On 6/28/2012 2:59 PM, VinnyHIDDEN@@Dell.com wrote:

> The most common way I see this happen is a user receives a forged email from "support" phishing for their email credentials. They supply them and then it's a free-for-all from a botnet of accounts sending as that user through your mail server.

that certainly didn't happen in this case. the particular user is VERY tech savvy and would never do anything like that. the password must have been compromised in some other way.

> The most effective way I've found to combat this is to apply the recommended settings, in particular g_safe_smtp which requires that users authenticating to relay via SMTP have recently also authenticated via POP3/IMAP. This seems to have effectively stopped all of this type of abuse on the systems I run. This doesn't stop end users from giving away their credentials of course, but it helps prevent the abuse of your server in the end... at least until the people stealing the credentials realize they can get around this by authenticating via POP3/IMAP prior to relaying via auth SMTP. :(

i had this set MANY moons ago on dmail. however, i stopped using it, since as i recollect, you couldn't set the allowable interval between pop/imap login and send request. and, as you say, it's easily gotten around.

david camm
advanced web systems
keller, tx

> -Vinny
>
> -----Original Message-----
> From: David Camm [mailtoHIDDEN@advwebsys.com]
> Sent: Thursday, June 28, 2012 2:32 PM
> To: SurgeMail List
> Subject: [SurgeMail List] customer email account hijacked - anything i can do?
>
> just got a call from a customer. he's getting a huge number of non-delivery notices for emails he did not send. none of the 'to' addresses are in his address book so it's not a trojan or virus on his workstation.
>
> i looked at a few of the returned messages and they all look like this:
>
> X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=77.222.42.120; THIS IP IS DIFFERENT ON EACH MSG
> Date: Thu, 28 Jun 2012 21:30:40 +0300
> From: Paul DeLay <HIDDEN@r@onebrainmarketing.com> THE NAME IS DIFFERENT ON EACH MSG
> Organization: mbpdsy
> X-Priority: 3 (Normal)
> Message-ID: <744914006HIDDEN@28213040@onebrainmarketing.com>
> To: chris@baker884.fsnet.co.uk
> Subject: Look at Pic No. 776
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-asciislplavsic
> Content-Transfer-Encoding: 8bit
> X-Authenticated-User:HIDDEN@r@onebrainmarketing.com
>
> then there's some nasty text.
>
> i had him change his password immediately. looking at the outbound queue, there are still a few messages from him awaiting delivery. they all have different 'from' ip addresses. i've deleted them.
>
> since we're very strict about requiring authentication for smtp, the only thing i can think of is that his password was guessed.
>
> anyone have any ideas as to how this can be prevented - other than strong passwords?
>
> david camm
> advanced web systems
> keller, tx
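As an added example (not SurgeMail's code and not from anyone in this thread), the two ideas discussed above modelled in Python over constructed auth events: a g_safe_smtp-style gate with an explicit, tunable interval between POP3/IMAP login and SMTP relay, and a check for the symptom David reported, one authenticated user relaying from many different source IPs in a short window. The event format, user names, IPs, interval and threshold are all assumptions.

```python
"""Constructed defender-side checks; simplified models, not SurgeMail's own logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: (time, protocol, authenticated user, source IP).
EVENTS = [
    ("2012-06-28 20:55:00", "IMAP", "r@example.test", "203.0.113.10"),
    ("2012-06-28 21:30:40", "SMTP", "r@example.test", "198.51.100.7"),
    ("2012-06-28 21:31:02", "SMTP", "r@example.test", "198.51.100.88"),
    ("2012-06-28 21:31:40", "SMTP", "r@example.test", "192.0.2.45"),
    ("2012-06-28 21:32:15", "SMTP", "r@example.test", "192.0.2.201"),
    ("2012-06-28 21:33:00", "SMTP", "alice@example.test", "203.0.113.55"),
]

def parse(events):
    """Turn the string timestamps into datetimes so we can do interval math."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), p, u, ip) for t, p, u, ip in events]

def smtp_auth_allowed(events, user, at, max_age_minutes=30):
    """g_safe_smtp-style gate: permit authenticated SMTP relay for `user` at time
    `at` only if the same user logged in over POP3/IMAP within max_age_minutes
    (the interval the thread says could not be tuned on the old dmail setting)."""
    at_t = datetime.strptime(at, "%Y-%m-%d %H:%M:%S")
    max_age = timedelta(minutes=max_age_minutes)
    return any(u == user and p in ("POP3", "IMAP") and timedelta(0) <= at_t - t <= max_age
               for t, p, u, _ in parse(events))

def users_with_many_ips(events, window_minutes=10, threshold=3):
    """Flag accounts whose authenticated SMTP sessions come from at least
    `threshold` distinct source IPs inside any window_minutes-long window.
    One X-Authenticated-User with a different x-ip-name per message is exactly
    the pattern in the bounced headers above. Returns {user: sorted IPs}."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for t, p, u, ip in sorted(parse(events)):
        if p == "SMTP":
            by_user[u].append((t, ip))
    flagged = {}
    for u, sessions in by_user.items():
        for i, (t0, _) in enumerate(sessions):
            ips = {ip for t, ip in sessions[i:] if t - t0 <= window}
            if len(ips) >= threshold:
                flagged[u] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(smtp_auth_allowed(EVENTS, "r@example.test", "2012-06-28 21:30:40"))
    print(users_with_many_ips(EVENTS))
```

The IMAP login in the sample is 35 minutes before the first SMTP relay, so the default 30-minute gate refuses it while a 60-minute gate would accept it; the distinct-IP check flags the compromised account regardless of whether the gate is in place.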