Login

***milos_rs*** · (This post was last modified: 04-24-2025, 11:31 AM by milos_rs.)

Spam stigao sa državnog mejl servera:

Filename: spam1.png Size: 79.85 KB 04-24-2025, 08:38 AM

Filename: spam2.png Size: 175.76 KB 04-24-2025, 09:12 AM

Izvor samog mejla je IP adresa 196.251.92.43 koja je registrovana na AFRINIC-u na firmu sa Sejšela ali se koristi iz Holandije, odatle se neko povezao na državni mejl server koristeći validne kredencijale i dalje slao mejlove.

Putanja mejla dalje prolazi kroz državni mejl server i izlazi sa njega preko smtp2.gov.rs (195.222.96.34)
Dodao bih da ima malo misterije ovde, nije baš jasno kako je mejl dospeo na smtp1int.gov.rs jer ta adresa nema nikakav DNS zapis niti je u ovom trenutku dostupna niti hostuje mejl server.

Header Return-Path otkriva verovatno kompromitovan nalog: [email protected]

Filename: spam3.png Size: 63.07 KB 04-24-2025, 08:38 AM

U prilogu je stealer malver:

Filename: spam4.png Size: 259.83 KB 04-24-2025, 08:38 AM

https://www.virustotal.com/gui/file/2e32...ad39898de6

Glavno pitanje je zašto je nalogu sa @minpolj.gov.rs dozvoljeno da šalje mejlove kao @trezor.gov.rs ?

***milos_rs*** · (This post was last modified: 04-24-2025, 10:49 AM by milos_rs.)

Zanimljivo je da se pre godinu dana desilo nešto slično i da nikakva pouka nije izvučena iz toga:

Filename: spam6.png Size: 388.22 KB 04-24-2025, 10:49 AM

https://www.trezor.gov.rs/sr/news/2024_06_07/

***milos_rs*** · (This post was last modified: 04-24-2025, 11:29 AM by milos_rs.)

da dodam i ovo kao dodatni dokaz, IP adresa državnog mejl servera na bazi koja prati zloupotrebe IP adresa :

Filename: spam7.png Size: 194.7 KB 04-24-2025, 11:18 AM

https://www.abuseipdb.com/check/195.222.96.34

ima i za izvornu IP adresu odakle je mejl prvobitno potekao :

Filename: spam8.png Size: 123.57 KB 04-24-2025, 10:41 AM

https://www.abuseipdb.com/check/196.251.92.43

***milos_rs*** · 04-24-2025, 10:57 AM

Server sa kojeg je maliciozni akter poslao mejlove na državni mejl server radi daljeg prosleđivanja je Windows mašina sa otvorenim Remote Desktop-om :

Filename: spam9.png Size: 667.12 KB 04-24-2025, 10:52 AM

IP adresa kao i čitav taj blok adresa je na Spamhaus-u označen kao Bulletproof hosting i dakle maliciozan:

Filename: spam11.png Size: 255.36 KB 04-24-2025, 10:56 AM

***milos_rs*** · (This post was last modified: 04-24-2025, 11:30 AM by milos_rs.)

Na drugom državnom mejl serveru, smtp1.gov.rs 195.222.96.33 vidimo da je pre godinu dana bilo spama sa još jedne mejl adrese Ministarstva poljoprivrede, [email protected]

Filename: spam12.png Size: 192.05 KB 04-24-2025, 11:26 AM

***milos_rs*** · 04-24-2025, 11:40 AM

Još jedan header od drugog primaoca na drugom provajderu.

Filename: spam13.png Size: 138.57 KB 04-24-2025, 11:39 AM

Mejl je stigao u inbox bez problema ni naznake da se radi o SPAM-u iako ga je našao u Spamhaus block listi:

Code:
X-Spam-Status: No, score=4.5, No

X-Spam-Score: 45

X-Spam-Bar: ++++

X-Ham-Report: Spam detection software, running on the system "cp22.ulimitserver.com",

    has NOT identified this incoming email as spam. The original

    message has been attached to this so you can view it or label

    similar future email. If you have any questions, see

    root\@localhost for details.

    Content preview: ***Ово је аутоматски генерисан имејл,

    на који не треба одговарати.*** ***За сва питања

    потребно је да се обратите [...]

    Content analysis details: (4.5 points, 5.0 required)

    pts rule name description

    ---- ---------------------- --------------------------------------------------

    0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query

    to zen.spamhaus.org was blocked due to

    usage of an open resolver. See

    https://www.spamhaus.org/returnc/pub/

    [195.222.96.34 listed in zen.spamhaus.org]

    1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in

    bl.spamcop.net

    [Blocked - see <https://www.spamcop.net/bl.shtml?196.251.92.43>]

    -0.0 SPF_PASS SPF: sender matches SPF record

    1.3 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of

    words

    0.0 HTML_MESSAGE BODY: HTML included in message

    0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image

    area

    0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

    1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)

    0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The

    query to Validity was blocked. See

    https://knowledge.validity.com/hc/en-us/articles/20961730681243

    for more information.

    [195.222.96.34 listed in sa-accredit.habeas.com]

    0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The

    query to Validity was blocked. See

    https://knowledge.validity.com/hc/en-us/articles/20961730681243

    for more information.

    [195.222.96.34 listed in bl.score.senderscore.com]

    0.0 T_ISO_ATTACH ISO attachment - possible malware delivery

    0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict

    Alignment

    0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years

    0.3 TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image

X-Spam-Flag: NO

***milos_rs*** · 04-24-2025, 11:58 AM

Uprava za Trezor objavila saopštenje upozorenje:

Filename: spam14.png Size: 354.17 KB 04-24-2025, 11:58 AM

https://www.trezor.gov.rs/sr/news/2025_04_24/

***milos_rs*** · (This post was last modified: 04-25-2025, 08:19 AM by milos_rs.)

Mnogi mediji su juče preneli upozorenje, ali niko se nije bavio suštinom loše konfigurisanih i nesigurnih državnih mejl servera, kao i kompromitacije naloga Ministarstva poljoprivrede

Login
Username/Email:
Password:	Lost Password?
	Remember me