Domains.co.za Security Concerns - Need Technical Community Input

Xman (Well-Known Member; joined Sep 11, 2006; 285 messages; reaction score 1; location: Klerksdorp)
Hi MyBroadband community,


I'm facing an interesting situation and would appreciate your technical insights and opinions.


Background: I manage websites and email hosting for clients through Domains.co.za. One of my clients recently got a new office printer/scanner from a printer service company. The setup works as follows:


  • Documents are scanned at the printer
  • The scan is sent to the printer company's servers
  • They then forward it to the final recipient
  • All scanned documents must pass through their system

The Issue: The printer company is making some serious claims about Domains.co.za's security:


  1. They claim to have detected:
    • Emails being routed through European IPs
    • Unauthorized code being added to PDF attachments
    • Our domain is being flagged as spam
  2. They state Domains.co.za lacks:
    • Sufficient firewall protection
    • Flow control protection
    • Sophos protection
  3. They suggest these "deficiencies" make users vulnerable to:
    • Email hijacking
    • Unauthorized access to business information
    • Document interception

Technical Questions:


  1. Is it normal for a printer company to require all scanned documents to go through their servers?
  2. How concerning is email routing through European IPs?
  3. What's your experience with Domains.co.za's security?
  4. Are Sophos and flow control protection industry standards for hosting companies?

The printer company is using these claims to suggest my client should change service providers. I'm trying to understand if these are legitimate concerns or if there's something else going on here.


Would appreciate any technical insights or similar experiences from the community.


Thanks in advance!
 
Scan to email dodgy? It all depends on where it's being routed through, and who the provider is.
Many copiers have this functionality, and one can always set up an SMTP or email system oneself that does the scanning and forwarding to people.

If you're working in a high-security environment, you can always turn this function off and use scan to folder, or OneDrive, if the printer supports it.
Of course, one could always use a system like PaperCut to secure scans and prints with a user's code.

But this is now a question of how deep your pockets are.
 
I'd tell the printer company to take a hike. There is no reason for scanned documents to go to the printer company's servers first.
 
There are some bits missing here.. who is actually sending the email to the final recipient..? Domains.co.za or the printer company..?

If it's domains.co.za, how is the scan getting from the company servers to domains.co.za..?

There's nothing wrong with emails coming from European IP addresses, assuming the IPs are owned and operated by a legitimate entity, which they most likely are..
 
There are some bits missing here.. who is actually sending the email to the final recipient..? Domains.co.za or the printer company..?

If it's domains.co.za, how is the scan getting from the company servers to domains.co.za..?

There's nothing wrong with emails coming from European IP addresses, assuming the IPs are owned and operated by a legitimate entity, which they most likely are..
Let me clarify the specific concern that makes this situation more suspicious:


The issue isn't just about emails coming from European IPs - it's about the unexpected routing path:


  1. Current flow:
    • Document is scanned at local printer in South Africa
    • Instead of going directly to the printer company's servers
    • It first routes through an IP in Europe
    • Then goes to the printer company (also in South Africa)
    • Finally reaches the intended recipient
  2. Expected flow should be:
    • Document scanned at local printer in South Africa
    • Directly to printer company's servers in South Africa
    • Then to intended recipient

The concern is: Why is a local scan, meant for a local service provider, taking an unexplained detour through Europe? This isn't about legitimate European email servers - it's about an unexpected and potentially unauthorized middleman in the routing path between two South African endpoints.


Additionally, the printer company claims they detected extra code being added to the PDFs during this European routing detour. This is what raised their security concerns.


Does this additional context change your perspective on the situation? What would be your thoughts on this specific routing pattern?
 

Hi,

Just to clarify some of the points mentioned:

1) If the printer is set to relay email through our servers using SMTP authentication with TLS encryption, then this would be no different to a customer sending an email with a PDF attachment to another person outside of their organisation. Our SMTP servers do not alter any PDF code or any attachments.

2) We do not route any emails through European IPs whatsoever. All email routing is done via our SpamExperts cluster which sits in Teraco, Isando, Johannesburg. This can be confirmed by looking up the SPF record of _spf.tld-mx.com which lists the IP ranges we use for email delivery. These IP ranges are all South African based.

3) We take security very seriously and thus we have multiple security measures, from on-server security, TLS communication and transport, Fortigate firewalls, malware & virus protections, bot protections, DDoS protection, DPI exploit analysis, etc.

4) We do not make use of Sophos as a product. We use other malware and virus tools like Imunify360, Monarx and SpamExperts' own built-in protection. Flow control protection is more of an internal enterprise requirement which establishes rules for the data movement between entities. This isn't really applicable as we (as a hosting company) cannot decide what data you want to allow to move between entities (unless it's illegal data of course).

If your SPF, DKIM and DMARC records are set up correctly for the domain name, and the domain is delivering/relaying email via TLS encryption, then there is no risk of email hijacking during the communication of the email between servers.


Let me know if you have any other questions, I'm happy to answer them.

Regards,
Dave @ Domains.co.za
 
My thoughts are that locally scanned emails from a printer should traverse the email infra of the company that owns the printer and then go directly to the intended recipient from there..



There are still pieces missing though, since it's not clear what endpoint is specified as the destination for the scan on the printer.. if that endpoint is an email service owned by domains.co.za and they operate an inbound email security gateway that's hosted in Europe, there is no security concern with that..

Too many pieces missing to this puzzle though..

Edit: I see domains confirmed their inbound email security gateway is not in Europe per above post..

Your journey starts with the configuration of the printer and what's set as the destination for scanned documents...
 
@Murmaider
Dave, I gave the details of the person making the accusations in my ticket to domains.co.za. Did you phone him and get the details of what he is saying and claiming, from the horse's mouth? He claims that the email is irregularly routed to an IP in Europe before that mail is then routed to him and that a piece of code is added to the mail. Can you try and clarify what is happening there?

Re: If your SPF, DKIM, and DMARC records are set up correctly...
According to me, it is set up correctly, but you have access to them and would be able to point out if they are not.
 
I have found your ticket and the server logs. I will provide you with the technical specifics in the ticket response.

In summary, we are only the end receiving server of the email. The email is being sent from your client's email address and originating from this IP in Europe (Russian to be exact). When this IP attempts to deliver the email to our spam filters (for delivery to the client's mailbox), our SpamExperts cluster is rejecting the email for two reasons:

1) The email's from address is set to your client's email address and the email is coming from the Russian IP.
SPF and DKIM are failing as this IP is not authorized to send email on behalf of your client's domain, so SPF and DKIM are rejecting the email.

2) The Russian IP is blacklisted for spam on multiple spam RBLs, including https://spamrl.com, hence our spam filters are also rejecting the email.

As mentioned, we are at the end of the email delivery, so email isn't going through us and then to a Russian IP and then out again. Instead, the email is coming from this Russian IP and being passed to our spam filters, but is getting rejected for the reasons mentioned above.

I do however question the security intelligence of the person making these bold security claims against us (Domains.co.za) as it would seem they have very little understanding of email bounce back messages.

What @WAslayer mentioned here:

Your journey starts with the configuration of the printer and what's set as the destination for scanned documents...

He is correct in what he is saying: you need to start with the destination set on the printer and move forward from there.
 
Quick and dirty solution to this is to share the printer's SMTP configuration. If the printer routes through the print provider's own SMTP servers, then the Russian IP factors in on their end.
 
This seems really weird and I'm somewhat confused. Is this printer on his premises or is he going into a print shop to scan documents?

If the former, I would humbly tell them where the door is if they want to dictate how my scanning is done.
 
This seems really weird and I'm somewhat confused. Is this printer on his premises or is he going into a print shop to scan documents?

If the former, I would humbly tell them where the door is if they want to dictate how my scanning is done.
Agreed.

Some of my clients use a [email protected] email on all their printers. Others have a jhbscans or cptscans etc. mail address. The scans go from the printer to the SP and then get mailed out.

Why do your scans need to go to the printer supplier's server first?

Does not make sense.
 
I do however question the security intelligence of the person making these bold security claims against us (Domains.co.za) as it would seem they have very little understanding of email bounce back messages.

This is the first thing I wanted to say but then decided against it since there wasn't really enough information to go on initially..
 
@Murmaider

Dave, thanks for your effort and investigation. I appreciate it a lot and it goes a long way in confirming my trust in Domains.co.za

Can you just explain to me something I still do not understand? You say the mail from Russia originates at the Russian IP. And that Domains is the last to receive it. The 'printer guy' claims that when he gets the mail, there is a line of code injected into the scan. I do not understand how the Russian IP gets hold of the scan if the mail originates from him. In other words, how is he getting hold of the scan to inject the line of code? Can it be because the printer was not configured with Domains's SMTP, as someone here said? I do not know how the printer was configured. All I have is the accusations that you adequately laid to rest for me.
 
Domains should be able to provide you with the email headers, from where you can trace the path the email took from source to destination..

Ideally though, you want to look at what the printer is configured with in terms of destination for the scans..
 
Does the printer have SMTP client capabilities? Or is it Cloud scanning? I have an HP that couldn't do SMTP, but it could link to an HP cloud account and from there you could configure your cloud account to auto email somewhere.

Although it still doesn't explain the mystery SMTP servers domains.co.za is seeing.....
 
I think what mostly everyone needs to understand and has pointed out is how the printer was configured.

You need to establish that first before carrying on with the back and forth because you are playing middle man to a he said / she said game.

For all we know, "printer guy"'s printer is compromised and has had its settings altered.
 
Hi,

Can the "printer guy" provide us with the email headers of the email he receives with the line of code injected, so that we can trace the email path and provide some clarity on this.

If not, then can you confirm what the SMTP settings are on the printer or if it even lets you set custom SMTP settings.

I have a suspicion that the email path is going:

Printer -> Printer company's servers (which make use of SmartApe (https://www.smartape.net/) infrastructure; these are the guys who own the Russian IP) -> out to end user
or
Printer -> Printer company's servers -> SmartApe server (Russian IP) -> out to end user

The key to this mystery is the SMTP settings on the printer or the full email headers.

Dave @ Domains.co.za
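As an added example (not code from any poster in the thread), the Python below does the two things suggested above: it walks a message's Received chain to find which IP handed the mail to the receiving provider's border MX, then evaluates the From domain's SPF record against that IP, reproducing the "From claims the client's domain, connecting IP is not authorised, SPF fails" outcome Dave describes. Every hostname, IP, TXT record and the receiver suffix are constructed placeholders, and the SPF evaluator only handles ip4/ip6, include and all.

```python
"""Trace a message's Received chain and evaluate SPF for the IP that connected.
Added example for this thread; all hostnames, IPs and TXT records below are
constructed placeholders, not values from the ticket or the thread."""
import ipaddress
import re
from email import message_from_string

# Constructed TXT "zone" standing in for live DNS so the example runs offline.
FAKE_TXT = {
    "client.example": "v=spf1 include:_spf.tld-mx.example -all",
    "_spf.tld-mx.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed headers of the kind of message Dave describes: From: claims the
# client's domain, but an unrelated relay hands it to the receiving MX.
RAW_HEADERS = """\
Received: from mx-inbound.tld-mx.example (mx-inbound.tld-mx.example [192.0.2.10])
\tby mailbox.tld-mx.example with ESMTPS; Tue, 4 Feb 2025 09:12:03 +0200
Received: from relay.foreign-relay.example (unknown [203.0.113.77])
\tby mx-inbound.tld-mx.example with ESMTP; Tue, 4 Feb 2025 09:12:01 +0200
Received: from scans.printco.example ([198.51.100.9])
\tby relay.foreign-relay.example with ESMTPA; Tue, 4 Feb 2025 09:11:58 +0200
From: scans@client.example"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)")

def parse_hops(raw):
    """Return Received hops oldest-first as (from_host, from_ip, by_host)."""
    msg = message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        ip = IP_RE.search(text)
        if m:
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return hops

def border_connecting_ip(hops, receiver_suffix):
    """IP of the host that handed the message to the receiver's border MX."""
    for from_host, from_ip, by_host in hops:
        if by_host.endswith(receiver_suffix) and not from_host.endswith(receiver_suffix):
            return from_ip
    return None

def spf_check(ip, domain, txt=FAKE_TXT, depth=0):
    """Minimal SPF evaluator (ip4/ip6, include, all); other mechanisms skipped."""
    record = txt.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual = term[0] if term[0] in verdict else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = spf_check(ip, mech[8:], txt, depth + 1) == "pass"
        else:
            matched = mech == "all"  # a, mx, exists, ptr need live DNS; skipped
        if matched:
            return verdict[qual]
    return "neutral"

def analyse(raw=RAW_HEADERS, receiver_suffix="tld-mx.example"):
    """Who connected to the receiver's border MX, and does SPF authorise it?"""
    hops = parse_hops(raw)
    ip = border_connecting_ip(hops, receiver_suffix)
    domain = message_from_string(raw)["From"].rsplit("@", 1)[1]
    return {"hops": hops, "connecting_ip": ip, "domain": domain,
            "spf": spf_check(ip, domain)}
```

Running `analyse()` on the constructed headers shows the receiver at the end of the chain and SPF returning "fail" for the foreign relay's IP, which is the bounce the printer company misread as a "detour"; on real headers the From domain's SPF record would be fetched from DNS instead of FAKE_TXT.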
 