วิธีการ Allow range ip : Microsoft เพื่อป้องกันการถูก Block โดย Server
ปัญหา
เนื่องจากพบปัญหาในการส่ง Email จาก Office365 และ Microsoft เข้า Exim mail server และถูก Exim mail server ปฎิเสธ
แนวทางการแก้ไขปัญหา
1. ทำการ Login WHM
2. ไปที่เมนู Home >> Service Configuration >> Exim Configuration Manager จากนั้นเลือกที่ Trusted SMTP IP addresses คลิก Edit
3. ทำการเพิ่มข้อมูล Range ip จากนั้น Click save
13.107.6.152/3113.107.18.10/3113.107.128.0/2223.103.160.0/2040.96.0.0/1340.104.0.0/1552.96.0.0/14131.253.33.215/32132.245.0.0/16150.171.32.0/22204.79.197.215/322603:1006::/402603:1016::/362603:1026::/362603:1036::/362603:1046::/362603:1056::/362620:1ec:4::152/1282620:1ec:4::153/1282620:1ec:c::10/1282620:1ec:c::11/1282620:1ec:d::10/1282620:1ec:d::11/1282620:1ec:8f0::/462620:1ec:900::/462620:1ec:a92::152/1282620:1ec:a92::153/12840.92.0.0/1540.107.0.0/1652.100.0.0/14104.47.0.0/172a01:111:f400::/482a01:111:f403::/48
4. หลังจากทำการเพิ่มข้อมูล Range ip เรียบร้อยแล้วให้ทำการเลื่อนลงมาที่ล่างสุดและกด Save Config อีกครั้ง
รายละเอียด IP Range อาจมีการปรับเปลี่ยนในอนาคต สามารถดูเพิ่มเติมได้ที่ Link ด้านล่างนี้https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
ปัญหา มี Email คล้ายๆลักษณะของ is hacked. แต่จะส่งเข้ามาเป็นรูปภาพเพียงอย่างเดียว และ Subject จะแสดงเป็นชื่อของ Account นั้นๆ
ลักษณะรูปภาพ Spam ที่ส่งเข้ามา
การแก้ไขปัญหา
1. ให้ทำการเพิ่ม System filter ในไฟล์ /usr/local/cpanel/etc/exim/sysfilter/options/netway_filters
[root@system ~]# nano -w /usr/local/cpanel/etc/exim/sysfilter/options/netway_filters
2. โดยให้ทำการเพิ่ม Filter Rule ในบรรทัดล่างสุดตามข้อมูลด้านล่าง
if first_deliveryand ("$header_to:" contains "$header_subject:")then failseen finishendif
3. จากนั้นทำการ buildeximconf
[root@system ~]# /scripts/buildeximconf
4. ผลที่ได้จะมีการแก้ไขไฟล์ในส่วนของ /etc/cpanel_exim_system_filter
# Exim filter# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## cPanel System Filter for EXIM ## VERSION = 2.0 ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is ## next rebuilt. To have modifications retained, please use one of the following options: ## ## 1) ## * Place each sysfilter block you wish to include in a unique file at: ## /usr/local/cpanel/etc/exim/sysfilter/options/ ## * Enable or disable the custom block in WHM using: ## Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file] ## ## 2) ## * Create a custom sysfilter file in /etc/ ## * Change the location of the sysfilter file in WHM using: ## Service Configuration => Exim Configuration Manager => Filters => System Filter File ## ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## ## Only process once ## ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #if not first_deliverythen finishendif# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## ## Ignore "real" errors ## ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #if error_message and $header_from: contains "Mailer-Daemon@"then finishendif# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf## -----------------------------------------------------------------------# Look for single part MIME messages with suspicious name extensions# Check Content-Type header using quoted filename [content_type_quoted_fn_match]if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finishendif# same again using unquoted filename [content_type_unquoted_fn_match]if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finishendif
## -----------------------------------------------------------------------# Attempt to catch embedded VBS attachments# in emails. These were used as the basis for# the ILOVEYOU virus and its variants - many many varients# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?-->\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?-->\\\\s*)attachment);(?-->\\\\s*)(?:file)?name=|begin(?-->\\\\s+)[0-7]{3,4}(?-->\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finishendif# same again using unquoted filename [body_unquoted_fn_match]if $message_body matches "(?:Content-(?:Type:(?-->\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?-->\\\\s*)attachment);(?-->\\\\s*)(?:file)?name=|begin(?-->\\\\s+)[0-7]{3,4}(?-->\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finishendif## -----------------------------------------------------------------------
#### Version history## 0.01 5 May 2000# Initial release# 0.02 8 May 2000# Widened list of content-types accepted, added WSF extension# 0.03 8 May 2000# Embedded the install notes in for those that don't do manuals# 0.04 9 May 2000# Check global content-type header. Efficiency mods to REs# 0.05 9 May 2000# More minor efficiency mods, doc changes# 0.06 20 June 2000# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan# 0.07 19 July 2000# Latest MS Outhouse bug catching# 0.08 19 July 2000# Changed trigger length to 80 chars, fixed some spelling# 0.09 29 September 2000# More extensions... its getting so we should just allow 2 or 3 through# 0.10 18 January 2001# Removed exclusion for error messages - this is a little nasty# since it has other side effects, hence we do still exclude# on unix like error messages# 0.11 20 March, 2001# Added CMD extension, tidied docs slightly, added RCS tag# ** Missed changing version number at top of file :-(# 0.12 10 May, 2001# Added HTA extension# 0.13 22 May, 2001# Reformatted regexps and code to build them so that they are# shorter than the limits on pre exim 3.20 filters. This will# make them significantly less efficient, but I am getting so# many queries about this that requiring 3.2x appears unsupportable.# 0.14 15 August,2001# Added .lnk extension - most requested item :-)# Reformatted everything so its now built from a set of short# library files, cutting down on manual duplication.# Changed \w in filename detection to . - dodges locale problems# Explicit application of GPL after queries on license status# 0.15 17 August, 2001# Changed the . in filename detect to \S (stops it going mad)# 0.16 19 September, 2001# Pile of new extensions including the eml in current use# 0.17 19 September, 2001# Syntax fix##### Install Notes## Exim filters run the exim filter language - a very primitive# scripting language - in place of a user .forward file, or on# a per system basis (on all messages passing through).# The filtering capability is documented in the main set of manuals# a copy of which can be found on the exim web site# http://www.exim.org/## To install, copy the filter file (with appropriate permissions)# to /etc/exim/system_filter.exim and add to your exim config file# [location is installation depedant - typicaly /etc/exim/config ]# in the first section the line:-# message_filter = /etc/exim/system_filter.exim# message_body_visible = 5000## You may also want to set the message_filter_user & message_filter_group# options, but they default to the standard exim user and so can# be left untouched. The other message_filter_* options are only# needed if you modify this to do other functions such as deliveries.# The main exim documentation is quite thorough and so I see no need# to expand it here...## Any message that matches the filter will then be bounced.# If you wish you can change the error message by editing it(ชื่อ Account ปลายทางที่ต้องการให้ได้รับ Auto BCC)# in the section above - however be careful you don't break it.## After install exim should be restarted - a kill -HUP to the# daemon will do this.##### LIMITATIONS## This filter tries to parse MIME with a regexp... that doesn't# work too well. It will also only see the amount of the body# specified in message_body_visible##### BASIS## The regexp that is used to pickup MIME/uuencoded body parts with# quoted filenames is replicated below (in perl format).# You need to remember that exim converts newlines to spaces in# the message_body variable.## (?:Content- # start of content header# (?:Type: (?-->\s*) # rest of c/t header# [\w-]+/[\w-]+ # content-type (any)# |Disposition: (?-->\s*) # content-disposition hdr# attachment) # content-disposition# ;(?-->\s*) # ; space or newline# (?:file)?name= # filename=/name=# |begin (?-->\s+) [0-7]{3,4} (?-->\s+)) # begin octal-mode# (\"[^\"]+\. # quoted filename.# (?:ad[ep] # list of extns# |ba[st]# |chm# |cmd# |com# |cpl# |crt# |eml# |exe# |hlp# |hta# |in[fs]# |isp# |jse?# |lnk# |md[be]# |ms[cipt]# |pcd# |pif# |reg# |scr# |sct# |shs# |url# |vb[se]# |ws[fhc])# \" # end quote# ) # end of filename capture# [\s;] # trailing ;/space/newline
##### [End]# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconfif "${if def:header_X-Spam-Subject: {there}}" is therethen headers remove Subject headers add "Subject: $rh_X-Spam-Subject:" headers remove X-Spam-Subjectendif
if ("$header_to:" matches "$header_subject:")then failseen finish endif# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
ปัญหา
มี Email Subject : Change your password immediately. Your account has been hacked. ส่งเข้าไปยัง inbox ของลูกค้าเอง
ลักษณะของ Email
Return-Path: Delivered-To: poranee@ccsthai.comReceived: from netway37.netway.co.th by netway37.netway.co.th with LMTP id 2FGbFyrx31t+vh8A2wumKw for ; Mon, 05 Nov 2018 14:28:42 +0700Return-path: Envelope-to: poranee@ccsthai.comDelivery-date: Mon, 05 Nov 2018 14:28:42 +0700Received: from cm-27-145-209-217.revip12.asianet.co.th ([27.145.209.217]:40731) by netway37.netway.co.th with esmtp (Exim 4.91) (envelope-from ) id 1gJZJS-008kOV-BS for poranee@ccsthai.com; Mon, 05 Nov 2018 14:28:42 +0700From: To: Date: 5 Nov 2018 19:54:01 +0600MIME-Version: 1.0Subject: Change your password immediately. Your account has been hacked.Message-ID: <5BE05371.9362.8E7D93@poranee.ccsthai.com>Priority: normalX-mailer: Pegasus Mail for Windows (4.41)Content-type: text/plain; charset="ibm852"Content-transfer-encoding: 8BITContent-description: Mail message bodyI greet you!I have bad news for you.11/08/2018 - on this day I hacked your operating system and got full access to your account poranee@ccsthai.comIt is useless to change the password, my malware intercepts it every time.How it was:In the software of the router to which you were connected that day, there was a vulnerability.I first hacked this router and placed my malicious code on it.When you entered in the Internet, my trojan was installed on the operating system of your device.After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).A month ago, I wanted to lock your device and ask for a small amount of money to unlock.But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.I'm talking about sites for adults.I want to say - you are a big pervert. You have unbridled fantasy!After that, an idea came to my mind.I made a screenshot of the intimate website where you have fun (you know what it is about, right?).After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.I think $844 is a very small amount for my silence.Besides, I spent a lot of time on you!I accept money only in Bitcoins.My BTC wallet: 1B1Vov1LTLGLcVG3ycPQhQLe81V67FZpMZYou do not know how to replenish a Bitcoin wallet?In any search engine write "how to send money to btc wallet".It's easier than send money to a credit card!For payment you have a little more than two days (exactly 50 hours).Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!After payment, my virus and dirty photos with you self-destruct automatically.Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".I want you to be prudent.- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)- Do not try to contact me (this is not feasible, I sent you an email from your account)- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim. This is a hacker code of honor.From now on, I advise you to use good antiviruses and update them regularly (several times a day)!Don't be mad at me, everyone has their own work.Farewell.
การแก้ไขปัญหา
1. ใน /etc/mail/spamassassin/local.cf เพิ่มเติม sa rule ตามนี้
header RUSSIAN2 Content-Type =~ /Windows-1251/score RUSSIAN2 2
header RUSSIAN3 Content-Type =~ /ibm852/score RUSSIAN3 2
header RUSSIAN4 Content-Type =~ /cp-850/score RUSSIAN4 2
body LOC_NO_EXTORT1_ALL /I accept money only in Bitcoins/iscore LOC_NO_EXTORT1_ALL 9.0body LOC_NO_EXTORT2_ALL /My BTC wallet/iscore LOC_NO_EXTORT2_ALL 9.0body LOC_NO_EXTORT3_ALL /how to send money to btc wallet/iscore LOC_NO_EXTORT3_ALL 9.0body LOC_NO_EXTORT4_ALL /to my Bitcoin cryptocurrency wallet/iscore LOC_NO_EXTORT4_ALL 9.0body LOC_NO_EXTORT5_ALL /My Bitcoin wallet Address/iscore LOC_NO_EXTORT5_ALL 9.0body LOC_NO_EXTORT6_ALL /My bitcoin wallet Address/iscore LOC_NO_EXTORT6_ALL 9.0body LOC_NO_EXTORT7_ALL /My bitcoin address/iscore LOC_NO_EXTORT7_ALL 9.0body LOC_NO_EXTORT8_ALL /my bitcoin address/iscore LOC_NO_EXTORT8_ALL 9.0body LOC_NO_EXTORT9_ALL /bitcoin address/iscore LOC_NO_EXTORT9_ALL 9.0
body LOC_NO_EXTORT10_ALL /BTC Address/iscore LOC_NO_EXTORT10_ALL 9.0
#Phishing Mail Password Hackedheader NW_BAD_PASS1 Subject =~ /been hacked\./iheader NW_BAD_PASS2 Content-Type =~ /ibm852/body NW_BAD_PASS3 /(got full access|in Bitcoins)/imeta NW_BAD_PASS (NW_BAD_PASS1 + NW_BAD_PASS2 + NW_BAD_PASS3 >= 2.0)describe NW_BAD_PASS Simple rule to block one more enhancement messagescore NW_BAD_PASS 9.0
#Phishing Mail Password Hacked 1header NW_BAD1_PASS1 Subject =~ /was hacked/iheader NW_BAD1_PASS2 Content-Type =~ /cp-850/body NW_BAD1_PASS3 /(opening this letter you have|to my Bitcoin cryptocurrency)/imeta NW_BAD1_PASS (NW_BAD1_PASS1 + NW_BAD1_PASS2 + NW_BAD1_PASS3 >= 2.0)describe NW_BAD_PASS Simple rule to block one more enhancement messagescore NW_BAD1_PASS 9.0
#Phishing Mail Password Hacked 2header NW_BAD2_PASS1 Subject =~ /been hacked\!/ibody NW_BAD2_PASS2 /(My Bitcoin wallet Address|payment by Bitcoin)/imeta NW_BAD2_PASS (NW_BAD2_PASS1 + NW_BAD2_PASS2 >= 2.0)describe NW_BAD_PASS Simple rule to block one more enhancement messagescore NW_BAD2_PASS 9.0
#Phishing Mail Password Hacked 3header NW_BAD3_PASS1 Subject =~ /hackers to your account\!/ibody NW_BAD3_PASS2 /(bitcoin payment|how to buy bitcoins)/imeta NW_BAD3_PASS (NW_BAD2_PASS1 + NW_BAD2_PASS2 >= 2.0)describe NW_BAD_PASS Simple rule to block one more enhancement messagescore NW_BAD3_PASS 9.0
#Phishing Mail Password Hacked 4header NW_BAD4_PASS1 Subject =~ /I hacked device\./ibody NW_BAD4_PASS2 /(My bitcoin address|Buy Bitcoin)/imeta NW_BAD4_PASS (NW_BAD4_PASS1 + NW_BAD4_PASS2 >= 2.0)describe NW_BAD_PASS Simple rule to block one more enhancement messagescore NW_BAD4_PASS 9.0
2. ทำการรัน
/usr/local/cpanel/3rdparty/bin/spamassassin -D --lint/scripts/restartsrv_spamd
3. ต้องทำการ Enable Apache Spamassasin ใน cPanel Account แค่ Enable เท่านั้นไม่ต้องปรับค่าอะไรทั้งนั้นผลที่ได้จาก exim_mainlog :
2018-11-06 16:03:40 1gJxGo-000aNQ-EL H=mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no F= rejected after DATA: "The mail server detected your message as spam and has prevented delivery (100)."
2018-11-06 16:03:40 SMTP connection from [209.85.208.69]:46189 (TCP/IP connection count = 8)
2018-11-06 16:03:40 SSL_write: (from mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208) syscall: Connection reset by peer
2018-11-06 16:03:40 SMTP connection from mail-oln040092009043.outbound.protection.outlook.com (NAM04-BN3-obe.outbound.protection.outlook.com) [40.92.9.43]:50208 closed by QUIT
ผลใน maillog :
Nov 6 16:53:59 netway39 spamd[165551]: spamd: connection from localhost [127.0.0.1]:18246 to port 783, fd 5
Nov 6 16:53:59 netway39 spamd[165551]: spamd: setuid to bkycoth succeeded
Nov 6 16:53:59 netway39 spamd[165551]: spamd: checking message for bkycoth:1014
Nov 6 16:54:01 netway39 spamd[165551]: spamd: identified spam (43.5/9.0) for bkycoth:1014 in 2.4 seconds, 11949 bytes.
Nov 6 16:54:01 netway39 spamd[165551]: spamd: result: Y 43 - DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOC_NO_EXTORT1_ALL,LOC_NO_EXTORT2_ALL,LOC_NO_EXTORT3_ALL,NW_BAD_PASS,NW_BAD_PASS1,NW_BAD_PASS3,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS,T_HK_NAME_FM_MR_MRS,URIBL_BLOCKED scantime=2.4,size=11949,user=bkycoth,uid=1014,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=18246,mid=,autolearn=spam autolearn_force=no,shortcircuit=no
.png "Microsoft Visio")
.png "VMware")
