itlogger

SPAM mail sender forged in Outlook and message tracking - but not in the LOGFILE

Good morning,

I have a very strange problem on my Exchange server with some incoming spam mails.

The setup is as follows:

<INTERNET> --- <SMTP:25> --- <Kaspersky Mail Gateway Spamfilter> --- <SMTP:25> --- <Exchange 2010 SP3>

A mail arrives, is recognised as spam, but is delivered anyway. That is not the problem.
The real problem is that both the Kaspersky log and the Exchange message tracking log show a completely different sender address
than Outlook and the message tracking in the Exchange GUI do.

I am attaching the complete logs at the end.
Below are the shortened versions:

Kaspersky accepts the mail coming from the internet and passes it on to Exchange
Sender "reply@connect.awspls.com"

Feb 14 06:31:17 mail postfix/smtpd[26432]: 2308020002: client=mail01.connect.awspls.com[129.145.16.233]
Feb 14 06:31:17 mail postfix/qmgr[2344]: 2308020002: from=<reply@connect.awspls.com>, size=18001, nrcpt=1 (queue active)

Exchange accepts the mail from Kaspersky:
Sender remains unchanged.

2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,42,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,MAIL FROM:<reply@connect.awspls.com> SIZE=18001,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,43,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,08D68FFE45A61021;2019-02-14T05:31:17.130Z;1,receiving message
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,44,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,RCPT TO:<RECIPIENT> ORCPT=rfc822;<RECIPIENT>,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,46,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 2.1.0 Sender OK,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,47,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 2.1.5 Recipient OK,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,48,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,354 Start mail input; end with <CRLF>.<CRLF>,

Message headers in Outlook / and message tracking:
Sender address changes to: Clement Edward <partnership@iqpc.ae>

Received: from mail01.connect.awspls.com (mail01.connect.awspls.com
[129.145.16.233]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
(256/256 bits)) (Client did not present a certificate) by
<MAILSERVER HELO> (Postfix) with ESMTPS for
<RECIPIENT>; Thu, 14 Feb 2019 06:31:09 +0100
(CET)
Received: from G04SNJ013 (10.34.116.100) by mail01.connect.awspls.com id
hcjuhe2i630q for <RECIPIENT>; Thu, 14 Feb
2019 00:30:56 -0500 (envelope-from <reply@connect.awspls.com>)
MIME-Version: 1.0
From: Clement Edward <partnership@iqpc.ae>
Reply-To: Clement Edward <partnership@iqpc.ae>
Date: Thu, 14 Feb 2019 00:31:08 -0500
X-KSMG-AntiSpam-Envelope-From: reply@connect.awspls.com
X-KSMG-AntiSpam-Auth: dmarc=none header.from=iqpc.ae;spf=pass smtp.mailfrom=connect.awspls.com;dkim=none


Both the graphical message tracking in Exchange and Outlook show me the wrong sender address (iqpc.ae).
How can I prevent this?
At first I thought it was just a forged display name, but the wrong sender address really does arrive in the client.
How is that possible?

Thanks for any suggestions
The complete logs follow below

Regards
Frank

FULL LOGS -----

Kaspersky accepts the mail coming from the internet and passes it on to Exchange
Sender "reply@connect.awspls.com"

Feb 14 06:31:17 mail postfix/smtpd[26432]: 2308020002: client=mail01.connect.awspls.com[129.145.16.233]
Feb 14 06:31:17 mail postfix/cleanup[26433]: 2308020002: message-id=<dbd2648b16f0439c8b35218aecd4662b@893759278>
Feb 14 06:31:17 mail postfix/smtpd[26432]: disconnect from localhost[127.0.0.1]
Feb 14 06:31:17 mail postfix/qmgr[2344]: 2308020002: from=<reply@connect.awspls.com>, size=18001, nrcpt=1 (queue active)
Feb 14 06:31:17 mail postfix/smtp[26434]: setting up TLS connection to <IP EXCHANGE>:25
Feb 14 06:31:17 mail postfix/smtp[26434]: certificate verification failed for IP:25: untrusted issuer <INTERNAL CA>
Feb 14 06:31:17 mail postfix/smtp[26434]: Untrusted TLS connection established to IP:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb 14 06:31:17 mail postfix/smtpd[26411]: NOQUEUE: client=mail01.connect.awspls.com[129.145.16.233]
Feb 14 06:31:17 mail postfix/smtp[26434]: 2308020002: to=<RECIPIENT>, relay=<IP EXCHANGE>:25, delay=0.77, delays=0/0/0.01/0.75, dsn=2.6.0, status=sent (250 2.6.0 <dbd2648b16f0439c8b35218aecd4662b@893759278> [InternalId=2936099] Queued mail for delivery)
Feb 14 06:31:17 mail postfix/qmgr[2344]: 2308020002: removed

Exchange accepts the mail from Kaspersky:
Sender remains unchanged.

2019-02-14T05:31:17.130Z,SERVER\CONNECTOR,08D68FFE45A61021,1,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,2,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,"220 <FQDN EXCHANGE> Microsoft ESMTP MAIL Service ready at Thu, 14 Feb 2019 06:31:16 +0100",
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,3,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,EHLO <MAILSERVER HELO>,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,4,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-<FQDN EXCHANGE> Hello [<EXCHANGE IP>],
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,5,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-SIZE 51200000,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,6,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-PIPELINING,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,7,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-DSN,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,8,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-ENHANCEDSTATUSCODES,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,9,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-STARTTLS,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,10,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-X-ANONYMOUSTLS,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,11,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-AUTH GSSAPI NTLM,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,12,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-X-EXPS GSSAPI NTLM,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,13,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-8BITMIME,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,14,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-BINARYMIME,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,15,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-CHUNKING,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,16,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-XEXCH50,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,17,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-XRDST,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,18,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 XSHADOW,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,19,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,STARTTLS,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,20,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,220 2.0.0 SMTP server ready,
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,21,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,,Sending certificate
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,22,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,CN=<FQDN EXCHANGE>,Certificate subject
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,23,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,"CN=<INTERNAL CA>",Certificate issuer name
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,24,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,7D51D52B000000000009,Certificate serial number
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,25,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,2B1D5D28F60547B2C4B21807461AA35A4CC1A84D,Certificate thumbprint
2019-02-14T05:31:17.131Z,SERVER\CONNECTOR,08D68FFE45A61021,26,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,<FQDN EXCHANGE>,Certificate alternate names
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,27,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,EHLO <MAILSERVER>,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,28,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,29,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-<FQDN EXCHANGE> Hello [<IP KASPERSKY>],
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,30,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-SIZE 51200000,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,31,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-PIPELINING,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,32,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-DSN,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,33,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-ENHANCEDSTATUSCODES,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,34,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-AUTH GSSAPI NTLM LOGIN,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,35,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-X-EXPS GSSAPI NTLM,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,36,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-8BITMIME,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,37,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-BINARYMIME,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,38,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-CHUNKING,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,39,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-XEXCH50,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,40,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250-XRDST,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,41,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 XSHADOW,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,42,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,MAIL FROM:<reply@connect.awspls.com> SIZE=18001,
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,43,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,08D68FFE45A61021;2019-02-14T05:31:17.130Z;1,receiving message
2019-02-14T05:31:17.142Z,SERVER\CONNECTOR,08D68FFE45A61021,44,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,RCPT TO:<RECIPIENT> ORCPT=rfc822;<RECIPIENT>,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,45,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,DATA,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,46,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 2.1.0 Sender OK,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,47,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 2.1.5 Recipient OK,
2019-02-14T05:31:17.145Z,SERVER\CONNECTOR,08D68FFE45A61021,48,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,354 Start mail input; end with <CRLF>.<CRLF>,
2019-02-14T05:31:17.894Z,SERVER\CONNECTOR,08D68FFE45A61021,49,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,*,Tarpit for '0.00:00:00.226' due to 'DelayedAck',Delivered
2019-02-14T05:31:17.894Z,SERVER\CONNECTOR,08D68FFE45A61021,50,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,250 2.6.0 <dbd2648b16f0439c8b35218aecd4662b@893759278> [InternalId=2936099] Queued mail for delivery,
2019-02-14T05:31:17.894Z,SERVER\CONNECTOR,08D68FFE45A61021,51,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,<,QUIT,
2019-02-14T05:31:17.894Z,SERVER\CONNECTOR,08D68FFE45A61021,52,<IP EXCHANGE>:25,<IP KASPERSKY>:60302,>,221 2.0.0 Service closing transmission channel,

Message headers in Outlook / and message tracking:
Sender address changes to: Clement Edward <partnership@iqpc.ae>

Received: from <MAILSERVER HELO> (<KASPERSKY IP>) by <FQDN EXCHANGE>
(<EXCHANGE IP>) with Microsoft SMTP Server (TLS) id 14.2.347.0; Thu, 14 Feb
2019 06:31:17 +0100
Received: from <MAILSERVER HELO> (localhost [127.0.0.1]) by
<MAILSERVER HELO> (Postfix) with ESMTP id 2308020002 for
<RECIPIENT>; Thu, 14 Feb 2019 06:31:17 +0100
(CET)
Received: from mail01.connect.awspls.com (mail01.connect.awspls.com
[129.145.16.233]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
(256/256 bits)) (Client did not present a certificate) by
<MAILSERVER HELO> (Postfix) with ESMTPS for
<RECIPIENT>; Thu, 14 Feb 2019 06:31:09 +0100
(CET)
Received: from G04SNJ013 (10.34.116.100) by mail01.connect.awspls.com id
hcjuhe2i630q for <RECIPIENT>; Thu, 14 Feb
2019 00:30:56 -0500 (envelope-from <reply@connect.awspls.com>)
Message-ID: <dbd2648b16f0439c8b35218aecd4662b@893759278>
X-Binding: 893759278
X-elqSiteID: 893759278
X-elqPod: 0x42929D304091F2FE066CF35EC31ADF5FBC4AF91DBF6F3D6F9D91109E00869E13
X-cid: 41119-50453
List-Unsubscribe: <http://app.connect.awspls.com/e/u?s=893759278&elq=dbd2648b16f0439c8b35218aecd4662b>
MIME-Version: 1.0
From: Clement Edward <partnership@iqpc.ae>
To: <RECIPIENT>
Reply-To: Clement Edward <partnership@iqpc.ae>
Date: Thu, 14 Feb 2019 00:31:08 -0500
Content-Type: multipart/alternative;
boundary="--boundary_1313513_70e658e0-c7d3-4db8-98ea-01a472779b66"
X-KSMG-Rule-ID: 1
X-KSMG-Message-Action: skipped, AntiSpam
X-KSMG-AntiSpam-Lua-Profiles: 135599 [Feb 14 2019]
X-KSMG-AntiSpam-Version: 5.8.6.0
X-KSMG-AntiSpam-Envelope-From: reply@connect.awspls.com
X-KSMG-AntiSpam-Auth: dmarc=none header.from=iqpc.ae;spf=pass smtp.mailfrom=connect.awspls.com;dkim=none
X-KSMG-AntiSpam-Rate: 0
X-KSMG-AntiSpam-Status: mass_mail
X-KSMG-AntiSpam-Method: mass mail
X-KSMG-AntiSpam-Info: LuaCore: 233 233 0b4366ad0ca9e4c51768729fd07517e895618de5, {rep_avail}, {Has list-unsubscribe header [mass mail]}, {Send by Oracle Elogua [B2B]}, {Dosetcrawler: probable amspam}, {Tracking_marketers, list_uns}, {Tracking_text_let_digits}, {Tracking_invalid_attributes, a}, {Tracking_S222e, header}, 129.145.16.233:7.1.2,7.5.0;iqpc.ae:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;mail01.connect.awspls.com:7.1.1;www.iqpc.com:7.1.1;connect.iqpc.com:7.1.1;127.0.0.199:7.1.2;app.connect.awspls.com:7.1.1
X-KSMG-AntiSpam-Interceptor-Info: scan successful
X-KSMG-AntiPhishing: Clean, bases: 2019/02/14 04:03:00
X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.12, bases: 2019/02/14 03:53:00 #12890800
X-KSMG-AntiVirus-Status: Clean, skipped
Subject: [MASSMAIL]Jean-Paul, access USD 6.3bn worth of malls projects
Return-Path: reply@connect.awspls.com
X-MS-Exchange-Organization-AuthSource: <FQDN EXCHANGE>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: iqpc.ae
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (<FQDN EXCHANGE>: domain of transitioning
partnership@iqpc.ae discourages use of <IP KASPERSKY> as permitted sender)

Url: https://administrator.de/contentid/417665

Ausgedruckt am: 22.11.2024 um 06:11 Uhr

138810
Solution 138810 14.02.2019 updated at 10:22:54
Anyone can forge the From address in the header. It is like writing the wrong sender on the letter itself.
The envelope-from address, on the other hand, is the one that counts, and that one is correct
(envelope-from <reply@connect.awspls.com>)
So you are confusing FROM and ENVELOPE-FROM (letter and envelope)
So once again, urgently read up on the basics of mail traffic ...
https://de.m.wikipedia.org/wiki/Envelope_Sender
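The distinction drawn in this answer (header From versus envelope-from) is exactly what the headers quoted in the question record: the gateway's X-KSMG-AntiSpam-Auth line says spf=pass for the envelope domain connect.awspls.com, while the visible From domain iqpc.ae carries dmarc=none and dkim=none, so nothing authenticated the address Outlook displays. As an added example, not code from this thread or from Kaspersky or Exchange, here is a small Python check that pulls both identities out of a header block and reports whether they align in the DMARC sense. The sample headers are constructed from the ones quoted above, cut down, with the recipient and gateway host replaced by placeholders; the fallback order in envelope_sender() is this example's own choice.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers quoted in the thread, cut down, with the
# recipient and the gateway host replaced by placeholder names.
SAMPLE_HEADERS = """\
Return-Path: reply@connect.awspls.com
Received: from mail01.connect.awspls.com (mail01.connect.awspls.com
 [129.145.16.233]) by gateway.example.invalid (Postfix) with ESMTPS for
 <recipient@example.invalid>; Thu, 14 Feb 2019 06:31:09 +0100 (CET)
Received: from G04SNJ013 (10.34.116.100) by mail01.connect.awspls.com id
 hcjuhe2i630q for <recipient@example.invalid>; Thu, 14 Feb
 2019 00:30:56 -0500 (envelope-from <reply@connect.awspls.com>)
From: Clement Edward <partnership@iqpc.ae>
Reply-To: Clement Edward <partnership@iqpc.ae>
X-KSMG-AntiSpam-Envelope-From: reply@connect.awspls.com
X-KSMG-AntiSpam-Auth: dmarc=none header.from=iqpc.ae;spf=pass smtp.mailfrom=connect.awspls.com;dkim=none
Subject: [MASSMAIL] constructed sample

body
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def envelope_sender(msg):
    """Recover the SMTP MAIL FROM (the 'envelope') from the headers.

    Preference order (this example's choice): Return-Path, which the final
    MTA writes; the Kaspersky gateway's own X-KSMG-AntiSpam-Envelope-From;
    then an envelope-from clause inside any Received header.
    """
    for name in ("Return-Path", "X-KSMG-AntiSpam-Envelope-From"):
        value = msg.get(name)
        if value:
            return parseaddr(value)[1].lower()
    for received in msg.get_all("Received", []):
        m = re.search(r"envelope-from\s*<([^>]+)>", received)
        if m:
            return m.group(1).lower()
    return ""


def parse_auth(value):
    """Split 'dmarc=none header.from=iqpc.ae;spf=pass ...' into a dict."""
    result = {}
    for token in re.split(r"[;\s]+", value.strip()):
        if "=" in token:
            key, _, val = token.partition("=")
            result[key] = val
    return result


def aligned(domain_a, domain_b):
    """DMARC 'relaxed' alignment: equal, or one is a subdomain of the other."""
    if not domain_a or not domain_b:
        return False
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def analyse(raw):
    """Return both sender identities and whether their domains align."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = envelope_sender(msg)
    auth = parse_auth(msg.get("X-KSMG-AntiSpam-Auth", ""))
    return {
        "header_from": header_from,          # what Outlook displays
        "envelope_from": env_from,           # what the MTA logs show
        "spf_result": auth.get("spf", ""),   # applies to the envelope domain only
        "dmarc_result": auth.get("dmarc", ""),
        "aligned": aligned(domain_of(header_from), domain_of(env_from)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key:>14}: {value}")
```

For the sample above the check returns header_from partnership@iqpc.ae, envelope_from reply@connect.awspls.com, spf_result pass and aligned False: SPF vouched only for the envelope domain, so a pass there says nothing about the From address the client shows. A DMARC policy published by the From domain is what would let the gateway reject or quarantine such mail; with dmarc=none, as here, the mail is delivered and only the display identity is misleading.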
ITLogger
ITLogger 14.02.2019 at 11:28:56
Hm,
okay, clear so far. I was just confused that Exchange shows me the wrong sender in the tracking, i.e. the forgeable part.
Thanks