I added HEADERS 100 PCRE (?:mycmputer) to my filter-spam filter file. Helps.

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com
www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: [email protected], skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Cummins
Sent: Wednesday, February 26, 2014 2:22 PM
To: [email protected]
Subject: [MBF]Re: Great number of hijacked accounts last few days

Until I have a better solution I am grepping through my SM SMTP logs a couple of times a day and looking for "EHLO mycomputer" because this botnet kindly identifies itself. Later versions might not be so kind.

I grep each mail ID I get from that, and see if the attempt succeeds at authentication or not. If it does, I change that user's password and then notify them.

I usually catch it when the botnet does its testing; it takes notes of the successes for later use. By checking a couple of times a day, I catch it before it is actually abused. When it fails a couple of times it seems to stop trying for that account. The passwords I have changed thus far have not been re-compromised.

It's very clumsy but it works, until I have a better solution. I don't want to find out an account was compromised well after the fact.

- Michael Cummins

From: [email protected] [mailto:[email protected]] On Behalf Of Katie La Salle-Lowery
Sent: Wednesday, February 26, 2014 2:17 PM
To: [email protected]
Subject: [MBF]Re: Great number of hijacked accounts last few days

Now NINE. Four different domains. The originating IPs are all foreign - and lots of them. In fact, they are changing spoofed IPs after just a few messages, so Declude hijack isn't working as well as HAMR, since it is IP based, but it has pegged 2 of the 9 while HAMR has done its thing on all nine so far.

So, while I'm suggesting that clients run independent scans just as general good practice, I don't suspect infected customer computers. I am certainly advising that that password is compromised and that if it is used for other accounts, those accounts need to be changed as well and urging them to not use the same password for everything, but, as you are all quite well aware, people are very resistant to that idea. They don't get that making it easy for themselves also makes it easy for the bad guys.

Katie LaSalle-Lowery
[email protected]
http://www.centric.net/
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337 fax (406)541-9338

From: [email protected] [mailto:[email protected]] On Behalf Of David Barker
Sent: Wednesday, February 26, 2014 11:58 AM
To: [email protected]
Subject: [MBF]Re: Great number of hijacked accounts last few days

Sometimes the problem is that a user's computer is infected by a virus which then has access to the mail client, in which case the password is irrelevant to the conversation.

From: [email protected] [mailto:[email protected]] On Behalf Of Carl Wagar
Sent: Wednesday, February 26, 2014 1:49 PM
To: [email protected]
Subject: [MBF]Re: Great number of hijacked accounts last few days

We are seeing a 3 to 4 fold increase in spam in the last months and a few hijacked accounts, almost one a day, where they seem to magically know the password. Someone suggested it's because they have hacked LinkedIn, Adobe, Target and other databases in recent months. People have to use different passwords for every system!

Carl

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com
www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: [email protected], skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: [email protected] [mailto:[email protected]] On Behalf Of Katie La Salle-Lowery
Sent: Wednesday, February 26, 2014 1:40 PM
To: [email protected]
Subject: [MBF]Great number of hijacked accounts last few days

We have had EIGHT hijacked accounts in the last two days. For us, that's a great many. Imail HAMR and Declude hijack have been doing their jobs, for which I am very grateful. Is anyone else seeing an increase in hijacked accounts the last couple days, or are they just picking on us?

Katie LaSalle-Lowery
[email protected]
http://www.centric.net/
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337 fax (406)541-9338
