Yes, yes, and yes... Hacked systems, weak passwords and tricksy emails or phone calls that get people to divulge passwords are all parts of the equation.

A few months ago, IMail HAMR was disabling as many as 10 accounts per day on our server. A few weeks before had been that big password theft event. A few weeks later, the OpenSSL exploit was big news. Anyway, I sent this message at that time to every account we host (mailall -ALL). I send similar every few months...

"Over the past couple days, we have seen a pattern of greatly increasing frequency of hijacked email accounts. What this means is that spammer/scammer/hacker types are gaining access to email accounts. When they do so, they then use those accounts to send vast amounts of spam, phishing attacks, scam messages, etc. When thresholds for the number of messages sent from a single account in certain amounts of time are exceeded, our defense systems automatically disable email accounts.

How do spammer/scammer/hacker types get passwords to hijack an email account? Well, sometimes people make it too easy for them by using weak passwords. Examples of weak passwords are simple English words, names, short strings of numbers, etc. An example of a strong password is one that contains at least 14 characters (more is better) and contains a mixture of upper and lower case letters, numbers and symbols.

Another way that spammer/scammer/hacker bad guys have harvested passwords in recent months has been through hacks on other networks. For example, in just one recent event, over 2 million LinkedIn, Facebook, Twitter, Gmail, Adobe, and SnapChat passwords were stolen. If people have the same password on those accounts and their email accounts, the hacker is then able to hijack a person's email account as well. If people also use the same password on banking, credit card, payment systems, tax services, etc., those accounts are exposed as well.

So, what can you do to protect your email (and other online account) security?

1) DO NOT use easy passwords. Instead, create passwords that are a minimum of 14 characters long and that include a mixture of upper and lower case letters, numbers and symbols. Don’t include your name, your mother’s maiden name, your pet’s name, your street name, your business name, etc. in your password. All of that information is too easily obtained online – particularly if you use social media like Facebook, etc.

2) DO NOT use the same password for every online account. When people use easy passwords and the same password for every online account, they don’t just make it easy for themselves – they also make it easy for hackers. We urge all of our subscribers to protect all of their online accounts. If you use the same password on your LinkedIn, Facebook, Twitter, Gmail, Adobe, or SnapChat accounts as other accounts, you should change your password everywhere that the password was used. When doing so, create strong passwords and don’t use the same password on every online account. Routinely changing passwords is also recommended.

You can change your password for your email account by logging in at http://mail.centric.net and clicking Action then Change Password.

As always, we also remind you to protect your personal and password information. Never give any personal, password or PIN information to anyone in response to telephone, email or text communication that you did not initiate."

Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 22, 2014 3:49 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

6) the user was tricked into divulging their email address & password

We see new variations of this every day; the user happily divulges their details in a website or replies by email after they are spammed a credentials phishing scam, which pretends to be *any* organization that they might plausibly belong to, such as NetFlix, or from the "email security team". The responses are scraped by bots which automatically try to send spam through *many* kinds of authentication and web forms. The bad guy does not need to know in advance that a particular email account uses Exchange OWA, or IMail, or Hotmail; it is all hands-free for him.

When we see a mailbox that has been used in this way, there are zero authentication failures; it works the first time because the bad guy had the correct credentials.

Andrew.

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins
Sent: Monday, July 21, 2014 6:27 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

5) and fairly common in my experience: They compromise the account elsewhere, be it through a hacked online account with "target", "yahoo", etc etc, or a sniffed wifi transaction, or a direct connect to an evil twin server lurking around Starbucks or something like xfinitywifi / attwifi, and compounded by the fact that the end user uses the same passwords everywhere; reverse engineering known passwords associated with e-mail address domain names / reverse DNS to guess mail settings is then fairly trivial.

Think about it. That list from Target or Bob's Discount Golf Clubs probably has their password, or a hash that can be bounced off a rainbow table, and the customer's e-mail address. Follow the MX trail of that e-mail account back to your mail server. Where they use the same password.

I see a compromised account every other week or so, and when I research the SMTP logs, I see that it almost always wasn't brute forced (brute forcing is so passé these days) - it was guessed correctly on the first try (they already HAD it from SOMEWHERE) and then passed around a RU/TR/IN botnet until I shut it down. This kind of compromised account info is bought and sold on the internet in large lists, and then mined over time by bots.

I find the SmarterMail high volume sender notifications pretty handy in these cases, letting me shut the offending account down before I get blacklisted. I change their password immediately and advise the client to check their systems for malware, tell them that they might have gotten the password from another online account, advise them to use different passwords everywhere, tell them about services like LastPass, yada yada. Things y'all probably already do yourselves. When they assure me their system has been checked out I give them a new password.

Also, some people use HiJack to help out, but HiJack would nab my own customers as they spam their industry peers with brokerage listings and whatnot.

Hope my rambling was useful to someone. It's late, and I'm tired. :)

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Monday, July 21, 2014 5:30 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

Sounds like you have a larger problem than you think. The only way they can log onto an account is to know the password. There are only 4 ways that they would know the password:

1) Brute force on the account in question. Highly unlikely in this case if it is happening to so many accounts.
2) The accounts in question have the same password or very weak passwords like in the top 25 of known passwords.
3) They have access to an admin account and are changing passwords.
4) Your server itself is compromised and they are obtaining the passwords from the registry.

If you do not have logs enabled, might as well pack your bags. You will need the logs to determine what is going on, where they are logging on from, and how to stop it.

-----Original Message-----
From: "Daniel Ivey" <d...@gcrcompany.com>
Sent: Sunday, July 20, 2014 5:22am
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

I am running IMail 8.22 on Windows Server 2003. These are different accounts each time, as once I identify one account, I disable that account to fix the issue for the time being. I do not have my logs enabled.

Daniel

-----Original Message-----
From: Heimir Eidskrem [mailto:hei...@i360.net]
Sent: Friday, July 18, 2014 5:06 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

Are you using SmarterMail or IMail? Version? Are they using the same account every time? What do your log files say?

Cordially,
Heimir Eidskrem
i360 Consulting
11152 Westheimer Suite 147
Houston, TX 77042
Ph: 713-981-4900
hei...@i360.net
www.i360.net
www.smart-it-services.com
Houston's Leading Internet Consulting Company

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Daniel Ivey
Sent: Friday, July 18, 2014 3:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] hijacked accounts

I am having an issue with one of my mail servers where a SPAMMER is hijacking an email account and then is causing my webmail interface to quit working because they are logged in X number of times sending SPAM. I have HiJack turned on and the thresholds set very low and these SPAMMERS keep getting under my thresholds.
Has anyone else had this issue and if so, what was the fix?

Thanks,
Daniel

#############################################################
This message is sent to you because you are subscribed to the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to <community-requ...@mailsbestfriend.com>
#############################################################
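The log-driven triage that John, Michael and Andrew describe in the thread above (you need the logs; a hijacked account logs in correctly on the first try from many addresses; the spam volume is split across sessions that each stay under a HiJack-style per-session threshold), as an added example that is not code from any poster and not IMail's or SmarterMail's own logic. The log line format, the account names, the IP addresses and the thresholds are all constructed here for illustration; a real server's log format would need a different LINE_RE.

```python
"""Triage constructed SMTP auth/send logs for the hijacked-account pattern.

Added example, not from the thread. Two signals are computed per account
over a sliding one-hour window:
  * clean_ips: most distinct source IPs with a successful AUTH in a window
    that contains no AUTH failure at all (first-try success, i.e. the
    password was already known, not brute forced);
  * window_rcpts vs max_session_rcpts: recipients per account per hour
    against the largest single session, so "low and slow" sessions that
    each stay under a per-session threshold still show up in the total.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format (not IMail's or SmarterMail's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>AUTH OK|AUTH FAIL|SEND) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: rcpts=(?P<rcpts>\d+))?$"
)

# Constructed sample: alice is a normal user with one typo, bob is hijacked
# (six first-try logins from six addresses, 20 recipients per session),
# carol is a small brute-force that eventually succeeds.
LOG = """
2014-07-18 09:00:00 AUTH OK user=alice@example.com ip=198.51.100.7
2014-07-18 09:01:10 SEND user=alice@example.com ip=198.51.100.7 rcpts=3
2014-07-18 09:30:00 AUTH FAIL user=alice@example.com ip=198.51.100.7
2014-07-18 09:30:20 AUTH OK user=alice@example.com ip=198.51.100.7
2014-07-18 09:32:00 SEND user=alice@example.com ip=198.51.100.7 rcpts=1
2014-07-18 10:00:00 AUTH OK user=bob@example.com ip=203.0.113.5
2014-07-18 10:00:05 SEND user=bob@example.com ip=203.0.113.5 rcpts=20
2014-07-18 10:04:00 AUTH OK user=bob@example.com ip=203.0.113.77
2014-07-18 10:04:03 SEND user=bob@example.com ip=203.0.113.77 rcpts=20
2014-07-18 10:09:00 AUTH OK user=bob@example.com ip=198.51.100.200
2014-07-18 10:09:02 SEND user=bob@example.com ip=198.51.100.200 rcpts=20
2014-07-18 10:13:00 AUTH OK user=bob@example.com ip=192.0.2.44
2014-07-18 10:13:04 SEND user=bob@example.com ip=192.0.2.44 rcpts=20
2014-07-18 10:20:00 AUTH OK user=bob@example.com ip=203.0.113.9
2014-07-18 10:20:06 SEND user=bob@example.com ip=203.0.113.9 rcpts=20
2014-07-18 10:25:00 AUTH OK user=bob@example.com ip=192.0.2.130
2014-07-18 10:25:01 SEND user=bob@example.com ip=192.0.2.130 rcpts=20
2014-07-18 11:00:00 AUTH FAIL user=carol@example.com ip=203.0.113.250
2014-07-18 11:00:01 AUTH FAIL user=carol@example.com ip=203.0.113.250
2014-07-18 11:00:02 AUTH FAIL user=carol@example.com ip=203.0.113.250
2014-07-18 11:00:03 AUTH FAIL user=carol@example.com ip=203.0.113.250
2014-07-18 11:00:04 AUTH OK user=carol@example.com ip=203.0.113.250
2014-07-18 11:00:10 SEND user=carol@example.com ip=203.0.113.250 rcpts=10
""".strip().splitlines()


def parse(lines):
    """Yield (timestamp, event, user, ip, rcpts); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"],
                   m["user"].lower(), m["ip"], int(m["rcpts"] or 0))


def triage(lines, window=timedelta(hours=1)):
    """Return {user: {"clean_ips", "window_rcpts", "max_session_rcpts"}}, each the worst value over any window."""
    by_user = defaultdict(list)
    for ev in sorted(parse(lines)):
        by_user[ev[2]].append(ev)
    stats = {}
    for user, evs in by_user.items():
        s = {"clean_ips": 0, "window_rcpts": 0, "max_session_rcpts": 0}
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start[0] <= window]
            fails = sum(1 for e in win if e[1] == "AUTH FAIL")
            ips = {e[3] for e in win if e[1] == "AUTH OK"}
            rcpts = [e[4] for e in win if e[1] == "SEND"]
            if fails == 0:  # first-try logins only count in a failure-free window
                s["clean_ips"] = max(s["clean_ips"], len(ips))
            s["window_rcpts"] = max(s["window_rcpts"], sum(rcpts))
            s["max_session_rcpts"] = max([s["max_session_rcpts"]] + rcpts)
        stats[user] = s
    return stats


def suspicious(stats, max_ips=3, max_rcpts=100):
    """Accounts worth disabling and re-passwording, with the reason for each (thresholds are assumptions)."""
    reasons = {}
    for user, s in stats.items():
        r = []
        if s["clean_ips"] >= max_ips:
            r.append("first-try logins from %d IPs with no failures" % s["clean_ips"])
        if s["window_rcpts"] > max_rcpts:
            r.append("%d recipients in one hour, largest session %d" % (s["window_rcpts"], s["max_session_rcpts"]))
        if r:
            reasons[user] = r
    return reasons


if __name__ == "__main__":
    for user, why in suspicious(triage(LOG)).items():
        print(user, "->", "; ".join(why))
```

Run as a script it prints only bob@example.com. That account is exactly the case Daniel describes: a per-session threshold of 25 recipients passes every one of its sessions, while six first-try logins from six addresses in 25 minutes and 120 recipients in the hour stand out once the window is per account rather than per session. carol's brute-force attempt is not reported as "first-try" because the failures precede the success, and alice's single typo keeps her out of the clean-login count.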