Re: [exim] Is that SPAM? Or am I compromised?

2023-03-14 Thread Yves via Exim-users

On 13/03/2023 at 22:28, Slavko via Exim-users wrote:

>> All 3 lines seem to me to relate to receiving the message. I don’t see a line
>> that is about sending the message, or signing it.
>
> Yes, received. The line has no DKIM= field, which is logged by default,
> thus it seems that the message had no valid DKIM at that time.

Thanks for the confirmation. I feel better after reading that.

>> Could it be that the message is signed when I receive it?
>
> Exim signs only on delivery...

>> Could it be because I use LMTP for delivering, instead of local drop?
>
> Yes, (one of the) LMTP deliveries can be configured to sign the message,
> but someone must configure that.

>> If that is the explanation, it seems a bit “stupid” of Exim to do so…
>
> Exim does what the admin configured for it, so try to guess who did
> something "a bit stupid"...

It’s me :-)
With your help, and the guidance of Gedalya's explanations (thanks!), I
found the mistake I made in my configuration, which is due to a regex
matching at 2 places where I expected it to match at only one place.


Thank you everyone!

Yves.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/14/23 08:07, Jeremy Harris via Exim-users wrote:
> Only authentication methods which are self-encrypted should be used on a 
> cleartext channel. 

Further, I'm not aware of clients which have the specific behavior of switching 
to TLS after authentication.

While we're at it, will Exim or other SMTP servers remember your authenticated 
status after STARTTLS?

I don't see the point of enabling clients to send the message body in 
plaintext. And there's a need for a final push towards disallowing plaintext 
MX<>MX. Those that feel they can disallow that already now are helping to turn 
the tide and normalize the notion that plaintext SMTP is broken.





Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/14/23 08:07, Jeremy Harris via Exim-users wrote:
> On 13/03/2023 23:43, Gedalya via Exim-users wrote:
>> 4. On port 587, authentication should not be advertised before STARTTLS is
>> issued.
>
> A slight suggested relaxation of that rule:  Only authentication methods
> which are self-encrypted should be used on a cleartext channel.
>
> That means the same as your simpler rule for PLAIN and LOGIN, which are
> the common ones.  But the SCRAM family, for example, would be safe.

There's a slightly different motivation for the approach I suggested.

Don't bother supporting SCRAM, and auto-ban any client that tries to use 
unadvertised AUTH. Cuts down on a lot of log spam. Many bots will not try TLS, 
and will either attempt AUTH before STARTTLS or will just not try at all. This 
doesn't "solve" anything, it's just a relative reduction of noise.





Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Jeremy Harris via Exim-users

On 13/03/2023 23:43, Gedalya via Exim-users wrote:

> 4. On port 587, authentication should not be advertised before STARTTLS is
> issued.

A slight suggested relaxation of that rule:  Only authentication methods
which are self-encrypted should be used on a cleartext channel.

That means the same as your simpler rule for PLAIN and LOGIN, which are
the common ones.  But the SCRAM family, for example, would be safe.
--
Cheers,
  Jeremy




Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/14/23 05:57, Yves via Exim-users wrote:

> Yes, it is just that most emails I receive are sent through ISPs or from 
> commercial companies, and go through a bunch of internal relays. Although 
> completely standard, such direct emails are rare enough for me that I noticed…

Spam is very often delivered this way, directly to your server.

> If that is any help, my server is built using Ansible, and the whole 
> configuration is public:
> https://yalis.fr/git/yves/home-server/src/branch/master/roles/dmz_exim/tasks/main.yml
>
> Based on Archlinux packaging for Exim 
> (https://github.com/archlinux/svntogit-community/blob/packages/exim/trunk/PKGBUILD),
>  my exim.conf seems to be just upstream Exim 4.96 configuration. Then I patch 
> it using Ansible with various rules. 

It's not much help. I can't reconstruct your exact config this way. But I do 
see how you're adding DKIM signing:

insertafter: '^\s*driver\s*=\s*smtp\s*$'

And I don't see any condition there.

The only thing that matters is the actual exim config file you have in effect.

A few comments:

1. On ports 587 / 465, _only_ authenticated users should be allowed

2. On ports 587 / 465, TLS should be _mandatory_.

3. On port 25, authentication should _not_ be available (not advertised, and 
exim will refuse the command if it wasn't advertised)

4. On port 587, authentication should not be advertised before STARTTLS is 
issued.

(The above can be rephrased as: properly separate submission from "classic" 
SMTP. Submission requires TLS).

5. It does look like you may be simply signing all mail.

Sign only authenticated or locally-submitted mail:

dkim_private_key = ${if or {{match_ip{$sender_host_address}{:@[]}}{def:authenticated_id}}{/etc/your/private.key}{}}

Good idea: add:

dkim_sign_headers = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:=In-Reply-To:=References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive

May be a matter of taste but you might find that maintaining the exim config 
file itself in git might be simpler at some point.

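An added configuration sketch, written for this edit and not taken from Yves' generated exim.conf or Gedalya's own setup, showing how the five points above map onto Exim options. The domain yalis.fr comes from the thread; the selector sel2023, the key path, the transport names and LMTP on 127.0.0.1 port 24 are assumptions.

```exim
# Added example (not Yves' generated exim.conf nor Gedalya's config): a sketch
# of the five points above. Selector, key path and LMTP port are placeholders.

domainlist local_domains = yalis.fr
daemon_smtp_ports    = 25 : 465 : 587
tls_on_connect_ports = 465
tls_advertise_hosts  = *

# Points 3 and 4: never advertise AUTH on port 25, and on the submission
# ports only once TLS is up. Exim refuses an AUTH command it did not
# advertise, so PLAIN/LOGIN credentials cannot cross a cleartext channel.
auth_advertise_hosts = ${if and {{!eq{$received_port}{25}} \
                                 {def:tls_in_cipher}} {*}{}}

begin acl

acl_check_rcpt:
  # Points 1 and 2: submission ports take only encrypted, authenticated sessions.
  deny    condition = ${if or {{eq{$received_port}{587}}{eq{$received_port}{465}}}}
          !encrypted = *
          message   = TLS is required for submission
  deny    condition = ${if or {{eq{$received_port}{587}}{eq{$received_port}{465}}}}
          !authenticated = *
          message   = authentication is required for submission
  accept  authenticated = *
  # Port 25 is plain MX traffic: accept mail for our own domains, never relay.
  accept  domains = +local_domains
  deny    message = relay not permitted

begin transports

remote_smtp:
  driver = smtp
  dkim_domain   = yalis.fr
  dkim_selector = sel2023
  # Point 5: sign only mail from a local process (empty $sender_host_address),
  # from this host's own addresses (@[]) or from an authenticated client;
  # unauthenticated mail arriving from the network gets no signature.
  dkim_private_key = ${if or {{match_ip{$sender_host_address}{:@[]}} \
                              {def:authenticated_id}} \
                             {/etc/exim/dkim/sel2023.pem}{}}
  dkim_sign_headers = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc

# Local delivery over LMTP also uses driver = smtp, so a regex such as
# '^\s*driver\s*=\s*smtp\s*$' matches this transport too. Keep every
# dkim_* option out of it: signing belongs to outbound mail only.
dovecot_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = 127.0.0.1
  allow_localhost
  port = 24
```

Check the result with `exim -bP transports` and `exim -bP auth_advertise_hosts` after restarting, so the effective values, not the Ansible templates, are what gets reviewed.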


Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Yves via Exim-users

Thank you Gedalya for answering.

On 13/03/2023 12:02, Gedalya via Exim-users wrote:

> On 3/13/23 05:34, Yves via Exim-users wrote:
>
>> — This email went through very few intermediaries to reach my server
>> (yalis.fr). Apparently, it actually came directly from the sender (a
>> Palestinian ISP).
>
> Why would that surprise you? They just did exactly that.

Yes, it is just that most emails I receive are sent through ISPs or from
commercial companies, and go through a bunch of internal relays.
Although completely standard, such direct emails are rare enough for me
that I noticed…

>> — There is a DKIM signature done by my own server (d=yalis.fr), which includes
>> the From header, and that header is @yalis.fr.
>
> As Slavko said, check that the signature is actually valid. If it is, review
> your exim config and see how they might have been able to get your exim to sign
> the message. Maybe you have a flaw in your config?

If that is any help, my server is built using Ansible, and the whole
configuration is public:

https://yalis.fr/git/yves/home-server/src/branch/master/roles/dmz_exim/tasks/main.yml

Based on Archlinux packaging for Exim
(https://github.com/archlinux/svntogit-community/blob/packages/exim/trunk/PKGBUILD),
my exim.conf seems to be just upstream Exim 4.96 configuration. Then I
patch it using Ansible with various rules.


Regards



Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Slavko via Exim-users
Hi,

On 13 March 2023 19:12:20 UTC, Yves via Exim-users wrote:

>which returned nothing, and $?==0. So the signature is valid!

I never used OpenDKIM, thus I cannot comment.

>I checked per your advice on the server:
>
>[root@seuil3 etc]# journalctl --grep 640E42D8.7020207
>mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message 
><640e42d8.7020...@yalis.fr> for nobody:182
>mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - 
>BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>

These are from SA, I never used it, thus I cannot comment.

>mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= 
>ad...@yalis.fr H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 
>id=640e42d8.7020...@yalis.fr

That one is relevant, but an incomplete exim message log. The missing part
is delivery. I do not use the journal for exim logs, but you can try to grep exim's
message ID:

journalctl --no-pager -u exim.service --grep 1pbRIJ-002UYg-0j

>All 3 lines seem to me to relate to receiving the message. I don’t see a line 
>that is about sending the message, or signing it.

Yes, received. The line has no DKIM= field, which is logged by default,
thus it seems that the message had no valid DKIM at that time.

>Could it be that the message is signed when I receive it?

Exim signs only on delivery...

> Could it be because I use LMTP for delivering, instead of local drop?

Yes, (one of the) LMTP deliveries can be configured to sign the message,
but someone must configure that.

>If that is the explanation, it seems a bit “stupid” of Exim to do so…

Exim does what the admin configured for it, so try to guess who did
something "a bit stupid"...

regards


-- 
Slavko
https://www.slavino.sk/



Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/14/23 03:12, Yves via Exim-users wrote:
> Could it be that the message is signed when I receive it

Try to run:

exim -bV

See if the output includes a line resembling --

Configuration file is /etc/exim4/exim4.conf

Examine the file and look for lines containing "dkim_private_key", 
"dkim_selector" etc.

If appropriate, you can post the whole transport section here (redacted as 
necessary).





Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/14/23 03:12, Yves via Exim-users wrote:
>
> opendkim-testmsg <./"Hey, what's up? -  - 2023-03-12 2223.eml"
>
> which returned nothing, and $?==0. So the signature is valid!
>

> [root@seuil3 etc]# journalctl --grep 640E42D8.7020207
> mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message 
> <640e42d8.7020...@yalis.fr> for nobody:182
> mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - 
> BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
> mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= 
> ad...@yalis.fr H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 
> id=640e42d8.7020...@yalis.fr
>
> I’m not sure of how to understand that :-/
> All 3 lines seem to me to relate to receiving the message. I don’t see a line 
> that is about sending the message, or signing it.
>
DKIM_ADSP_ALL says that SpamAssassin found no signature. Something signed it 
later, which makes sense.


> Could it be that the message is signed when I receive it?
Your configuration answers this question.
> Could it be because I use LMTP for delivering, instead of local drop?
> If that is the explanation, it seems a bit “stupid” of Exim to do so… 

Of your configuration, not of Exim per se. Exim behavior is extremely flexible 
and configurations can vary tremendously from site to site.

Examine your configuration, check whether signing is indeed done by / 
controlled by exim configuration or elsewhere, and on what conditions.





Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Yves via Exim-users

Thank you Slavko for your answer.

On 13/03/2023 10:28, Slavko via Exim-users wrote:

> On 12. 3. at 22:34 Yves via Exim-users wrote:
> […]
>> — There is a DKIM signature done by my own server (d=yalis.fr), which
>> includes the From header, and that header is @yalis.fr.
>
> It can be a DKIM replay, or it can be a failed signature whose only purpose
> is to fool users. You didn't provide the DKIM verify result...

I did not know how to verify the signature… Looking at Archlinux
packages, I selected opendkim; its man page says that opendkim-testmsg
returns nothing if the input message is good. I ran:

opendkim-testmsg <./"Hey, what's up? -  - 2023-03-12 2223.eml"

which returned nothing, and $?==0. So the signature is valid!

> Anyway, your Message-ID is signed; if that message was initiated from
> your server, you must be able to find it in the logs. And you can change
> the DKIM key, to be sure...

I checked per your advice on the server:

[root@seuil3 etc]# journalctl --grep 640E42D8.7020207
mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message <640e42d8.7020...@yalis.fr> for nobody:182
mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= ad...@yalis.fr H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 id=640e42d8.7020...@yalis.fr

I’m not sure of how to understand that :-/
All 3 lines seem to me to relate to receiving the message. I don’t see a
line that is about sending the message, or signing it.

Could it be that the message is signed when I receive it? Could it be
because I use LMTP for delivering, instead of local drop?

If that is the explanation, it seems a bit “stupid” of Exim to do so…

Regards

> […]



Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Lena--- via Exim-users
> From: exi.ml @ yalis.fr
> 
> I just received a SPAM (I hope), but the headers retained my attention; 
> here they are, in full:

An infected Windows sent this common fraudulent spam with the same
email address in From: and envelope-from as the recipient.
And the same domain in Message-ID.

> There is a DKIM signature done by my own server (d=yalis.fr), which 
> includes the From header, and that header is @yalis.fr.

Your "seuil3" added DKIM signature while it relayed that spam
to your "sphinx3".

Accepting emails from hosts with empty $sender_host_name is unwise.
I deny mail from such hosts in China, Hong Kong, Taiwan, Brazil, Korea, Vietnam
and greylist mail from such hosts in other countries.
But most other mail admins deny emails from such hosts.



Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Gedalya via Exim-users
On 3/13/23 05:34, Yves via Exim-users wrote:
>
> I am surprised by a few things:
>
> — This email went through very few intermediaries to reach my server 
> (yalis.fr). Apparently, it actually came directly from the sender (a 
> Palestinian ISP).

Why would that surprise you? They just did exactly that.

> — There is a DKIM signature done by my own server (d=yalis.fr), which 
> includes the From header, and that header is @yalis.fr.
As Slavko said, check that the signature is actually valid. If it is, review 
your exim config and see how they might have been able to get your exim to sign 
the message. Maybe you have a flaw in your config?
> Considering the fact that the body is all about how “they” used a zero-day 
> exploit to infiltrate my machine (but with some non-believable elements, such 
> as making a video of me, and I do not have a webcam…), how can I make sure 
> that this is indeed a SPAM, and not a real attack? 

Based on what you have described, the furthest extent of any possible attack is 
somehow getting your exim to sign incoming messages coming from the wild.

Claiming that they infiltrated your machine is not an attack, it's a very 
common spam message.





Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Slavko via Exim-users

On 12. 3. at 22:34 Yves via Exim-users wrote:

I have no solution for you, but some comments:

> — This email went through very few intermediaries to reach my server
> (yalis.fr). Apparently, it actually came directly from the sender (a
> Palestinian ISP).

Received: headers can be faked, removed, etc...

> — There is a DKIM signature done by my own server (d=yalis.fr), which
> includes the From header, and that header is @yalis.fr.

It can be a DKIM replay, or it can be a failed signature whose only purpose
is to fool users. You didn't provide the DKIM verify result...

Anyway, your Message-ID is signed; if that message was initiated from
your server, you must be able to find it in the logs. And you can change
the DKIM key, to be sure...

> Considering the fact that the body is all about how “they” used a
> zero-day exploit to infiltrate my machine (but with some non-believable
> elements, such as making a video of me, and I do not have a webcam…),
> how can I make sure that this is indeed a SPAM, and not a real attack?

I see that type of message often, and often as a flood from some
hundreds/thousands of hosts in a short time. I am very successful at filtering
them, and I don't worry much about them...


regards

--
Slavko

