost[127.0.0.1]
Apr 27 21:48:40 mx postfix/cleanup[9317]: 3FD672C3D12: message-id=<648599110214856849353564@MY-DOMAIN.COM>
Apr 27 21:48:40 mx postfix/smtpd[9322]: disconnect from localhost[127.0.0.1]
Apr 27 21:48:40 mx postfix/qmgr[1682]: 3FD672C3D12: from=<d@MY-DOMAIN.COM>, size=6474, nrcpt=1 (queue active)
Apr 27 21:48:40 mx amavis[8917]: (08917-03) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [::1]:50186 <d@MY-DOMAIN.COM> -> <d@MY-DOMAIN.COM>, Queue-ID: CD6FB2C3D11, Message-ID: <648599110214856849353564@MY-DOMAIN.COM>, mail_id: rQ8rteFOPWMb, Hits: -1.307, size: 5258, queued_as: 3FD672C3D12, dkim_new=dkim:MY-DOMAIN.COM, 1951 ms, Tests: [ALL_TRUSTED=-1,BAYES_00=-1.9,DATE_IN_PAST_03_06=1.592,HTML_MESSAGE=0.001]
Apr 27 21:48:40 mx postfix/smtp[9319]: CD6FB2C3D11: to=<d@MY-DOMAIN.COM>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.5/0.05/0.01/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3FD672C3D12)
Apr 27 21:48:40 mx postfix/qmgr[1682]: CD6FB2C3D11: removed
Apr 27 21:48:40 mx postfix/pipe[9323]: 3FD672C3D12: to=<d@MY-DOMAIN.COM>, relay=dovecot, delay=0.16, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 27 21:48:40 mx postfix/qmgr[1682]: 3FD672C3D12: removed

2) iRedAPD-related logs:

2020-04-27 21:48:37 INFO ::1 RCPT, d@MY-DOMAIN.COM -> d@MY-DOMAIN.COM, DUNNO [0.0220s]
2020-04-27 21:48:38 INFO ::1 END-OF-MESSAGE, d@MY-DOMAIN.COM -> d@MY-DOMAIN.COM, DUNNO [0.0049s]

--------

In Postfix, we can see it prints that all connections are coming from localhost for this spam e-mail.

When I check another ("legit") e-mail, the Postfix logs also print that they are coming from localhost (see below).
Would it be possible that my SSH tunnel + iptables redirection between my server at port 25 and the remote VPS at port 25 (see my second previous post) could cause Postfix to treat all emails as local?


Apr 27 21:41:09 mx postfix/smtpd[9256]: connect from localhost[::1]
Apr 27 21:41:10 mx postfix/smtpd[9256]: 393F42C3D03: client=localhost[::1]
Apr 27 21:41:11 mx postfix/cleanup[9258]: 393F42C3D03: message-id=<D3D5FDB6.C78C90C1@soborka.net>
Apr 27 21:41:12 mx postfix/qmgr[1682]: 393F42C3D03: from=<RobertWest@soborka.net>, size=10951, nrcpt=1 (queue active)
Apr 27 21:41:13 mx postfix/smtpd[9256]: disconnect from localhost[::1]
Apr 27 21:41:13 mx postfix/smtpd[9266]: connect from localhost[127.0.0.1]
Apr 27 21:41:14 mx postfix/smtpd[9266]: 0364E2C3D11: client=localhost[127.0.0.1]
Apr 27 21:41:14 mx postfix/cleanup[9258]: 0364E2C3D11: message-id=<D3D5FDB6.C78C90C1@soborka.net>
Apr 27 21:41:14 mx postfix/qmgr[1682]: 0364E2C3D11: from=<RobertWest@soborka.net>, size=11699, nrcpt=1 (queue active)
Apr 27 21:41:14 mx postfix/smtpd[9266]: disconnect from localhost[127.0.0.1]
Apr 27 21:41:14 mx amavis[5999]: (05999-18) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [::1]:50148 <RobertWest@soborka.net> -> <karoline@MY-DOMAIN.COM>, Queue-ID: 393F42C3D03, Message-ID: <D3D5FDB6.C78C90C1@soborka.net>, mail_id: rXb0xDbwKbXy, Hits: 2.851, size: 10951, queued_as: 0364E2C3D11, 1525 ms, Tests: [ALL_TRUSTED=-1,BAYES_99=3.5,FROM_EXCESS_BASE64=0.001,HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1]
Apr 27 21:41:14 mx postfix/smtp[9263]: 393F42C3D03: to=<karoline@MY-DOMAIN.COM>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.5, delays=2.9/0.05/0.01/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0364E2C3D11)
Apr 27 21:41:14 mx postfix/qmgr[1682]: 393F42C3D03: removed
Apr 27 21:41:14 mx postfix/pipe[9267]: 0364E2C3D11: to=<karoline@MY-DOMAIN.COM>, relay=dovecot, delay=0.23, delays=0.03/0.02/0/0.19, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 27 21:41:14 mx postfix/qmgr[1682]: 0364E2C3D11: removed
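Added example, not part of the forum thread and not iRedMail or amavisd-new code: a small analyser that reads the message headers quoted in the first post and the amavis log lines quoted above, and turns them into explicit findings. It separates three things the logs carry: which peer address the MTA actually saw (the SSH reverse tunnel from post 2 makes that localhost), what address the earliest hop announced in HELO, and whether the DKIM "pass" was a verification or a signature the server added itself (amavisd-new's wording "just generated, assumed good" marks the latter, and `dkim_new=` in the log line records the same event). The header text and log lines are constructed from the thread with the MY-DOMAIN.COM placeholder kept; all function names are this example's own.

```python
# Added example (not from the thread): classify where a message entered the
# MTA and whether its DKIM "pass" was generated locally. Sample data below is
# constructed from the headers/logs quoted in the thread; names are assumed.
import re
import ipaddress
from email import message_from_string

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed from the headers quoted in post 1 (placeholder domain kept).
SAMPLE_HEADERS = """\
Return-Path: <d@MY-DOMAIN.COM>
Delivered-To: d@MY-DOMAIN.COM
Received: from mx.MY-DOMAIN.COM (localhost [127.0.0.1])
    by mx.MY-DOMAIN.COM (Postfix) with ESMTP id 3FD672C3D12
    for <d@MY-DOMAIN.COM>; Mon, 27 Apr 2020 21:48:40 +0200 (CEST)
Authentication-Results: mx.MY-DOMAIN.COM (amavisd-new); dkim=pass (2048-bit key)
    reason="pass (just generated, assumed good)" header.d=MY-DOMAIN.COM
X-Virus-Scanned: Debian amavisd-new at mx.MY-DOMAIN.COM
Received: from mx.MY-DOMAIN.COM ([127.0.0.1])
    by mx.MY-DOMAIN.COM (mx.MY-DOMAIN.COM [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rQ8rteFOPWMb for <d@MY-DOMAIN.COM>;
    Mon, 27 Apr 2020 21:48:38 +0200 (CEST)
Received: from [190.232.205.120] (localhost [IPv6:::1])
    by mx.MY-DOMAIN.COM (Postfix) with ESMTP id CD6FB2C3D11
    for <d@MY-DOMAIN.COM>; Mon, 27 Apr 2020 21:48:37 +0200 (CEST)

"""

# Constructed (abridged) from the amavis log lines quoted in post 4.
SPAM_AMAVIS_LINE = (
    "Apr 27 21:48:40 mx amavis[8917]: (08917-03) Passed CLEAN {RelayedInternal}, "
    "MYNETS LOCAL [::1]:50186 <d@MY-DOMAIN.COM> -> <d@MY-DOMAIN.COM>, Queue-ID: CD6FB2C3D11, "
    "mail_id: rQ8rteFOPWMb, Hits: -1.307, size: 5258, queued_as: 3FD672C3D12, "
    "dkim_new=dkim:MY-DOMAIN.COM, 1951 ms, Tests: [ALL_TRUSTED=-1,BAYES_00=-1.9]")
LEGIT_AMAVIS_LINE = (
    "Apr 27 21:41:14 mx amavis[5999]: (05999-18) Passed CLEAN {RelayedInternal}, "
    "MYNETS LOCAL [::1]:50148 <RobertWest@soborka.net> -> <karoline@MY-DOMAIN.COM>, "
    "Queue-ID: 393F42C3D03, mail_id: rXb0xDbwKbXy, Hits: 2.851, size: 10951, "
    "queued_as: 0364E2C3D11, 1525 ms, Tests: [ALL_TRUSTED=-1,BAYES_99=3.5]")


def parse_received(value):
    """Return (helo_name, peer_ip) from one Received header, or (None, None)."""
    m = re.search(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(?:IPv6:)?([^\]]+)\]\)", value)
    return (m.group(1), m.group(2)) if m else (None, None)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def origin_hop(msg):
    """Earliest hop = last Received header: who first handed the mail to our MTA."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    helo, ip = parse_received(received[-1])
    return {"helo": helo, "peer_ip": ip}


def dkim_locally_generated(msg):
    """amavisd-new writes 'just generated, assumed good' when it signed the mail itself."""
    return any("just generated" in v for v in msg.get_all("Authentication-Results") or [])


def analyse(raw_message):
    msg = message_from_string(raw_message)
    hop = origin_hop(msg)
    findings = []
    if hop and hop["peer_ip"] in LOOPBACK:
        findings.append("mta-peer-is-loopback")    # MTA saw localhost: tunnel/proxy endpoint
    helo_literal = hop["helo"].strip("[]") if hop and hop["helo"] else ""
    if is_ip(helo_literal) and helo_literal not in LOOPBACK:
        findings.append("helo-literal-external")   # sender announced a non-local address
    if dkim_locally_generated(msg):
        findings.append("dkim-signed-here")        # "pass" means signed on entry, not verified
    return {"origin": hop, "findings": findings}


def amavis_line(line):
    """Pull verdict, relay class, policy banks, peer and sender out of an amavis log line."""
    m = re.search(r"Passed (\w+) \{(\w+)\}, ([\w ]+) \[([^\]]+)\]:\d+ <([^>]*)> -> <([^>]*)>", line)
    if not m:
        return None
    return {"verdict": m.group(1), "relay": m.group(2), "banks": m.group(3).split(),
            "peer": m.group(4), "sender": m.group(5), "recipient": m.group(6),
            "signed_here": "dkim_new=" in line}   # amavis added a DKIM signature


if __name__ == "__main__":
    print(analyse(SAMPLE_HEADERS))
    for line in (SPAM_AMAVIS_LINE, LEGIT_AMAVIS_LINE):
        print(amavis_line(line))
```

Run against the thread's data, both messages come out as `RelayedInternal` in the `MYNETS LOCAL` banks with peer `::1`, which is exactly what the tunnel endpoint looks like to amavis; only the message whose envelope sender is in the signing domain carries `dkim_new=`, so the "pass" on the phishing mail is the server signing its own domain on the way in rather than a signature that survived from outside.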

5

Re: Got hacked ? SPAM passed DKIM check ..

daweed wrote:

Apr 27 21:48:40 mx postfix/smtpd[9322]: connect from localhost[127.0.0.1]

If the hacker was sending email from webmail, Roundcube is configured by iRedMail to connect to port 587 by default, so the log should be something like "postfix/submission/smtpd" instead of "postfix/smtpd" -- unless you modified the Roundcube config file to connect to port 25 directly, did you? Please check /opt/www/roundcubemail/config/config.inc.php (or /usr/share/apache2/roundcubemail/config/config.inc.php if you're running an old iRedMail version), parameter "smtp_port".

If Roundcube is configured to use port 587, then some other web application might be hacked and used to generate email locally and submit it to the mail queue. This is not what I can predict here; you need to check your server.

6

Re: Got hacked ? SPAM passed DKIM check ..

Thanks for your response, in /usr/share/apache2/roundcubemail/config/config.inc.php the SMTP port is 587.

Also, Roundcube is not accessible outside of the local network (the router-level firewall blocks port 80 and 443). I have no other web application running on the server and never installed anything else on it.

The only modification I made was on iptables to redirect ports. Don't you think that kind of redirection could make all emails be submitted to the local mail queue?

7

Re: Got hacked ? SPAM passed DKIM check ..

Would it be possible that these logs are related to a direct connection to the SMTP server? Like automated mail sent by PHPMailer. Does iRedMail store logs of IP addresses that have successfully authenticated to Postfix?

8

Re: Got hacked ? SPAM passed DKIM check ..

I'm trying to understand the logs because I don't believe that email was "tailor-made" for me. A lot of friends around me also received that kind of "generic" / "all-purpose" spam telling you that they have some kind of pictures of you and will leak them if you don't pay some money to a BTC account.

To me, that does not seem to be a serious approach for a hack; that's why I think there could be a problem with Postfix confusing external emails with locally queued emails because of my iptables redirection + SSH tunnel configuration, or maybe I don't understand the underlying Postfix process well.