最近发现攻击者 IP 180.103.12.117 通过 SMTP 端口向同事发送钓鱼邮件成功,没有经过任何认证,且发件 IP 不在 cpibj.com.cn 的 SPF 允许范围内。
C:\>nslookup
默认服务器: public1.114dns.com
Address: 114.114.114.114
> set qt=txt
> cpibj.com.cn
服务器: public1.114dns.com
Address: 114.114.114.114
非权威应答:
cpibj.com.cn text =
"qqmail-site-verification=b72f361daa3048ca5b64be6b1670252f65ced90d851"
cpibj.com.cn text =
"MS=D2EBDFFED7F601051E24E409E3F0F36697658F03"
cpibj.com.cn text =
"v=spf1 ip4:123.117.136.189 ip4:114.255.252.30 ip4:114.255.252.17 -all"
感觉碰到玄学了,攻击者能直接利用,我却复现不了。。。提示没通过 SPF 校验。。。
黑产是怎么实现这种方式的批量钓鱼邮件投递啊。。。求大佬解惑
下面是捕获到的伪造的发件人清单:
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM:<[email protected]>
MAIL FROM: <[email protected]>
我这边回溯我们的全流量产品,有抓到的原始流量信息,源 IP ( 180.103.12.117 )直接连的我们这边的邮件网关( 10...131:25 )。
TCP 日志还原后的部分交互内容,如下:
220 smtp ready
HELO cpibj.com.cn
250 spic.com.cn HELO, pleased to meet cpibj.com.cn
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <chenhuan01@****.com.cn>
250 OK
DATA
354 go ahead
Date: T
我按照以上格式,通过 telnet 命令还有 python 脚本去发件,都是提示「 556 remote ip check error.(SPF online: 发信 ip 与 Mail From 地址不一致)」,所以接下来不知道怎么办了。
目前这封邮件是没有被邮件安全网关拦截的,是「投递成功」状态,也没有被标记为垃圾邮件。
1
1423 241 天前
是哪家的域名邮箱吗,还是公司自己管理的
|
2
winterx 241 天前
网关有多种判断识别方式,spf 只是其中一种,楼主要完全伪造相同邮件头才知道能不能过
没有用过亿邮不太了解他家产品 ,如果能进网关后台就看具体过滤日志跟原因,如果不行就问客服吧 |
3
chuckzhou 241 天前
可能是有人密码泄露了,有的邮件系统在 auth 通过之后,就可以冒充任何人。具体的还是要看日志。
|
4
LaoDahVong 241 天前
邮件相关的不大懂. 会不会是 relay 或者 forward 出去的? 马一个给楼主送小红心. 蹲个后续学习学习.
|
5
lemonda 241 天前
https://xxb.ecust.edu.cn/2010/0304/c7630a52237/page.htm
是否是队列中的邮件同事点了投递 |
6
serafin 241 天前
因为是从内网 IP 发的。10 开口的 IP 为什么要打马?
|
7
miscnote 241 天前
spf 只是一个标记,通不通过是你的策略服务器的事。
|
8
leonshaw 241 天前 via Android
客户端地址跟 SPF 没关系,邮件提交和转发是两个过程。如果是提交到对方邮件服务器并转发的,从技术上看就是正常邮件。
|
9
xcodeghost 241 天前
是你们域名使用的邮件系统对垃圾邮件过滤不严导致的,不是攻击者有多厉害。
|
10
gtese 241 天前
spf 是检查 发件域名是否域名所有者申请。
域名本身没有做 sfp 申请,spf 就是无效的反垃圾策略。 180.103.12.117 本身没有上过黑名单,投递到你们这里也算正常的。 “10 开口的 IP 为什么要打马?” 10 是对方当时用的内网 ip ,打码确实没必要。 |
11
lixingcong 241 天前
据说某迪的内网邮箱收到过诈骗邮件:标题《 2024 年综合补贴申领通知》,还真的有人点进去填信息,老骗局。
|
12
bootyshinehf OP @1423 是公司本地部署自建的邮件系统,用的是亿邮的产品,不是那种 SaaS 化的企业邮箱。
|
13
bootyshinehf OP @winterx
# 1 、关于伪造相同邮件头的问题: 我这边回溯我们的全流量产品,有抓到的原始流量信息,源 IP ( 180.103.12.117 )直接连的我们这边的邮件网关( 10.**.**.131:25 )。 TCP 日志还原后的部分交互内容,如下: ``` 220 smtp ready HELO cpibj.com.cn 250 spic.com.cn HELO, pleased to meet cpibj.com.cn MAIL FROM: <[email protected]> 250 OK RCPT TO: <chenhuan01@****.com.cn> 250 OK DATA 354 go ahead Date: T ``` 我按照以上格式,通过 telnet 命令还有 python 脚本去发件,都是提示「 556 remote ip check error.(SPF online:发信 ip 与 Mail From 地址不一致)」,所以接下来不知道怎么办了。 # 2 、关于邮件网关中的拦截问题 目前这封邮件是没有被拦截的,是「投递成功」状态,也没有被标记为垃圾邮件。 |
14
bootyshinehf OP |
15
bootyshinehf OP |
16
bootyshinehf OP @serafin
根据邮件头信息「 Received: from 180.103.12.117 by 10.**.**.131 with SMTP; Thu, 25 Apr 2024 10:14:31 +0800 」来看,发件地址是 180.103.12.117 ,应该是很明确的。 10.**.**.131 ,这个是我们的邮件安全网关。 |
17
retanoj 240 天前
是变更过 SPF 记录了吗?
我这边获得的结果跟 OP 贴的内容不一致 dig @114.114.114.114 cpibj.com.cn txt ;; QUESTION SECTION: ;cpibj.com.cn. IN TXT ;; ANSWER SECTION: cpibj.com.cn. 600 IN TXT "v=spf1 ip4:123.117.136.189 ip4:114.255.252.30 ip4:114.255.252.17 mx a include:spf.protection.outlook.com ~all" ~all 是个软拒绝策略 |
18
bootyshinehf OP |
19
sleepm 240 天前
|
20
wan4da 240 天前
from 是可以伪造的,看看 sender 是啥。https://www.cnblogs.com/xiaozi/p/12906040.html 可以看看这篇文章
|
21
leonshaw 240 天前
既然有流量回溯,就看看当时邮件服务器发起的 DNS 解析
|
22
follow 240 天前
@bootyshinehf 你这内网和外网解析结果不一致,
|
23
retanoj 240 天前
|
24
bootyshinehf OP @retanoj @follow
不对啊。。。 我用在线工具 Dig https://toolbox.googleapps.com/apps/dig/?lang=zh-CN 还有在线 nslookup http://www.jsons.cn/nslookup/ 查询的结果也是不一致的。。。 |
25
lemonda 240 天前
@bootyshinehf
看下万网里是否设置了分线路解析不同的 SPF 记录 |
26
retanoj 240 天前
|
27
winterx 240 天前
@bootyshinehf #13 不用查流量回溯这么复杂,smtp 都是先经过邮件网关再投递到服务器,你只需要查为什么网关会放行这封邮件
首先你要知道没有网关能 100%拦截垃圾邮件 1 、策略问题 2 、识别问题 |
28
broeeee 240 天前
27 是明白人,先看策略
|
29
C0nvN3t 240 天前
确实有点奇怪 按理 spf 应该直接就 deny 掉才对。。 插眼学习
|
30
bootyshinehf OP |
31
bootyshinehf OP |
32
retanoj 240 天前
em. 我还好奇他的访问入口
|
33
litblue 240 天前
你的 mx 记录指向 mail.cpibj.com.cn 123.117.136.189
telnet 123.117.136.189 25 后 220 Welcome to chinapower ehlo cpibj.com.cn 250-mailadmin.chinapower.hk Hello cpibj.com.cn [*], pleased to meet you 250-SIZE 40000000 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-STARTTLS 250-PIPELINING 250-8BITMIME 250 HELP MAIL FROM: <[email protected]> 250 Sender <[email protected]> OK quit 没有拒绝,还是查查网关的策略吧。 |