Interesting, something similar here: 290 attempts from 93.114.45.161.
Frank
From: Larry [mailto:airaghi@speedspan.com]
Sent: Monday, September 17, 2012 10:55 PM
To: surgemailHIDDEN@etwinsite.com
Subject: Re: [SurgeMail List] hackers & pop3
Thanks for the alert, Lyle.
Our logs show that 1272 attempts were logged (login_failed.log) from 93.114.45.x
and 104 from 89.44.0.x (all on Sept 17).
The logs show that Surgemail also identified the IPs as "guessing passwords detected" and eventually locked the IP address.
The surprising thing to me is that ~90% of the names used in the failed login attempts were valid for the multiple domains they tried to penetrate.
They seem to be targeting just email addresses known to be coming from our Surgemail server.
Larry
SpeedSpan
=========================================
On Monday 09/17/2012 at 10:39 pm, Lyle Giese wrote:
Had an account here get hacked. Nothing really new or unusual about that. The account had been dormant for a while and I just deleted it. I got notices from AOL feedback and the size of the outbound mail queue (I have a script to monitor the size of the queue), and that's how I found the issue.

During the post investigation, I found two subnets (!) were sending directed POP3 queries and knew when they hit the blacklist threshold of Surgemail. I think they are still playing with the timeout. But they would back off for a few minutes and try again. The unusual part was they were trying full email addresses instead of just user names, as most script kiddies would do. These IP addresses started poking less than 24 hrs before they gained access to that one account.

89.44.0.0/24
93.114.45.0/24

I have taken the unusual step of blocking them in our Cisco router so they cannot access TCP port 110 on our mail servers. Guess my next project is to data mine IP addresses from the mail logs for password failures and find the frequent violators now.

Lyle Giese
LCR Computer Services, Inc.
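The "data mine IP addresses from the mail logs" project Lyle describes, and the two indicators the thread highlights (attempts clustering in whole /24s, and a high share of guessed names that are real full mailboxes), can be checked with a short aggregation script. The following is an added example written for this thread; it is not SurgeMail's code and not anything the posters shared. The layout of the log lines is an assumption: SurgeMail's real login_failed.log format is not shown in the thread, and the sample lines, the known-mailbox list, and the alert threshold are all constructed for illustration.

```python
"""Aggregate POP3 login failures per source IP and per /24 network.

Added example, not part of the original mailing-list thread and not
SurgeMail's own code.  The "timestamp ip proto user" line layout below is an
assumption; adapt LINE_RE to the real login_failed.log format.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed layout, constructed addresses).
SAMPLE_LOG = """\
2012-09-17 21:03:11 93.114.45.161 POP3 bob@example.com
2012-09-17 21:03:12 93.114.45.161 POP3 alice@example.com
2012-09-17 21:03:14 93.114.45.162 POP3 carol@example.net
2012-09-17 21:03:15 93.114.45.161 POP3 zzz@example.com
2012-09-17 21:03:19 89.44.0.17 POP3 dave@example.org
2012-09-17 21:03:20 89.44.0.17 POP3 bob@example.com
2012-09-17 21:04:01 198.51.100.7 POP3 mallory
this line is malformed and must be skipped
"""

# Constructed list of mailboxes this server actually hosts.
KNOWN_USERS = {"bob@example.com", "alice@example.com",
               "carol@example.net", "dave@example.org"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_failures(text):
    """Yield (ip, user) pairs; malformed lines and bad addresses are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, _proto, user = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield ip, user


def network_of(ip):
    """Group by /24 for IPv4 and /64 for IPv6 (assumed grouping widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(text, known_users=KNOWN_USERS, threshold=2):
    """Return (failures per IP, per-network report).

    Each network entry carries: total failures, distinct usernames tried,
    the fraction of those names that are real mailboxes, whether every
    name tried was a full address (the pattern noted in the thread), and
    a flag when failures reach the assumed threshold.
    """
    per_ip = Counter()
    per_net = Counter()
    users_by_net = defaultdict(set)
    for ip, user in parse_failures(text):
        net = network_of(ip)
        per_ip[ip] += 1
        per_net[net] += 1
        users_by_net[net].add(user)

    report = {}
    for net, count in per_net.items():
        users = users_by_net[net]
        valid = sum(1 for u in users if u in known_users)
        report[net] = {
            "failures": count,
            "distinct_users": len(users),
            "valid_fraction": valid / len(users),
            "full_addresses": all("@" in u for u in users),
            "flag": count >= threshold,
        }
    return per_ip, report


def top_offenders(text, n=5):
    """Source IPs ordered by failure count, most active first."""
    per_ip, _ = summarize(text)
    return per_ip.most_common(n)


if __name__ == "__main__":
    per_ip, report = summarize(SAMPLE_LOG)
    for net, info in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        print(net, info)
    print(top_offenders(SAMPLE_LOG))
```

A network that is flagged, tries only full addresses, and scores a high valid fraction is the case Larry describes (roughly 90% of guessed names were real), which points to a harvested address list rather than a generic wordlist; that combination is worth a tighter lockout or a router block on port 110 for the whole /24, as Lyle did, rather than a per-IP rule.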