[Mdaemon-L] Email Spoofing

Syafril Hermansyah via Mdaemon-L Wed, 09 Aug 2023 01:42:55 -0700

On 8/9/23 09:22, Rievo Niemrod Efraim via Mdaemon-L wrote:

Bisa di check ke smtp-in log, apakah transaksi mail yang masuk dari internet 
memicu DMARC verification.

Aneh nya pada waktu kejadian itu dmarc Procesing nya seperti tidak jalan kalau 
di lihat dari log smtp in pada hari kejadian


Mon 2023-08-07 11:55:28.694: [00968378] ---- End DKIM results
Mon 2023-08-07 11:55:28.695: [00968378] Passing message through AntiVirus 
(Size: 8603)...
Mon 2023-08-07 11:55:28.714: [00968378] *  Message is clean (no viruses found) 
scanned by (IKARUS: clean (0.00303s))
Mon 2023-08-07 11:55:28.714: [00968378] ---- End AntiVirus results


Di bandingkan dengan log email dari BCA  DMARC Processing nya jalan

Mon 2023-08-07 11:55:48.946: [00968484] Performing DMARC processing
Mon 2023-08-07 11:55:48.946: [00968484] *  File: 
d:\mdaemon\queues\temp\25\md5001000000239.tmp
Mon 2023-08-07 11:55:48.946: [00968484] *  Message-ID: 
<2007367336.8292957.1691384169124@759f5bc6-5d2c-49d8-4bf7-6a9c>
Mon 2023-08-07 11:55:48.946: [00968484] *  Author domain: klikbca.com
Mon 2023-08-07 11:55:48.946: [00968484] *  Organizational domain: klikbca.com
Mon 2023-08-07 11:55:48.946: [00968484] *  Query domain: _dmarc.klikbca.com
Mon 2023-08-07 11:55:48.979: [00968484] *    Policy record: 
v=DMARC1;p=quarantine;rua=mailto:[email protected];fo=1
Mon 2023-08-07 11:55:48.981: [00968484] *  Verifying report 
recipient:[email protected]
Mon 2023-08-07 11:55:48.981: [00968484] *  Query domain: 
klikbca.com._report._dmarc.bca.co.id
Mon 2023-08-07 11:55:49.012: [00968484] *    Policy record: v=DMARC1
Mon 2023-08-07 11:55:49.012: [00968484] *    [email protected]  is 
verified
Mon 2023-08-07 11:55:49.012: [00968484] *  Checking authentication mechanisms 
for DMARC alignment
Mon 2023-08-07 11:55:49.012: [00968484] *    SPF: domain "klikbca.com" passed 
SPF check; and domain is DMARC aligned
Mon 2023-08-07 11:55:49.012: [00968484] *    DKIM: domain "klikbca.com" (from 
d= of signature #1) verified; and domain is DMARC aligned
Mon 2023-08-07 11:55:49.012: [00968484] *  Result: pass
Mon 2023-08-07 11:55:49.012: [00968484] ---- End DMARC results

Padahal log di atas tanggal dan waktunya kurang lebih sama, jadi bisa di 
pastikan bukan karena DMARC Verificationnya tidak aktif pada saat itu
Atau mungkin system membaca seakan2 email tersebut memang dari local, sehingga 
Dmarc procesingnya tidak jalan ???

DMARC verification tidak aktif (bypass) jika sender IP masuk dalamdaftar exemption list atau trusted IP saja.

[ ] Do not verify messages from trusted IPs

Baik Pak sementara Do not verify messages from trusted Ips saya disabled

lalu periksa lagi smtp-in log, apakah DMARC verification berjalan.



Wed 2023-08-09 08:54:28.471: [01143185] ---- End DKIM results
Wed 2023-08-09 08:54:28.476: [01143185] Performing DMARC processing
Wed 2023-08-09 08:54:28.476: [01143185] *  File: 
d:\mdaemon\queues\temp\15\md5001000000001.tmp
Wed 2023-08-09 08:54:28.476: [01143185] *  Message-ID: 
<cajxr3gun0kpeif1dxaotdnwqmair3p+emqfdxemoc8a4+ti...@mail.gmail.com>
Wed 2023-08-09 08:54:28.476: [01143185] *  Author domain: gmail.com
Wed 2023-08-09 08:54:28.476: [01143185] *  Organizational domain: gmail.com
Wed 2023-08-09 08:54:28.476: [01143185] *  Query domain: _dmarc.gmail.com
Wed 2023-08-09 08:54:28.476: [01143185] *    Policy record (from cache): 
v=DMARC1; p=none; sp=quarantine; rua=mailto:[email protected]
Wed 2023-08-09 08:54:28.479: [01143185] *  Verifying report recipient: 
[email protected]
Wed 2023-08-09 08:54:28.479: [01143185] *  Query domain: 
gmail.com._report._dmarc.google.com
Wed 2023-08-09 08:54:28.508: [01143185] *    Policy record: v=DMARC1
Wed 2023-08-09 08:54:28.508: [01143185] *    Recipient 
[email protected] is verified
Wed 2023-08-09 08:54:28.508: [01143185] *  Checking authentication mechanisms 
for DMARC alignment
Wed 2023-08-09 08:54:28.508: [01143185] *    SPF: domain "gmail.com" passed SPF 
check; and domain is DMARC aligned
Wed 2023-08-09 08:54:28.509: [01143185] *    DKIM: domain "gmail.com" (from d= 
of signature #1) verified; and domain is DMARC aligned
Wed 2023-08-09 08:54:28.509: [01143185] *  Result: pass
Wed 2023-08-09 08:54:28.509: [01143185] ---- End DMARC results



ok.

--
syafril
--------
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 23.5.0 Beta B
Harap tidak cc: atau kirim ke private mail untuk masalah MDaemon.

I'm unpredictable, I never know where I'm going until I get there, I'mso random, I'm always growing, learning, changing, I'm never the sameperson twice. But one thing you can be sure of about me; is I willalways do exactly what I want to do.

        --- C. JoyBell C.


--
--[mdaemon-l]----------------------------------------------------------
Milis ini untuk Diskusi antar pengguna MDaemon Mail Server di Indonesia

Netiket: https://wiki.openstack.org/wiki/MailingListEtiquette
Arsip: http://mdaemon-l.dutaint.com
Dokumentasi : http://mdaemon.dutaint.co.id
Berlangganan: Kirim mail ke [email protected]
Henti Langgan: Kirim mail ke [email protected]
Versi terakhir: MDaemon 23.0.2, SecurityGateway 9.0.3

[Mdaemon-L] Email Spoofing

Kirim email ke