On 6/28/2012 2:59 PM, VinnyHIDDEN@@Dell.com wrote:
> The most common way I see this happen is a user receives a forged email from "support" phishing for their email credentials. They supply them and then it's a free-for-all from a botnet of accounts sending as that user through your mail server.

that certainly didn't happen in this case. the particular user is VERY tech savvy and would never do anything like that. the password must have been compromised in some other way.

> The most effective way I've found to combat this is to apply the recommended settings, in particular g_safe_smtp which requires that users authenticating to relay via SMTP have recently also authenticated via POP3/IMAP. This seems to have effectively stopped all of this type of abuse on the systems I run. This doesn't stop end users from giving away their credentials of course, but it helps prevent the abuse of your server in the end... at least until the people stealing the credentials realize they can get around this by authenticating via POP3/IMAP prior to relaying via auth SMTP. :(

i had this set MANY moons ago on dmail. however, i stopped using it, since as i recollect, you couldn't set the allowable interval between pop/imap login and send request. and, as you say, it's easily gotten around.

david camm
advanced web systems
keller, tx

> -Vinny
>
> -----Original Message-----
> From: David Camm [mailtoHIDDEN@advwebsys.com]
> Sent: Thursday, June 28, 2012 2:32 PM
> To: SurgeMail List
> Subject: [SurgeMail List] customer email account hijacked - anything i can do?
>
> just got a call from a customer. he's getting a huge number of
> non-delivery notices for emails he did not send.
>
> none of the 'to' addresses are in his address book so it's not a trojan
> or virus on his workstation.
>
> i looked at a few of the returned messages and they all look like this:
>
> X-Default-Received-SPF: pass (skip=loggedin (res=PASS))
> x-ip-name=77.222.42.120; THIS IP IS DIFFERENT ON EACH MSG
> Date: Thu, 28 Jun 2012 21:30:40 +0300
> From: Paul DeLay HIDDEN@r@onebrainmarketing.com> THE NAME IS DIFFERENT
> ON EACH MSG
> Organization: mbpdsy
> X-Priority: 3 (Normal)
> Message-ID: <744914006HIDDEN@28213040@onebrainmarketing.com>
> To:HIDDEN@baker884.fsnet.co.uk
> Subject: Look at Pic No. 776
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-asciislplavsic
> Content-Transfer-Encoding: 8bit
> X-Authenticated-User:HIDDEN@r@onebrainmarketing.com
>
> then there's some nasty text.
>
> i had him change his password immediately.
>
> looking at the outbound queue, there are still a few messages from him
> awaiting delivery. they all have different 'from' ip addresses. i've
> deleted them.
>
> since we're very strict about requiring authentication for smtp, the
> only thing i can think of is that his password was guessed.
>
> anyone have any ideas as to how this can be prevented - other than
> strong passwords?
>
> david camm
> advanced web systems
> keller, tx
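One defender-side check for the pattern David describes above (one authenticated user, with a different submitting IP and display name on each bounce), as an added example that is not part of the thread or of SurgeMail's own code: it groups bounced-message headers by X-Authenticated-User and flags accounts that submit from more IPs, or under more display names, than one person plausibly would. The sample headers are constructed with RFC 5737 documentation IPs and placeholder addresses, and assume x-ip-name is a folded continuation of the X-Default-Received-SPF header, as the quoted bounce suggests.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the bounced headers quoted in the thread.
# IPs are RFC 5737 documentation addresses; addresses and names are placeholders.
SAMPLE_HEADERS = [
    "X-Default-Received-SPF: pass (skip=loggedin (res=PASS))\n x-ip-name=192.0.2.10;\n"
    "From: Paul DeLay <victim@example.com>\nX-Authenticated-User: victim@example.com\n",
    "X-Default-Received-SPF: pass (skip=loggedin (res=PASS))\n x-ip-name=198.51.100.7;\n"
    "From: Mary Lamb <victim@example.com>\nX-Authenticated-User: victim@example.com\n",
    "X-Default-Received-SPF: pass (skip=loggedin (res=PASS))\n x-ip-name=203.0.113.42;\n"
    "From: John Smith <victim@example.com>\nX-Authenticated-User: victim@example.com\n",
    "X-Default-Received-SPF: pass (skip=loggedin (res=PASS))\n x-ip-name=192.0.2.10;\n"
    "From: Alice Admin <staff@example.com>\nX-Authenticated-User: staff@example.com\n",
]

IP_RE = re.compile(r"x-ip-name=(\d{1,3}(?:\.\d{1,3}){3})")
AUTH_RE = re.compile(r"^X-Authenticated-User:\s*(\S+)", re.MULTILINE)
FROM_RE = re.compile(r"^From:\s*(.*?)\s*<", re.MULTILINE)


def summarize(headers):
    """Per authenticated user: message count, distinct submitting IPs, distinct display names."""
    per_user = defaultdict(lambda: {"count": 0, "ips": set(), "names": set()})
    for hdr in headers:
        auth = AUTH_RE.search(hdr)
        if not auth:
            continue  # no SMTP auth: not the credential-abuse pattern being looked for
        rec = per_user[auth.group(1).lower()]
        rec["count"] += 1
        ip = IP_RE.search(hdr)
        if ip:
            rec["ips"].add(ip.group(1))
        name = FROM_RE.search(hdr)
        if name:
            rec["names"].add(name.group(1))
    return dict(per_user)


def flag_hijacked(headers, max_ips=2, max_names=2):
    """Users whose single account submits from more IPs, or under more display names,
    than one person plausibly would: the thread's 'different on each message' pattern."""
    return sorted(user for user, rec in summarize(headers).items()
                  if len(rec["ips"]) > max_ips or len(rec["names"]) > max_names)


if __name__ == "__main__":
    print(flag_hijacked(SAMPLE_HEADERS))  # ['victim@example.com']
```

The same grouping works over the server's SMTP auth log instead of bounces, which catches the abuse before the first NDR arrives.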