

DKIM on internal emails

dkim phishing

1 reply to this topic

#1 qube001

qube001

    Member

  • Members
  • 12 posts

Posted 13 March 2020 - 13:51

Hello

We are receiving increasingly sophisticated phishing emails, and one of them puzzles me, because the sending server seems to have disguised itself to use the same hostname as our mail server.

So I'm not sure what to do in this case?

I don't know whether it's the right method, but I'd like to verify DKIM on local mails; I don't know whether it's possible to make a rule only for those, though?


I'm attaching a phishing email that got through (anonymized). I don't understand how it got through: you can see it imitates mail.southpark.fr, but it's on a rogue American IP.

How would you block this kind of pest?


Many thanks for your opinions


Return-Path: <mgomez@southpark.fr>
Received: from mail.southpark.fr (LHLO mail.southpark.fr) (192.168.33.2) by
mail.southpark.fr with LMTP; Thu, 13 Feb 2020 15:25:31 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mail.southpark.fr (Postfix) with ESMTP id 317F32074B;
Thu, 13 Feb 2020 15:25:31 +0100 (CET)
X-Spam-Flag: NO
X-Spam-Score: -0.876
X-Spam-Level:
X-Spam-Status: No, score=-0.876 required=6.6 tests=[ALL_TRUSTED=-1,
BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723]
autolearn=no autolearn_force=no
Authentication-Results: mail.southpark.fr (amavisd-new); dkim=pass (2048-bit key)
header.d=southpark.fr
Received: from mail.southpark.fr ([127.0.0.1])
by localhost (mail.southpark.fr [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id EBZXN-tv8W5o; Thu, 13 Feb 2020 15:25:30 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mail.southpark.fr (Postfix) with ESMTP id BF4FC2076B;
Thu, 13 Feb 2020 15:25:30 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.southpark.fr BF4FC2076B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=southpark.fr;
s=220D1030-927C-11E9-9B0C-1AAA9CB69CFD; t=1581603930;
bh=aCEJjFaekYrUYSL5fCyeX0jx4OT7qoZAFJPXnHkeOfk=;
h=From:To:Date:Message-ID:MIME-Version;
b=gmtaOg+HJ++ThCsvpetU1NVoOhNOguZfyivQ9zftawOpULytTpFvYsn78OlWVMj0E
  HHC0TNafRbFrF+zDXvhbl73j+Ob/0aVVUckpTA2+A3Y3YSHseZHTOkWMyO0ZMMRKEw
  nngISdsMca3DtJhd8P7dIaf2kCpY7recqgSGhxi4lMJ/LOezUUiEnZomwCA9n8Y43S
  XqHadSTwAZmp+OZUCea0fJIDxH9nTxxkNn9OgxWN/ZKA6ntyQcFV+28H4GVh7kokcg
  EpaHxFj3OVkA6gVY/xSYESuZb/UMD6I7VOpKliTRas7oJX/880pq2Ih0Qt3S67Z6uv
  2IvsSQ40hvMqQ==
X-Virus-Scanned: amavisd-new at mail.southpark.fr
Received: from mail.southpark.fr ([127.0.0.1])
by localhost (mail.southpark.fr [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 65wxOF2NyFfo; Thu, 13 Feb 2020 15:25:30 +0100 (CET)
Received: from mail.southpark.fr (unknown [23.227.207.133])
by mail.southpark.fr (Postfix) with ESMTPSA id 69AEB20770
for <qgomez@southpark.fr>; Thu, 13 Feb 2020 15:25:30 +0100 (CET)
From: Philippe Wtchernia <pwtchernia@southpark.fr>
To: qgomez@southpark.fr
Subject: Shared an important Document
Date: 13 Feb 2020 06:25:29 -0800
Message-ID: <20200213062529.9119EFEA562A698A@southpark.fr>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Release 8.8.12_GA_3794.RHEL7_64_20190329045002
Centos 7.6

#2 Zimbra Guy

Zimbra Guy

    Zimbra Jedi

  • Moderators
  • 5,662 posts
  • Location: Planet Earth

Posted 16 March 2020 - 10:00

Hello,

Who does the southpark.fr mail domain belong to? Is it yours?
Because I don't understand much here: it sends from southpark.fr to southpark.fr, and the DNS records look bogus, or at least inconsistent.

  Regards,
Guy Carré, Zimbra certified professional, Zimbra Contributor
tel : +33 (0)6 63 18 08 XX / mail : guy.carre+zimbrafr@libremail.fr
http://www.scalesi.fr/



