[Mdaemon-L] Email phising
On 12/11/24 10:53, Rievo Niemrod Efraim via Mdaemon-L wrote:

>> In short, what to look for in the exempt list is whether there are entries similar to the following
>> winclude:ptbmi.com
>> spf ptbmi.com
>> *@ptbmi.com
>> which cause the SPF check for senders @ptbmi.com to be exempted (bypassed, no check performed).
>> Such entries need to be deleted or given a comment tag (#) at the start of the line so that they no longer take effect.
> Sir, I checked the SPF exempt list and it contains the sender *@ptbmi.com, and several subdomains @lmg.ptbmi.com, @dpt.ptbmi.com, etc.
> What about these, sir? Should they be deleted?

Yes, they must be deleted so that the SPF check runs when the sender is @ptbmi.com or a subdomain @*.ptbmi.com.

The point is that in SPF verification you must not whitelist yourself, so that you do not accept spam that appears to come from yourself.

Perhaps you are confusing this with IPshield, which on the contrary must contain the list of your own hosts/IPs.
https://mdaemon.dutaint.com/mdaemon/24.5.0/security--ip_shielding.html

IPshield is (in function) similar to SPF, but it is not declared on the name server (authoritative DNS server).

--
syafril
Syafril Hermansyah
MDaemon-L Moderator, run MDaemon 24.5.2
Please do not send private mail (or cc:) about MDaemon problems.

Every matter, every difficulty and every waste can in fact be overcome, if we want to. So the issue is not whether we can or cannot, but whether we are willing or not. --- Dahlan Iskan

--
--[mdaemon-l]--
This list is for discussion among users of MDaemon Mail Server in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.com
Subscribe: send mail to [email protected]
Unsubscribe: send mail to [email protected]
Latest version: MDaemon 24.5.2, SecurityGateway 10.5.2
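The check described in the message above, as an added example that is not part of the thread and not MDaemon's own code: it scans a copy of an exempt list for active entries that exempt your own domain or its subdomains from SPF, and can disable them with a leading #. The one-entry-per-line layout, the function names and the sample list are assumptions constructed for illustration; the entry forms are the ones quoted in the thread.

```python
import re

# Constructed sample, NOT a real SPFXcpt.dat. Assumed layout: one entry per
# line, '#' marks a comment, entry forms as quoted in the thread.
SAMPLE_EXEMPT_LIST = """\
# backup MX provider
spf mx-backup.example.net
192.0.2.10
*@ptbmi.com
spf ptbmi.com
winclude:ptbmi.com
*@lmg.ptbmi.com
#*@dpt.ptbmi.com
partner@example.org
"""

# "spf <domain>", "spf:<domain>", "wlinclude:<domain>" / "winclude:<domain>"
DOMAIN_ENTRY = re.compile(r"^(?:spf[ :]+|wl?include:)(\S+)$", re.IGNORECASE)

def entry_domain(entry):
    """Domain an exempt entry refers to, or None (IP address, unknown form)."""
    entry = entry.strip()
    match = DOMAIN_ENTRY.match(entry)
    if match:
        return match.group(1).lower()
    if "@" in entry:                      # envelope sender such as *@domain
        return entry.rsplit("@", 1)[1].lower()
    return None

def audit_exempt_list(text, own_domains):
    """Return (line_no, entry) for active entries exempting our own domains."""
    own = [d.lower() for d in own_domains]
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue                      # blank or already commented out
        domain = (entry_domain(entry) or "").lstrip("*.")
        if any(domain == d or domain.endswith("." + d) for d in own):
            findings.append((line_no, entry))
    return findings

def comment_out(text, own_domains):
    """Copy of the list with every self-exempting entry disabled by '#'."""
    flagged = {n for n, _ in audit_exempt_list(text, own_domains)}
    lines = text.splitlines()
    return "\n".join("#" + l if i in flagged else l
                     for i, l in enumerate(lines, 1)) + "\n"
```

Run it against a copy of the file and review the flagged lines before changing the live list.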
[Mdaemon-L] Email phising
On 12/11/24 10:49, Rievo Niemrod Efraim via Mdaemon-L wrote:

>>> Is ptbmi.com or IP 103.146.203.235 included in the SPF exempt list?
>>> https://mdaemon.dutaint.com/mdaemon/24.5.0/security--spf__sender_id.html
>> If you have difficulty checking it yourself, send the file \\mdaemon\app\SPFXcpt.dat to [email protected].
> After checking, that IP is not in the exempt list

What about entries similar to the following?
spf:ptbmi.com
winclude:ptbmi.com
*@ptbmi.com

> But in the SPF settings, "Apply SPF Processing to helo/ehlo value" is unchecked
> Does that have an effect?

No.

--
syafril
Syafril Hermansyah
MDaemon-L Moderator, run MDaemon 24.5.2
Please do not send private mail (or cc:) about MDaemon problems.

The best way for a company to fly even higher is to give those talented people the tools they need to run with on their own. -- Robert Noyce
[Mdaemon-L] Email phising
> Not hacked, but a wrong exemption (bypass, exception).
> If an SPF check were performed it would certainly be rejected.
> https://mxtoolbox.com/SuperTool.aspx?action=spf%3aptbmi.com%3a103.146.203.235&run=toolpage
> Result: SPF Failed for IP - 103.146.203.235
> In short, what to look for in the exempt list is whether there are entries similar to the following
> winclude:ptbmi.com
> spf ptbmi.com
> *@ptbmi.com
> which cause the SPF check for senders @ptbmi.com to be exempted (bypassed, no check performed).
> Such entries need to be deleted or given a comment tag (#) at the start of the line so that they no longer take effect.

Sir, I checked the SPF exempt list and it contains the sender *@ptbmi.com, and several subdomains @lmg.ptbmi.com, @dpt.ptbmi.com, etc.
What about these, sir? Should they be deleted?

Please advise.

Thank you
Rievo
[Mdaemon-L] Email phising
Good morning, Mr. Syafril

>> Is ptbmi.com or IP 103.146.203.235 included in the SPF exempt list?
>>
>> https://mdaemon.dutaint.com/mdaemon/24.5.0/security--spf__sender_id.html
> If you have difficulty checking it yourself, send the file \\mdaemon\app\SPFXcpt.dat to [email protected].

After checking, that IP is not in the exempt list.
But in the SPF settings, "Apply SPF Processing to helo/ehlo value" is unchecked.
Does that have an effect?

Thank you
Rievo
[Mdaemon-L] Email phising
On 12/10/24 10:55, Syafril Hermansyah via Mdaemon-L wrote:

> On 12/10/24 10:26, Rievo Niemrod Efraim via Mdaemon-L wrote:
>>> Please find the transaction log in the smtp-in log dated 2024-12-09.
>> Mon 2024-12-09 19:57:45.583: [33026709] <-- MAIL FROM: SIZE=14346
>> Mon 2024-12-09 19:57:45.682: [33026709] Performing IP lookup (ptbmi.com)
>> Mon 2024-12-09 19:57:45.712: [33026709] * D=ptbmi.com TTL=(13) A=[202.148.11.126]
>> Mon 2024-12-09 19:57:45.728: [33026709] * P=005 S=000 D=ptbmi.com TTL=(0) MX=[bb.ptbmi.com]
>> Mon 2024-12-09 19:57:45.744: [33026709] * D=bb.ptbmi.com TTL=(12) A=[202.148.25.131]
>> Mon 2024-12-09 19:57:45.744: [33026709] End IP lookup results
> MDaemon did not perform an SPF check.
> Is ptbmi.com or IP 103.146.203.235 included in the SPF exempt list?
> https://mdaemon.dutaint.com/mdaemon/24.5.0/security--spf__sender_id.html
>
> Exempt List
> Click this button to open the SPF Exception List on which you can designate IP addresses, email addresses, and domains that you wish to exempt from SPF lookups. Email addresses are compared against the SMTP envelope not the message From header. Domains are exempted by placing the word "spf" in front of the domain name. MDaemon will include that domain's SPF record in every SPF evaluation using an MDaemon specific "wlinclude:" tag. In this way you can have your backup MX provider treated as a valid SPF source for all senders.
>> but by the way, why is it coming from my email alias? Could it be that my email was hacked?

Not hacked, but a wrong exemption (bypass, exception).
If an SPF check were performed it would certainly be rejected.

https://mxtoolbox.com/SuperTool.aspx?action=spf%3aptbmi.com%3a103.146.203.235&run=toolpage
Result: SPF Failed for IP - 103.146.203.235

In short, what to look for in the exempt list is whether there are entries similar to the following
winclude:ptbmi.com
spf ptbmi.com
*@ptbmi.com
which cause the SPF check for senders @ptbmi.com to be exempted (bypassed, no check performed).
Such entries need to be deleted or given a comment tag (#) at the start of the line so that they no longer take effect.

--
syafril
---
Syafril Hermansyah
MDaemon-L Moderator, run MDaemon 24.5.2
Please do not send private mail (or cc:) about MDaemon problems.

In tough world, using strategy is how you survive. -- Jack Trout
[Mdaemon-L] Email phising
On 12/10/24 10:55, Syafril Hermansyah via Mdaemon-L wrote:

> Is ptbmi.com or IP 103.146.203.235 included in the SPF exempt list?
> https://mdaemon.dutaint.com/mdaemon/24.5.0/security--spf__sender_id.html

If you have difficulty checking it yourself, send the file \\mdaemon\app\SPFXcpt.dat to [email protected].

--
syafril
---
Syafril Hermansyah
[Mdaemon-L] Email phising
On 12/10/24 10:26, Rievo Niemrod Efraim via Mdaemon-L wrote:

>> Please find the transaction log in the smtp-in log dated 2024-12-09.
> Mon 2024-12-09 19:57:45.583: [33026709] <-- MAIL FROM: SIZE=14346
> Mon 2024-12-09 19:57:45.682: [33026709] Performing IP lookup (ptbmi.com)
> Mon 2024-12-09 19:57:45.712: [33026709] * D=ptbmi.com TTL=(13) A=[202.148.11.126]
> Mon 2024-12-09 19:57:45.728: [33026709] * P=005 S=000 D=ptbmi.com TTL=(0) MX=[bb.ptbmi.com]
> Mon 2024-12-09 19:57:45.744: [33026709] * D=bb.ptbmi.com TTL=(12) A=[202.148.25.131]
> Mon 2024-12-09 19:57:45.744: [33026709] End IP lookup results

MDaemon did not perform an SPF check.
Is ptbmi.com or IP 103.146.203.235 included in the SPF exempt list?

https://mdaemon.dutaint.com/mdaemon/24.5.0/security--spf__sender_id.html

Exempt List
Click this button to open the SPF Exception List on which you can designate IP addresses, email addresses, and domains that you wish to exempt from SPF lookups. Email addresses are compared against the SMTP envelope not the message From header. Domains are exempted by placing the word "spf" in front of the domain name. MDaemon will include that domain's SPF record in every SPF evaluation using an MDaemon specific "wlinclude:" tag. In this way you can have your backup MX provider treated as a valid SPF source for all senders.

--
syafril
---
Syafril Hermansyah
[Mdaemon-L] Email phising
> Please find the transaction log in the smtp-in log dated 2024-12-09.

Mon 2024-12-09 19:57:36.457: --
Mon 2024-12-09 19:57:44.844: [33026709] Session 33026709; child 0002
Mon 2024-12-09 19:57:44.844: [33026709] Accepting SMTP connection from 103.146.203.235:34318 to 172.16.0.6:25
Mon 2024-12-09 19:57:44.844: [33026709] Location Screen says connection is from Indonesia, Asia
Mon 2024-12-09 19:57:44.845: [33026709] --> 220 bb.ptbmi.com ESMTP MDaemon 24.5.0; Mon, 09 Dec 2024 19:57:44 +0700
Mon 2024-12-09 19:57:45.449: [33026709] <-- EHLO cfi.cloudhost.id
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-bb.ptbmi.com Hello cfi.cloudhost.id [103.146.203.235], pleased to meet you
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-ETRN
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-8BITMIME
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-ENHANCEDSTATUSCODES
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-PIPELINING
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-CHUNKING
Mon 2024-12-09 19:57:45.449: [33026709] --> 250-STARTTLS
Mon 2024-12-09 19:57:45.449: [33026709] --> 250 SIZE
Mon 2024-12-09 19:57:45.469: [33026709] <-- STARTTLS
Mon 2024-12-09 19:57:45.469: [33026709] --> 220 2.7.0 Ready to start TLS
Mon 2024-12-09 19:57:45.541: [33026709] SSL negotiation successful (TLS 1.2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256)
Mon 2024-12-09 19:57:45.562: [33026709] <-- EHLO cfi.cloudhost.id
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-bb.ptbmi.com Hello cfi.cloudhost.id [103.146.203.235], pleased to meet you
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-ETRN
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-8BITMIME
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-ENHANCEDSTATUSCODES
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-PIPELINING
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-CHUNKING
Mon 2024-12-09 19:57:45.562: [33026709] --> 250-REQUIRETLS
Mon 2024-12-09 19:57:45.562: [33026709] --> 250 SIZE
Mon 2024-12-09 19:57:45.583: [33026709] <-- MAIL FROM: SIZE=14346
Mon 2024-12-09 19:57:45.586: [33026709] Performing PTR lookup (235.203.146.103.IN-ADDR.ARPA)
Mon 2024-12-09 19:57:45.638: [33026709] * D=235.203.146.103.IN-ADDR.ARPA TTL=(60) PTR=[cfi.cloudhost.id]
Mon 2024-12-09 19:57:45.662: [33026709] * D=cfi.cloudhost.id TTL=(5) A=[103.146.203.235]
Mon 2024-12-09 19:57:45.662: [33026709] End PTR results
Mon 2024-12-09 19:57:45.663: [33026709] Performing IP lookup (cfi.cloudhost.id)
Mon 2024-12-09 19:57:45.680: [33026709] * D=cfi.cloudhost.id TTL=(5) A=[103.146.203.235]
Mon 2024-12-09 19:57:45.680: [33026709] End IP lookup results
Mon 2024-12-09 19:57:45.682: [33026709] Performing IP lookup (ptbmi.com)
Mon 2024-12-09 19:57:45.712: [33026709] * D=ptbmi.com TTL=(13) A=[202.148.11.126]
Mon 2024-12-09 19:57:45.728: [33026709] * P=005 S=000 D=ptbmi.com TTL=(0) MX=[bb.ptbmi.com]
Mon 2024-12-09 19:57:45.744: [33026709] * D=bb.ptbmi.com TTL=(12) A=[202.148.25.131]
Mon 2024-12-09 19:57:45.744: [33026709] End IP lookup results
Mon 2024-12-09 19:57:45.744: [33026709] [email protected] is an alias for [email protected]
Mon 2024-12-09 19:57:45.745: [33026709] --> 250 2.1.0 Sender OK
Mon 2024-12-09 19:57:45.745: [33026709] <-- RCPT TO:
Mon 2024-12-09 19:57:45.749: [33026709] Performing DNS-BL lookup (103.146.203.235 - connecting IP)
Mon 2024-12-09 19:57:45.997: [33026709] * b.barracudacentral.org - passed
Mon 2024-12-09 19:57:46.120: [33026709] * zen.spamhaus.org - passed
Mon 2024-12-09 19:57:46.120: [33026709] End DNS-BL results
Mon 2024-12-09 19:57:46.124: [33026709] --> 250 2.1.5 Recipient OK
Mon 2024-12-09 19:57:46.124: [33026709] <-- DATA
Mon 2024-12-09 19:57:46.125: [33026709] --> 354 Enter mail, end with .
Mon 2024-12-09 19:57:46.200: [33026709] Message size: 14649 bytes
Mon 2024-12-09 19:57:46.202: [33026709] Performing DKIM verification
Mon 2024-12-09 19:57:46.202: [33026709] * File: d:\mdaemon\queues\temp\12\md500101218.tmp
Mon 2024-12-09 19:57:46.202: [33026709] * Message-ID: <[email protected]>
Mon 2024-12-09 19:57:46.203: [33026709] * DKIM-Signature 1: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elshinta.com; s=default; ;
Mon 2024-12-09 19:57:46.203: [33026709] *Verification result: good signature
Mon 2024-12-09 19:57:46.204: [33026709] * Result: pass
Mon 2024-12-09 19:57:46.204: [33026709] End DKIM results
Mon 2024-12-09 19:57:46.204: [33026709] Performing ARC verification
Mon 2024-12-09 19:57:46.204: [33026709] * File: d:\mdaemon\queues\temp\12\md500101218.tmp
Mon 2024-12-09 19:57:46.204: [33026709] * Message-ID: <[email protected]>
Mon 2024-12-09 19:57:46.204: [33026709] * ARC result: none
Mon 2024-12-09 19:57:46.204: [33026709] End ARC results
Mon 2024-12-09 19:57:46.207: [33026709] Passing message through AntiVirus (Size: 14649)...
Mon 2024-12-09 19:57:47.227: [33026709] * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00218s))
Mon 2024-12-09 19:57:47.227: [3
[Mdaemon-L] Email phising
On 12/10/24 09:33, Rievo Niemrod Efraim via Mdaemon-L wrote:

> Please help; attached below is a spam email that arrived in our mailbox,
> and that email uses the email domain ptbmi.com
>
> Subject: Peringatan Bahwa Email Anda Akan Diblokir [Warning That Your Email Will Be Blocked]
> From: "Server Admin - ptbmi.com ([email protected])"
> Date: 12/9/24, 22:13
> To: [email protected]

Please find the transaction log in the smtp-in log dated 2024-12-09.

--
syafril
---
Syafril Hermansyah

