Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Michael Peddemors via mailop

On 2021-09-23 11:25 a.m., Robert L Mathews via mailop wrote:

Or "This message is verified as being from gmail.com, but there's no
previous message from evild...@gmail.com in your mailbox."


For the record, the scammers are trickier than that, they take an old 
thread from the compromised account, and simply add the phishing lure to 
it now..


But of course, all email 'clients' are working towards better 
understanding and presentation of emails, and webmails also need to 
keep up.


But we need to do more to stop the compromise in the first place, or 
recognize it immediately, because the damage is already done, even 
BEFORE they attempt to 'phish' other users from that account.


Frankly, all the measures we do can REDUCE the amount, but until 
transparent 2FA is routinely used, they still will be only stop gap 
measures.


Of course, reducing by over 95% is still a win.

Platform vendors need to make that 95% savings simpler for the 
administrator, but of course recouping that investment is the hard part, 
especially when the bad guys can rent a 'phishing' service for less than 
the cost of one hour of development time.


IMHO not enough government and policing effort goes into stopping these 
threats, otherwise all the Digital Ocean 'phishing' platforms would have 
been shut down by now ;)





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Robert L Mathews via mailop
On 9/23/21 9:42 AM, Jay Hennigan via mailop wrote:

> While you do this, also tell them to ignore phishing emails that claim
> to be from their provider warning that their email account is at risk.

A lot of this now seems like just poor user interface. Email software
authors (and many of us, including me) could be doing a lot better at
exposing what we know (based on DKIM etc.) to the user.

For example, "This message is verified as being from keycodes.com, and
mailop-l...@keycodes.com was first seen in your mailbox more than six
months ago."

Or "This message claims to be from li...@tigertech.com, but it isn't
signed by tigertech.com as we'd expect. Be careful."

Or "This message is verified as being from gmail.com, but there's no
previous message from evild...@gmail.com in your mailbox."

etc.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
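The annotation Robert describes can be computed from the receiving MTA's own Authentication-Results header (RFC 8601) plus a per-mailbox "first seen" index of sender addresses. The Python below is an added example, not code from the thread or from Tiger Technologies; the authserv-id `mx.example.net`, the `FIRST_SEEN` index and the three sample messages are constructed, and the relaxed-alignment rule is a simplification of what a real client would do.

```python
import email
import re
from datetime import date, timedelta
from email import policy
from email.utils import parseaddr

# Only Authentication-Results headers stamped by our own MTA are trusted; the border
# MTA is assumed to strip any that arrive from outside carrying our authserv-id.
OUR_AUTHSERV_ID = "mx.example.net"

# Constructed per-mailbox index: sender address -> date of the first message seen from it.
FIRST_SEEN = {
    "announce@keycodes.com": date(2020, 11, 3),
    "friend@gmail.com": date(2021, 9, 1),
}


def dkim_pass_domains(msg, authserv_id=OUR_AUTHSERV_ID):
    """Set of header.d= domains with dkim=pass, taken only from our own A-R headers."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        text = str(ar).strip()
        if not text.lower().startswith(authserv_id.lower()):
            continue  # stamped by someone else (or forged upstream): ignore it
        for m in re.finditer(r"\bdkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", text):
            domains.add(m.group(1).lower())
    return domains


def aligned(from_domain, signing_domains):
    """Relaxed alignment: the From: domain equals, or is a subdomain of, a signing domain."""
    return any(from_domain == d or from_domain.endswith("." + d) for d in signing_domains)


def annotate(raw_message, today_iso, first_seen=FIRST_SEEN):
    """Produce the one-line verdict a mail client could show above the message."""
    today = date.fromisoformat(today_iso)
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    if not aligned(from_domain, dkim_pass_domains(msg)):
        return (f"This message claims to be from {addr}, but it isn't signed by "
                f"{from_domain} as we'd expect. Be careful.")
    seen = first_seen.get(addr)
    if seen is None:
        return (f"This message is verified as being from {from_domain}, but there's "
                f"no previous message from {addr} in your mailbox.")
    age = "more than six months ago" if today - seen > timedelta(days=182) else f"on {seen}"
    return (f"This message is verified as being from {from_domain}, and {addr} "
            f"was first seen in your mailbox {age}.")


# Constructed sample messages; only the headers matter for the annotation.
MSG_KNOWN = """\
Authentication-Results: mx.example.net; dkim=pass header.d=keycodes.com header.s=sel1
From: Keycodes Announcements <announce@keycodes.com>
Subject: Release notes

body
"""
MSG_NEW_SENDER = """\
Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com header.s=20210112
From: stranger@gmail.com
Subject: Invoice attached

body
"""
MSG_UNSIGNED = """\
Authentication-Results: evil.example; dkim=pass header.d=tigertech.com
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example; dkim=none
From: Support <support@tigertech.com>
Subject: Your account is at risk

body
"""

if __name__ == "__main__":
    for raw in (MSG_KNOWN, MSG_NEW_SENDER, MSG_UNSIGNED):
        print(annotate(raw, "2021-09-23"))
```

The forged first header in `MSG_UNSIGNED` is ignored because its authserv-id is not ours, which is exactly why the border MTA must strip foreign copies of that header.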


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Peter Nicolai Mathias Hansteen via mailop
This discussion made me think of one of the several bizarre episodes involving 
my spamtraps apparently becoming part of the must-try user IDs for other 
services - 
https://bsdly.blogspot.com/2014/08/password-gropers-take-spamtrap-bait.html 
 
which eventually led to me publishing the list of IP addresses that have tried 
and failed to access pop3 here.

A slightly newer piece gives an overview of the various lists we generate for 
free consumption: 
https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html

The data presented is all free to use. If you repackage, please include some 
sort of indicator of where the data came from; if you find any errors or 
unreasonable inclusions, please let me know.

All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Grant Taylor via mailop

Hi Sidsel,

On 9/23/21 12:21 AM, Sidsel Jensen via mailop wrote:
Each hash in haveibeenpwned is associated with a count based on 
how many breaches it’s been found in. If we find a match on the 
hash we check the count towards a set threshold, and if the count is 
higher than the threshold the user will get a big red box in his or 
her webmail saying - “We really think it would be a good idea if 
you changed your password. Please do it now.


Would you please elucidate as to why you have the threshold higher than 
one?  I would have naively thought that even being listed one time would 
be enough to warrant asking users to change their password.


I'm trying to understand why you / your company is apparently using a 
threshold higher than one.


Thank you and have a good day.



--
Grant. . . .
unix || die





Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Jay Hennigan via mailop

On 9/23/21 02:45, Jaroslaw Rafa via mailop wrote:

On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:


Unfortunately we can only do this in our Webmail, we have no good way of
sending this message to a user of a 3rd party mail client. If someone on
this list has a good idea on how that can be accomplished with a good UX I
am very eager to hear it :-)


Maybe just send mail to them? :)


While you do this, also tell them to ignore phishing emails that claim 
to be from their provider warning that their email account is at risk.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Hans-Martin Mosner via mailop
On 23 September 2021 14:32, "Christian Mack via mailop" wrote:

> Hello
> 
> On 23.09.21 12:59, Geert Ijewski via mailop wrote:
> 
>> On 23.09.21 11:45, Jaroslaw Rafa via mailop wrote:
>>> On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:
>> 
>> Unfortunately we can only do this in our Webmail, we have no good way of
>> sending this message to a user of a 3rd party mail client. If someone on
>> this list has a good idea on how that can be accomplished with a good UX I
>> am very eager to hear it :-)
>>> Maybe just send mail to them? :)
>> 
>> An email telling users to change their password because it has been
>> compromised, will -- rightfully -- be seen as a phishing attempt; even
>> if in this case it would be true.
> 
> Yes, but it should be cryptographically signed by the domain owner; with
> this, users can see/check that it is a legitimate one.
> 
Users who are competent enough to understand cryptographic signatures are 
probably a 1-digit percentage of the domain owner's user base, and they are 
probably much less likely to fall for phishing/trojans or re-use passwords 
across domains :-)

Cheers,
Hans-Martin


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Michael Sofka via mailop
We have had to do this to select users when there's evidence of a 
password compromise. And yes, it could be mistaken for a phish, so we 
don't include a password change link, direct people to our helpdesk page 
with instructions on finding the change password instructions, provide a 
local contact, and when appropriate include a link to a local web page 
explaining changes to procedure, etc.  We also have a daily newsletter 
that announces system changes.


Of course even with all this some people require multiple contacts, and 
when that doesn't work the password is preemptively changed and we wait 
for them to contact us.  (This last might not be appropriate in all 
circumstances, or with all business models.)


Mike

On 9/23/21 6:59 AM, Geert Ijewski via mailop wrote:


On 23.09.21 11:45, Jaroslaw Rafa via mailop wrote:

On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:

Unfortunately we can only do this in our Webmail, we have no good way of
sending this message to a user of a 3rd party mail client. If someone on
this list has a good idea on how that can be accomplished with a good UX I
am very eager to hear it :-)

Maybe just send mail to them? :)


An email telling users to change their password because it has been
compromised, will -- rightfully -- be seen as a phishing attempt; even
if in this case it would be true.


--
Michael D. Sofka   sof...@rpi.edu
ITI Software Architect,   Email, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/



Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Christian Mack via mailop
Hello

On 23.09.21 12:59, Geert Ijewski via mailop wrote:
> 
> On 23.09.21 11:45, Jaroslaw Rafa via mailop wrote:
>> On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:
>>>
>>> Unfortunately we can only do this in our Webmail, we have no good way of
>>> sending this message to a user of a 3rd party mail client. If someone on
>>> this list has a good idea on how that can be accomplished with a good UX I
>>> am very eager to hear it :-)
>>
>> Maybe just send mail to them? :)
>>
> 
> An email telling users to change their password because it has been
> compromised, will -- rightfully -- be seen as a phishing attempt; even
> if in this case it would be true.
> 

Yes, but it should be cryptographically signed by the domain owner; with
this, users can see/check that it is a legitimate one.


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416





Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Geert Ijewski via mailop


On 23.09.21 11:45, Jaroslaw Rafa via mailop wrote:
> On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:
>>
>> Unfortunately we can only do this in our Webmail, we have no good way of
>> sending this message to a user of a 3rd party mail client. If someone on
>> this list has a good idea on how that can be accomplished with a good UX I
>> am very eager to hear it :-)
> 
> Maybe just send mail to them? :)
> 

An email telling users to change their password because it has been
compromised, will -- rightfully -- be seen as a phishing attempt; even
if in this case it would be true.

-- 
https://patadams.de/
+49 2359 2959580


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Renaud Allard via mailop



On 9/23/21 10:56 AM, Steve Freegard via mailop wrote:

Hi Alessio,

You could try our Authentication Blocklist: 
https://docs.abusix.com/ami-production-zones/authbl


This doesn't pre-emptively list cloud IPs, it only lists IPs where we've 
seen evidence of compromise/abuse. These come from a variety of 
sources, some of which I believe to be novel to us, and the list is updated 
every minute.


There's a free trial available on our website if you're interested and 
you're welcome to contact me off-list.




I agree, I am using abusix authbl, along with
spamhaus authbl and it works quite well.





Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Steve Freegard via mailop

Hi Alessio,

You could try our Authentication Blocklist: 
https://docs.abusix.com/ami-production-zones/authbl


This doesn't pre-emptively list cloud IPs, it only lists IPs where we've 
seen evidence of compromise/abuse. These come from a variety of 
sources, some of which I believe to be novel to us, and the list is updated 
every minute.


There's a free trial available on our website if you're interested and 
you're welcome to contact me off-list.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence


On 21/09/2021 16:08, Alessio Cecchi via mailop wrote:


Hi,

we are an email hosting provider, and as you know many users use weak 
passwords, or have a trojan on their PC that stole their password, which 
is then used to send spam or to do some kind of fraud.


We already have a "script" that checks, from log files, the country of 
the IP address and "does something" to detect if it is an unusual login. 
But it is not really sufficient.


For "do something" I mean:

- too many logins from different country
- too many fast login

So we are always looking for a system/software/service/script to 
detect login to POP IMAP or SMTP not made by the user.


I have also tested the AWS SageMaker IP Insights service but without 
success.


Has anyone experienced these problems?
Thanks

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice



Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Jaroslaw Rafa via mailop
On 23.09.2021 at 08:21:40 Sidsel Jensen via mailop wrote:
> 
> Unfortunately we can only do this in our Webmail, we have no good way of
> sending this message to a user of a 3rd party mail client. If someone on
> this list has a good idea on how that can be accomplished with a good UX I
> am very eager to hear it :-)

Maybe just send mail to them? :)
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-23 Thread Sidsel Jensen via mailop


> On 22 Sep 2021, at 21.44, Jarland Donnell via mailop wrote:
> 
> This is true. While brute force attacks persist, we rarely see a connection 
> between that and compromised accounts these days. Most often the attacker 
> knew the password immediately. Now what would be cool, and has always been on 
> my list of "maybe one day" features, would be either using an API from 
> haveibeenpwned.com or merely keeping a copy of publicly released database 
> leaks, and then testing results internally. If an email in a database dump 
> matches one in your system, test the password leaked with it. If it works, 
> force password change.
> 

We use haveibeenpwned - but a bit differently than what you propose here. We 
have a local copy of haveibeenpwned running that compares the password hash with 
the hash in haveibeenpwned. Each hash in haveibeenpwned is associated with a 
count based on how many breaches it’s been found in. If we find a match on the 
hash we check the count against a set threshold, and if the count is higher 
than the threshold the user will get a big red box in his or her webmail saying 
- “We really think it would be a good idea if you changed your password. Please 
do it now. Your password is insecure”

Unfortunately we can only do this in our Webmail, we have no good way of 
sending this message to a user of a 3rd party mail client. If someone on this 
list has a good idea on how that can be accomplished with a good UX I am very 
eager to hear it :-)

Kind Regards,
  Sidsel, Postmistress @ one.com


> I think a lot more people will be doing things like this in the future, it's 
> hardly a fresh idea. But the amount of compromises it would prevent are 
> likely enough to justify the overhead of building it out.
> 
> On 2021-09-22 01:38, Lena--- via mailop wrote:
>>> From: Alessio Cecchi 
>>> we are an email hosting provider, and as you know many users use weak
>>> passwords, or have a trojan on their PC that stole their password, which
>>> is then used to send spam or to do some kind of fraud.
>>> We already have a "script" that checks, from log files, the country of
>>> the IP address and "does something" to detect if it is an unusual login. But
>>> it is not really sufficient.
>> I suspect that stealing passwords with trojans is more successful
>> than brute-forcing passwords via POP, IMAP or SMTP.
>> Therefore, detecting logins for brute-forcing is not enough.
>> You need to detect when stolen passwords are used to send spam
>> via your server. One approach is to check rate of attempts to send
>> to non-existent recipient email addresses, because spammers usually
>> send to dirty lists of email addresses full of message-ids,
>> truncated email addresses or prepended with garbage.
>> I wrote an implementation for Exim:
>> https://github.com/Exim/exim/wiki/BlockCracking
>> It also detects some brute-forcing, but the main is automatic blocking
>> of accounts used for spamming with trojan-stolen passwords.



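Sidsel's threshold check against a local copy of the Pwned Passwords data, written out as an added example (this is not one.com's code): the password is hashed with SHA-1, only the 5-character prefix selects a range, and the full suffix is matched locally, so neither the password nor its complete hash has to leave the host. `range_lookup` is any callable that returns a range as `SUFFIX:COUNT` lines; the constructed `LocalPwnedStore` stands in for either an offline copy or a fetch of the public range endpoint `https://api.pwnedpasswords.com/range/<prefix>`. The sample entries and their counts are constructed.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex_digest):
    """k-anonymity split: only the 5-char prefix is needed to select a range."""
    return sha1_hex_digest[:5], sha1_hex_digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (the range API's and the offline dump's line format)."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


class LocalPwnedStore:
    """Constructed stand-in for a local copy of the Pwned Passwords data, keyed by prefix."""

    def __init__(self, entries):
        self.by_prefix = defaultdict(list)
        for digest, count in entries:
            prefix, suffix = split_hash(digest.upper())
            self.by_prefix[prefix].append(f"{suffix}:{count}")

    def range(self, prefix):
        return "\n".join(self.by_prefix.get(prefix.upper(), []))


def breach_count(password, range_lookup):
    """Number of breaches the password appears in (0 if unknown)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def needs_warning(password, range_lookup, threshold):
    """True when the breach count exceeds the site's policy threshold (0 = any hit warns)."""
    return breach_count(password, range_lookup) > threshold


# Constructed sample corpus: the counts are made up, the hashes are computed here.
SAMPLE_STORE = LocalPwnedStore([
    (sha1_hex("password123"), 123456),
    (sha1_hex("Tr0ub4dor&3"), 2),
])

if __name__ == "__main__":
    for pw in ("password123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, breach_count(pw, SAMPLE_STORE.range), needs_warning(pw, SAMPLE_STORE.range, 100))
```

The `threshold` argument covers both policies discussed in the thread: 0 warns on any breach occurrence, a higher value warns only for passwords seen in many breaches.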


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-22 Thread Jarland Donnell via mailop
This is true. While brute force attacks persist, we rarely see a 
connection between that and compromised accounts these days. Most often 
the attacker knew the password immediately. Now what would be cool, and 
has always been on my list of "maybe one day" features, would be either 
using an API from haveibeenpwned.com or merely keeping a copy of 
publicly released database leaks, and then testing results internally. 
If an email in a database dump matches one in your system, test the 
password leaked with it. If it works, force password change.


I think a lot more people will be doing things like this in the future, 
it's hardly a fresh idea. But the amount of compromises it would prevent 
are likely enough to justify the overhead of building it out.


On 2021-09-22 01:38, Lena--- via mailop wrote:

From: Alessio Cecchi 



we are an email hosting provider, and as you know many users use weak
passwords, or have a trojan on their PC that stole their password, which
is then used to send spam or to do some kind of fraud.

We already have a "script" that checks, from log files, the country of
the IP address and "does something" to detect if it is an unusual login.
But it is not really sufficient.


I suspect that stealing passwords with trojans is more successful
than brute-forcing passwords via POP, IMAP or SMTP.
Therefore, detecting logins for brute-forcing is not enough.
You need to detect when stolen passwords are used to send spam
via your server. One approach is to check rate of attempts to send
to non-existent recipient email addresses, because spammers usually
send to dirty lists of email addresses full of message-ids,
truncated email addresses or prepended with garbage.
I wrote an implementation for Exim:
https://github.com/Exim/exim/wiki/BlockCracking
It also detects some brute-forcing, but the main is automatic blocking
of accounts used for spamming with trojan-stolen passwords.



Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-22 Thread Jaroslaw Rafa via mailop
On 21.09.2021 at 22:25:26 Darrell Budic via mailop wrote:
> 
> If you follow NANOG and some other groups, you’re probably aware of the
> spate of VPN blocking recently from various video providers like Netflix
> and Amazon Prime. This seems (as an email provider and, separately, as a
> day-job ISP) to be related to a simple heuristic: if several people log
> in from one IP, it might be a VPN.

It might be also an ISP using carrier-grade NAT. Or a big corporation's
internal network (even spanning multiple countries) connecting to Internet
through corporate gateway...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-22 Thread Lena--- via mailop
> From: Alessio Cecchi 

> we are an email hosting provider, and as you know many users use weak 
> passwords, or have a trojan on their PC that stole their password, which 
> is then used to send spam or to do some kind of fraud.
> 
> We already have a "script" that checks, from log files, the country of 
> the IP address and "does something" to detect if it is an unusual login. But 
> it is not really sufficient.

I suspect that stealing passwords with trojans is more successful
than brute-forcing passwords via POP, IMAP or SMTP.
Therefore, detecting logins for brute-forcing is not enough.
You need to detect when stolen passwords are used to send spam
via your server. One approach is to check rate of attempts to send
to non-existent recipient email addresses, because spammers usually
send to dirty lists of email addresses full of message-ids,
truncated email addresses or prepended with garbage.
I wrote an implementation for Exim:
https://github.com/Exim/exim/wiki/BlockCracking
It also detects some brute-forcing, but the main is automatic blocking
of accounts used for spamming with trojan-stolen passwords.

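A stand-alone sketch of the rate check Lena describes, added here as an example and not code from BlockCracking: rejected RCPTs are counted per authenticated user in a sliding window, and the account trips once the limit is exceeded, which is the point at which an automatic block or alert would fire. The Exim-style reject-log lines, the `plain` authenticator name, the window and limit, and the crude "truncated address" signal are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Exim-style reject-log lines: an authenticated (A=...) submission whose
# RCPT was refused because the recipient does not exist. Not real traffic.
SAMPLE_REJECTLOG = """\
2021-09-22 01:40:01 H=(laptop) [192.0.2.10] F=<alice@example.net> A=plain:alice@example.net rejected RCPT <bbo@example.org>: Unrouteable address
2021-09-22 01:42:00 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <jsmith@example.co>: Unrouteable address
2021-09-22 01:42:10 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <info@example.o>: Unrouteable address
2021-09-22 01:42:20 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <sales@exampl>: Unrouteable address
2021-09-22 01:42:30 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <abc123.4567@example.org>: Unrouteable address
2021-09-22 01:42:40 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <xx-jdoe@example.org>: Unrouteable address
2021-09-22 01:42:50 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <webmaster@example.n>: Unrouteable address
2021-09-22 01:43:00 H=(box) [203.0.113.5] F=<mallory@example.net> A=plain:mallory@example.net rejected RCPT <postmaster@exa>: Unrouteable address
2021-09-22 02:30:15 H=(laptop) [192.0.2.10] F=<alice@example.net> A=plain:alice@example.net rejected RCPT <bob@exmaple.org>: Unrouteable address
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\bA=\w+:(?P<user>\S+) rejected RCPT <(?P<rcpt>[^>]*)>"
)
WINDOW = timedelta(minutes=10)   # sliding window length (constructed policy value)
MAX_BAD_RCPTS = 5                # more than this many unknown recipients in WINDOW trips the account


def parse_rejects(text):
    """Return time-sorted (timestamp, authenticated_user, recipient) tuples."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["rcpt"]))
    events.sort()
    return events


def looks_truncated(rcpt):
    """Crude dirty-list signal: empty local part, no dot in the domain, or a one-letter TLD."""
    local, _, domain = rcpt.rpartition("@")
    tld = domain.rpartition(".")[2]
    return not local or "." not in domain or len(tld) < 2


def find_abused_accounts(events, window=WINDOW, limit=MAX_BAD_RCPTS):
    """Sliding-window count per user; returns {user: time the limit was first exceeded}."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, user, _rcpt in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) > limit and user not in tripped:
            tripped[user] = ts
    return tripped


if __name__ == "__main__":
    events = parse_rejects(SAMPLE_REJECTLOG)
    for user, when in find_abused_accounts(events).items():
        bad = sum(1 for _, u, r in events if u == user and looks_truncated(r))
        print(f"{user}: limit exceeded at {when}, {bad} truncated-looking recipients")
```

A user who occasionally mistypes an address (alice) never accumulates enough rejects in one window, while a dirty-list run (mallory) trips within a minute.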


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Darrell Budic via mailop


> On Sep 21, 2021, at 2:25 PM, Michael Peddemors via mailop wrote:
> 
> On 2021-09-21 12:09 p.m., Mark Milhollan via mailop wrote:
>>> Block AUTH from Amazon/Gcloud/Azure by default
>> Would you include other clouds, like Alibaba, Oracle, OVH, Rackspace, etc., 
>> perhaps especially those that are "too easy" for spammers and miscreants to 
>> get a machine going on?  I can understand this sentiment but be aware it 
>> might block your more advanced users, e.g., those hosting a VPN or mail 
>> archive there or a service that does.
> 
> Funny you should mention it, the SpamRats team is working on a RATS-CLOUD 
> RBLDNSD lookup which contain lists of cloud providers with common problems ;)
> 
> While meant to be more of an informative nature, there are certain activity 
> that you should not really expect from a cloud IP, except MAYBE desktop in 
> the cloud..
> 
> But a person can make special exemptions for the few IP(s) on those clouds 
> that you expect to do AUTH behavior.. I mean really, not many of the 21 
> million Azure IP(s) need to connect via AUTH to your email server ;)

How do you handle clients using Starlink, whose connections mostly look like 
they are coming from Google Cloud, with some Azure on the side? Does this 
encounter any issues with CGN, where dozens to hundreds of users may appear to 
be coming from the same IP?

If you follow NANOG and some other groups, you’re probably aware of the spate 
of VPN blocking recently from various video providers like Netflix and Amazon 
Prime. This seems (as an email provider and, separately, as a day-job ISP) to 
be related to a simple heuristic: if several people log in from one IP, it 
might be a VPN. Looking for ideas on beefing up my own email security while 
avoiding the false positives Amazon seems more willing to deal with…

  -Darrell


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Michael Peddemors via mailop

More good points..

.. for the record, compromises via SMTP are easier to identify; the 
scary ones are IMAP authentication ones, as the hacker can log in simply 
once every week and search your inbox for personal information, 
password reset links, services that you use, credit card information, 
account IDs, contact information and other things, and unless you start 
in-depth IMAP analysis, difficult to do for most admins, you would 
never pick up on the odd login.


Country AUTH has pushed miscreants to move to servers geo located with 
their targets though.


The lazy hackers are easy to stop, the very dangerous ones are harder.

Oh, and watch for the increase of attacks using public VPN services.. It 
makes for another whole conversation, on privacy vs accountability.  We 
all get why someone traveling might prefer to use a VPN to access their 
email, or a person trapped in an oppressive regime, but if the admin 
can't validate the source of the traffic, you can understand why they 
might block access via VPNs.


(Notice a lot more contact form spammers utilizing geo-located VPNs for 
instance, as well as an increase in Webmail access abuse attempts from them)




On 2021-09-21 9:52 a.m., Brandon Long via mailop wrote:

Control over account creation (this is more a free mailbox kind of thing)
Risk based analysis at login time based on the available signals
Risk based analysis of the overall connection
Spam analysis of the sent mail

All of which needs to feed into each other.

For the larger providers, this is an ongoing workload for an engineering 
group.


At login time, the signals are weak, it's basically the user/password/ip 
... and if you're lucky, some small amount of uniqueness (do they ask 
for capability first?).  geohop is of course the first line of defense 
there, and the ever popular "imap/pop before smtp".  For many login 
types, you have the actual password here given the logging in client, 
and so you can also evaluate that for strength, and have stricter 
analysis for weak passwords.  It may also be useful to spend some effort 
on "have I been pwned" or other sites to get lists of your users (and 
maybe their passwords) that are known, and force those users to reset 
their password.  You will have people upset that they have to change 
their password, even though it's circulating on the web and actively 
being abused.


IP reputation is another thing; its utility varies.

One problem is that there's really terrible feedback for denying logins 
in these protocols, a lot of clients don't display the error message, 
they'll just say "bad password".  You need to make sure the users can 
see why their logins are disabled in the admin pages on your site.


The various client-id proposals would have been useful if they became 
popular, it's basically an extra nonce at login that's unique to a 
single client configuration.  If you have something like that, you can 
do better with geohop (ie, their phone polls imap when they travel 
somewhere else, and it has CID, so you trust it, and trust the hop).  
oauth is what the bigger folks are pushing towards, but client support 
for that is hard... I don't know how easy it is to get on the oauth 
lists for your most popular clients.


Analysis of the connection, individual clients have very obvious and 
specific sets of requests they make, you can fingerprint them.  You can 
also check for things "good" clients tend to do, like store sent 
messages in the sent folder.  This is easier with IMAP than with pop or 
smtp, those are more trivial.  That said, most clients generate email in 
a particular way as well, fingerprinting that may be useful.


And of course, if the account is sending spam, it needs to be limited.  
Generally limiting most accounts to a small number of messages/day or 
hour is a first line.


Spam is only the most obvious issue with these hijackings, you're also 
exposing customer data to a random person, who might go through the 
messages for specific content, or use the access to hijack other online 
accounts that allow password reset via email, or delete their data.  
Preventing the hijacking should be as important as preventing the spamming.


Brandon

On Tue, Sep 21, 2021 at 9:29 AM Alessio Cecchi via mailop 
<mailop@mailop.org> wrote:


Hi,

we are an email hosting provider, and as you know many users use
weak passwords, or have a trojan on their PC that stole their
password, which is then used to send spam or to do some kind of fraud.

We already have a "script" that checks, from log files, the country
of the IP address and "does something" to detect if it is an unusual
login. But it is not really sufficient.

For "do something" I mean:

- too many logins from different country
- too many fast login

So we are always looking for a system/software/service/script to
detect login to POP IMAP or SMTP not made by the user.

I have also tested the AWS SageMaker IP Insights 

Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Michael Peddemors via mailop

On 2021-09-21 12:09 p.m., Mark Milhollan via mailop wrote:

Block AUTH from Amazon/Gcloud/Azure by default


Would you include other clouds, like Alibaba, Oracle, OVH, Rackspace, 
etc., perhaps especially those that are "too easy" for spammers and 
miscreants to get a machine going on?  I can understand this sentiment 
but be aware it might block your more advanced users, e.g., those 
hosting a VPN or mail archive there or a service that does.


Funny you should mention it, the SpamRats team is working on a 
RATS-CLOUD RBLDNSD lookup which contains lists of cloud providers with 
common problems ;)


While meant to be more of an informative nature, there are certain 
activities that you should not really expect from a cloud IP, except MAYBE 
desktop in the cloud..


But a person can make special exemptions for the few IP(s) on those 
clouds that you expect to do AUTH behavior.. I mean really, not many of 
the 21 million Azure IP(s) need to connect via AUTH to your email server ;)



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
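Alessio's two log heuristics ("too many logins from different country", "too many fast login") and the cloud-AUTH block with per-account exemptions discussed just above, combined into one added example that is not code from any poster: Dovecot-style login lines are parsed, grouped per user and scored by three rules. The GeoIP table (built from documentation prefixes), the cloud range, the exempt account, the thresholds and the sample log are all constructed placeholders; a real deployment would use a GeoIP database and the providers' published address ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot-style successful-login lines. The sample below is constructed, not real traffic.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)
SAMPLE_LOG = """\
Sep 21 09:01:12 mx1 dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Sep 21 09:03:40 mx1 dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.2, TLS
Sep 21 09:20:05 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 09:20:07 mx1 dovecot: pop3-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 09:20:09 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 09:20:11 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 09:20:13 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 09:20:15 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS
Sep 21 10:00:00 mx1 dovecot: imap-login: Login: user=<carol@example.net>, method=PLAIN, rip=198.18.5.9, lip=198.51.100.2, TLS
Sep 21 10:05:00 mx1 dovecot: imap-login: Login: user=<dave@example.net>, method=PLAIN, rip=198.18.7.7, lip=198.51.100.2, TLS
"""

# Constructed lookup tables (documentation/benchmark prefixes, not real GeoIP or cloud data).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "IT"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
    (ipaddress.ip_network("198.18.0.0/15"), "US"),
]
CLOUD_RANGES = [ipaddress.ip_network("198.18.0.0/15")]
CLOUD_EXEMPT = {"dave@example.net"}  # accounts known to AUTH from a cloud host (e.g. an archiver)

WINDOW = timedelta(hours=1)          # countries are counted over this window
MAX_COUNTRIES = 1                    # more than this many countries in WINDOW -> finding
BURST_WINDOW = timedelta(seconds=60)
MAX_BURST = 5                        # more than this many logins in BURST_WINDOW -> finding


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def in_cloud(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def parse_logins(text, year=2021):
    """Return time-sorted (timestamp, user, remote_ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["user"], m["rip"]))
    events.sort()
    return events


def analyse(events):
    """Return the set of (user, rule) findings raised by the three heuristics."""
    findings = set()
    per_user = defaultdict(list)
    for ts, user, ip in events:
        per_user[user].append((ts, ip))
    for user, logins in per_user.items():
        for i, (ts, ip) in enumerate(logins):
            if in_cloud(ip) and user not in CLOUD_EXEMPT:
                findings.add((user, "cloud-auth"))
            recent = logins[: i + 1]   # this login and everything before it
            countries = {country_of(a) for t, a in recent if ts - t <= WINDOW}
            if len(countries) > MAX_COUNTRIES:
                findings.add((user, "multi-country"))
            if sum(1 for t, _ in recent if ts - t <= BURST_WINDOW) > MAX_BURST:
                findings.add((user, "login-burst"))
    return findings


if __name__ == "__main__":
    for user, rule in sorted(analyse(parse_logins(SAMPLE_LOG))):
        print(f"{user}: {rule}")
```

As Jaroslaw and Darrell note, the country and cloud rules will misfire on CGNAT, corporate gateways and satellite uplinks, which is why the exemption set exists and why findings here are signals to combine, not automatic blocks.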


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Brandon Long via mailop
Control over account creation (this is more a free mailbox kind of thing)
Risk based analysis at login time based on the available signals
Risk based analysis of the overall connection
Spam analysis of the sent mail

All of which needs to feed into each other.

For the larger providers, this is an ongoing workload for an engineering
group.

At login time, the signals are weak, it's basically the user/password/ip
... and if you're lucky, some small amount of uniqueness (do they ask for
capability first?).  geohop is of course the first line of defense there,
and the ever popular "imap/pop before smtp".  For many login types, you
have the actual password here given the logging in client, and so you can
also evaluate that for strength, and have stricter analysis for weak
passwords.  It may also be useful to spend some effort on "have I been
pwned" or other sites to get lists of your users (and maybe their
passwords) that are known, and force those users to reset their password.
You will have people upset that they have to change their password, even
though it's circulating on the web and actively being abused.

IP reputation is another thing, its utility varies.

One problem is that there's really terrible feedback for denying logins in
these protocols, a lot of clients don't display the error message, they'll
just say "bad password".  You need to make sure the users can see why
their logins are disabled in the admin pages on your site.

The various client-id proposals would have been useful if they became
popular, it's basically an extra nonce at login that's unique to a single
client configuration.  If you have something like that, you can do better
with geohop (ie, their phone polls imap when they travel somewhere else,
and it has CID, so you trust it, and trust the hop).  oauth is what the
bigger folks are pushing towards, but client support for that is hard... I
don't know how easy it is to get on the oauth lists for your most popular
clients.

Analysis of the connection, individual clients have very obvious and
specific sets of requests they make, you can fingerprint them.  You can
also check for things "good" clients tend to do, like store sent messages
in the sent folder.  This is easier with IMAP than with pop or smtp, those
are more trivial.  That said, most clients generate email in a particular
way as well, fingerprinting that may be useful.

And of course, if the account is sending spam, it needs to be limited.
Generally limiting most accounts to a small number of messages/day or hour
is a first line.

Spam is only the most obvious issue with these hijackings, you're also
exposing customer data to a random person, who might go through the
messages for specific content, or use the access to hijack other online
accounts that allow password reset via email, or delete their data.
Preventing the hijacking should be as important as preventing the spamming.

Brandon

On Tue, Sep 21, 2021 at 9:29 AM Alessio Cecchi via mailop wrote:

> Hi,
>
> we are an email hosting provider, and as you know many users use weak
> passwords, or have a trojan on their PC that stole their password, which is
> then used to send spam or to commit some kind of fraud.
>
> We already have a "script" that checks, from log files, the country of the
> IP address and "do something" to detect if it is an unusual login. But it is
> not really sufficient.
>
> For "do something" I mean:
>
> - too many logins from different countries
> - too many fast logins
>
> So we are always looking for a system/software/service/script to detect
> login to POP IMAP or SMTP not made by the user.
>
> I have also tested the AWS SageMaker IP Insights service, but without success.
>
> Does anyone have experience with these problems?
> Thanks
>
> --
> Alessio Cecchi
> Postmaster @ http://www.qboxmail.it
> https://www.linkedin.com/in/alessice
>
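Brandon's login-time signals, combined into one risk score, as an added example for this thread (it is not code from any poster, Gmail, or any product): IP reputation, a geohop from the account's last known country, a client-id nonce that makes the hop trustworthy, and a k-anonymity style check of the offered password against a breach corpus. The breached-password set, the IP reputation table, the IP-to-country map, the weights and the thresholds are all constructed stand-ins for real feeds and real tuning.

```python
"""Login-time risk scoring from the weak signals available at AUTH time.

Added example; not code from any poster or product. Every table below is a
constructed stand-in: the breach corpus for a breach-check service, the
reputation table for an RBL lookup, the country map for a GeoIP database.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a breached-password corpus, keyed by SHA-1.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Summer2021!")
}
# Constructed stand-in for RBL-style verdicts on the connecting IP.
IP_REPUTATION = {"203.0.113.9": "auth-attack", "198.51.100.7": "cloud"}
# Constructed stand-in for a GeoIP lookup.
IP_COUNTRY = {"192.0.2.10": "IT", "198.51.100.7": "US", "203.0.113.9": "RU"}

# Signal weights and decision thresholds (assumed values; tune per site).
WEIGHT = {"auth-attack": 70, "cloud": 20, "geohop": 40, "breached": 30}
CHALLENGE_AT, DENY_AT = 30, 70


@dataclass
class AccountState:
    """What the server remembers about one mailbox between logins."""
    last_country: Optional[str] = None
    trusted_client_ids: Set[str] = field(default_factory=set)


def password_is_breached(password: str) -> bool:
    """k-anonymity style range check: the corpus is queried by the first
    five hex characters of the SHA-1 only and the suffix is compared
    locally, so with a real breach service only the prefix leaves your
    network, never the password or its full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    matching_suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in matching_suffixes


def score_login(password: str, ip: str, client_id: Optional[str],
                state: AccountState) -> Tuple[int, List[str]]:
    """Return a risk score plus the reasons that produced it, so the admin
    page can show the user why a login was challenged or denied."""
    score, reasons = 0, []

    verdict = IP_REPUTATION.get(ip)
    if verdict in WEIGHT:
        score += WEIGHT[verdict]
        reasons.append(f"ip {ip} listed as {verdict}")

    country = IP_COUNTRY.get(ip, "??")
    if state.last_country and country != state.last_country:
        if client_id in state.trusted_client_ids:
            # A known client-id nonce makes the geohop trustworthy.
            reasons.append(f"geohop {state.last_country}->{country} "
                           f"from trusted client {client_id}")
        else:
            score += WEIGHT["geohop"]
            reasons.append(f"geohop {state.last_country}->{country}")

    if password_is_breached(password):
        score += WEIGHT["breached"]
        reasons.append("password appears in breach corpus")

    return score, reasons


def decide(score: int) -> str:
    """Map a score to the action the login path takes."""
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def record_success(state: AccountState, ip: str,
                   client_id: Optional[str]) -> None:
    """After a successful (and, if challenged, confirmed) login, remember
    the country and the client-id so the next hop from it is trusted."""
    state.last_country = IP_COUNTRY.get(ip, state.last_country)
    if client_id:
        state.trusted_client_ids.add(client_id)


if __name__ == "__main__":
    alice = AccountState(last_country="IT", trusted_client_ids={"phone-1"})
    for pw, ip, cid in (("Summer2021!", "192.0.2.10", None),
                        ("long random phrase", "198.51.100.7", "phone-1"),
                        ("password", "203.0.113.9", None)):
        s, why = score_login(pw, ip, cid, alice)
        print(decide(s), s, why)
```

The weak-password path only adds weight; it never blocks on its own, which matches the point that stricter analysis, not a hard fail, is what a weak password should buy you at login time.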


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Slavko via mailop
Hi,

On Tue, 21 Sep 2021 17:08:54 +0200 Alessio Cecchi via mailop wrote:

> For "do something" I mean:
> 
> - too many logins from different countries
> - too many fast logins

You do not say which IMAP/POP3 server you are using, but e.g. with
dovecot you can use/apply these (and more) policies by its auth_policy
facility and a dedicated policy daemon.

The policy daemon is here https://github.com/PowerDNS/weakforced and
it can be used as standalone (without dovecot) by its HTTP API.

regards

-- 
Slavko
http://slavino.sk


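To show what the policy daemon side of Dovecot's auth_policy facility has to do, here is a minimal decision engine in the same request/response shape, as an added example for this thread; it is not code from Dovecot, weakforced or any poster. Assumptions: the request JSON carries "login", "remote" and "tls" and, for post-auth reports, "success" and "policy_reject"; Dovecot distinguishes the pre-auth lookup from the report by appending ?command=allow or ?command=report to auth_policy_server_url; the reply is {"status": N, "msg": "..."} with 0 = allow, -1 = reject and N > 0 = tarpit for N seconds. Verify those details against your Dovecot version's documentation. The thresholds and the sample requests are constructed.

```python
"""Minimal auth-policy decision engine in the shape Dovecot's auth_policy
facility speaks to a policy daemon (weakforced is one such daemon).

Added example, not code from Dovecot, weakforced or any poster. Field
names, the command query parameter and the status semantics are assumed
from Dovecot's documented auth policy protocol; check your version.
"""
import json
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

WINDOW_SECS = 600         # how long a failed attempt counts (assumed)
TARPIT_AFTER = 3          # failures per IP in the window before delaying
REJECT_AFTER = 10         # failures per IP in the window before rejecting
LOGIN_REJECT_AFTER = 20   # failures against one login from any IPs


class PolicyEngine:
    """Counts failures per source IP and per login inside a sliding window
    and turns them into allow / tarpit / reject answers."""

    def __init__(self) -> None:
        self.ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.login_failures: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _recent(q: Deque[float], now: float) -> int:
        """Drop entries older than the window and return what is left."""
        while q and now - q[0] > WINDOW_SECS:
            q.popleft()
        return len(q)

    def check(self, req: dict, now: Optional[float] = None) -> dict:
        """Pre-auth lookup (auth_policy_check_before_auth = yes)."""
        now = time.time() if now is None else now
        if not req.get("tls", False):
            # Plaintext AUTH is where credentials get sniffed; refuse it
            # at the policy layer even if a listener still offers it.
            return {"status": -1, "msg": "AUTH without TLS is not accepted"}
        ip_fail = self._recent(self.ip_failures[req["remote"]], now)
        login_fail = self._recent(self.login_failures[req["login"]], now)
        if ip_fail >= REJECT_AFTER or login_fail >= LOGIN_REJECT_AFTER:
            return {"status": -1, "msg": "too many failed logins"}
        if ip_fail >= TARPIT_AFTER:
            # Positive status = seconds to delay the answer (tarpit).
            return {"status": min(ip_fail, 10), "msg": "slow down"}
        return {"status": 0, "msg": ""}

    def report(self, req: dict, now: Optional[float] = None) -> dict:
        """Post-auth report (auth_policy_report_after_auth = yes). Only
        real authentication failures count; rejections we caused do not."""
        now = time.time() if now is None else now
        if not req.get("success") and not req.get("policy_reject"):
            self.ip_failures[req["remote"]].append(now)
            self.login_failures[req["login"]].append(now)
        return {"status": 0, "msg": ""}


def handle(engine: PolicyEngine, command: str, body: str,
           now: Optional[float] = None) -> str:
    """What an HTTP front end would call: command is the value of the
    ?command= query parameter, body the JSON request; returns JSON."""
    req = json.loads(body)
    resp = engine.check(req, now) if command == "allow" else engine.report(req, now)
    return json.dumps(resp)


if __name__ == "__main__":
    e = PolicyEngine()
    # Constructed sample request in the assumed Dovecot shape.
    probe = {"login": "alice@example.com", "remote": "203.0.113.9",
             "protocol": "imap", "tls": True}
    fail = dict(probe, success=False, policy_reject=False)
    for _ in range(4):
        handle(e, "report", json.dumps(fail))
    print(handle(e, "allow", json.dumps(probe)))
```

Wiring it in is a matter of pointing auth_policy_server_url at the daemon and enabling auth_policy_check_before_auth and auth_policy_report_after_auth; with auth_policy_reject_on_fail set, an unreachable daemon fails closed. Because the failure counters are keyed by both IP and login, the engine also catches a distributed guess against one mailbox that never trips a per-IP limit.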


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Mark Milhollan via mailop

On Tue, 21 Sep 2021, Michael Peddemors wrote:


Use RATS-AUTH to block auth attacks, from known dedicated IP(s) ;)


I've tried this, so far it has blocked 7 of 4933 AUTH attempts since I 
began using it.



Block AUTH from Amazon/Gcloud/Azure by default


Would you include other clouds, like Alibaba, Oracle, OVH, Rackspace, 
etc., perhaps especially those that are "too easy" for spammers and 
miscreants to get a machine going on?  I can understand this sentiment 
but be aware it might block your more advanced users, e.g., those 
hosting a VPN or mail archive there or a service that does.



but the MOST IMPORTANT THING!!

Stop allowing unencrypted AUTH.. eg port 110, 143, 25.

#didyouknow that by turning off unencrypted AUTH you can reduce compromised 
accounts by as much as 90%?


I've seen attempts try clear even though authentication isn't offered 
w/o TLS, but also explicit-TLS and implicit-TLS so yes some of them 
would be blocked and that's good, just don't anybody expect a silver 
bullet.  Lately I've closed all but 25 which cannot AUTH -- they still, 
blindly, try -- and only open the other ports upon port knocking and 
locally which a VPN can reach.



/mark


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Jarland Donnell via mailop
Though a bit of a non-standard approach, I collect email subjects and 
recipients from accounts that were compromised and used by the attacker 
to send email. I use rspamd to mark them, and then I use bash scripts to 
check for emails that hit the rspamd triggers and alert via Pushover 
that an event needs to be investigated. It's so consistently on point 
that I later plan to automate suspension and/or force password changes 
on users that trigger them. Off the top of my head I'd say I catch 9 out 
of 10 compromised email accounts with this process.


A couple examples of the data I use:

- Including the IMAP server hostname in the email subject (there's an 
attacker out there that emails themselves, from the compromised account, 
username+password+imapserver as an email subject to test login 
credentials)


- Email subject "LARAVEL SMTP CRACK" means the user left their email 
credentials exposed in a Laravel installation


On 2021-09-21 10:08, Alessio Cecchi via mailop wrote:

Hi,

we are an email hosting provider, and as you know many users use weak
passwords, or have a trojan on their PC that stole their password, which
is then used to send spam or to commit some kind of fraud.

We already have a "script" that checks, from log files, the country of
the IP address and "do something" to detect if it is an unusual login.
But it is not really sufficient.

For "do something" I mean:

- too many logins from different countries
- too many fast logins

So we are always looking for a system/software/service/script to
detect login to POP IMAP or SMTP not made by the user.

I have also tested the AWS SageMaker IP Insights service, but without
success.

Does anyone have experience with these problems?
Thanks

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Jay Hennigan via mailop

On 9/21/21 08:08, Alessio Cecchi via mailop wrote:

Hi,

we are an email hosting provider, and as you know many users use weak 
passwords, or have a trojan on their PC that stole their password, which 
is then used to send spam or to commit some kind of fraud.


Fail2ban for weak passwords.

There are also scripts that can test for weak and common passwords. 
Enforce strong passwords. Length trumps complexity.


We already have a "script" that checks, from log files, the country of 
the IP address and "do something" to detect if it is an unusual login. But 
it is not really sufficient.


Many DNSBLs also track IPs used for authentication attacks as well as 
spam sources, so this can be helpful.



For "do something" I mean:

- too many logins from different countries
- too many fast logins


Also consider rate-limiting your users as well as Bayes filters on 
outgoing mail for spam signs. User-generated From: and Reply-to: headers 
are often but not always a spam sign.


So we are always looking for a system/software/service/script to detect 
login to POP IMAP or SMTP not made by the user.


Think defense in depth. Multiple overlapping spam detection mechanisms 
rather than a one-size-fits-all approach. It sounds like you're on the 
right track. And don't think that you're finished once you have these 
things in place. There will always be new attack vectors.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Michael Peddemors via mailop

Use RATS-AUTH to block auth attacks, from known dedicated IP(s) ;)

Block AUTH from Amazon/Gcloud/Azure by default

Consider transparent 2FA like CLIENTID

Fail2Ban is a stop gap mentioned often on the list.. but be careful, as 
it might block a large CGNAT range.


Country authentication controls are very effective if used wisely, but 
the MOST IMPORTANT THING!!


Stop allowing unencrypted AUTH.. eg port 110, 143, 25.

#didyouknow that by turning off unencrypted AUTH you can reduce 
compromised accounts by as much as 90%?



On 2021-09-21 8:08 a.m., Alessio Cecchi via mailop wrote:

Hi,

we are an email hosting provider, and as you know many users use weak 
passwords, or have a trojan on their PC that stole their password, which 
is then used to send spam or to commit some kind of fraud.


We already have a "script" that checks, from log files, the country of 
the IP address and "do something" to detect if it is an unusual login. But 
it is not really sufficient.


For "do something" I mean:

- too many logins from different countries
- too many fast logins

So we are always looking for a system/software/service/script to detect 
login to POP IMAP or SMTP not made by the user.


I have also tested the AWS SageMaker IP Insights service, but without success.

Does anyone have experience with these problems?
Thanks

--
Alessio Cecchi
Postmaster @http://www.qboxmail.it
https://www.linkedin.com/in/alessice




[mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Alessio Cecchi via mailop

Hi,

we are an email hosting provider, and as you know many users use weak 
passwords, or have a trojan on their PC that stole their password, which 
is then used to send spam or to commit some kind of fraud.


We already have a "script" that checks, from log files, the country of 
the IP address and "do something" to detect if it is an unusual login. But 
it is not really sufficient.


For "do something" I mean:

- too many logins from different countries
- too many fast logins

So we are always looking for a system/software/service/script to detect 
login to POP IMAP or SMTP not made by the user.


I have also tested the AWS SageMaker IP Insights service, but without success.

Does anyone have experience with these problems?
Thanks

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice

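The two log-file checks the original post describes (too many logins from different countries, too many logins in a short time), written out as an added example for this thread; it is not the poster's own script. The log lines are constructed in Dovecot's login-log style, the IP-to-country table stands in for a GeoIP database, and the windows and thresholds are assumed values. The scan keeps a per-account sliding window so it can run over a rotated log or be fed a live tail.

```python
"""Scan POP3/IMAP login log lines for unusual-login patterns per account.

Added example, not the original poster's script. Sample log lines and the
GeoIP table are constructed; thresholds are assumed values to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed GeoIP stand-in.
IP_COUNTRY = {"192.0.2.10": "IT", "198.51.100.7": "US",
              "203.0.113.9": "RU", "203.0.113.50": "BR"}

MAX_COUNTRIES = 3      # distinct countries per account within COUNTRY_WINDOW
COUNTRY_WINDOW = 3600  # seconds
MAX_FAST_LOGINS = 5    # logins per account within FAST_WINDOW
FAST_WINDOW = 60       # seconds

# Matches Dovecot-style "imap-login: Login: user=<...>, ..., rip=..." lines;
# failed or disconnected sessions do not match and are skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"Login: user=<(?P<user>[^>]+)>, .*?rip=(?P<rip>[\d.]+)"
)

# Constructed sample log: alice logs in from three countries inside an hour,
# bob logs in five times inside twenty seconds, carol's line is a failure.
SAMPLE_LOG = """\
Sep 21 10:00:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, mpid=1201, TLS, session=<a1>
Sep 21 10:05:12 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1, mpid=1202, TLS, session=<a2>
Sep 21 10:09:45 mail dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.50, lip=198.51.100.1, mpid=1203, TLS, session=<a3>
Sep 21 10:20:00 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=1204, TLS, session=<b1>
Sep 21 10:20:05 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=1205, TLS, session=<b2>
Sep 21 10:20:10 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=1206, TLS, session=<b3>
Sep 21 10:20:15 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=1207, TLS, session=<b4>
Sep 21 10:20:20 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=1208, TLS, session=<b5>
Sep 21 10:20:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1, TLS
"""


def parse_line(line: str, year: int = 2021) -> Optional[Tuple[float, str, str]]:
    """Return (epoch seconds, user, remote ip) for a successful login line.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["user"], m["rip"]


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, reason) alerts, at most one per user and rule, in the
    order the rules first trigger while reading the log top to bottom."""
    logins: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    seen = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, rip = parsed
        q = logins[user]
        q.append((ts, IP_COUNTRY.get(rip, "??")))
        while q and ts - q[0][0] > COUNTRY_WINDOW:   # slide the window
            q.popleft()
        countries = {c for _, c in q}
        fast = sum(1 for t, _ in q if ts - t <= FAST_WINDOW)
        if len(countries) >= MAX_COUNTRIES and (user, "countries") not in seen:
            seen.add((user, "countries"))
            alerts.append((user, f"{len(countries)} countries within "
                                 f"{COUNTRY_WINDOW}s: {', '.join(sorted(countries))}"))
        if fast >= MAX_FAST_LOGINS and (user, "fast") not in seen:
            seen.add((user, "fast"))
            alerts.append((user, f"{fast} logins within {FAST_WINDOW}s"))
    return alerts


if __name__ == "__main__":
    for user, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user}: {reason}")
```

The country rule alone would not have caught bob, and the velocity rule alone would not have caught alice, which is why both are kept; a user with a GeoIP "??" from an unknown range still counts as one country, so an incomplete table degrades to fewer alerts rather than false ones.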