I received a spam email from [email protected] to [email protected], but the "sender" is rec15.appleandroidemail.mx. [email protected] is an alias. The strange thing is that it says it was signed by mydomain.com!

I have been looking at the email source, and the email passes the DKIM and SPF filters (no DMARC information was found):
Assumpte: 8NUE7 Comprobante Electronico de Pago N: (94596)
SPF: PASS amb la IP 0.0.0.0 Més informació
DKIM: 'PASS' amb el domini mydomain.com Més informació
I have been looking at the mail log to find the connection and found the following:
Oct 20 13:32:00 mydomain postfix/smtpd[5162]: connect from rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: 5A04D1B5C75: client=rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/cleanup[5164]: 5A04D1B5C75: message-id=<[email protected]>
Oct 20 13:32:01 mydomain postfix/qmgr[2202]: 5A04D1B5C75: from=<[email protected]>, size=3140, nrcpt=1 (queue active)
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: disconnect from rec15.appleandroidemail.mx[45.7.231.194] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: connect from mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: EA2481B5F8A: client=mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/cleanup[5164]: EA2481B5F8A: message-id=<[email protected]>
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: from=<[email protected]>, size=4004, nrcpt=1 (queue active)
Oct 20 13:32:08 mydomain postfix/smtpd[5180]: disconnect from mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:08 mydomain amavis[16608]: (16608-05) Passed CLEAN {RelayedInbound}, [45.7.231.194]:50918 [45.7.231.194] <[email protected]> -> <[email protected]>, Queue-ID: 5A04D1B5C75, Message-ID: <[email protected]>, mail_id: qwEeUiSFqmai, Hits: 3.204, size: 3164, queued_as: EA2481B5F8A, 6422 ms
Oct 20 13:32:08 mydomain postfix/smtp[5165]: 5A04D1B5C75: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.8, delays=0.33/0.01/0/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EA2481B5F8A)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: 5A04D1B5C75: removed
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Connect from local
Oct 20 13:32:08 mydomain dovecot: lmtp([email protected]): 8ksOBtjmjl8+FAAAWnabiA: msgid=<[email protected]>: saved mail to INBOX
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Disconnect from local: Successful quit
Oct 20 13:32:08 mydomain postfix/lmtp[5181]: EA2481B5F8A: to=<[email protected]>, relay=mydomain.com[private/dovecot-lmtp], delay=0.15, delays=0.13/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 8ksOBtjmjl8+FAAAWnabiA Saved)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: removed
SPF configuration:
mydomain.com. 86400 IN TXT "v=spf1 ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"
mydomain.com. 86400 IN TXT "v=spf2.0/pra ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"
DKIM configuration:
20XXXX._domainkey.mydomain.com. 82086 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC..."
DMARC configuration:
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=s; adkim=s; fo=1
I have gone through all the DMARC XML reports and found no entry for the IP address 45.7.231.194, nor any reject, none or quarantine entries.

In the email source I found:
X-Received: by 2002:a2f:a551:: with SMTP id a23mr2209527ljn.5.1603290742268;
Tue, 20 Oct 2020 06:32:24 -0700 (PDT)
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of [email protected] designates 45.7.231.194 as permitted sender) [email protected];
dkim=pass [email protected] header.s=20XXXX header.b=EBPdgUba
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 45.7.231.194 as permitted sender) client-ip=45.7.231.194;
...
Received: from localhost (mydomain.com [127.0.0.1]) by mydomain.com (Postfix) with ESMTP id EA2481B5F8A for <[email protected]>; Tue, 20 Oct 2020 13:32:07 +0000 (UTC)
So it seems that someone at 45.7.231.194 is authorized to send email on behalf of mydomain.com, but I thought SPF existed precisely for this purpose, to protect against someone sending email in the name of mydomain.com. What am I missing? Is something misconfigured?

Any help on how to stop this attack would be greatly appreciated.
Answer 1

By definition (RFC 7208, section 1.1.3), SPF is not checked against the RFC 5322 From header but against the envelope sender, i.e. the address in the RFC 5321 MAIL FROM command.
from=<[email protected]>
So rec15.appleandroidemail.mx is the envelope sender's domain, and that hostname has no SPF record.

You need the additional DMARC policy to enforce alignment between MAIL FROM and the envelope sender.
Answer 2

Your SPF record is configured as "soft fail", which allows the mail through even when the check fails. That is meant for testing purposes.

You need to configure the SPF record as "hard fail" by setting -all instead of ~all.
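To see concretely what the trailing all qualifier decides, here is an added example (not code from the question or either answer): a minimal offline SPF evaluator. DNS TXT lookups are replaced by a dictionary of constructed records; the mydomain.com entry follows the record in the question with the redacted xx.xx.xx.xx replaced by the documentation address 203.0.113.10, and the included _spf.mydomain.com record is invented for the example. Only the ip4, ip6, include and all terms are implemented; a, mx, exists and redirect= need real DNS and are skipped, which is an assumption of this toy.

```python
"""Added example (not from the question or either answer): a minimal, offline
SPF evaluator that shows what the trailing 'all' qualifier decides. DNS lookups
are replaced by a dictionary of constructed TXT records; only ip4/ip6, include
and all are implemented (a, mx, exists and redirect= need real DNS and are
skipped, which is an assumption of this toy)."""
import ipaddress

# Constructed records. mydomain.com follows the record in the question with
# the redacted xx.xx.xx.xx replaced by the documentation address 203.0.113.10;
# the included _spf.mydomain.com record is invented for the example.
RECORDS = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 include:_spf.mydomain.com ~all",
    "_spf.mydomain.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
# The same zone after the change Answer 2 recommends: ~all -> -all.
HARDENED = {**RECORDS,
            "mydomain.com": RECORDS["mydomain.com"].replace("~all", "-all")}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, records: dict, depth: int = 0) -> str:
    """Evaluate `ip` against the SPF record of `domain` (the MAIL FROM domain).
    Returns pass/fail/softfail/neutral/none/permerror, as RFC 7208 names them."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms; include loops end here
    record = records.get(domain.lower())
    tokens = record.split() if record else []
    if not tokens or tokens[0].lower() != "v=spf1":
        return "none"  # no record: the sending domain made no statement at all
    addr = ipaddress.ip_address(ip)
    for term in tokens[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # mixed IPv4/IPv6 comparisons are simply False in ipaddress
            if addr in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only if the referenced record yields "pass"
            if check_spf(ip, argument, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]  # this is where ~all vs -all matters
        # a, mx, exists, redirect=: not resolvable offline, skipped (assumption)
    return "neutral"  # record exhausted without a match and without 'all'


if __name__ == "__main__":
    connecting_ip = "45.7.231.194"  # the host in the question's Postfix log
    print("~all:", check_spf(connecting_ip, "mydomain.com", RECORDS))
    print("-all:", check_spf(connecting_ip, "mydomain.com", HARDENED))
    print("envelope domain from the log:",
          check_spf(connecting_ip, "rec15.appleandroidemail.mx", RECORDS))
```

For the connecting IP from the Postfix log, the published record yields softfail and the hardened one yields fail. The third line is the caveat from Answer 1: the mydomain.com record is only consulted when the MAIL FROM domain is mydomain.com, and for the envelope domain that actually appears in the log the result is none regardless of which qualifier mydomain.com publishes.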