Blocking mail with a forged From field, or spam from yourself to yourself in Postfix

Lately there has been a surge of spam with a forged From field. If your server has no restrictions on accepting mail, this can become a problem. I normally set up restrictions with the standard smtpd_*_restrictions in postfix, but I had missed the case of a forged From; let's fix that now.


What prompted me to look into this was a huge volume of spam along these lines:

I greet you!

I have bad news for you.
06/28/2018 - on this day I hacked your operating system and got full access to your account eme@eme.ru
On that day your account (eme@eme.ru) password was: gyhbtj5pq6b

It is useless to change the password, my malware intercepts it every time.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.

I want to say - you are a big pervert. You have unbridled fantasy!

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $971 is a very small amount for my silence.
Besides, I spent a lot of time on you!

I accept money only in Bitcoins.
My BTC wallet: 15ZHnf1MPn6ybb8yUeAoCQ1AJtiKhg3NrP

You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".

I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
 This is a hacker code of honor.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don't be mad at me, everyone has their own work.
Farewell.

The gist of the letter is that someone supposedly hacked your computer and spied on you, collected something compromising from the sites you visit and through your webcam, and now threatens to publish it. The bet, as I understand it, is that the recipient has been browsing porn sites. To make it convincing, the letter includes a password taken from some public dump of leaked credentials. There are plenty of such dumps now, and the passwords may be real! One person told me he recognized the password, but it was not his mail password; he had used it on booking.com.

The letter uses a forged From address so that it looks as if it had been sent from your own account, which is supposed to prove that the threat is real. All in all, a systematic approach. Of course, it is all fake and a scam. I decided to spare my users' nerves and somehow shield them from such letters. With postfix this is very easy to do. I have already described the basic anti-spam methods in detail in a separate section of the article on setting up postfix, but this situation is not covered there. Let's fix that now.


First, let's check whether it is really possible to deliver a message with a forged From field to your mail server. To do that, connect to it over telnet and try to send a message by hand. Note that what gets forged in this session is the envelope sender given in MAIL FROM (the address that ends up in Return-Path); the message body typed after DATA carries no headers at all.

(Screenshot: checking the mail server via telnet)

The commands I typed:

telnet mx.eme.ru 25
helo yandex.ru
mail from:<zva@eme.ru>
rcpt to:<zva@eme.ru>
data
Test
.
quit

I used fake data in the helo field, introducing myself as yandex.ru, and then sent a test message. The server accepted it and delivered it to the mailbox. Here is the raw source of that message.
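The same check as the telnet session above, written with Python's smtplib so it can be repeated against your own MX after every configuration change. This is an added example, not code from the original post. It stops before DATA, so nothing is delivered even when the server accepts the forged sender. Postfix applies smtpd_sender_restrictions at RCPT TO (smtpd_delay_reject = yes by default), which is why the verdict is read from the RCPT reply. mx.eme.ru, the HELO name and the addresses are the placeholders used in the post.

```python
"""Added example (not from the original post): the manual telnet check done
with smtplib. It offers a bogus HELO and a forged envelope sender, asks for
one recipient and then RSETs, so no message is ever queued. mx.eme.ru and
the addresses are the post's placeholders; point it at your own MX."""

import smtplib
from typing import Dict


def verdict(mail_code: int, rcpt_code: int) -> str:
    """Classify the MAIL FROM / RCPT TO replies: a 5xx on either means the
    forged sender is refused, a 4xx means a temporary deferral (greylisting,
    DNS failure), anything else means the server would have taken DATA."""
    for code in (mail_code, rcpt_code):
        if code >= 500:
            return "rejected"
        if code >= 400:
            return "tempfail"
    return "accepted"


def probe(host: str, mail_from: str, rcpt_to: str, helo: str = "yandex.ru",
          port: int = 25, timeout: float = 15.0) -> Dict[str, object]:
    """Claim a bogus HELO, offer a forged envelope sender and see whether the
    server accepts a recipient for it. Returns the raw replies and a verdict;
    a connection failure is reported as 'unreachable' instead of raising."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.helo(helo)
            mail_code, mail_msg = smtp.mail(mail_from)
            if mail_code < 400:
                rcpt_code, rcpt_msg = smtp.rcpt(rcpt_to)
            else:                       # sender already refused at MAIL FROM
                rcpt_code, rcpt_msg = mail_code, mail_msg
            smtp.rset()                 # abandon the transaction; no DATA
    except (OSError, smtplib.SMTPException) as exc:
        return {"host": host, "verdict": "unreachable", "error": str(exc)}
    return {
        "host": host,
        "mail": (mail_code, mail_msg.decode(errors="replace")),
        "rcpt": (rcpt_code, rcpt_msg.decode(errors="replace")),
        "verdict": verdict(mail_code, rcpt_code),
    }


if __name__ == "__main__":
    # Before the fix described below this prints verdict "accepted";
    # afterwards RCPT TO should come back 554 5.7.1 and verdict "rejected".
    print(probe("mx.eme.ru", "zva@eme.ru", "zva@eme.ru"))
```

Run it once before and once after the change to the restrictions; the RCPT reply is the one that changes, because the sender restrictions are evaluated only when the first recipient is offered.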

(Screenshot: raw source of the message with the forged From field)

Note that the anti-spam in use is Kaspersky Security 8.0 for Linux Mail Server, but it has a whitelist for addresses of our own domain. So the anti-spam keys its exemption on the very From field that is forged and does not protect users from such messages. A whitelist keyed on the sender address is exactly what this forgery exploits; an exemption for your own domain should be tied to the connecting network or an authenticated session, not to the address.

To refuse mail from foreign mail servers that put our domain in the sender address, add one more check to the smtpd_sender_restrictions section like this:

smtpd_sender_restrictions =	permit_mynetworks,
				permit_sasl_authenticated,
				reject_authenticated_sender_login_mismatch,
				reject_unknown_sender_domain,
				reject_non_fqdn_sender,
				reject_unlisted_sender,
				reject_unauth_destination,
				check_sender_access hash:/etc/postfix/sender_access

I appended one more restriction at the very end of the existing list. The order matters: permit_mynetworks and permit_sasl_authenticated come first, so our own networks and authenticated users are let through before the new check is reached; with the check placed above them our own users could not send mail either. Now create the sender_access file named there with the following content.

# mcedit /etc/postfix/sender_access
eme.ru REJECT You are not eme.ru
# postmap /etc/postfix/sender_access

Anyone who tries to send us mail with our server's domain as the sender gets an error saying that you are not us :) One caveat: the rule also rejects legitimate mail that arrives from outside with our domain in MAIL FROM, for example from users who send through another provider's SMTP with their eme.ru address, or from a third-party service that sends on our behalf; such hosts (the same ones you would list in SPF) need a check_client_access entry with OK ahead of this check. Re-read the postfix configuration:

# postfix reload
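A small model of what the table above actually matches, as an added example that is not part of the original post. It follows the lookup order from access(5) for check_sender_access (user@domain, then the domain and its parent domains, since smtpd_access_maps is in parent_domain_matches_subdomains by default, then user@) and the order of the restriction list above, reduced to the entries that matter here. It reproduces the 554 reply and shows what the table does not catch: mail from mynetworks or authenticated clients (allowed on purpose), a bounce with an empty sender, and a forged From: header behind a different envelope sender, which check_sender_access never sees. All IPs, addresses and the sample message are constructed.

```python
"""Added example (not from the original post): a model of check_sender_access
lookups against the one-line sender_access table from the post, plus the
restriction order shown above. Lookup order per access(5). Addresses, IPs
and the sample message are constructed."""

import re
from typing import Dict, List, Optional, Tuple

# /etc/postfix/sender_access from the post, as postmap would store it.
SENDER_ACCESS: Dict[str, str] = {"eme.ru": "REJECT You are not eme.ru"}

NULL_SENDER_KEY = "<>"          # smtpd_null_access_lookup_key default
OWN_DOMAINS = {"eme.ru"}


def lookup_keys(sender: str) -> List[str]:
    """Keys Postfix tries, in order, for a check_sender_access lookup."""
    sender = sender.strip("<>")
    if not sender:                      # bounces have an empty MAIL FROM
        return [NULL_SENDER_KEY]
    if "@" not in sender:
        return [sender]
    user, domain = sender.rsplit("@", 1)
    domain = domain.lower()
    labels = domain.split(".")
    keys = [f"{user}@{domain}"]
    # 'eme.ru' also matches 'x@mail.eme.ru': walk from the domain up to the TLD.
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{user}@")
    return keys


def check_sender_access(sender: str, table: Dict[str, str]) -> Tuple[str, str]:
    """First matching table entry as (ACTION, text); DUNNO when nothing matches."""
    for key in lookup_keys(sender):
        if key in table:
            action, _, text = table[key].partition(" ")
            return action.upper(), text
    return "DUNNO", ""


def smtpd_sender_restrictions(client_ip: str, sasl_authenticated: bool,
                              sender: str, table: Dict[str, str],
                              mynetworks=("127.0.0.1",)) -> str:
    """The restriction list from the post reduced to permit_mynetworks,
    permit_sasl_authenticated and check_sender_access; the reject_* entries
    in between are omitted. Returns the reply text on reject, otherwise the
    name of the rule that decided."""
    if client_ip in mynetworks:
        return "permit_mynetworks"
    if sasl_authenticated:
        return "permit_sasl_authenticated"
    action, text = check_sender_access(sender, table)
    if action == "REJECT":              # access_map_reject_code default 554
        return f"554 5.7.1 <{sender}>: Sender address rejected: {text}"
    if action == "OK":
        return "check_sender_access OK"
    return "DUNNO"


FROM_HEADER = re.compile(r"^From:[^\n]*?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)",
                         re.M | re.I)


def forged_header_from(message: str, own_domains) -> Optional[str]:
    """Domain of the From: header if it claims one of our domains, else None.
    This is the header the user sees, and the gap check_sender_access leaves:
    a spammer can put any address in MAIL FROM and still forge From:."""
    headers = message.split("\n\n", 1)[0]
    m = FROM_HEADER.search(headers)
    if not m:
        return None
    domain = m.group(1).rsplit("@", 1)[1].lower()
    for own in own_domains:
        if domain == own or domain.endswith("." + own):
            return domain
    return None


# Constructed message: envelope sender elsewhere, From: header forged.
MSG_FORGED_HEADER = (
    "Received: from unknown (unknown [203.0.113.77])\n"
    "From: Mail Admin <zva@eme.ru>\n"
    "To: zva@eme.ru\n"
    "Subject: Your personal data has leaked\n"
    "\n"
    "Hi there! I am a professional hacker...\n"
)

if __name__ == "__main__":
    print(smtpd_sender_restrictions("203.0.113.5", False, "zva@eme.ru", SENDER_ACCESS))
    print(smtpd_sender_restrictions("203.0.113.5", False, "spammer@example.net", SENDER_ACCESS))
    print(forged_header_from(MSG_FORGED_HEADER, OWN_DOMAINS))
```

The second print shows the envelope check returning DUNNO for the constructed message even though its From: header claims eme.ru; only the separate header check notices it.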

Now let's try once more to send a message over telnet with a sender from our domain.

(Screenshot: forged From rejected)

The server replied with a 554 error. The mail server log shows the following line:

Nov  7 17:59:45 ememail postfix/smtpd[17430]: NOQUEUE: reject: RCPT from broadband: 554 5.7.1 <zva@eme.ru>: Sender address rejected: You are not eme.ru; from=<zva@eme.ru> to=<zva@eme.ru> proto=SMTP helo=yandex.ru

That's it: no outside sender can use our domain as the envelope sender any more (the reject is logged at RCPT rather than MAIL because smtpd_delay_reject is on by default). Two caveats. First, check_sender_access matches the envelope sender from MAIL FROM, the address that shows up in Return-Path, and never the From: header inside the message that the user actually sees; a spammer who puts some other address in MAIL FROM and forges only the From: header still passes this check, and the comment below shows precisely such a message. Catching that needs a check on the header itself, for instance a header check on From:, or SPF/DKIM/DMARC evaluation that enforces alignment. Second, it is strange that this is possible at all: SMTP as such has no sender authentication, SPF, DKIM and DMARC were bolted on afterwards to compensate, and they only help when the receiving side actually enforces them, which is why checks like this one still have to be set up by hand.
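A parser for the reject lines smtpd writes once the table is active, run over a few sample lines, as an added example that is not part of the original post. The first line is the one quoted above; the others are constructed to show a repeat offender and an unrelated sender reject. It separates rejects whose envelope sender claims our own domain from other sender rejects and tallies the former per connecting client and HELO, which is what you would feed to a firewall block list or a fail2ban filter.

```python
"""Added example (not from the original post): parse Postfix smtpd
'NOQUEUE: reject ... Sender address rejected' lines and tally forged
own-domain senders per client and HELO. The first log line is the one
quoted in the post; the rest are constructed."""

import re
from collections import Counter
from typing import Dict, Iterable, List

REJECT_LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <[^>]*>: Sender address rejected: "
    r"(?P<reason>[^;]*); from=<(?P<mailfrom>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=\S+ helo=<?(?P<helo>[^>\s]+)>?"     # helo=<x> or helo=x
)

SAMPLE_LOG = """\
Nov  7 17:59:45 ememail postfix/smtpd[17430]: NOQUEUE: reject: RCPT from broadband: 554 5.7.1 <zva@eme.ru>: Sender address rejected: You are not eme.ru; from=<zva@eme.ru> to=<zva@eme.ru> proto=SMTP helo=yandex.ru
Nov  7 18:02:10 ememail postfix/smtpd[17430]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <ivanov@eme.ru>: Sender address rejected: You are not eme.ru; from=<ivanov@eme.ru> to=<ivanov@eme.ru> proto=ESMTP helo=<mail.ru>
Nov  7 18:02:11 ememail postfix/smtpd[17430]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <petrov@eme.ru>: Sender address rejected: You are not eme.ru; from=<petrov@eme.ru> to=<petrov@eme.ru> proto=ESMTP helo=<mail.ru>
Nov  7 18:03:40 ememail postfix/smtpd[17512]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.1.8 <noreply@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<noreply@no-such-domain.invalid> to=<zva@eme.ru> proto=ESMTP helo=<example.org>
Nov  7 18:04:01 ememail postfix/smtpd[17512]: connect from unknown[198.51.100.9]
"""


def parse_rejects(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per sender-reject line; everything else is skipped."""
    events = []
    for line in lines:
        m = REJECT_LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def client_ip(client: str) -> str:
    """'unknown[203.0.113.5]' -> '203.0.113.5'; Postfix logs the IP in brackets.
    Returns the client string unchanged when no bracketed IP is present."""
    m = re.search(r"\[([^\]]+)\]", client)
    return m.group(1) if m else client


def sender_domain(addr: str) -> str:
    """Domain part of an envelope address, '' for the null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def forged_sender_report(lines: Iterable[str], own_domains) -> Dict[str, object]:
    """Tally rejects whose envelope sender claims one of our domains
    (or a subdomain), separately from other sender rejects."""
    own = {d.lower() for d in own_domains}
    by_client: Counter = Counter()
    by_helo: Counter = Counter()
    forged = other = 0
    for ev in parse_rejects(lines):
        dom = sender_domain(ev["mailfrom"])
        if dom in own or any(dom.endswith("." + d) for d in own):
            forged += 1
            by_client[client_ip(ev["client"])] += 1
            by_helo[ev["helo"]] += 1
        else:
            other += 1
    return {"forged_total": forged, "other_rejects": other,
            "by_client": dict(by_client), "by_helo": dict(by_helo)}


if __name__ == "__main__":
    print(forged_sender_report(SAMPLE_LOG.splitlines(), {"eme.ru"}))
```

On a live server replace SAMPLE_LOG with the lines of /var/log/maillog (or wherever syslog puts the mail facility); the by_client counts are the ones worth acting on, since the HELO name is chosen by the sender and proves nothing.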

One thought on “Blocking mail with a forged From field, or spam from yourself to yourself in Postfix”

  • 15.12.2022 at 17:21
    Permalink

    "will be able to use our domain in the From field"
    here is an example:
    Return-Path:
    Delivered-To: mymail.adress@mydomain.com
    Received: from hostname.mydomain.com
    by hostname.mydomain.com (Dovecot) with LMTP id NphtINs/l2O/dAAADoV8fQ
    for ; Mon, 12 Dec 2022 19:51:07 +0500
    Received: from localhost (localhost [127.0.0.1])
    by hostname.mydomain.com (Postfix) with ESMTP id 7A585E81DAA
    for ; Mon, 12 Dec 2022 19:51:07 +0500 (+05)
    Authentication-Results: hostname.mydomain.com (amavisd-new);
    dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
    header.d=mydomain.com
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com; h=
    x-mailer:content-type:content-type:mime-version:date:date
    :subject:subject:from:from:message-id; s=default; t=1670856667;
    x=1672671068; bh=xJEb51e+30fCSgJn7WpoK7SJkEXPNFibA+jsgFWNSp0=; b=
    MdUEN5g930vxMLbPBeVgy8tC1ySSer6YL9JqMf8lMmE4iZ4rcOXpRjly00E1X2bu
    ieVWnHJQrUT22ONtNASpvxaTYjFDmqW8By6ZWPW+lu3Q8U1xwrUE72yqMoBas3q1
    0+QG1SBsJsvGXa4VoArMddkL0aoQ9bzf2EbDN7VVxV7ZrCeIdwHSpsGEtSiR/wjb
    XKG6C82p4K096Y72uHffugrxufdcNFkz9B/bc9jODAeL0dy1vMTUToAqkegSp2QU
    ZDicHQ27jXaXluYTcYRYEAwHySMRc1Mt2+RxeiIsU3PcXFBiUq7KLM4dhKoMMioK
    FNW60QAhGRWyfuaR8v8i9g==
    X-Virus-Scanned: Debian amavisd-new at hostname.mydomain.com
    Received: from hostname.mydomain.com ([127.0.0.1])
    by localhost (hostname.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id JGG5s_AsFHY5 for ;
    Mon, 12 Dec 2022 19:51:07 +0500 (+05)
    Received: from 190.111.165.235.enettelecom.net.br (190.111.165.235.enettelecom.net.br [190.111.165.235])
    by hostname.mydomain.com (Postfix) with ESMTP id 22205E81CE9
    for ; Mon, 12 Dec 2022 19:50:55 +0500 (+05)
    Message-ID:
    From:
    To:
    Subject: Your personal data has leaked due to suspected harmful activities.
    Date: 12 Dec 2022 07:44:46 -0400
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="———7047520510053825"
    X-Mailer: Ydiblhe uulqfwo 5.9

    This is a multi-part message in MIME format.
    ————7047520510053825
    Content-Type: text/plain; charset="iso-8859-3"
    Content-Transfer-Encoding: quoted-printable

    Hi there!I am a professional hacker and have successfully managed to =
    hack your operating system.Currently I have gained full access to your =
    account. In addition, I was secretly monitoring all your activities and =
    watching you for several months. The thing is your computer was infected =
    with harmful spyware due to the fact that you had visited a website with =
    porn content previously. ╭ ᑎ ╮Let me explain to you =
    what that entails. Thanks to Trojan viruses, I can gain complete access =
    to your computer or any other device that you own.It means that I can =
    see absolutely everything in your screen and switch on the camera as =
    well as microphone at any point of time without your permission. In =
    addition, I can also access and see your confidential information as =
    well as your emails and chat messages.You may be wondering why your =
    antivirus cannot detect my malicious software. Let me break it down for =
    you: I am using harmful software that is driver-based, which refreshes =
    its signatures on 4-hourly basis, hence your antivirus is unable to =
    detect it presence.I have made a video compilation, which shows on the =
    left side the scenes of you happily masturbating, while on the right =
    side it demonstrates the video you were watching at that =
    moment..ᵔ.ᵔAll I need is just to share this video to all =
    email addresses and messenger contacts of people you are in =
    communication with on your device or PC. Furthermore, I can also make =
    public all your emails and chat history.I believe you would definitely =
    want to avoid this from happening. Here is what you need to do — =
    transfer the Bitcoin equivalent of 1250 USD to my Bitcoin account (that =
    is rather a simple process, which you can check out online in case if =
    you don’t know how to do that).Below is my bitcoin account information =
    (Bitcoin wallet): 1FmKjxWybWDuoD17pKvKaVH81gb5HGBpyPOnce the required =
    amount is transferred to my account, I will proceed with deleting all =
    those videos and disappear from your life once and for all. Kindly =
    ensure you complete the abovementioned transfer within 50 hours (2 days =
    +). I will receive a notification right after you open this email, hence =
    the countdown will start.Trust me, I am very careful, calculative and =
    never make mistakes.If I discover that you shared this message with =
    others, I will straight away proceed with making your private videos =
    public.Good luck!
    ————7047520510053825
    Content-Type: text/html; charset="iso-8859-3"
    Content-Transfer-Encoding: quoted-printable

    Hi there!

    I am a professional hacker and have successfully managed to hack your =
    operating system.
    Currently I have gained full access to your account.

    In addition, I was secretly monitoring all your activities and watching =
    you for several months.
    The thing is your computer was infected with harmful spyware due to the =
    fact that you had visited a website with porn content previously. =
    ╭ ᑎ ╮

    Let me explain to you what that entails. Thanks to Trojan viruses, I can =
    gain complete access to your computer or any other device that you =
    own.
    It means that I can see absolutely everything in your screen and switch =
    on the camera as well as microphone at any point of time without your =
    permission.
    In addition, I can also access and see your confidential information as =
    well as your emails and chat messages.

    You may be wondering why your antivirus cannot detect my malicious =
    software.
    Let me break it down for you: I am using harmful software that is =
    driver-based,
    which refreshes its signatures on 4-hourly basis, hence your antivirus =
    is unable to detect it presence.

    I have made a video compilation, which shows on the left side the scenes =
    of you happily masturbating,
    while on the right side it demonstrates the video you were watching at =
    that moment..ᵔ.ᵔ

    All I need is just to share this video to all email addresses and =
    messenger contacts of people you are in communication with on your =
    device or PC.
    Furthermore, I can also make public all your emails and chat =
    history.

    I believe you would definitely want to avoid this from happening.
    Here is what you need to do — transfer the Bitcoin equivalent of 1250 =
    USD to my Bitcoin account
    (that is rather a simple process, which you can check out online in case =
    if you don’t know how to do that).

    Below is my bitcoin account information (Bitcoin wallet): =
    1FmKjxWybWDuoD17pKvKaVH81gb5HGBpyP

    Once the required amount is transferred to my account, I will proceed =
    with deleting all those videos and disappear from your life once and for =
    all.
    Kindly ensure you complete the abovementioned transfer within 50 hours =
    (2 days +).
    I will receive a notification right after you open this email, hence the =
    countdown will start.

    Trust me, I am very careful, calculative and never make mistakes.
    If I discover that you shared this message with others, I will straight =
    away proceed with making your private videos public.

    Good luck!
    ————7047520510053825—

    Reply
