
Is that SPAM? Or am I compromised?
I just received a SPAM (I hope), but the headers caught my attention;
here they are, in full:

Return-Path: <admin@yalis.fr>
Delivered-To: yves@yalis.fr
Received: from seuil3 ([192.168.1.201])
by sphinx3 with LMTP
id UARXHdImDmQdcBQAMvrXhg
(envelope-from <admin@yalis.fr>)
for <yves@yalis.fr>; Sun, 12 Mar 2023 20:24:02 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=yalis.fr;
s=sphinx2;
h=Content-Type:Subject:To:MIME-Version:From:Date:Message-ID:Sender
:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=qXhLPFix7x9RH0AbzUC6Jm3wwLRKaSLaBoZ0e0PYWGg=;
b=19nO++1psw29bETtkJfSoCaeie
x1Pa9jycEaMoWNC7ZTP04Fhf/nfNy6GrWKkY2paGp56NkLoyf+wWv54Ld1wB71kSczpBOHjFE5UyY
UEazDeLVZcp9XS8IuiwUZWI+SFb4KTfAdJSmP1vrl8JPnBqaJPJTkAQhiuoATG4viLog=;
Received: from [93.184.14.24]
by seuil3 with esmtp (Exim 4.96)
(envelope-from <admin@yalis.fr>)
id 1pbRIJ-002UYg-0j
for admin@yalis.fr;
Sun, 12 Mar 2023 20:24:02 +0100
Message-ID: <640E42D8.7020207@yalis.fr>
Date: Sun, 12 Mar 2023 22:23:36 +0100
From: <admin@yalis.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17)
Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: <admin@yalis.fr>
Subject: =?UTF-8?B?SGV5LCB3aGF0J3MgdXA/?=
Content-Type: multipart/alternative;
boundary="------------080506090407010304040403"

I am surprised by a few things:

— This email went through very few intermediaries to reach my server
(yalis.fr). Apparently, it actually came directly from the sender (a
Palestinian ISP).
— There is a DKIM signature done by my own server (d=yalis.fr), which
includes the From header, and that header is @yalis.fr.

Considering the fact that the body is all about how “they” used a
zero-day exploit to infiltrate my machine (but with some non-believable
elements, such as making a video of me, and I do not have a webcam…),
how can I make sure that this is indeed a SPAM, and not a real attack?

Kind regards

Yves.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Is that SPAM? Or am I compromised?
On 12. 3. at 22:34 Yves via Exim-users wrote:

I have no solution for you, but some comments:

> — This email went through very few intermediaries to reach my server
> (yalis.fr). Apparently, it actually came directly from the sender (a
> Palestinian ISP).

Received: headers can be faked, removed, etc...

> — There is a DKIM signature done by my own server (d=yalis.fr), which
> includes the From header, and that header is @yalis.fr.

It can be a DKIM replay, or it can be a failed signature, added only to fool users.
You didn't provide the DKIM verify result...

Anyway, your Message-ID is signed; if that message originated from
your server, you must be able to find it in the logs. And you can change
the DKIM key, to be sure...

> Considering the fact that the body is all about how “they” used a
> zero-day exploit to infiltrate my machine (but with some non-believable
> elements, such as making a video of me, and I do not have a webcam…),
> how can I make sure that this is indeed a SPAM, and not a real attack?

I see that type of message often, and often as a flood from some
hundreds/thousands of hosts in a short time. I am very successful at filtering
them, and I don't worry much about them...

regards

--
Slavko


Re: Is that SPAM? Or am I compromised?
On 3/13/23 05:34, Yves via Exim-users wrote:
>
> I am surprised by a few things:
>
> — This email went through very few intermediaries to reach my server (yalis.fr). Apparently, it actually came directly from the sender (a Palestinian ISP).

Why would that surprise you? They just did exactly that.

> — There is a DKIM signature done by my own server (d=yalis.fr), which includes the From header, and that header is @yalis.fr.
As Slavko said, check that the signature is actually valid. If it is, review your exim config and see how they might have been able to get your exim to sign the message. Maybe you have a flaw in your config?
> Considering the fact that the body is all about how “they” used a zero-day exploit to infiltrate my machine (but with some non-believable elements, such as making a video of me, and I do not have a webcam…), how can I make sure that this is indeed a SPAM, and not a real attack?

Based on what you have described, the furthest extent of any possible attack is somehow getting your exim to sign incoming messages coming from the wild.

Claiming that they infiltrated your machine is not an attack, it's a very common spam message.



Re: Is that SPAM? Or am I compromised?
> From: exi.ml @ yalis.fr
>
> I just received a SPAM (I hope), but the headers retained my attention;
> here they are, in full:

An infected Windows sent this common fraudulent spam with the same
email address in From: and envelope-from as the recipient.
And the same domain in Message-ID.

> There is a DKIM signature done by my own server (d=yalis.fr), which
> includes the From header, and that header is @yalis.fr.

Your "seuil3" added DKIM signature while it relayed that spam
to your "sphinx3".

Accepting emails from hosts with empty $sender_host_name is unwise.
I deny mail from such hosts in China, HongKong, Taiwan, Brazil, Korea, Vietnam
and greylist mail from such hosts in other countries.
But most other mail admins deny emails from such hosts.

Re: Is that SPAM? Or am I compromised?
Thank you Slavko for your answer.

On 13/03/2023 10:28, Slavko via Exim-users wrote:
> On 12. 3. at 22:34 Yves via Exim-users wrote:
> […]
>> — There is a DKIM signature done by my own server (d=yalis.fr), which
>> includes the From header, and that header is @yalis.fr.
>
> It can be a DKIM replay, or it can be a failed signature, added only to fool users.
> You didn't provide the DKIM verify result...

I did not know how to verify the signature… Looking at Archlinux
packages, I selected opendkim; its man page says that opendkim-testmsg
returns nothing if the input message is good. I ran:

opendkim-testmsg <./"Hey, what's up? - <admin@yalis.fr> - 2023-03-12
2223.eml"

which returned nothing, and $?==0. So the signature is valid!

> Anyway, your Message-ID is signed; if that message originated from
> your server, you must be able to find it in the logs. And you can change
> the DKIM key, to be sure...

I checked per your advice on the server:

[root@seuil3 etc]# journalctl --grep 640E42D8.7020207
mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message
<640E42D8.7020207@yalis.fr> for nobody:182
mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 -
BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02
1pbRIJ-002UYg-0j <= admin@yalis.fr H=([93.184.14.24]) [93.184.14.24]
P=esmtp S=6613 id=640E42D8.7020207@yalis.fr

I’m not sure of how to understand that :-/
All 3 lines seem to me to relate to receiving the message. I don’t see a
line that is about sending the message, or signing it.

Could it be that the message is signed when I receive it? Could it be
because I use LMTP for delivering, instead of local drop?
If that is the explanation, it seems a bit “stupid” of Exim to do so…

Regards

> […]

Re: Is that SPAM? Or am I compromised?
On 3/14/23 03:12, Yves via Exim-users wrote:
>
> opendkim-testmsg <./"Hey, what's up? - <admin@yalis.fr> - 2023-03-12 2223.eml"
>
> which returned nothing, and $?==0. So the signature is valid!
>

> [root@seuil3 etc]# journalctl --grep 640E42D8.7020207
> mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message <640E42D8.7020207@yalis.fr> for nobody:182
> mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>
> mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= admin@yalis.fr H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 id=640E42D8.7020207@yalis.fr
>
> I’m not sure of how to understand that :-/
> All 3 lines seem to me to relate to receiving the message. I don’t see a line that is about sending the message, or signing it.
>
DKIM_ADSP_ALL says that SpamAssassin found no signature. Something signed it later, which makes sense.


> Could it be that the message is signed when I receive it?
Your configuration answers this question.
> Could it be because I use LMTP for delivering, instead of local drop?
> If that is the explanation, it seems a bit “stupid” of Exim to do so…

Of your configuration, not of Exim per se. Exim behavior is extremely flexible and configurations can vary tremendously from site to site.

Examine your configuration, check whether signing is indeed done by / controlled by exim configuration or elsewhere, and on what conditions.



Re: Is that SPAM? Or am I compromised?
On 3/14/23 03:12, Yves via Exim-users wrote:
> Could it be that the message is signed when I receive it

Try to run:

exim -bV

See if the output includes a line resembling --

Configuration file is /etc/exim4/exim4.conf

Examine the file and look for lines containing "dkim_private_key", "dkim_selector" etc.

If appropriate, you can post the whole transport section here (redacted as necessary).



Re: Is that SPAM? Or am I compromised?
Hi,

On 13 March 2023 at 19:12:20 UTC, user Yves via Exim-users <exim-users@exim.org> wrote:

>which returned nothing, and $?==0. So the signature is valid!

I never used OpenDKIM, thus i cannot comment.

>I checked per your advice on the server:
>
>[root@seuil3 etc]# journalctl --grep 640E42D8.7020207
>mars 12 20:23:47 seuil3 spamd[522247]: spamd: checking message <640E42D8.7020207@yalis.fr> for nobody:182
>mars 12 20:24:02 seuil3 spamd[522247]: spamd: result: . 3 - BAYES_00,BITCOIN_PAY_ME,BITCOIN_SPAM_02,BITCOIN_YOUR_INFO,DKIM_ADSP_ALL,HELO_NO_DOMAIN,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_>

These are from SA, i never used it, thus i cannot comment.

>mars 12 20:24:02 seuil3 exim[594126]: 2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= admin@yalis.fr H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 id=640E42D8.7020207@yalis.fr

That one is relevant, but it is an incomplete exim message log. The missing part
is the delivery. I do not use the journal for exim logs, but you can try to grep exim's
message ID:

journalctl --no-pager -u exim.service --grep 1pbRIJ-002UYg-0j

>All 3 lines seem to me to relate to receiving the message. I don’t see a line that is about sending the message, or signing it.

Yes, received. The line has no DKIM= field, which is logged by default,
thus it seems that the message had no valid DKIM at that time.

>Could it be that the message is signed when I receive it?

Exim signs only on delivery...

> Could it be because I use LMTP for delivering, instead of local drop?

Yes, (one of) the deliveries to LMTP can be configured to sign the message,
but someone must configure that.

>If that is the explanation, it seems a bit “stupid” of Exim to do so…

Exim does what the admin configured it to do, thus try to guess who did
something "a bit stupid"...

regards


--
Slavko
https://www.slavino.sk/

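Two replies above make the same forensic point from different evidence: the DKIM-Signature was added by seuil3 while it relayed the message to sphinx3, and seuil3's own `<=` log line carries no `DKIM=` field, so nothing was verified on receipt. Both checks can be done mechanically. The following is an added example, not code from the thread, from Exim or from Yves: it re-reads the header block posted at the top of the thread (a constructed copy, with the folding whitespace on continuation lines reconstructed and the body omitted) together with the Exim receive log line from Yves's journal. Because every MTA prepends its own Received: header, the position of DKIM-Signature between the sphinx3 and seuil3 Received: lines bounds when it was added, and the `h=` tag shows whether From is covered. The `DKIM=` check assumes, as Slavko states, that Exim's default log selector records a verified domain on the `<=` line.

```python
"""Which hop added the DKIM-Signature, and was anything DKIM-verified on receipt?
Every MTA prepends its own Received: header, so the position of any other header
relative to the Received: lines bounds the point at which it was added."""
import re

# Header block as posted at the top of the thread (constructed copy: the folding
# whitespace on continuation lines is reconstructed and the body is omitted).
RAW_HEADERS = """\
Return-Path: <admin@yalis.fr>
Delivered-To: yves@yalis.fr
Received: from seuil3 ([192.168.1.201])
 by sphinx3 with LMTP
 id UARXHdImDmQdcBQAMvrXhg
 (envelope-from <admin@yalis.fr>)
 for <yves@yalis.fr>; Sun, 12 Mar 2023 20:24:02 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=yalis.fr;
 s=sphinx2;
 h=Content-Type:Subject:To:MIME-Version:From:Date:Message-ID:Sender
 :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=qXhLPFix7x9RH0AbzUC6Jm3wwLRKaSLaBoZ0e0PYWGg=;
 b=19nO++1psw29bETtkJfSoCaeie
 x1Pa9jycEaMoWNC7ZTP04Fhf/nfNy6GrWKkY2paGp56NkLoyf+wWv54Ld1wB71kSczpBOHjFE5UyY
 UEazDeLVZcp9XS8IuiwUZWI+SFb4KTfAdJSmP1vrl8JPnBqaJPJTkAQhiuoATG4viLog=;
Received: from [93.184.14.24]
 by seuil3 with esmtp (Exim 4.96)
 (envelope-from <admin@yalis.fr>)
 id 1pbRIJ-002UYg-0j
 for admin@yalis.fr;
 Sun, 12 Mar 2023 20:24:02 +0100
Message-ID: <640E42D8.7020207@yalis.fr>
From: <admin@yalis.fr>
"""
# Exim's receive ("<=") line from seuil3's journal, as posted in the thread.
EXIM_RECEIPT_LINE = ("2023-03-12 20:24:02 1pbRIJ-002UYg-0j <= admin@yalis.fr "
                     "H=([93.184.14.24]) [93.184.14.24] P=esmtp S=6613 "
                     "id=640E42D8.7020207@yalis.fr")

def unfold(raw):
    """[(name, value)] in wire order, continuation lines joined to their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:          # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def received_by(value):
    """Host named in the 'by' clause of a Received: value ('?' if absent)."""
    m = re.search(r"\bby\s+(\S+)", value)
    return m.group(1) if m else "?"

def inserted_between(headers, target):
    """(newer_hop, older_hop) bracketing the first `target` header: it was added
    after older_hop accepted the message and before newer_hop received it."""
    newer, older, seen = None, None, False
    for name, value in headers:
        if name.lower() == "received":
            if seen:
                older = received_by(value)
                break
            newer = received_by(value)
        elif name.lower() == target.lower():
            seen = True
    return (newer, older) if seen else (None, None)

def dkim_tags(value):
    """tag=value pairs of a DKIM-Signature, whitespace stripped from values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_at_receipt(logline):
    """Domain Exim logged as verified (DKIM=...) on its '<=' line, else None."""
    m = re.search(r"\bDKIM=(\S+)", logline)
    return m.group(1) if m else None

def analyse(raw_headers=RAW_HEADERS, logline=EXIM_RECEIPT_LINE):
    headers = unfold(raw_headers)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), "")
    tags = dkim_tags(sig)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    newer, older = inserted_between(headers, "DKIM-Signature")
    return {
        "hops": [received_by(v) for n, v in headers if n.lower() == "received"],
        "signing_domain": tags.get("d"),
        "selector": tags.get("s"),
        "from_is_signed": "from" in signed,
        "signature_added_by": older,        # host that already held the message
        "signature_first_seen_by": newer,   # first host to receive it signed
        "dkim_verified_at_receipt": dkim_at_receipt(logline),
    }

if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k:26} {v}")
```

On the posted headers this reports `signature_added_by = seuil3`, `signature_first_seen_by = sphinx3`, `from_is_signed = True` and `dkim_verified_at_receipt = None`: a signature for d=yalis.fr covering From, created by the edge host after it had already accepted the message from 93.184.14.24, and nothing verified at receipt time. That is exactly the situation Slavko's "Exim signs only on delivery" describes.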
Re: Is that SPAM? Or am I compromised?
Thank you Gedalya for answering.

On 13/03/2023 12:02, Gedalya via Exim-users wrote:
> On 3/13/23 05:34, Yves via Exim-users wrote:
>> — This email went through very few intermediaries to reach my server (yalis.fr). Apparently, it actually came directly from the sender (a Palestinian ISP).
> Why would that surprise you? They just did exactly that.

Yes, it is just that most emails I receive are sent through ISPs or from
commercial companies, and go through a bunch of internal relays.
Although completely standard, such direct emails are rare enough for me
that I noticed…

>> — There is a DKIM signature done by my own server (d=yalis.fr), which includes the From header, and that header is @yalis.fr.
> As Slavko said, check that the signature is actually valid. If it is, review your exim config and see how they might have been able to get your exim to sign the message. Maybe you have a flaw in your config?

If that is any help, my server is built using Ansible, and the whole
configuration is public:
https://yalis.fr/git/yves/home-server/src/branch/master/roles/dmz_exim/tasks/main.yml

Based on Archlinux packaging for Exim
(https://github.com/archlinux/svntogit-community/blob/packages/exim/trunk/PKGBUILD),
my exim.conf seems to be just upstream Exim 4.96 configuration. Then I
patch it using Ansible with various rules.

Regards

Re: Is that SPAM? Or am I compromised?
On 3/14/23 05:57, Yves via Exim-users wrote:

> Yes, it is just that most emails I receive are sent through ISPs or from commercial companies, and go through a bunch of internal relays. Although completely standard, such direct emails are rare enough for me that I noticed…

Spam is very often delivered this way, directly to your server.

> If that is any help, my server is built using Ansible, and the whole configuration is public:
> https://yalis.fr/git/yves/home-server/src/branch/master/roles/dmz_exim/tasks/main.yml
>
> Based on Archlinux packaging for Exim (https://github.com/archlinux/svntogit-community/blob/packages/exim/trunk/PKGBUILD), my exim.conf seems to be just upstream Exim 4.96 configuration. Then I patch it using Ansible with various rules.

It's not much help. I can't reconstruct your exact config this way. But I do see how you're adding DKIM signing:

insertafter: '^\s*driver\s*=\s*smtp\s*$'

And I don't see any condition there.

The only thing that matters is the actual exim config file you have in effect.

A few comments:

1. On ports 587 / 465, _only_ authenticated users should be allowed

2. On ports 587 / 465, TLS should be _mandatory_.

3. On port 25, authentication should _not_ be available (not advertised, and exim will refuse the command if it wasn't advertised)

4. On ports 587, authentication should not be advertised before STARTTLS is issued.

(The above can be rephrased as: properly separate submission from "classic" SMTP. Submission requires TLS).

5. It does look like you may be simply signing all mail.

Sign only authenticated or locally-submitted mail:

dkim_private_key = ${if or {{match_ip{$sender_host_address}{:@[]}}{def:authenticated_id}}{/etc/your/private.key}{}}

Good idea: add:

dkim_sign_headers = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:=In-Reply-To:=References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive

May be a matter of taste but you might find that maintaining the exim config file itself in git might be simpler at some point.

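Gedalya's point 5 (you may simply be signing all mail) and the root cause Yves reports further down the thread (an `insertafter` regex that matched at two places) can be turned into a check against the configuration actually in effect. This is an added example, not code from the thread, from Exim or from Yves's Ansible playbook: it parses the `begin transports` section of a constructed Exim configuration, flags any smtp-driver transport that signs unconditionally or that signs on an LMTP (local-delivery) transport, and rewrites the config with the `${if or{...}}` guard from Gedalya's post. The constructed config assumes the local delivery is the smtp driver with `protocol = lmtp`, which is what makes a rule keyed on `driver = smtp` match twice; the transport names, host, port and key path are hypothetical, and `is_guarded` is a heuristic, not an Exim string-expansion parser.

```python
"""Audit Exim transports for DKIM signing that fires on the wrong delivery path."""
import re

NAME_RE = re.compile(r"^([A-Za-z0-9_]+):\s*$")
OPTION_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

# Constructed transports section reproducing the failure mode: both transports use
# driver = smtp (local delivery goes over LMTP via protocol = lmtp), so an
# insertafter rule keyed on "driver = smtp" dropped the dkim_* lines into both.
# Transport names, host, port and key path are hypothetical.
WEAK_CONFIG = """\
begin transports

remote_smtp:
  driver = smtp
  dkim_domain = yalis.fr
  dkim_selector = sphinx2
  dkim_private_key = /etc/exim/dkim.key

# Delivery to the mailbox host over LMTP: this is the inbound path.
mailstore_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = 192.168.1.10
  port = 24
  dkim_domain = yalis.fr
  dkim_selector = sphinx2
  dkim_private_key = /etc/exim/dkim.key

begin retry
"""

def parse_transports(config_text):
    """{transport_name: {option: value}} for the 'begin transports' section."""
    transports, current, in_section = {}, None, False
    for line in config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("begin "):
            in_section, current = (s == "begin transports"), None
            continue
        if not in_section:
            continue
        m = NAME_RE.match(s)
        if m:
            current = m.group(1)
            transports[current] = {}
            continue
        m = OPTION_RE.match(line)
        if m and current:
            transports[current][m.group(1)] = m.group(2)
    return transports

def is_guarded(key_expr):
    """Heuristic: the key is an ${if ...} expansion keyed on the message's origin."""
    e = key_expr.strip()
    return e.startswith("${if") and ("$sender_host_address" in e or "authenticated_id" in e)

def audit_signing(config_text):
    """[(transport, issue)] for every smtp-driver transport able to sign inbound mail."""
    findings = []
    for name, opts in parse_transports(config_text).items():
        if opts.get("driver") != "smtp" or "dkim_private_key" not in opts:
            continue
        if opts.get("protocol") == "lmtp":
            findings.append((name, "signing on a local-delivery (LMTP) transport"))
        elif not is_guarded(opts["dkim_private_key"]):
            findings.append((name, "unconditional signing"))
    return findings

def guard(key_path):
    """Sign only locally-submitted or authenticated mail (expression from the thread)."""
    return ("${if or {{match_ip{$sender_host_address}{:@[]}}{def:authenticated_id}}"
            "{" + key_path + "}{}}")

def harden(config_text):
    """Drop dkim_* from LMTP transports and guard the private key on the others."""
    lmtp = {n for n, o in parse_transports(config_text).items() if o.get("protocol") == "lmtp"}
    out, current, in_section = [], None, False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("begin "):
            in_section, current = (s == "begin transports"), None
        m = NAME_RE.match(s)
        if in_section and m:
            current = m.group(1)
        if in_section and current in lmtp and s.startswith("dkim_"):
            continue                      # a local-delivery transport has no business signing
        m = re.match(r"^(\s*dkim_private_key\s*=\s*)(.+)$", line)
        if in_section and m and not is_guarded(m.group(2)):
            line = m.group(1) + guard(m.group(2).strip())
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for transport, issue in audit_signing(WEAK_CONFIG):
        print(f"{transport}: {issue}")
    print(harden(WEAK_CONFIG))
```

Run against the real file, feed it the path printed by `exim -bV` ("Configuration file is ...") rather than the Ansible source: as Gedalya says, only the configuration in effect matters. The guard expression yields an empty string, hence no signing, for any message that arrived over SMTP from a non-local, unauthenticated host, which is exactly the case of the spam in this thread.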
Re: Is that SPAM? Or am I compromised?
On 13/03/2023 23:43, Gedalya via Exim-users wrote:
> 4. On ports 587, authentication should not be advertised before STARTTLS is issued.

A slight suggested relaxation of that rule: Only authentication methods
which are self-encrypted should be used on a cleartext channel.

That means the same as your simpler rule for PLAIN and LOGIN, which are
the common ones. But the SCRAM family, for example, would be safe.
--
Cheers,
Jeremy


Re: Is that SPAM? Or am I compromised?
On 3/14/23 08:07, Jeremy Harris via Exim-users wrote:
> On 13/03/2023 23:43, Gedalya via Exim-users wrote:
>> 4. On ports 587, authentication should not be advertised before STARTTLS is issued.
>
> A slight suggested relaxation of that rule:  Only authentication methods
> which are self-encrypted should be used on a cleartext channel.
>
> That means the same as your simpler rule for PLAIN and LOGIN, which are
> the common ones.  But the SCRAM family, for example, would be safe.

There's a slightly different motivation for the approach I suggested.

Don't bother supporting SCRAM, and auto-ban any client that tries to use unadvertised AUTH. Cuts down on a lot of log spam. Many bots will not try TLS, and will either attempt AUTH before STARTTLS or will just not try at all. This doesn't "solve" anything, it's just a relative reduction of noise.



Re: Is that SPAM? Or am I compromised?
On 3/14/23 08:07, Jeremy Harris via Exim-users wrote:
> Only authentication methods which are self-encrypted should be used on a cleartext channel.

Further, I'm not aware of clients which have the specific behavior of switching to TLS after authentication.

While we're at it, will Exim or other SMTP servers remember your authenticated status after STARTTLS?

I don't see the point of enabling clients to send the message body in plaintext. And there's a need for a final push towards disallowing plaintext MX<>MX. Those that feel they can disallow that already now are helping to turn the tide and normalize the notion that plaintext SMTP is broken.



Re: Is that SPAM? Or am I compromised?
On 13/03/2023 at 22:28, Slavko via Exim-users wrote:
>> All 3 lines seem to me to relate to receiving the message. I don’t see a line that is about sending the message, or signing it.
>
> Yes, received. The line has no DKIM= field, which is logged by default,
> thus it seems that the message had no valid DKIM at that time.

Thanks for the confirmation. I feel better after reading that.

>> Could it be that the message is signed when I receive it?
>
> Exim signs only on delivery...
>
>> Could it be because I use LMTP for delivering, instead of local drop?
>
> Yes, (one of) the deliveries to LMTP can be configured to sign the message,
> but someone must configure that.
>
>> If that is the explanation, it seems a bit “stupid” of Exim to do so…
>
> Exim does what the admin configured it to do, thus try to guess who did
> something "a bit stupid"...

It’s me :-)
With your help, and the guidance of Gedalya's explanations (thanks!), I
found the mistake I made in my configuration, which is due to a regex
matching at 2 places where I expected it to match at only one place.

Thank you everyone!

Yves.
