3CX DLL-Sideloading attack: What you need to know

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 4 subscribers
  • Views 3188 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No Mails in Mail Manager since Update 9.706-9

WolfgangS

HI,

in most cases SPAM  mails get sorted into the Mailmanager for a human ceck.

since update 9.706-9 there are no mails in the mail manager.

what happend ?



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to WolfgangS

    Show us the lines from the SMTP log for a spam that should have been quarantined.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    Hi Bob, i am comming back to this on Friday. 

  • 0 in reply to BAlfson

    by the way, do you wanna see mails from mailmanger SMTP Log or complete from SMTP log ?

  • 0 in reply to WolfgangS

    Definitely from the complete SMTP log file Wolfgang.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Ok, here we go, if you need more let me know:

    2021:06:23-21:31:27 matrix exim-in[11289]: 2021-06-23 21:31:27 SMTP connection from [199.116.112.134]:56350 (TCP/IP connection count = 1)
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 H=srv5.sevaa.com [199.116.112.134]:56350 Warning: Exception matched: Skipping greylisting for this message
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 H=srv5.sevaa.com [199.116.112.134]:56350 Warning: domain.net profile excludes SANDBOX scan
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 [199.116.112.134] F=<julianhernandez@onemoresponsor.com> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 1lw8av-0000NF-12 sasi reports probability: 0.109877, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.190316
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 1lw8av-0000NF-12 <= julianhernandez@onemoresponsor.com H=srv5.sevaa.com [199.116.112.134]:56350 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4532 id=E1lw8ap-00Fent-Lm@srv5.sevaa.com
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 SMTP connection from srv5.sevaa.com [199.116.112.134]:56350 closed by QUIT
    2021:06:23-21:31:31 matrix smtpd[11283]: QMGR[11283]: 1lw8av-0000NF-12 moved to work queue
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8b6-0000NX-5E <= julianhernandez@onemoresponsor.com R=1lw8av-0000NF-12 P=INPUT S=984
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="199.116.112.134" from="julianhernandez@onemoresponsor.com" to="mail@goes.here" subject="Ein halb Steifer kommt sicher nicht gut an" queueid="1lw8b6-0000NX-5E" size="984"
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8av-0000NF-12 => work R=SCANNER T=SCANNER
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8av-0000NF-12 Completed
    2021:06:23-21:31:40 matrix exim-out[1462]: 2021-06-23 21:31:40 1lw8b6-0000NX-5E => mail@goes.here P=<julianhernandez@onemoresponsor.com> R=static_route_hostlist T=static_smtp H=000.000.000.000 [000.000.000.000]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as 55A2CF60353"
    2021:06:23-21:31:40 matrix exim-out[1462]: 2021-06-23 21:31:40 1lw8b6-0000NX-5E Completed

    next:

    21:06:23-20:23:43 matrix exim-in[24981]: 2021-06-23 20:23:43 [141.94.34.22] F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 1lw7XM-0006Uv-02 sasi reports probability: 0.129995, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.174216
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 1lw7XM-0006Uv-02 Greylisting: Greylisted 141.94.34.22
    2021:06:23-20:23:44 matrix exim-in[24981]: [1\72] 2021-06-23 20:23:44 1lw7XM-0006Uv-02 H=smtp117-023.beyond-mta.de [141.94.34.22]:54833 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> temporarily rejected after DATA: Temporary local problem, please try again!
    2021:06:23-20:23:44 matrix exim-in[24981]: [2\72] Envelope-from: <return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [3\72] Envelope-to: <mail@goes.here>
    2021:06:23-20:23:44 matrix exim-in[24981]: [4\72] P Received: from smtp117-023.beyond-mta.de ([141.94.34.22]:54833)
    2021:06:23-20:23:44 matrix exim-in[24981]: [5\72] by domain.here.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    2021:06:23-20:23:44 matrix exim-in[24981]: [6\72] (Exim 4.94.2)
    2021:06:23-20:23:44 matrix exim-in[24981]: [7\72] (envelope-from <return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de>)
    2021:06:23-20:23:44 matrix exim-in[24981]: [8\72] id 1lw7XM-0006Uv-02
    2021:06:23-20:23:44 matrix exim-in[24981]: [9\72] for mail@goes.here; Wed, 23 Jun 2021 20:23:44 +0200
    2021:06:23-20:23:44 matrix exim-in[24981]: [10\72] X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [11\72] CTYPE_JUST_HTML 0.847999, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [12\72] FONT_STYLE_0PT 0.000000, FROM_NAME_PHRASE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [13\72] HREF_LABEL_TEXT_NO_URI 0.000000, HTML_90_100 0.100000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [14\72] HTML_FONT_INVISIBLE 0.100000, IMGSPAM_TABLE_1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [15\72] KNOWN_MTA_TFX 0.000000, LINK_TO_IMAGE 0.000000, LIST_HEADER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [16\72] MIME_LOWER_CASE 0.050000, OBFUSCATION 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [17\72] REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [18\72] STYLE_RATWARE_REF 0.000000, SXL_IP_TFX_WM 0.000000, URI_ENDS_IN_PHP 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [19\72] URI_WITH_PATH_ONLY 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [20\72] __BODY_TEXT_X4 0.000000, __CP_MEDIA_BODY 0.000000, __CP_URI_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [21\72] __CT 0.000000, __CTE 0.000000, __CTYPE_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [22\72] __CTYPE_IS_HTML 0.000000, __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [23\72] __FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [24\72] __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_LIST_HEADER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [25\72] __HAS_LIST_UNSUBSCRIBE 0.000000, __HAS_MSGID 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [26\72] __HAS_REPLYTO 0.000000, __HIDDEN_HTML_CONTENT 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [27\72] __HREF_LABEL_IMG 0.000000, __HREF_LABEL_TEXT 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [28\72] __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000, __HTML_BOLD 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [29\72] __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_CENTER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [30\72] __HTML_TAG_DIV 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [31\72] __HTTP_IMAGE_TAG 0.000000, __IMGSPAM_TABLE_1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [32\72] __IMG_THEN_TEXT 0.000000, __LEGIT_LIST_HEADER 0.000000, __MIME_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [33\72] __MIME_HTML_ONLY 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [34\72] __MIME_VERSION 0.000000, __MULTIPLE_URI_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [35\72] __MULTIPLE_URI_TEXT 0.000000, __SANE_MSGID 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [36\72] __STOCK_PHRASE_7 0.000000, __STYLE_RATWARE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [37\72] __STYLE_RATWARE_NEG 0.000000, __STYLE_TAG 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [38\72] __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [39\72] __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [40\72] __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [41\72] __URI_NS 0.000000, __URI_WITH_PATH 0.000000
    2021:06:23-20:23:44 matrix exim-in[24981]: [42\72] X-SASI-Probability: 13%
    2021:06:23-20:23:44 matrix exim-in[24981]: [43\72] X-SASI-RCODE: 200
    2021:06:23-20:23:44 matrix exim-in[24981]: [44\72] X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.174216
    2021:06:23-20:23:44 matrix exim-in[24981]: [45\72] DKIM-Signature: a=rsa-sha256; bh=a2FwY5Lw3tK8wENUE60iMKz39ODWd+Vu8jradbkAcKo=;
    2021:06:23-20:23:44 matrix exim-in[24981]: [46\72] c=relaxed/relaxed; d=news.wahrmailler.de;
    2021:06:23-20:23:44 matrix exim-in[24981]: [47\72] h=X-Mailer-Info:Mime-Version:X-Skip:Reply-To:Content-Type:X-Rclientid:X-Groupid:X-Providerid:X-Clientid:X-Brm-Dtag:From:Date:X-Campaignid:X-Rpcampaign:Message-Id:Subject:To:Content-Transfer-Encoding:List-Unsubscribe:X-Messageid:X-Memberid;
    2021:06:23-20:23:44 matrix exim-in[24981]: [48\72] s=as; t=1624472623; v=1;
    2021:06:23-20:23:44 matrix exim-in[24981]: [49\72] b=MnsvEgHfr04nieMXTSTUyWM0HvadUXJHcWklt724PdcdMehXK2m+cTsM53aiSRBM1G3k57kV
    2021:06:23-20:23:44 matrix exim-in[24981]: [50\72] kplIEx86w+bp6/jBgeaAWMcd3368mYU1GTKxLRvAP2bYY8g8Tuler+R7f+GhYarKc9MMxL73FIG
    2021:06:23-20:23:44 matrix exim-in[24981]: [51\72] i0pJezWeq0pETMI8YV15A8nA=
    2021:06:23-20:23:44 matrix exim-in[24981]: [52\72] X-Mailer-Info: 3.QWeu9VbslGZ.AZ552YsV3c0VmcflWapJDMyEDM2IzMjFmMwIzNzMzM.09mczRXZuB0cjhmch1Wbl5mLuVGd.Imct1yYsFmch1iMwIDN30SMyUTOzkzMyMDOtEDO1UDO1MTLyAjM3MzMz0SM
    2021:06:23-20:23:44 matrix exim-in[24981]: [53\72] Mime-Version: 1.0
    2021:06:23-20:23:44 matrix exim-in[24981]: [54\72] X-Skip: 0
    2021:06:23-20:23:44 matrix exim-in[24981]: [55\72] R Reply-To: reply@inflamesense.de
    2021:06:23-20:23:44 matrix exim-in[24981]: [56\72] Content-Type: text/html; charset=utf-8
    2021:06:23-20:23:44 matrix exim-in[24981]: [57\72] X-Rclientid: 1000
    2021:06:23-20:23:44 matrix exim-in[24981]: [58\72] X-Groupid: 999
    2021:06:23-20:23:44 matrix exim-in[24981]: [59\72] X-Providerid: 999
    2021:06:23-20:23:44 matrix exim-in[24981]: [60\72] X-Clientid: 20247
    2021:06:23-20:23:44 matrix exim-in[24981]: [61\72] X-Brm-Dtag:
    2021:06:23-20:23:44 matrix exim-in[24981]: [62\72] F From: "Top-Verkaufspreise in Ihrer Region" <mail@news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [63\72] Date: Wed, 23 Jun 2021 20:23:43 +0200
    2021:06:23-20:23:44 matrix exim-in[24981]: [64\72] X-Campaignid: 2027333
    2021:06:23-20:23:44 matrix exim-in[24981]: [65\72] X-Rpcampaign: brm_2027333
    2021:06:23-20:23:44 matrix exim-in[24981]: [66\72] I Message-Id: <1624471915-2027333-1259393238-d3a14955a15e8d6b05ad37b7f48a439a-7dd230@bounces.news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [67\72] Subject: Immobilienverkauf: Ist jetzt der richtige Zeitpunkt?
    2021:06:23-20:23:44 matrix exim-in[24981]: [68\72] T To: mail@goes.here
    2021:06:23-20:23:44 matrix exim-in[24981]: [69\72] Content-Transfer-Encoding: quoted-printable
    2021:06:23-20:23:44 matrix exim-in[24981]: [70\72] List-Unsubscribe: <mailto:mail+5-1000-2027333-1259393238-55d2e3c3412eb305c28a184d00525b09@unsubscribe.news.wahrmailler.de>, <news.wahrmailler.de/unsubscribe
    2021:06:23-20:23:44 matrix exim-in[24981]: [71\72] X-Messageid: 1855853
    2021:06:23-20:23:44 matrix exim-in[24981]: [72/72] X-Memberid: 1259393238
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 SMTP connection from smtp117-023.beyond-mta.de [141.94.34.22]:54833 closed by QUIT

    2021:06:23-20:37:43 matrix exim-in[26157]: 2021-06-23 20:37:43 H=smtp117-105.beyond-mta.de [141.94.34.104]:50015 Warning: domain.net profile excludes SANDBOX scan
    2021:06:23-20:37:43 matrix exim-in[26157]: 2021-06-23 20:37:43 [141.94.34.104] F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v sasi reports probability: 0.129995, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.180016
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v Greylisting: Successful greylist retry from 141.94.34.104 (original host was 141.94.34.22/32)
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v <= return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de H=smtp117-105.beyond-mta.de [141.94.34.104]:50015 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=25566 DKIM=news.wahrmailler.de id=1624471915-2027333-1259393238-d3a14955a15e8d6b05ad37b7f48a439a-7dd230@bounces.news.wahrmailler.de
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 SMTP connection from smtp117-105.beyond-mta.de [141.94.34.104]:50015 closed by QUIT

  • 0 in reply to WolfgangS

    The one from  [199.116.112.134] shows "Exception matched" - can you see which Exception might have matched that?

    In the past, did the SMTP Proxy quarantine emails from news.wahrmailler.de?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    The expextion was greylisting for the recipient e-mail.

    Exception matched: Skipping greylisting for this message. The skipped greylisting should no issue at all.

    No, the proxy never quarantined mail from news.wahrmailler.de. so as workarround i put a blocklist in my postfix mailserver.

    But that should not be the solution either...

    cheers

  • 0 in reply to WolfgangS

    How about this, Wolfgang - Show the lines from the log file for similar emails where one before the Up2Date was quarantined and one after the update was not quarantined.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I can't , because i also switched to complete new hardware, because the support told me anti spam does not work anymore with my old hardware.

    you can find my post related to that toppic under: spamd not working

  • 0 in reply to WolfgangS

    I remember that, Wolfgang.  If you still have the old unit, the log files should be accessible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    No i don't have the old unit, because i needed the SSD and some othr parts from it. 

    so i made a new install without saving any logfiles, because my idea was, with all new my problems are gone.

    well...

Unfiltered HTML