Mancing Mania!

I received an email like this:

Dear ***REMOVED***@ui.ac.id,

 Your webhosting account has been transmitting viruses to our servers and will be deactivated permanently if not resolved.

 You are urgently required to sanitize your webhosting account with Norton FTP Scanner; otherwise, your access to webhosting services will be deactivated 

 Click here now to scan and sanitize your webhosting account

 Note that failure to sanitize your webhosting account immediately will lead to permanent deactivation without warning.

 We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have sanitized your webhosting account.

 cPanel Admin

I have removed the destination URL. It seems that after going after WordPress, the spammers now want to go after cPanel users.

By the way, how could I tell that this is phishing? Because here are the contents of the email headers:

Return-Path: <NortonFTPScanner@cPanel.com>
Delivered-To: ***REMOVED***@ui.ac.id
Received: from bunglon.ui.ac.id (bunglon.ui.ac.id [152.118.148.227])
    by marimar.ui.ac.id (Postfix) with ESMTP id 259272C38
    for <***REMOVED***@ui.ac.id>; Wed, 12 Jun 2013 22:18:57 +0700 (WIT)
Received: from iguana.ui.ac.id (iguana.ui.ac.id [152.118.148.215])
    by bunglon.ui.ac.id (Postfix) with ESMTP id 48D1AB61774
    for <***REMOVED***@ui.ac.id>; Wed, 12 Jun 2013 22:18:18 +0700 (WIT)
Received: from cancer.server-iix.com (localhost.localdomain [127.0.0.1])
    by iguana.ui.ac.id (Postfix) with ESMTP id 2FFF94C1BDD
    for <***REMOVED***@ui.ac.id>; Wed, 12 Jun 2013 22:18:18 +0700 (WIT)
Received: from cancer.server-iix.com ([103.29.215.159] helo=cancer.server-iix.com)
    by iguana.ui.ac.id with SMTP (2.2.1); 12 Jun 2013 22:18:18 +0700
Received: from [202.152.202.186] (port=63142 helo=pedro-PC)
    by cancer.server-iix.com with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
    (Exim 4.80)
    (envelope-from <NortonFTPScanner@cPanel.com>)
    id 1UmPLd-0007in-Ie
    for ***REMOVED***@ui.ac.id; Tue, 11 Jun 2013 21:14:58 +0700
Message-ID: <03b254f4-41436-1d748846041667@pedro-pc>
Reply-To: "cPanel Admin" <lkjhasgdsfsdfgfdfadghfhsfjhj@yahoo.com>
From: "cPanel Admin" <NortonFTPScanner@cPanel.com>
To: ***REMOVED***@ui.ac.id
Subject: Problem with your webhosting account - ***REMOVED***@ui.ac.id
Date: Tue, 11 Jun 2013 21:13:50 +0700
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cancer.server-iix.com
X-AntiAbuse: Original Domain - ui.ac.id
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cPanel.com
X-Get-Message-Sender-Via: cancer.server-iix.com: authenticated_id: julie@hidrolikpart.com
X-Assp-Version: 2.2.1(13020) on iguana.ui.ac.id
X-Assp-Delay: not delayed (auto accepted); 12 Jun 2013 22:18:18 +0700
X-Assp-Message-Score: 10 (Message-ID not valid: '03b254f4-41436-1d748846041667@pedro-pc')
X-Assp-IP-Score: 10 (Message-ID not valid: '03b254f4-41436-1d748846041667@pedro-pc')
X-Assp-Received-SPF: none (cache) ip=103.29.215.159 mailfrom=NortonFTPScanner@cPanel.com
    helo=cancer.server-iix.com
X-Original-Authentication-Results: iguana.ui.ac.id; spf=none
X-Assp-Message-Score: -10 (Home Country Bonus ID (Sentra Niaga
    Solusindo, PT.))
X-Assp-IP-Score: -10 (Home Country Bonus ID (Sentra Niaga Solusindo, PT.))
X-Assp-Whitelisted: Yes
X-Assp-ID: iguana.ui.ac.id m1-50298-00280
X-Assp-Detected-RIP: 202.152.202.186
X-Assp-Source-IP: 202.152.202.186

There are several points I found that show this email is a scam:

  1. The sending address is not cPanel's, but somewhere else entirely. It looks like that person's account was stolen. Well, at UI too there are users from time to time who do not realize they are being phished. They become victims by turning into hosts for sending chain emails like this one.
  2. The body of the message does not state which of my URLs is supposedly compromised. Every legitimate body (StopBadware, Google, etc.) always includes the URL it is accusing.
  3. The sending MX server is not cPanel's either, because cPanel's is:
    cpanel.com.             140     IN      MX      0 mx1.cpanel.com.
    mx1.cpanel.com.         14334   IN      A       208.74.121.6

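The three points above, plus what the X-Assp and X-Get-Message-Sender-Via headers already reveal, can be turned into a mechanical check. The script below is an added example written for this post, not a tool from the post's author or from cPanel: it parses a raw header block with Python's standard email module and reports the identity mismatches (From versus Reply-To, From versus the relay's authenticated_id), the SPF result, the originating client IP from the first hop, and the Message-ID host without a dot that the ASSP score on the page complains about. The sample headers are a trimmed copy of those quoted in the post with the recipient replaced by a placeholder; the "clean" control case is entirely constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the post, with the
# recipient replaced by a placeholder. Folded continuation lines are kept as-is.
PHISH_HEADERS = """\
Return-Path: <NortonFTPScanner@cPanel.com>
Received: from [202.152.202.186] (port=63142 helo=pedro-PC)
    by cancer.server-iix.com with esmtpsa (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
    (Exim 4.80)
    (envelope-from <NortonFTPScanner@cPanel.com>)
    id 1UmPLd-0007in-Ie
    for victim@example.invalid; Tue, 11 Jun 2013 21:14:58 +0700
Message-ID: <03b254f4-41436-1d748846041667@pedro-pc>
Reply-To: "cPanel Admin" <lkjhasgdsfsdfgfdfadghfhsfjhj@yahoo.com>
From: "cPanel Admin" <NortonFTPScanner@cPanel.com>
To: victim@example.invalid
Subject: Problem with your webhosting account
X-Get-Message-Sender-Via: cancer.server-iix.com: authenticated_id: julie@hidrolikpart.com
X-Assp-Received-SPF: none (cache) ip=103.29.215.159 mailfrom=NortonFTPScanner@cPanel.com
    helo=cancer.server-iix.com

"""

# Constructed control case: a message whose identities all agree and whose SPF passed.
CLEAN_HEADERS = """\
Return-Path: <support@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.invalid (Postfix) with ESMTPS id ABC123
    for <victim@example.invalid>; Tue, 11 Jun 2013 21:14:58 +0700
Message-ID: <20130611141458.1234@mail.example.com>
From: "Support" <support@example.com>
To: victim@example.invalid
Subject: Hello
X-Get-Message-Sender-Via: mail.example.com: authenticated_id: support@example.com
X-Assp-Received-SPF: pass (cache) ip=192.0.2.10 mailfrom=support@example.com

"""


def _flat(value):
    """Unfold a header value (the legacy parser keeps the newline + whitespace folds)."""
    return " ".join((value or "").split())


def domain_of(addr):
    """Lower-cased domain part of an address header, '' when there is none."""
    return parseaddr(_flat(addr))[1].rpartition("@")[2].lower()


def analyze_headers(raw):
    """Return a dict of phishing indicators derived from a raw header block."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To") or msg.get("From"))

    # Submission identity recorded by the relay; on the page it is an unrelated account.
    via = _flat(msg.get("X-Get-Message-Sender-Via"))
    m = re.search(r"authenticated_id:\s*(\S+)", via)
    auth_domain = m.group(1).rpartition("@")[2].lower() if m else ""

    # First word of the SPF header is the result (none/pass/fail/...).
    spf = _flat(msg.get("X-Assp-Received-SPF"))
    spf_result = spf.split()[0].lower() if spf else "missing"

    # Received headers are prepended per hop, so the last one is the first hop:
    # the first IPv4 literal in it is the originating client.
    received = [_flat(r) for r in msg.get_all("Received", [])]
    origin = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", received[-1]) if received else None
    origin_ip = origin.group(1) if origin else ""

    # A Message-ID host without a dot is not a real FQDN (the ASSP score on the page).
    mid = re.search(r"@([^>\s]+)", _flat(msg.get("Message-ID")))
    bad_msgid = bool(mid) and "." not in mid.group(1)

    findings = {
        "from_domain": from_domain,
        "reply_to_mismatch": reply_domain != from_domain,
        "auth_domain": auth_domain,
        "auth_mismatch": bool(auth_domain) and auth_domain != from_domain,
        "spf_result": spf_result,
        "origin_ip": origin_ip,
        "bad_msgid": bad_msgid,
    }
    findings["suspicious"] = (
        findings["reply_to_mismatch"]
        or findings["auth_mismatch"]
        or spf_result != "pass"
        or bad_msgid
    )
    return findings


if __name__ == "__main__":
    for label, headers in (("phish", PHISH_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, analyze_headers(headers))
```

Run on the post's headers it reports cpanel.com as the From domain but yahoo.com as the Reply-To domain, hidrolikpart.com as the authenticated submitter, SPF "none", 202.152.202.186 as the origin and an invalid Message-ID host; the constructed clean message trips none of these. The point for a mail admin is that every one of these signals was already present in the headers when the message was whitelisted by the "Home Country Bonus".
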
Well, that is roughly it. How did it get into UI's email system? Because most MX servers in Indonesia are misconfigured or configured incorrectly, even those of the very largest ISPs. So, reluctantly, email from Indonesia has to have its reputation boosted.

I hope that one day Indonesia will have MX servers known to be robust and administrators dedicated to tidying up their configurations until they are optimal. AMEN!