Posted to users@spamassassin.apache.org by Robert Kudyba <rk...@fordham.edu> on 2017/06/19 18:54:07 UTC

mail slipped by with forged/spoofed from: in our domain

We use sendmail-8.15.2-8.fc25 on Fedora 25 with spamassassin-3.4.1-9. Can anyone explain how this email got through with a forged from: address? https://pastebin.com/L7NKCK3E

The 1st received IP is not on any real time blacklist as of this moment:

Received: from 167.249.16.132

The 2nd IP in the mail header trail now shows up in BACKSCATTER, BLOCKLIST.DE and MAILSPIKE BL

Received: from embacelsga.localdomain (oi66.grupocartonpack.com [189.30.23.66])

But shouldn’t the default settings in sendmail.mc/cf check for spoofing of the HELO?

Re: mail slipped by with forged/spoofed from: in our domain

Posted by Robert Kudyba <rk...@fordham.edu>.
> I don't believe sendmail has any default setting for rejecting HELO names.  You should probably add "localdomain" to your access table.
> 

Yep been like this for years:
# By default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY


Re: mail slipped by with forged/spoofed from: in our domain

Posted by Noel <no...@gmail.com>.
On 6/19/2017 1:54 PM, Robert Kudyba wrote:
> We use sendmail-8.15.2-8.fc25 on Fedora 25
> with spamassassin-3.4.1-9. Can anyone explain how this email got
> through with a forged from: address? https://pastebin.com/L7NKCK3E
>
> The 1st received IP is not on any real time blacklist as of this
> moment:
>
> Received: from 167.249.16.132
>
> The 2nd IP in the mail header trail now shows up
> in BACKSCATTER, BLOCKLIST.DE and MAILSPIKE BL
>
> Received: from embacelsga.localdomain (oi66.grupocartonpack.com
> [189.30.23.66])
>
> But shouldn’t the default settings in sendmail.mc/cf check for
> spoofing of the HELO?


It appears this mail passed through your system and was forwarded to
google, and maybe a little mangled along the way.  This makes the
headers hard to follow as to who added what, and what to trust.

I don't believe sendmail has any default setting for rejecting HELO
names.  You should probably add "localdomain" to your access table.
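Noel's point about working out who added which header is the crux. The check below is an added example (my own code, not sendmail's, SpamAssassin's or anything posted in this thread) that walks the Received: chain to the hop our own MTA wrote and then flags the things visible in the thread's headers: a HELO under a bogus TLD, a HELO that does not match rDNS, a From: in our own domain arriving from an address outside our networks, and From: equal to To:. LOCAL_HOSTS, LOCAL_DOMAINS and LOCAL_NETS are assumptions derived from names in the thread; both sample messages are constructed.

```python
"""Walk a message's Received: chain back to the hop our own MTA wrote and
flag what an MTA with no HELO or origin checks lets through.

Added example, not from the thread. LOCAL_HOSTS, LOCAL_DOMAINS and
LOCAL_NETS are assumptions built from names in the thread; the sample
messages are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_HOSTS = {"storm.cis.fordham.edu"}                  # MTAs whose Received: we trust
LOCAL_DOMAINS = {"cis.fordham.edu"}                       # domains local users send as
LOCAL_NETS = [ipaddress.ip_network("150.108.68.0/24")]    # assumed: where our relays live
BOGUS_TLDS = {"localdomain", "localhost", "local", "lan", "internal"}

# sendmail writes "from HELO (rdns [ip])" or "from HELO ([ip])"; other MTAs
# may write just "from HELO by ...".  "by" names the MTA that wrote the line.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\])?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def in_local_nets(ip: str) -> bool:
    ip = ip[5:] if ip.startswith("IPv6:") else ip
    return is_ip(ip) and any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def boundary_hop(received: list[str]) -> dict | None:
    """Top-most Received: written by one of LOCAL_HOSTS.  Every header below
    it was written by the untrusted relay and can say anything it likes."""
    for value in received:
        m = RECEIVED_RE.match(" ".join(value.split()))
        if m and m["by"].rstrip(".").lower() in LOCAL_HOSTS:
            return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"]}
    return None

def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    hop = boundary_hop(msg.get_all("Received") or [])
    if hop is None:
        return {"hop": None, "findings": ["no-trusted-received-header"]}
    findings = []
    helo = hop["helo"].strip("[]")
    if is_ip(helo):
        findings.append("numeric-helo")                   # SpamAssassin: RCVD_NUMERIC_HELO
    elif "." not in helo or helo.rsplit(".", 1)[1].lower() in BOGUS_TLDS:
        findings.append("bogus-helo-name")
    if hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
        findings.append("helo-rdns-mismatch")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.rpartition("@")[2] in LOCAL_DOMAINS and hop["ip"] and not in_local_nets(hop["ip"]):
        findings.append("local-from-external-relay")      # the check nobody in the thread had
    if sender and sender == parseaddr(msg.get("To", ""))[1].lower():
        findings.append("from-equals-to")                 # SpamAssassin: FROM_IS_TO
    return {"hop": hop, "findings": findings}

# Constructed sample modelled on the thread's headers (addresses are placeholders).
SPOOFED = """\
Received: from storm.cis.fordham.edu (storm.cis.fordham.edu [150.108.68.26])
    by mx.google.com with ESMTPS for <user@example.test>; Sat, 17 Jun 2017 15:53:38 -0400
Received: from embacelsga.localdomain (oi66.grupocartonpack.com [189.30.23.66])
    by storm.cis.fordham.edu (8.15.2/8.15.2) with ESMTP id v5HJqkrB030146
    for <user@cis.fordham.edu>; Sat, 17 Jun 2017 15:53:32 -0400
Received: from 167.249.16.132 by embacelsga.localdomain; Sat, 17 Jun 2017 16:53:00 -0300
From: user@cis.fordham.edu
To: user@cis.fordham.edu
Subject: hello

forged
"""

# Constructed clean sample: a relay inside LOCAL_NETS whose HELO matches rDNS (host name assumed).
CLEAN = """\
Received: from mail.cis.fordham.edu (mail.cis.fordham.edu [150.108.68.40])
    by storm.cis.fordham.edu (8.15.2/8.15.2) with ESMTP id v5HJqkrB000001
    for <user@cis.fordham.edu>; Sat, 17 Jun 2017 15:00:00 -0400
From: colleague@cis.fordham.edu
To: user@cis.fordham.edu
Subject: hello

legitimate
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, analyse(sample))
```

Only the hop at the trust boundary counts. The "Received: from 167.249.16.132" line sits below it, so whatever that address's RBL status is, the header was written by the untrusted relay and proves nothing. SpamAssassin already fires RCVD_NUMERIC_HELO and FROM_IS_TO on this message, as the spamd log in the thread shows; the local-from-external-relay check is the one that would have pushed the score up, and it belongs at SMTP time (a milter or a local SA rule) rather than after delivery.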





Re: mail slipped by with forged/spoofed from: in our domain

Posted by Robert Kudyba <rk...@fordham.edu>.
> On Jun 19, 2017, at 4:02 PM, Kevin A. McGrail <ke...@mcgrail.com> wrote:
> 
> On 6/19/2017 3:27 PM, Robert Kudyba wrote:
>> 
>> Well this user has his sendmail account from our subdomain forward to his university Gmail account so that’s where the SPF kicks in. But how come those first IPs in the mail header pass?
> 
> I don't know, it's hard to tell with a forwarded email.

Do the logs help?

Jun 17 15:53:32 storm sendmail[30146]: v5HJqkrB030146: from=<le...@cis.fordham.edu>, size=1019, class=0, nrcpts=1, msgid=<85...@cis.fordham.edu>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=oi66.grupocartonpack.com [189.30.23.66]
Jun 17 15:53:32 storm sendmail[30146]: v5HJqkrB030146: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.99.2 at storm.cis.fordham.edu
Jun 17 15:53:32 storm sendmail[30146]: v5HJqkrB030146: Milter insert (1): header: X-Virus-Status: Clean
Jun 17 15:53:32 storm spamd[2840]: spamd: connection from localhost [::1]:59804 to port 783, fd 5
Jun 17 15:53:32 storm spamd[2840]: spamd: using default config for root: /home/spamd/user_prefs
Jun 17 15:53:32 storm spamd[2840]: spamd: processing message <85...@cis.fordham.edu> for root:1001
Jun 17 15:53:37 storm sendmail[30355]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jun 17 15:53:38 storm sendmail[30197]: v5HJr7gx030197: unassigned.nodeoutlet.com [103.208.244.235] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 17 15:53:38 storm sendmail[30196]: v5HJr7qA030196: unassigned.nodeoutlet.com [103.208.244.235] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 17 15:53:38 storm sendmail[30195]: v5HJr7K1030195: unassigned.nodeoutlet.com [103.208.244.235] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 17 15:53:47 storm spamd[2840]: spamd: clean message (0.2/5.0) for root:1001 in 15.0 seconds, 1429 bytes.
Jun 17 15:53:47 storm spamd[2840]: spamd: result: . 0 - BAYES_00,FROM_IS_TO,PYZOR_CHECK,RCVD_NUMERIC_HELO,T_SPF_HELO_TEMPERROR,T_SPF_TEMPERROR scantime=15.0,size=1429,user=root,uid=1001,required_score=5.0,rhost=localhost,raddr=::1,rport=59804,mid=<85...@cis.fordham.edu>,bayes=0.001885,autolearn=no autolearn_force=no
Jun 17 15:53:47 storm sendmail[30146]: v5HJqkrB030146: Milter add: header: X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,FROM_IS_TO,\n\tPYZOR_CHECK,RCVD_NUMERIC_HELO,T_SPF_HELO_TEMPERROR,T_SPF_TEMPERROR\n\tautolearn=no autolearn_force=no version=3.4.1
Jun 17 15:53:47 storm sendmail[30146]: v5HJqkrB030146: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on\n\tstorm.cis.fordham.edu
Jun 17 15:55:08 storm sendmail[30476]: v5HJqkrB030146: to=<le...@cis.fordham.edu>, ctladdr=<le...@cis.fordham.edu> (15746/1500), delay=00:01:36, xdelay=00:01:21, mailer=local, pri=31610, dsn=2.0.0, stat=Sent
Jun



Re: mail slipped by with forged/spoofed from: in our domain

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 6/19/2017 3:27 PM, Robert Kudyba wrote:
>
> Well this user has his sendmail account from our subdomain forward to 
> his university Gmail account so that’s where the SPF kicks in. But how 
> come those first IPs in the mail header pass?

I don't know, it's hard to tell with a forwarded email.


Re: mail slipped by with forged/spoofed from: in our domain

Posted by RW <rw...@googlemail.com>.
On Mon, 19 Jun 2017 15:27:36 -0400
Robert Kudyba wrote:

> > The biggest issue I see is the SPF approval:
> > ARC-Authentication-Results: i=1; mx.google.com;
> > 
> >        spf=pass (google.com: best guess record for domain of
> > leeds@cis.fordham.edu designates
> > 150.108.68.26 as permitted sender)
> > 
> > Perhaps a compromised account?  
> 
> Well this user has his sendmail account from our subdomain forward to
> his university Gmail account so that’s where the SPF kicks in. But
> how come those first IPs in the mail header pass?

Pass what? 

I'm a bit confused, but if I'm understanding correctly, by spoofed HELO
you meant that the HELO doesn't match the rDNS (which is full-circle),
and you had expected sendmail to reject because of that. Beyond that I
don't see what the question is.

The only thing anomalous is that cis.fordham.edu doesn't have an SPF
record, google used a best-guess record.
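RW's observation that cis.fordham.edu has no SPF record, so Google fell back to a best-guess record, is worth seeing in code. The evaluator below is an added example (not Google's, SpamAssassin's or anything from this thread) covering only the ip4, ip6, a, mx and all mechanisms of RFC 7208, with DNS replaced by a constructed table so it runs offline; example.test, soft.test and their records are invented, and cis.fordham.edu is deliberately left without a TXT record to reproduce the thread's situation.

```python
"""Minimal SPF evaluator (RFC 7208 mechanisms ip4, ip6, a, mx, all; no
include/redirect/exists/ptr) over a stubbed DNS table so it runs offline.

Added example, not from the thread and not the checker Google or
SpamAssassin run.  The DNS table is constructed: cis.fordham.edu has no
TXT record, as observed in the thread; example.test and soft.test are invented.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS; a real evaluator resolves these.
DNS = {
    "TXT": {
        "example.test": ["v=spf1 ip4:150.108.68.0/24 mx -all"],
        "soft.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
    "A": {"mx1.example.test": ["192.0.2.10"]},
    "MX": {"example.test": ["mx1.example.test"]},
}


def check_spf(ip: str, domain: str, dns: dict = DNS) -> str:
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`."""
    domain = domain.lower().rstrip(".")
    records = [r for r in dns["TXT"].get(domain, []) if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"           # nothing published: the thread's situation
    if len(records) > 1:
        return "permerror"      # RFC 7208: more than one record is an error
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name in ("a", "mx"):
            hosts = [arg or domain] if name == "a" else dns["MX"].get(arg or domain, [])
            matched = any(str(addr) in dns["A"].get(h, []) for h in hosts)
        else:
            return "permerror"  # include, redirect, exists, ptr: not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # RFC 7208 default when no mechanism matches


if __name__ == "__main__":
    for ip, dom in (("189.30.23.66", "cis.fordham.edu"),  # the thread: no record
                    ("189.30.23.66", "example.test"),     # spoofing relay vs. a -all record
                    ("150.108.68.26", "example.test"),    # the forwarding host
                    ("203.0.113.5", "soft.test")):
        print(ip, dom, check_spf(ip, dom))
```

With no record the only possible answer is none; a receiver that then guesses (Google's best-guess record) is applying its own heuristic, not your policy, and a temporary DNS failure (T_SPF_TEMPERROR in the spamd log above) yields no verdict either. Publishing a record ending in -all makes a relay like 189.30.23.66 fail for a MAIL FROM in the domain, and the record has to list the forwarding host (150.108.68.26 here) because the copy forwarded to Gmail arrives from it. SPF evaluates the envelope MAIL FROM and the HELO name, not the header From: the user sees, so a forged From: carried by a foreign envelope sender is outside its reach.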

Re: mail slipped by with forged/spoofed from: in our domain

Posted by Robert Kudyba <rk...@fordham.edu>.
> The biggest issue I see is the SPF approval:
> ARC-Authentication-Results: i=1; mx.google.com;
> 
>        spf=pass (google.com: best guess record for domain of
> leeds@cis.fordham.edu designates 150.108.68.26 as permitted sender)
> 
> Perhaps a compromised account?

Well this user has his sendmail account from our subdomain forward to his university Gmail account so that’s where the SPF kicks in. But how come those first IPs in the mail header pass?


Re: mail slipped by with forged/spoofed from: in our domain

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 6/19/2017 2:54 PM, Robert Kudyba wrote:
> We use sendmail-8.15.2-8.fc25 on Fedora 25 with spamassassin-3.4.1-9. 
> Can anyone explain how this email got through with a forged from: 
> address? https://pastebin.com/L7NKCK3E
>
> The 1st received IP is not on any real time blacklist as of this moment:
>
> Received: from 167.249.16.132
>
> The 2nd IP in the mail header trail now shows up in BACKSCATTER, 
> BLOCKLIST.DE and MAILSPIKE BL
>
> Received: from embacelsga.localdomain (oi66.grupocartonpack.com 
> [189.30.23.66])
>
> But shouldn’t the default settings in sendmail.mc/cf check for 
> spoofing of the HELO?

I'm not aware of much in the way of spoofed helo checks by default in 
sendmail.


The biggest issue I see is the SPF approval:


ARC-Authentication-Results: i=1; mx.google.com;
        spf=pass (google.com: best guess record for domain of
leeds@cis.fordham.edu designates 150.108.68.26 as permitted sender)

Perhaps a compromised account?

Regards,
KAM