Email header: last 'received: from' header IP is 127.0.0.1 - spam

I have a question about the structure of email headers.
I've been analyzing spam sent through my Postfix MTA, and have noticed that a small number (< 5%) have the localhost address 127.0.0.1 in the final 'Received: from' header.
The 2nd-to-last header shows the IP of the spam mail server.
I'm assuming that the spammer is relaying through an MTA on his local box to a remote server, and that's why the last Received header (which represents the first in the sending chain) is showing the localhost IP.
I have an example below of an actual header with my server's info changed for privacy (the spammer's is real).
Just wanted confirmation that my assumption is correct on this.
Return-Path: <ProsventUltraBlend@operantish.com>
Delivered-To: acme2@mx.acme.net
Received: from localhost (localhost [127.0.0.1])
by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX
for <me@acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain = acme.com
Received: from mx.acme.net ([127.0.0.1])
by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id XXXXXXXX for <me@acme.net>;
Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8
for <me@acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3;
for <me@acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
Date: Thu, 30 Mar 2017 13:08:13 -0700

I know hardly any more than Jon Snow, but I do know that 127.0.0.1 can appear in mail headers, i.e. when a spam filter takes the mail, checks it and sends it on its way.
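To make the distinction concrete, here is an added example (not from either post) that walks the Received chain quoted in the question, newest header first, and trusts only hops stamped by your own MTA: loopback hops are your own content-filter pass (amavisd), the first non-loopback hop stamped by your MTA is the client that actually connected, and everything older, including the spammer's own 127.0.0.1 hop, was written by the sender's side and can say anything. It assumes the recipient's MTA is named mx.acme.net, as in the anonymised header.

```python
import re
from ipaddress import ip_address
# Constructed sample: the Received chain quoted in the question (recipient side
# already anonymised as acme.net there), newest header first, folded per RFC 5322.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
  by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX for <me@acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
Received: from mx.acme.net ([127.0.0.1])
  by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id XXXXXXXX for <me@acme.net>; Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
  by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8 for <me@acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
  by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3; for <me@acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
"""
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """One dict per 'Received: from ...' hop, newest first (hops without a
    'from' clause, i.e. local submissions, are skipped)."""
    hops = []
    for line in unfold(raw):
        m = FROM_RE.match(line)
        if not m:
            continue
        ip_m = IP_RE.search(m.group(2) or "")   # the bracketed peer address
        by_m = BY_RE.search(line, m.end())       # the host that stamped the hop
        ip = ip_m.group(1) if ip_m else None
        hops.append({"helo": m.group(1), "from_ip": ip,
                     "by": by_m.group(1) if by_m else "",
                     "loopback": bool(ip) and ip_address(ip).is_loopback})
    return hops

def classify(hops, own_hosts):
    """'internal' = our own loopback content-filter pass, 'entry' = the connection
    our MTA accepted from outside, 'untrusted' = stamped before the mail reached us."""
    labels, ours = [], True   # newest first, so our own hops come before the sender's
    for hop in hops:
        if ours and hop["loopback"]:
            labels.append("internal")
        elif ours and hop["by"].lower() in own_hosts:
            labels.append("entry")
            ours = False
        else:
            labels.append("untrusted")
            ours = False
    return labels
```

Calling classify(parse_received(SAMPLE_HEADERS), {"mx.acme.net"}) labels the four hops internal, internal, entry, untrusted: the spammer's 127.0.0.1 is the untrusted one, the two above it are the amavisd pass the answer describes.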

Related

Remote port forwarding disconnected when run from cron

I have installed FreeBSD and need to regularly run a reverse shell to establish and keep alive an SSH connection to the client (no public IP). When running the ssh -R script from the terminal, it works as expected, but when I run it as a cron command, the connection is established and disconnected right after that.
Here is the auth.log from the server:
Jan 26 08:50:00 sshd[9696]: Accepted publickey for XXXX from XXX.XXX.XXX.XXX port XXXXX ssh2: RSA SHA256: xxxxxxxxx
Jan 26 08:50:00 sshd[9696]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:00 systemd: pam_unix(systemd-user:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:01 systemd-logind[458]: New session 107 of user XXXX.
Jan 26 08:50:01 sshd[9794]: Received disconnect from XXX.XXX.XXX.XXX port XXXXX:11: disconnected by user
Jan 26 08:50:01 sshd[9794]: Disconnected from user XXXX XXX.XXX.XXX.XXX port XXXXX
Jan 26 08:50:01 sshd[9696]: pam_unix(sshd:session): session closed for user XXXX
Jan 26 08:50:01 systemd-logind[458]: Session 107 logged out. Waiting for processes to exit.
Jan 26 08:50:01 systemd-logind[458]: Removed session 107.
Do you have an idea, what causes this behavior and how to fix it?
Solved - see posts above. Thanks

Getting rid of localhost from email header

I am running an ISPConfig web/mail server on server1.fvdevelopment.com, and the problem is that my mail ends up in spam at Google. I have everything set up (rDNS, DKIM, SPF, DMARC), tested it on mail.tester.com and got 10/10, so I don't think that the record part would be an issue. However, my mail header contains localhost in one place. According to Google it's a bad practice.
The header would be as follows:
Delivered-To: hatrix05slk@gmail.com
Received: by 10.46.83.71 with SMTP id t7csp321551ljd;
Thu, 5 Oct 2017 01:44:12 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QDMToIk1MWaxUfmgNnk5OxLTcntcctaq1yCwSzOdCTObVb5C54D/RJ3P4u4hAh4aaMJIJqf
X-Received: by 10.223.184.246 with SMTP id c51mr12273556wrg.250.1507193052462;
Thu, 05 Oct 2017 01:44:12 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@magnorbertfotografus.hu header.s=default header.b=a0SJ1z55;
spf=pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) smtp.mailfrom=info@magnorbertfotografus.hu;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=magnorbertfotografus.hu
Return-Path: <info@magnorbertfotografus.hu>
Received: from server1.fvdevelopment.com (server1.fvdevelopment.com. [207.154.236.132])
by mx.google.com with ESMTPS id a53si2257050wra.424.2017.10.05.01.44.11
for <hatrix05slk@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 05 Oct 2017 01:44:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) client-ip=207.154.236.132;
Authentication-Results: mx.google.com;
dkim=pass header.i=@magnorbertfotografus.hu header.s=default header.b=a0SJ1z55;
spf=pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) smtp.mailfrom=info@magnorbertfotografus.hu;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=magnorbertfotografus.hu
Received: from localhost (server1.fvdevelopment.com [127.0.0.1]) by server1.fvdevelopment.com (Postfix) with ESMTP id C9E5285A71 for <hatrix05slk@gmail.com>; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= magnorbertfotografus.hu; h=user-agent:message-id:from:from:date :date:content-transfer-encoding:content-type:content-type :mime-version:subject:subject; s=default; t=1507193051; x= 1509007452; bh=L/xoTp7H4vQf9Krt99Qa65fJYkTcTAh3O6MbrxKyYR8=; b=a 0SJ1z55WFSLwHWYpsIZvEBVijKT05TW0LRozWmVp/xtV0W78vd6t5uzoEUgoESWd RHQCNz781PsXPaqqQVO5N7SK4IjceWXBd8mpubx/VxAk2hur81vEvIgTBy2oawUG d1M8rxc93Uir+3otzamGkBcV/UDCJURYbUNpLF4kCl7aYrpqkQ0lm1TPukfYkGvK dOjB+ERahcFini3S1v50yEAXeWIarEa3UN4vdA8gh3SG4FBJ9Zi/4C306xh/nml9 /00ynI53loJSatmH7I63oPmyJs5c2+iaW5N11/PMRWfUK8aGp54zs8gqb0r51jXw J8GBQD8e3vNN8AkVo42QQ==
X-Virus-Scanned: Debian amavisd-new at server1.fvdevelopment.com
Received: from server1.fvdevelopment.com ([127.0.0.1]) by localhost (server1.fvdevelopment.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8b0IS0eBLm7u for <hatrix05slk@gmail.com>; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
Received: by server1.fvdevelopment.com (Postfix, from userid 33) id 0E6148157A; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
To: hatrix05slk@gmail.com
Subject: Friss hirek jöttek
X-PHP-Originating-Script: 0:rcube.php
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Date: Thu, 05 Oct 2017 10:44:10 +0200
From: "Mag Norbert Fotográfus" <info@magnorbertfotografus.hu>
Message-ID: <066c4122a97faef9edce55bfcfcbc8bf@magnorbertfotografus.hu>
X-Sender: info@magnorbertfotografus.hu
User-Agent: Roundcube Webmail/1.2-beta
As you see, there is a localhost in the "Received: from" part.
My /etc/hosts looks as follows:
207.154.236.132 server1.fvdevelopment.com
127.0.0.1 server1.fvdevelopment.com server1
127.0.1.1 server1.fvdevelopment.com server1
127.0.0.1 localhost.localdomain localhost
My /etc/hostname has server1.fvdevelopment.com.
Any ideas on how to get rid of that localhost part? I have tried an awful lot of variations but can't get rid of it.
Best regards,
Trix
Check the smtp_header_checks option; for example, in main.cf add this line:
smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre
And in /usr/local/etc/postfix/header_checks.pcre you could use the following to hide some extra headers besides the ones starting with Received:, like the User-Agent, the sender IP or even the signature of RoundCube, X-PHP-Originating-Script:
/^Received:/ IGNORE
/^X-PHP-Originating-Script:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
smtp_header_checks is applied only for outgoing mail (smtp client)
The mail headers in your log indicate that the message is forwarded internally on your host once or twice before it is sent out to gmail. I don't know what the internal server setup is, but it seems that 'postfix' is sending it to itself (or to a different instance of itself) internally before it goes out. On one of those 'hops', the sender is being detected or reported as 'localhost'.
To avoid this, do the following:
- modify /etc/hosts not to have the same IP address for localhost and for your actual server name, e.g., try this:
207.154.236.132 server1.fvdevelopment.com
127.0.1.1 server1.fvdevelopment.com server1
127.0.0.1 localhost.localdomain localhost
(note the 'external' name is NOT on 127.0.0.1)
- check all config files related to the mail service for any references to 'localhost' and kill them (replace with the server name).
- check all config files related to the mail service for any references to the IP address 127.0.0.1 and change them to 127.0.1.1. That way, a connection from the host to itself for the 'internal hop' will still be on the lo interface, but NOT on 127.0.0.1, so it will not have a chance to be back-resolved to localhost.
- verify that the chosen secondary local address (e.g., 127.0.1.1) back-resolves to your full server name (e.g., python -c 'import socket as s; print(s.gethostbyaddr("127.0.1.1"))').
- verify that hostname --fqdn returns server1.fvdevelopment.com (this would normally be the case if your hostname is set to server1).
Just remember ^^ If you change something in the Global Filters in ISPConfig, then all your manually edited regexes will disappear from /etc/postfix/header_checks
I've just added those fields directly under
Email -> Content Filter
Best regards

Stop spammers from relaying via sendmail?

For the life of me I cannot figure out how spammers are sending mail through my server with relaying off. I'm running Sendmail 8.14.7 on Slackware Linux 14.1. The spammers have not figured out a user's password and are therefore logging in first via SASL with AUTH LOGIN, or I would see that in the log.
Here's an example from my logs, a spammer/bot from 182.234.55.47. Off the top of someone's head, what would allow this? Any IP randomly in the world can do this, yet when I try it sendmail says "relaying denied...". I could not be more lost. I firewall them, but it happens again an hour later from a different IP.
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: <-- MAIL FROM: <re>
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.0 <re>... Sender ok
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <htucker566@gmail.com>
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.5 <htunhtunnaing.goldpot@gmail.com>... Recipient ok
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: <-- DATA
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: --- 354 Enter mail, end with "." on a line by itself
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: from=<re>, size=496, class=0, nrcpts=5, msgid=<B3BE0AC12425C02A1FB8C9201EE5CB9E@jyvicegy>, proto=ESMTP, daemon=MTA, relay=host-47.55-234-182.cable.dynamic.kbtelecom.net [182.234.55.47]
Feb 23 12:18:48 central sendmail[28315]: t1NHIIgY028315: --- 250 2.0.0 t1NHIIgY028315 Message accepted for delivery

SPF softfail dragging me to an abyss

Mail sent from my PHP is not delivered to some clients, and I suspect this could be due to the SPF test returning a softfail with "domain of transitioning". The message details are below:
Delivered-To: eric.clapton@gmail.com
Received: by 10.50.73.42 with SMTP id i10csp74854igv;
Mon, 7 Oct 2013 03:21:52 -0700 (PDT)
X-Received: by 10.68.44.33 with SMTP id b1mr2455965pbm.53.1381141311313;
Mon, 07 Oct 2013 03:21:51 -0700 (PDT)
Return-Path: <craig@abc.com>
Received: from mtarelay2.ops.gq1.yahoo.net (mtarelay2.ops.gq1.yahoo.net. [98.136.240.39])
by mx.google.com with ESMTP id f6si4349525pba.278.1969.12.31.16.00.00;
Mon, 07 Oct 2013 03:21:51 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning craig@abc.com does not designate 98.136.240.39 as permitted sender) client-ip=98.136.240.39;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning craig@abc.com does not designate 98.136.240.39 as permitted sender) smtp.mail=craig@abc.com
Received: from p10db3.geo.gq1.yahoo.com (p10db3.geo.gq1.yahoo.com [67.195.61.18])
by mtarelay2.ops.gq1.yahoo.net (Postfix) with ESMTP id 764E0511EB
for <eric.clapton@gmail.com>; Mon, 7 Oct 2013 10:21:35 +0000 (UTC)
Received: (from root@localhost)
by p10db3.geo.gq1.yahoo.com (8.14.4/8.14.4/Submit) id r97ALZiJ005899;
Mon, 7 Oct 2013 03:21:35 -0700
Date: Mon, 7 Oct 2013 03:21:35 -0700
Message-Id: <201310071021.r97ALZiJ005899@p10db3.geo.gq1.yahoo.com>
To: eric.clapton@gmail.com
Subject: Client invoice
From: craig@abc.com
MIME-Version: 1.0
The SPF settings for my domain are:
v=spf1 a mx ~all
Check which IPs are allowed to send emails for the sender domain. This website lets you see all allowed IPs:
http://spf.myisp.ch
If the sender IP does not match any IP or IP range it shows you, then you might need to edit the SPF settings.
One thing that stands out is Received: (from root@localhost), which is bound to give an error. Many spam blockers, including Google's, don't allow localhost inside the HELO string. I just had the same error on an Ubuntu server using Postfix, and the solution was to edit /etc/postfix/main.cf to have:
myhostname = abc.com
and then restart the postfix service.
sudo nano /etc/postfix/main.cf
sudo /etc/init.d/postfix restart
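As an added illustration (not from the thread), this evaluates the v=spf1 a mx ~all record from the question against the Yahoo relay address 98.136.240.39 seen in the header, showing why the first matching term's qualifier (~all) yields softfail. The DNS data is a constructed in-memory view: invented RFC 5737 documentation-range addresses for abc.com's own hosts, plus a made-up zone abc.example whose record additionally lists the relay's address, which is the kind of edit the first answer suggests; only the a, mx, ip4 and all mechanisms are handled.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS view (hypothetical): the SPF record from the question plus
# invented documentation-range addresses for abc.com's own hosts, and a second
# made-up zone whose record also authorises the relay address 98.136.240.39.
DNS = {
    ("abc.com", "TXT"): ["v=spf1 a mx ~all"],
    ("abc.com", "A"): ["203.0.113.10"],
    ("abc.com", "MX"): ["mail.abc.com"],
    ("mail.abc.com", "A"): ["203.0.113.25"],
    ("abc.example", "TXT"): ["v=spf1 a mx ip4:98.136.240.39 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stand-in for a DNS query; a missing name simply has no records."""
    return DNS.get((name.lower(), rtype), [])

def mech_matches(mech, domain, client_ip):
    """Does one mechanism (subset: a, mx, ip4, all) cover client_ip?"""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return client_ip in ip_network(arg, strict=False)
    target = arg or domain  # 'a' and 'mx' default to the domain being checked
    if name == "a":
        return any(client_ip == ip_address(a) for a in lookup(target, "A"))
    if name == "mx":
        return any(client_ip == ip_address(a)
                   for mx in lookup(target, "MX") for a in lookup(mx, "A"))
    raise ValueError("mechanism not handled by this example: " + mech)

def check_spf(domain, client_ip):
    """SPF result for MAIL FROM <...@domain> delivered from client_ip.
    Terms are tried left to right; the first match decides and its qualifier
    becomes the verdict, so a relay covered by neither 'a' nor 'mx' falls
    through to '~all' and is reported as softfail."""
    client_ip = ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mech_matches(term.lstrip("+-~?"), domain, client_ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match
```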

WSO2 ESB Secured Proxy Endpoint

I use the ESB with many different proxies.
One of them sends the messages to other proxy endpoints. All the proxies are in the ESB.
At the moment those endpoint proxies are not secured. I'd like to use Scenario 1 as security for them.
But how can I send the message to those endpoints? That means: how can I add a security header with username and password in my proxy configuration, so that I can authenticate, maybe with user "admin" and password "admin"?
As I understand it, you need to secure the proxy and forward to an unsecured back-end service.
For this, you can try the following steps from the WSO2 ESB Management Console. I tried this on WSO2 ESB 4.7.0.
Add a pass-through proxy service.
View the proxy from the Service Dashboard.
Click on "Security" for the service.
Select "Yes" for "Enable Security?"
Select "UsernameToken" and click Next. This is the Scenario 1 you mentioned; it uses the WS-Security standard with a Username Token.
You can select the "admin" group here and click on "Finish".
Now security will be enabled for your service.
The proxy service now needs authentication, and you can use the "admin" user (or any user you have added).
If you are using a Java client, it might be easier to use Axis2 with the Rampart module engaged. There are many examples of this.
See the following links.
http://blog.facilelogin.com/2008/11/security-policy-with-rampart.html (This has a simple client)
http://blog.thilinamb.com/2009/08/securing-web-service-with-username.html
I tested this using SoapUI. You can pass username and password from request properties.
Your request will be similar to the following.
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "POST /services/SimpleStockQuoteService.SimpleStockQuoteServiceHttpsSoap12Endpoint HTTP/1.1[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Type: application/soap+xml;charset=UTF-8;action="urn:getQuote"[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Length: 1195[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Host: isurup-ThinkPad-T530:8243[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "<soap:Envelope xmlns:ser="http://services.samples" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://services.samples/xsd">[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Header><wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="TS-63"><wsu:Created>2013-08-20T19:45:32Z</wsu:Created><wsu:Expires>2013-08-20T21:08:52Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id="UsernameToken-62"><wsse:Username>admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WG8iV7vik8QqZkzlaIabWg==</wsse:Nonce><wsu:Created>2013-08-20T19:45:32.861Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <xsd:symbol>WSO2</xsd:symbol>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "</soap:Envelope>"
Update
If the back-end service is also secured, you can refer following blog post.
http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
In the calling proxy service you can configure a property as follows:
<property name="Authorization"
expression="fn:concat('Basic ', base64Encode('admin:admin'))"
scope="transport"
type="STRING"/>
With this, the Basic Auth header will be set in the request to the called proxy service.
Hope this helps.
You can simply use curl to invoke the secured proxy service as below.
curl -k --basic -u admin:admin https://localhost:8243/services/PoxSecurityProxy.POXSecurityProxyHttpsSoap11Endpoint/echoString?in=Chanaka
In your scenario, you need to invoke a secured backend (another proxy service) from a proxy service. To do this you will need to write security policies. Refer to the blog post at [1].
[1] http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
