There is a Zimbra (Postfix) mail server with around 32 mailboxes. Recently some of the mailboxes have started receiving letters claiming that the computer on which the recipient's mailbox is used has supposedly been hacked, and threatening that unless the person pays some amount of money in bitcoin, the hacker will send out the user's personal information and the fact that the user visited sites "of an interesting nature", and so on.
Here is the message header:
Return-Path: user@domain.com.ua
Received: from mx.domain.com.ua (LHLO mx.domain.com.ua) (192.168.50.10) by
mx.domain.com.ua with LMTP; Sun, 4 Nov 2018 22:52:32 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
by mx.domain.com.ua (Postfix) with ESMTP id 621E0BA09FB
for <user@domain.com.ua>; Sun, 4 Nov 2018 22:52:32 +0200 (EET)
X-Virus-Scanned: amavisd-new at domain.com.ua
X-Spam-Flag: YES
X-Spam-Score: 14.479
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.479 tagged_above=-10 required=6.6
tests=[BAYES_00=-1.9, CK_HELO_DYNAMIC_SPLIT_IP=1.499,
DATE_IN_PAST_03_06=1.592, HELO_DYNAMIC_IPADDR2=3.607,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_BL=0.01,
RCVD_IN_MSPIKE_L5=2.956, RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.31,
RCVD_IN_XBL=0.375, RDNS_DYNAMIC=0.982, TVD_RCVD_IP=0.001]
autolearn=no autolearn_force=no
Received: from mx.domain.com.ua ([127.0.0.1])
by localhost (mx.domain.com.ua [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id xfkDxekwmF4g for <user@domain.com.ua>;
Sun, 4 Nov 2018 22:52:30 +0200 (EET)
Received: from 201-213-72-189.net.prima.net.ar (201-213-72-189.net.prima.net.ar [201.213.72.189])
by mx.domain.com.ua (Postfix) with ESMTP id 267A0BA013C
for <user@domain.com.ua>; Sun, 4 Nov 2018 22:52:30 +0200 (EET)
Message-ID: <5C9BA9C4466EF62BECDEB33119815C9B@8C8762K>
From: <user@domain.com.ua>
To: <user@domain.com.ua>
Subject: Change your password immediately. Your account has been hacked.
Date: 4 Nov 2018 13:41:51 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912
Return-Path: user2@domain2.com.ua
Received: from mx.domain2.pp.ua (LHLO mx.domain2.pp.ua) (11.22.33.44)
by mx.domain2.pp.ua with LMTP; Thu, 25 Oct 2018 00:12:33 +0300 (EEST)
Received: from localhost (localhost [127.0.0.1])
by mx.domain2.pp.ua (Postfix) with ESMTP id A4C66FD80C
for <user2@domain2.com.ua>; Thu, 25 Oct 2018 00:12:33 +0300 (EEST)
X-Virus-Scanned: amavisd-new at domain2.pp.ua
X-Spam-Flag: NO
X-Spam-Score: 5.964
X-Spam-Level: *****
X-Spam-Status: No, score=5.964 required=6.6 tests=[BAYES_00=-1.9,
DATE_IN_FUTURE_06_12=1.947, DOS_OUTLOOK_TO_MX=2.845,
FROM_IN_TO_AND_SUBJ=1.499, RDNS_NONE=0.793, SPF_NEUTRAL=0.779,
URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mx.domain2.pp.ua ([127.0.0.1])
by localhost (mx.domain2.pp.ua [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id zxOEs8ofF0hE; Thu, 25 Oct 2018 00:12:29 +0300 (EEST)
Received: from [1.46.76.222] (unknown [1.46.76.222])
by mx.domain2.pp.ua (Postfix) with ESMTP id B6960FD735
for <user2@domain2.com.ua>; Thu, 25 Oct 2018 00:12:28 +0300 (EEST)
From: <user2@domain2.com.ua>
To: <user2@domain2.com.ua>
Subject: account user2@domain2.com.ua is compromised
Date: 25 Oct 2018 09:59:20 +0600
Message-ID: <003201d46c18$04536a49$8d34828b$@domain2.com.ua>
MIME-Version: 1.0
Content-Type: text/plain;
charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Ac6eqgs0g3ggp9rn6eqgs0g3ggp9rn==
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
[zimbra@mx ~]$ postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain, permit
I tried dropping the sender's IP with iptables, but it is useless: every time it comes from a new IP. By the way, judging by my observations, this is coming from routers with buggy firmware.
I checked the computers with an antivirus; on some of them I actually found malware and cleaned them up.
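What both headers above have in common is the thing the restriction list never checks: the From: (and Return-Path) is the server's own domain, but the message was handed to the MX by an outside client that did not authenticate. The script below is an added example, not code from the original post. It walks the Received chain of abridged copies of the two quoted headers (same hosts and IPs as printed above; the headers are embedded as constructed samples), finds the hop where the message entered the MX, and flags a local sender arriving from an external, non-SASL client. The trusted-host sets, the local-domain lists and the function names are assumptions for the illustration.

```python
"""Hop analysis of the two sextortion headers quoted in the post above.

Added example, not code from the original post: the samples are abridged
copies of the headers printed there (same hosts and IPs); the trusted-host
sets, local-domain lists and function names are assumptions for illustration.
"""
import email
import re
from email.utils import parseaddr

# Sample 1, abridged from the post: flagged by SpamAssassin (score 14.479).
SAMPLE_1 = """\
Return-Path: user@domain.com.ua
Received: from localhost (localhost [127.0.0.1])
 by mx.domain.com.ua (Postfix) with ESMTP id 621E0BA09FB
X-Spam-Flag: YES
Received: from mx.domain.com.ua ([127.0.0.1])
 by localhost (mx.domain.com.ua [127.0.0.1]) (amavisd-new, port 10024)
Received: from 201-213-72-189.net.prima.net.ar (201-213-72-189.net.prima.net.ar [201.213.72.189])
 by mx.domain.com.ua (Postfix) with ESMTP id 267A0BA013C
 for <user@domain.com.ua>; Sun, 4 Nov 2018 22:52:30 +0200 (EET)
From: <user@domain.com.ua>
To: <user@domain.com.ua>
Subject: Change your password immediately. Your account has been hacked.
"""

# Sample 2, abridged from the post: not flagged (score 5.964 < required 6.6).
SAMPLE_2 = """\
Return-Path: user2@domain2.com.ua
Received: from localhost (localhost [127.0.0.1])
 by mx.domain2.pp.ua (Postfix) with ESMTP id A4C66FD80C
X-Spam-Flag: NO
Received: from mx.domain2.pp.ua ([127.0.0.1])
 by localhost (mx.domain2.pp.ua [127.0.0.1]) (amavisd-new, port 10024)
Received: from [1.46.76.222] (unknown [1.46.76.222])
 by mx.domain2.pp.ua (Postfix) with ESMTP id B6960FD735
 for <user2@domain2.com.ua>; Thu, 25 Oct 2018 00:12:28 +0300 (EEST)
From: <user2@domain2.com.ua>
To: <user2@domain2.com.ua>
Subject: account user2@domain2.com.ua is compromised
"""

HOP_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?")  # "from HELO (comment)"
RDNS_RE = re.compile(r"^(\S+)\s+\[")                       # Postfix comment: "rdns [ip]"
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith\s+ESMTPS?A\b")               # Postfix marks SASL-authenticated sessions


def parse_hop(received):
    """Pull HELO name, reverse DNS, client IP and SASL flag out of one Received header."""
    text = received.strip()
    m = HOP_RE.match(text)
    helo = m.group(1) if m else ""
    comment = (m.group(2) or "") if m else ""
    rdns = RDNS_RE.match(comment)
    ip = IPV4_RE.search(text)
    return {
        "helo": helo,
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip.group(1) if ip else None,
        "authenticated": AUTH_RE.search(text) is not None,
    }


def entry_hop(msg, trusted):
    """Walk Received headers newest to oldest; the first hop whose client is not
    one of our own hosts is where the message entered the MX. Anything older
    was written by the sender and may be forged, so it is never consulted."""
    for received in msg.get_all("Received", []):
        hop = parse_hop(received)
        if not ({hop["helo"], hop["rdns"], hop["ip"]} & trusted):
            return hop
    return None


def classify(raw, local_domains, trusted):
    """Flag a message whose From: claims one of our domains although an outside,
    unauthenticated client handed it to the MX."""
    msg = email.message_from_string(raw)
    hop = entry_hop(msg, trusted)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    external = hop is not None and not hop["authenticated"]
    return {
        "client_ip": hop["ip"] if hop else None,
        "helo": hop["helo"] if hop else None,
        "rdns": hop["rdns"] if hop else None,
        "spam_flagged": msg.get("X-Spam-Flag", "").strip().upper() == "YES",
        "self_addressed": from_addr == to_addr,
        "rdns_missing": hop is not None and hop["rdns"] in (None, "unknown"),
        "local_sender_spoofed": from_domain in local_domains and external,
    }


def analyse_samples():
    """Run both samples with the local hosts visible in their own Received lines."""
    return {
        "sample_1": classify(SAMPLE_1, {"domain.com.ua"},
                             {"mx.domain.com.ua", "localhost", "127.0.0.1"}),
        "sample_2": classify(SAMPLE_2, {"domain2.com.ua", "domain2.pp.ua"},
                             {"mx.domain2.pp.ua", "localhost", "127.0.0.1"}),
    }
```

Both samples come out with local_sender_spoofed true, including the second one, which SpamAssassin let through at 5.964. On the Postfix side the same rule is enforced before the message is accepted: after permit_sasl_authenticated and permit_mynetworks in the restriction list shown above, add check_sender_access with a map that maps your own domains to REJECT; both samples carry a Return-Path in the local domain, so the envelope-sender check would have matched them. Note that reject_unknown_reverse_client_hostname, already in that list, only stops clients with no PTR record, like the "unknown" host in the second sample; the first sender had a (dynamic) PTR and passed it. Two caveats: any legitimate outside relay that sends with your domain as envelope sender (an external web form, a "send as" setup at another provider) must be allowed through check_client_access before that rule, and in Zimbra the restriction list is generated from LDAP, so the change is made with zmprov (the attribute name depends on the Zimbra version) rather than by editing main.cf by hand. An SPF record ending in -all, checked on inbound mail, rejects the forged envelope sender from any IP without a static map; a header From forged while the envelope sender is elsewhere needs DMARC or a header_checks rule instead.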