How to stop scammer faking from email address?

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 09:51

For quite a time I have noticed scum emails claiming they stole passwords.
I tried various configurations to stop such emails but so far have failed.

I think I found out the reason hMail server lets such email pass through, but I cannot find a way to stop it.
Here is what I get.

Issue:

- I have set it so that mail from a local address to a local address may be sent only over authenticated connections. Actually it is set to require authentication for all SMTP sessions using a local address as sender. Authentication is not required for mail from an external address only when the recipient is a local address.

- Mail containing a local email address in From: still passes through without authentication

- The password is, of course, not compromised

- The mail content is an image, so I cannot catch suspicious text phrases

What happens:

The spammer connects to hMail server and uses an external mail address during SMTP. Example:

Code:

"SMTPD"	3924	153824	"2019-06-17 07:15:57.954"	"89.107.226.227"	"RECEIVED: MAIL FROM:<postmaster@bay-t.com.tr> SIZE=237324"
hMail server recognizes this as an external address, allows the connection and receives the email without requiring authentication.

However, the email itself contains a From: field set to a local email address.

The person that receives the email is confused how they received email from themselves. That is when the panic questions start.

This is a classic example of a faked From: which has to be handled.

Here is an example of the header from such a spam message (note that some information is altered for privacy reasons). The only suspicious content I could catch on is the invalid HELO, but I decided to keep it below the SPAM threshold as, often, wrong HELO content does not mean the email is evil.

Code:

-----
From - Mon Jun 17 08:26:47 2019
X-Account-Key: account1
X-UIDL: 79841
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: postmaster@bay-t.com.tr
Received: from WIN-OI0Q27COD8G.home (ns1.bay-t.com.tr [89.107.226.227]) by mail.uzxxx.net
 with ESMTP ; Mon, 17 Jun 2019 07:15:59 +0200
Received: from [] ([168.196.13.2]) by home with MailEnable ESMTP; Mon, 17 Jun 2019 08:09:01
 +0300
X-aid: 5175934663
Message-ID: <CEAE9-7D6760-6D@www884.bay-t.com.tr>
Abuse-Reports-To: <abuse@mailer.bay-t.com.tr>
Date: Mon, 17 Jun 2019 07:09:07 +0200
Subject: [SPAM] Your account is hacked
X-Complaints-To: abuse@mailer.bay-t.com.tr
X-Mailer: ColdFusion 11 Application Server
List-Help:  <http://www.bay-t.com.tr/lists/?p=preferences&uid=oyw4bsesa2i94044d3st3ab1qqubyosr>
Content-Type: multipart/related; boundary="ivnpndb-78CDBC64757F486A9"
MIME-Version: 1.0
X-CSA-Complaints: whitelist-complaints@bay-t.com.tr
X-Sender: postmaster@bay-t.com.tr
To: sam@uzxxx.net
From: <sam@uzxxx.net>
List-Unsubscribe:  <mailto:z-lko_xgzbgrmoo_xktema_hgwbdjnjl_q@bounce.bay-t.com.tr?subject=Unsubscribe>
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 3)
X-hMailServer-Reason-Score: 3

This is a multi-part message in MIME format

----
Any suggestion on how to handle this is welcome.

Dravion
Senior user
Posts: 1330
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: How to stop scammer faking from email address?

Post by Dravion » 2019-06-17 10:16

This wannabe hacker sends dozens of emails with an ages-old Adobe ColdFusion batch mailer (see the X-Mailer field in the header) because he is too dumb to use something modern like PHPMailer. Also, SpamAssassin already identified it as spam, so you should have a valid pointer to stop this idiot.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 11:01

This is just one example.
Various spam of the same sort come in.

The common issue is that they manage to fool hMail server into not recognizing the faked sender email.

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to stop scammer faking from email address?

Post by SorenR » 2019-06-17 11:51

Pedja wrote (2019-06-17 11:01):
This is just one example.
Various spam of the same sort come in.

The common issue is that they manage to fool hMail server into not recognizing the faked sender email.
It's not hMailServer's job to detect those mails, it's yours, by managing your SPAM rules properly. If you take a good look at hMailServer, it can only do DNS lookups and relate to deviations from RFC. The DNS lookups are only as good as the source, and by looking at your example I see hMailServer already found a deviation from RFC (The host name specified in HELO does not match IP address).

For comprehensive SPAM fighting you need to install SpamAssassin and train it accordingly, like the rest of us. We have posted gigabytes of information, advice and scripts in these forums to get you going towards a SPAM-free life. Start reading!

You still have a lot to learn in the world of email. The first rule is: Don't shoot the messenger!
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 13:47

I see no reason for such harsh comment.

I explained the problem I have and asked for help. I did not bash anyone.

I expected to get some help, not rude comments.

I have some experience handling mail servers (the first one I set up in 1991) and tried to be as specific as possible about the issue.

I do not see why I am wrong expecting hMail server to handle issues with authentication. That is what it controls.

You suggest using SpamAssassin for that. I am not sure it can do it. I think it gets involved in the process too late. But I am open to that idea, if you are willing to be more specific in explaining how you think I should use SpamAssassin to handle this.

However, I did get something that is promising. There is a half-documented setting in the .ini: AddXAuthUserHeader. If AddXAuthUserHeader is set to 1, hMailServer will add an X-AuthUser header containing the username to messages received using SMTP, if the user has authenticated.

After I set that, I indeed got the X-AuthUser header filled in received mail from users that are actually authenticated. Having that, I can match it with the local domain within From: and get a pretty good guess whether the address is faked. Exactly what I was looking for. Now I can get to finding out how to make a script to do that.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 14:28

I also found out that in scripting the Message object has the property FromAddress, which returns the address that the sender gave in the MAIL FROM SMTP command, the one used to trick hMail server into accepting the email. It could be used too.

SorenR
Senior user
Posts: 3137
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to stop scammer faking from email address?

Post by SorenR » 2019-06-17 14:56

Pedja wrote (2019-06-17 13:47):
I see no reason for such harsh comment.

I explained the problem I have and asked for help. I did not bash anyone.

I expected to get some help, not rude comments.

I have some experience handling mail servers (the first one I set up in 1991) and tried to be as specific as possible about the issue.

I do not see why I am wrong expecting hMail server to handle issues with authentication. That is what it controls.

You suggest using SpamAssassin for that. I am not sure it can do it. I think it gets involved in the process too late. But I am open to that idea, if you are willing to be more specific in explaining how you think I should use SpamAssassin to handle this.

However, I did get something that is promising. There is a half-documented setting in the .ini: AddXAuthUserHeader. If AddXAuthUserHeader is set to 1, hMailServer will add an X-AuthUser header containing the username to messages received using SMTP, if the user has authenticated.

After I set that, I indeed got the X-AuthUser header filled in received mail from users that are actually authenticated. Having that, I can match it with the local domain within From: and get a pretty good guess whether the address is faked. Exactly what I was looking for. Now I can get to finding out how to make a script to do that.
You have not provided proof that your server was compromised, you have only shown that someone is threatening you... I get the same type of mails, several each day. It's a well known scam primarily targeting non-technical staff.

First rule if compromised is to pull the plug and find out when and where. If not compromised then set up a rule to discard messages and move on with life.

Perhaps you should take a read here... https://www.hmailserver.com/forum/viewt ... 41#p209541

And SpamAssassin ... You simply cannot install it fast enough!
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 15:14

SorenR wrote (2019-06-17 14:56):
You have not provided proof that your server was compromised, you have only shown that someone is threatening you...
You missed the point. I do not have to. I already found out exactly what is happening and described it.
I am not looking for a way to find out if the account is compromised. I know it is not. I am looking for a way to set hMail to efficiently recognize a faked From in emails and discard such messages.
SorenR wrote (2019-06-17 14:56):
It's a well known scam primarily targeting non-technical staff.
Again, you missed the point. It does not matter. I want such email discarded so those who are technically aware are not bothered and those who are not are not scared. Simply, I want such messages to go to nil and not reach the end user's mailbox.
SorenR wrote (2019-06-17 14:56):
First rule if compromised is to pull the plug and find out when and where. If not compromised then set up a rule to discard messages and move on with life.
The second First rule? :)

I guess it is obvious I am well past that point. I know what happens and seek help to resolve it.
SorenR wrote (2019-06-17 14:56):
And SpamAssassin ... You simply cannot install it fast enough!
I do not see what the speed of SpamAssassin installation has to do with all this. I expected you to elaborate on your suggestion that I should use it to resolve this issue. You are just repeating the claim that I have to use SpamAssassin but give no explanation of how to use it for this specific problem.
SorenR wrote (2019-06-17 14:56):
Perhaps you should take a read here... https://www.hmailserver.com/forum/viewt ... 41#p209541
Before I asked the question I did my homework, including finding and reading that thread. It is good and very informative, but it does not cover the issue I have, so I started this thread.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 15:18

I managed to create a simple script that adds some headers to the message, allowing SpamAssassin or even a simple message filter to deal with messages that have a fake address in the From field. Not extensively tested. I did send a fake email to the server and it was detected properly.

Now I have to wait to see if real fake emails are detected too.

Code:

Sub OnAcceptMessage(oClient, oMessage)
    Dim varDomain
    varDomain = "uzxxx.net"  ' local domain to check for fake senders

    ' FromAddress is the SMTP envelope sender (MAIL FROM); From is the From: header.
    ' Match "@" & domain case-insensitively so a display name, or another domain that
    ' merely contains the string, does not count as local.
    If InStr(1, oMessage.FromAddress, "@" & varDomain, vbTextCompare) = 0 Then
        ' Envelope sender is external: record it for SpamAssassin / message filters
        oMessage.HeaderValue("X-ExternalFromAddress") = oMessage.FromAddress
        EventLog.Write("X-ExternalFromAddress Header Added")
        If InStr(1, oMessage.From, "@" & varDomain, vbTextCompare) > 0 Then
            ' From: header claims the local domain although the envelope sender is external
            oMessage.HeaderValue("X-FakedFromAddress") = oMessage.From
            EventLog.Write("Fake From address attempted. X-FakedFromAddress Header Added")
        End If
        oMessage.Save
    End If
End Sub

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to stop scammer faking from email address?

Post by mattg » 2019-06-17 16:12

This is what I do.
It checks all local domains and domain names (aliases).

Code:

' Event name and the oApp setup are not shown in the original post; they are
' the usual hMailServer scripting boilerplate around the posted body.
Sub OnAcceptMessage(oClient, oMessage)
    Dim oApp, i, j, local
    Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate("Administrator", "<admin password>")  ' needed to read the domain list
    local = 0

    ' An authenticated session may only use its own account as envelope sender (MAIL FROM)
    If oClient.Username <> "" Then
        If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
            Result.Message = "You are only allowed to send from your own account"
            Result.Value = 2
            Exit Sub
        End If
    End If

    ' Is the envelope sender in one of our domains or domain aliases?
    For i = 1 To oApp.Domains.Count
        If (InStr(1, oMessage.FromAddress, "@" & oApp.Domains.Item(i-1).Name, 1) > 0) Then ' Local user.
            local = local + 1
            Exit For
        End If
        For j = 1 To oApp.Domains.Item(i-1).DomainAliases.Count
            If (InStr(1, oMessage.FromAddress, "@" & oApp.Domains.Item(i-1).DomainAliases.Item(j-1).AliasName, 1) > 0) Then ' Local user.
                local = local + 1
                Exit For
            End If
        Next 'j
    Next 'i

    ' Local envelope sender without authentication: refuse the message
    If local > 0 Then
        If (oClient.Username = "") Then 'Not Authenticated
            Result.Value = 2
            Result.Message = "You must be authenticated to send from local domain."
            Exit Sub
        End If
    End If
End Sub

What you haven't worked out is that hMailServer doesn't use the message FROM header to assess whether the sender is local or external; it uses the SMTP envelope FROM.

I also force AUTH for local senders, and ensure that the AUTH user matches the message FROM (the first part of the code).
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
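As an added example (not code from this thread, from hMailServer, or from any of the posters), the two rules discussed above modelled in plain Python so they can be run offline: mattg's rule that an authenticated client may only use its own account as MAIL FROM and that a MAIL FROM in a local domain needs authentication, and Pedja's rule that a From: header in a local domain, while MAIL FROM is external and no X-AuthUser is present, marks a spoof. The domain "uzxxx.net" and the Return-Path/From values are taken from the header pasted in the first post; the alias "mail.uzxxx.net", the second sample message and the function names are constructed for the example. Unlike the InStr substring checks in the scripts, it compares the domain part exactly, so an address like user@uzxxx.net.example.com is not treated as local.

```python
# Added example, not code from this thread or from hMailServer. It models the
# sender checks discussed in the posts above in plain Python:
#  - mattg's rule: an authenticated client may only use its own account as
#    MAIL FROM, and a MAIL FROM in a local domain requires authentication;
#  - Pedja's rule: a From: header in a local domain while MAIL FROM is
#    external and nobody authenticated (X-AuthUser absent) marks a spoof.
# "uzxxx.net" and the Return-Path/From values come from the first post; the
# alias, the second sample and all function names are constructed here.
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"uzxxx.net"}          # hMailServer Domains (from the thread)
DOMAIN_ALIASES = {"mail.uzxxx.net"}    # hypothetical DomainAliases entry (assumption)


def address_of(value):
    """Bare lower-cased address from a header value such as 'Sam <sam@x.net>'."""
    return parseaddr(value)[1].lower()


def domain_of(value):
    """Domain part of the address, '' if the value carries no usable address."""
    addr = address_of(value)
    return addr.rpartition("@")[2] if "@" in addr else ""


def is_local(value):
    """Exact match on the domain part. A substring test such as
    InStr(addr, "uzxxx.net") would also accept user@uzxxx.net.example.com."""
    return domain_of(value) in (LOCAL_DOMAINS | DOMAIN_ALIASES)


def check_sender(envelope_from, header_from, auth_user=""):
    """envelope_from: SMTP MAIL FROM (Message.FromAddress in hMailServer)
    header_from:   the From: header (Message.From)
    auth_user:     Client.Username or the X-AuthUser header; "" = not authenticated
    Returns (verdict, reason) with verdict 'accept' or 'reject'."""
    if auth_user:
        if address_of(envelope_from) != auth_user.lower():
            return "reject", "authenticated user does not match MAIL FROM"
        if address_of(header_from) != auth_user.lower():
            return "reject", "authenticated user does not match From: header"
        return "accept", "authenticated sender consistent"
    if is_local(envelope_from):
        return "reject", "MAIL FROM in a local domain requires authentication"
    if is_local(header_from):
        return "reject", "From: claims a local address but MAIL FROM is external"
    return "accept", "external sender"


def check_message(raw_message):
    """Post-reception variant using headers only: Return-Path stands in for
    MAIL FROM and X-AuthUser (AddXAuthUserHeader=1) for the authenticated user."""
    msg = message_from_string(raw_message)
    return check_sender(msg.get("Return-Path", ""), msg.get("From", ""),
                        msg.get("X-AuthUser", ""))


# Constructed from the headers pasted in the first post, trimmed to the
# fields the check needs.
SPOOF_SAMPLE = """\
Return-Path: postmaster@bay-t.com.tr
Received: from WIN-OI0Q27COD8G.home (ns1.bay-t.com.tr [89.107.226.227]) by mail.uzxxx.net
 with ESMTP ; Mon, 17 Jun 2019 07:15:59 +0200
Subject: [SPAM] Your account is hacked
To: sam@uzxxx.net
From: <sam@uzxxx.net>

This is a multi-part message in MIME format
"""

# Constructed: the same user sending through an authenticated session.
LEGIT_SAMPLE = """\
Return-Path: sam@uzxxx.net
X-AuthUser: sam@uzxxx.net
To: someone@example.org
From: Sam <sam@uzxxx.net>

Hello
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_message(raw))
```

The header-based variant is only as trustworthy as the headers: inside an event script, oClient.Username is the authoritative source for the authenticated user, so prefer it over a header unless you have confirmed that the server removes any client-supplied X-AuthUser on unauthenticated sessions. The authenticated branch is stricter than mattg's script in that it also requires the From: header to match the account, which accounts that send under an alias would trip over.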

palinka
Senior user
Posts: 827
Joined: 2017-09-12 17:57

Re: How to stop scammer faking from email address?

Post by palinka » 2019-06-17 18:24

Pedja wrote (2019-06-17 15:14):
SorenR wrote (2019-06-17 14:56):
And SpamAssassin ... You simply cannot install it fast enough!
I do not see what the speed of SpamAssassin installation has to do with all this. I expected you to elaborate on your suggestion that I should use it to resolve this issue. You are just repeating the claim that I have to use SpamAssassin but give no explanation of how to use it for this specific problem.
SorenR wrote (2019-06-17 14:56):
Perhaps you should take a read here... https://www.hmailserver.com/forum/viewt ... 41#p209541
Before I asked the question I did my homework, including finding and reading that thread. It is good and very informative, but it does not cover the issue I have, so I started this thread.
The reason spamassassin was suggested is because it is VERY GOOD at picking up messages like the one you described. You can decide how to handle the message after spamassassin scores it: pass to inbox with subject modified, pass to spam folder, delete, whatever you want.

Also, the link Soren provided contains a function that checks spamhaus for known spammer IPs and rejects the connection outright. When I turned this function on, 90% of messages similar to yours simply vanished. It works great and to date I have not received a single false positive complaint. For the few messages that make it past filters like the spamhaus one, spamassassin handles the rest easily. And if you train spamassassin, the whole thing works like magic.

Here is another excellent tutorial provided by Soren on how to train spamassassin. https://hmailserver.com/forum/viewtopic ... 20&t=26866

I agree with Soren. RUN, don't walk to install spamassassin. I promise you will not regret that decision.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 18:59

mattg wrote (2019-06-17 16:12):
This is what I do
Checks all local domains and domain names (aliases)
Great! This is even more elaborate code. I do not need to handle multiple domains and aliases. I had thought to add support for that, but I found out that things tend to get complicated: aliases, aliases of aliases... account aliases... As I did not need that, I opted for the simplest solution.

Thanks for the code!
mattg wrote (2019-06-17 16:12):
What you haven't worked out is that hMailserver doesn't use the message FROM header to access whether local or external, it uses the SMTP envelope FROM.
Actually I did, and that is the source of the problem: hMail server handles the SMTP envelope FROM and neglects the message From, which is what is actually used for faking the sender. Both your and my scripts handle that. I still do think this should be built-in functionality, but it works this way too.
mattg wrote (2019-06-17 16:12):
I also force AUTH for local sender, and ensure that the AUTH user matches the message FROM (the first part of the code)
Just checking if the sender is within the same domain was OK for my needs. I do not need to control local users that way. Scammers are the problem and this handles them quite well.

Pedja
Normal user
Posts: 32
Joined: 2010-10-30 05:39
Location: Serbia

Re: How to stop scammer faking from email address?

Post by Pedja » 2019-06-17 19:10

palinka wrote (2019-06-17 18:24):
The reason spamassassin was suggested is because it is VERY GOOD at picking up messages like the one you described. You can decide how to handle the message after spamassassin scores it: pass to inbox with subject modified, pass to spam folder, delete, whatever you want.
I think SpamAssassin is invoked too late to handle the SMTP envelope FROM. If it is not, I would like to hear how that can be handled.
palinka wrote (2019-06-17 18:24):
Also, the link Soren provided contains a function that checks spamhaus for known spammer IPs and rejects the connection outright. When I turned this function on, 90% of messages similar to yours simply vanished.
Exactly. I do have 90% of spam handled. I handle lots of them even at router level so they do not even reach the mail server.

But those nasty sender-faking bastards occasionally come through, so I wanted to fix them. Faking the sender can be done easily by anyone, not just well-known spammers. This handles them all without consulting any external source. I like it that way.
palinka wrote (2019-06-17 18:24):
I agree with Soren. RUN, don't walk to install spamassassin. I promise you will not regret that decision.
I do know how to use SpamAssassin.

palinka
Senior user
Posts: 827
Joined: 2017-09-12 17:57

Re: How to stop scammer faking from email address?

Post by palinka » 2019-06-17 19:43

Pedja wrote (2019-06-17 19:10):
I do know how to use SpamAssassin.
Then obviously you would know that about a dozen items would be scored in this message. I bolded only the ones that caught my eye. Obviously, you haven't provided the full message either.
-----
From - Mon Jun 17 08:26:47 2019
X-Account-Key: account1
X-UIDL: 79841
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: postmaster@bay-t.com.tr
Received: from WIN-OI0Q27COD8G.home (ns1.bay-t.com.tr [89.107.226.227]) by mail.uzxxx.net
with ESMTP ; Mon, 17 Jun 2019 07:15:59 +0200
Received: from [] ([168.196.13.2]) by home with MailEnable ESMTP; Mon, 17 Jun 2019 08:09:01
+0300
X-aid: 5175934663
Message-ID: <CEAE9-7D6760-6D@www884.bay-t.com.tr>
Abuse-Reports-To: <abuse@mailer.bay-t.com.tr>
Date: Mon, 17 Jun 2019 07:09:07 +0200
Subject: [SPAM] Your account is hacked
X-Complaints-To: abuse@mailer.bay-t.com.tr
X-Mailer: ColdFusion 11 Application Server
List-Help: <http://www.bay-t.com.tr/lists/?p=prefer ... b1qqubyosr>
Content-Type: multipart/related; boundary="ivnpndb-78CDBC64757F486A9"
MIME-Version: 1.0
X-CSA-Complaints: whitelist-complaints@bay-t.com.tr
X-Sender: postmaster@bay-t.com.tr
To: sam@uzxxx.net
From: <sam@uzxxx.net>
List-Unsubscribe: <mailto:z-lko_xgzbgrmoo_xktema_hgwbdjnjl_q@bounce.bay-t.com.tr?subject=Unsubscribe>
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 3)
X-hMailServer-Reason-Score: 3

This is a multi-part message in MIME format

----
Spamassassin would definitely hit other things. These kinds of messages score very high (over double my delete threshold) with a big laundry list of hits and points. Bayes filter plays a good part in that as well. Spamassassin learns from previous spam.

Spamassassin is free, extremely well maintained, very low maintenance once tuned and works great. Why on earth would you be opposed to using it?

By the way, the sending MTA appears to be a legit mailer.

Abuse-Reports-To: <abuse@mailer.bay-t.com.tr>

You could send them a note and they will likely take action.

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to stop scammer faking from email address?

Post by mattg » 2019-06-17 22:59

Pedja wrote (2019-06-17 18:59):
I still do think this should be built in functionality.
hMailServer doesn't build stuff in unless the RFCs generally require it, and something that NOT ALL users need and can be solved with a dozen or so lines of VB is unlikely to be added.

The fact that we can script in VB makes hMailserver much more powerful.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
