[mdaemon-l] Email accounts frequently hijacked
On 2018-06-12 07:56, Heryanto (herya...@dima.co.id) wrote:

> Pak Syafril, I would like to ask: lately we have frequently experienced account hijack attacks from outside, even though Dynamic Screening and Location Screening are already enabled.

Has strong password enforcement been enabled for all users?

> Tue 2018-06-12 04:26:01.178: [756095] * From: charli@dima.co.id
> Tue 2018-06-12 04:26:01.178: [756095] * To: hbbtkepurpsrd...@quaihuonglashzke.info
> Tue 2018-06-12 04:26:01.178: [756095] * Message-ID: <313035646463.2018611212...@quaihuonglashzke.info>

Show the source/sender of the spam mail in the SMTP-in log.

> What I want to ask is whether Hijack Detection and Spambot Detection need to be enabled? And could you send the best-practice settings for both of these menus?

Yes, they are needed, especially Account Hijack Detection, as a precaution in case an account gets hijacked. To start with, just use the standard settings.
http://mdaemon.dutaint.co.id/mdaemon/18.0/index.html?security--hijack_detection.htm

-- syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 18.0.2-64 Beta B
Please do not cc: or send private mail for MDaemon issues.
Anyone who stops learning is old, whether twenty or eighty. Anyone who keeps learning stays young. The greatest thing you can do is keep your mind young. --- Mark Twain (1835 - 1910)

--
--[mdaemon-l]--
This mailing list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest versions: MD 18.0.1, SG 5.5.0
[mdaemon-l] Email accounts frequently hijacked
Dear Pak Syafril,

Pak Syafril, I would like to ask: lately we have frequently experienced account hijack attacks from outside, even though Dynamic Screening and Location Screening are already enabled. What I want to ask is whether Hijack Detection and Spambot Detection need to be enabled? And could you send the best-practice settings for both of these menus?

Thank you.

Attached below is the SMTP-out log:

2018-06-12 04:01:31.654: --
Tue 2018-06-12 04:26:01.177: [756095] Session 756095; child 0001
Tue 2018-06-12 04:26:01.177: [756095] Parsing message
Tue 2018-06-12 04:26:01.178: [756095] * From: charli@dima.co.id
Tue 2018-06-12 04:26:01.178: [756095] * To: hbbtkepurpsrd...@quaihuonglashzke.info
Tue 2018-06-12 04:26:01.178: [756095] * Subject: Tax Return Transcript from 06/12/2018
Tue 2018-06-12 04:26:01.178: [756095] * Size (bytes): 140054
Tue 2018-06-12 04:26:01.178: [756095] * Message-ID: <313035646463.2018611212...@quaihuonglashzke.info>
Tue 2018-06-12 04:26:01.180: [756095] Attempting to send message to smart host
Tue 2018-06-12 04:26:01.180: [756095] Attempting SMTP connection to smtp.antispamcloud.com
Tue 2018-06-12 04:26:01.180: [756095] Resolving A record for smtp.antispamcloud.com (DNS Server: 116.254.101.2)...
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[198.7.58.152]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[217.20.113.37]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[5.79.72.138]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[5.79.72.139]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[37.48.65.165]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[46.165.209.5]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[46.165.217.141]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[46.165.217.142]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[69.64.57.56]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[85.25.237.173]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[94.75.244.163]
Tue 2018-06-12 04:26:01.182: [756095] * D=smtp.antispamcloud.com TTL=(0) A=[138.201.61.135]
Tue 2018-06-12 04:26:01.182: [756095] Randomly picked 94.75.244.163 from list of possible hosts
Tue 2018-06-12 04:26:01.183: [756095] Attempting SMTP connection to 94.75.244.163:587
Tue 2018-06-12 04:26:01.183: [756095] Waiting for socket connection...
Tue 2018-06-12 04:26:01.368: [756095] * Connection established 116.254.100.37:57350 --> 94.75.244.163:587
Tue 2018-06-12 04:26:01.368: [756095] Waiting for protocol to start...
Tue 2018-06-12 04:26:01.928: [756095] <-- 220 mx3.antispamcloud.com ESMTP Exim 135182 Mon, 11 Jun 2018 23:22:16 +0200
Tue 2018-06-12 04:26:01.929: [756095] --> EHLO mail.dima.co.id
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-mx3.antispamcloud.com Hello edm.ed-dima.com [116.254.100.37]
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-SIZE
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-8BITMIME
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-DSN
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-AUTH PLAIN LOGIN
Tue 2018-06-12 04:26:02.112: [756095] <-- 250-STARTTLS
Tue 2018-06-12 04:26:02.112: [756095] <-- 250 HELP
Tue 2018-06-12 04:26:02.112: [756095] --> STARTTLS
Tue 2018-06-12 04:26:02.305: [756095] <-- 220 TLS go ahead
Tue 2018-06-12 04:26:02.681: [756095] SSL negotiation successful (TLS 1.2, 2048 bit key exchange, 128 bit AES encryption)
Tue 2018-06-12 04:26:02.890: [756095] SSL certificate is valid (matches smtp.antispamcloud.com and is signed by recognized CA)
Tue 2018-06-12 04:26:02.890: [756095] --> EHLO mail.dima.co.id
Tue 2018-06-12 04:26:03.075: [756095] <-- 250-mx3.antispamcloud.com Hello edm.ed-dima.com [116.254.100.37]
Tue 2018-06-12 04:26:03.075: [756095] <-- 250-SIZE
Tue 2018-06-12 04:26:03.075: [756095] <-- 250-8BITMIME
Tue 2018-06-12 04:26:03.075: [756095] <-- 250-DSN
Tue 2018-06-12 04:26:03.075: [756095] <-- 250-AUTH PLAIN LOGIN
Tue 2018-06-12 04:26:03.075: [756095] <-- 250 HELP
Tue 2018-06-12 04:26:03.075: [756095] --> AUTH LOGIN
Tue 2018-06-12 04:26:03.258: [756095] <-- 334 VXNlcm5hbWU6
Tue 2018-06-12 04:26:03.258: [756095] --> **
Tue 2018-06-12 04:26:03.442: [756095] <-- 334 UGFzc3dvcmQ6
Tue 2018-06-12 04:26:03.442: [756095] --> **
Tue 2018-06-12 04:26:03.628: [756095] <-- 235 Authentication succeeded
Tue 2018-06-12 04:26:03.628: [756095] --> MAIL From: SIZE=140054
Tue 2018-06-12 04:26:08.791: [756095] <-- 250 OK
Tue 2018-06-12 04:26:08.791: [756095] --> RCPT To:
Tue 2018-06-12 04:26:08.984: [756095] <-- 250 Accepted
Tue 2018-06-12 04:26:08.986: [756095] --> DATA
Tue 2018-06-12 04:26:09.169: [756095] <-- 354 Enter message, ending with "." on a line by itself
Tue 2018-06-12 04:26:09.169:
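As an added illustration that is not part of this thread and not MDaemon's own code, the following Python checker reads lines in the SMTP-out log format shown above and flags two things a defender can see in Heryanto's log: an outbound message whose Message-ID was minted under a domain other than the sender's own, and a burst of outbound messages from one account inside a short window (the idea behind the send limit in MDaemon's Account Hijack Detection). The sample log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "* Header: value" lines MDaemon writes while parsing an outbound message.
HDR_RE = re.compile(r"^\w{3} (\S+ \S+): \[(\d+)\] \* (From|To|Message-ID): (.*)$")

# Constructed sample in MDaemon SMTP-out log format (not the thread's own log).
SAMPLE_LOG = """\
Tue 2018-06-12 04:20:00.000: [1] * From: alice@example.com
Tue 2018-06-12 04:20:00.000: [1] * Message-ID: <20180612.1@example.com>
Tue 2018-06-12 04:26:01.178: [2] * From: charli@example.com
Tue 2018-06-12 04:26:01.178: [2] * Message-ID: <1@spamdomain.test>
Tue 2018-06-12 04:26:30.500: [3] * From: charli@example.com
Tue 2018-06-12 04:26:30.500: [3] * Message-ID: <2@spamdomain.test>
Tue 2018-06-12 04:27:02.000: [4] * From: charli@example.com
Tue 2018-06-12 04:27:02.000: [4] * Message-ID: <3@spamdomain.test>
"""

def parse_sessions(log_text):
    """Group From/To/Message-ID header lines by MDaemon session id."""
    sessions = {}
    for m in filter(None, map(HDR_RE.match, log_text.splitlines())):
        stamp, sid, name, value = m.groups()
        entry = sessions.setdefault(sid, {})
        entry.setdefault("time", datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f"))
        entry[name] = value.strip()
    return sessions

def domain_of(addr):  # domain part of an address or Message-ID, lowercased
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def find_hijack_indicators(log_text, max_msgs=3, window=timedelta(minutes=10)):
    """Return {sender: sorted indicator names} for accounts that look hijacked."""
    times, findings = defaultdict(list), defaultdict(set)
    for s in parse_sessions(log_text).values():
        if "From" not in s:
            continue
        sender = s["From"].lower()
        times[sender].append(s["time"])
        # Indicator 1: Message-ID stamped with a foreign domain while From is a local account.
        if "Message-ID" in s and domain_of(s["Message-ID"]) != domain_of(sender):
            findings[sender].add("message-id domain mismatch")
    # Indicator 2: at least max_msgs outbound messages from one account within `window`.
    for sender, ts in times.items():
        ts.sort()
        if any(ts[i + max_msgs - 1] - ts[i] <= window for i in range(len(ts) - max_msgs + 1)):
            findings[sender].add(f"{max_msgs}+ messages within {window}")
    return {k: sorted(v) for k, v in findings.items()}
```

Running it on the sample flags only the bursting account with the foreign Message-ID; in practice the thresholds are tuned to the site's normal per-account volume.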