Thanks for all of this helpful information guys. What I ultimately ended up doing to remedy this issue was go through all of the accounts and verify them. By doing this, I was able to disable over 600 accounts that are no longer needed on this server. I will purge these accounts in about another week.

This has stopped the issues that we were experiencing periodically. If anything else changes I will let you know, but so far so good.

Daniel

-----Original Message-----
From: Markus Gufler | Limitis [mailto:markus.guf...@limitis.com]
Sent: Wednesday, July 23, 2014 1:41 AM
To: community@mailsbestfriend.com
Subject: [MBF] RE: hijacked accounts

Same thing observed here. I've set up a geolocation database and have created some scripts parsing the SMTP logs for "authenticated as xxxx" lines. More than x connections from different foreign countries are blocked automatically. Up to now the script changes the password, with the drawback that any further communication with the user has to go over the phone. But I have an improved version ready that disables only outgoing SMTP access (SmarterMail) and sends the user a detailed report of what has happened (logins from IP1 Country1, IP2 Country2, ... + delivery attempts for x...@ghotmail.xy) and what he should do to get a new password (scan & clean his computer, switch to SSL protocols, call us or go to a web form and enter his email address and last bill number).

This watchdog runs and looks at different time ranges in order to catch both high- and low-volume campaigns as fast as possible.

I've also noted they send some kind of first test message a couple of minutes before they start their campaign (sometimes it also takes some hours). The test message mostly has .ru freemail recipients.

I must admit, they have spent a lot of time to be this tricky. Now they are able to transmit between 10 and 50 messages before the campaign is blocked. All still undelivered messages are removed from the spool. In the worst case we deliver 100 messages, as it is the default max msgs/hour volume for every account.

Markus

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 22, 2014 23:49
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

6) the user was tricked into divulging their email address & password.

We see new variations of this every day; the user happily divulges their details in a website or replies by email after they are spammed a credentials phishing scam, which pretends to be *any* organization that they might plausibly belong to, such as NetFlix, or the "email security team". The responses are scraped by bots which automatically try to send spam through *many* kinds of authentication and web forms. The bad guy does not need to know in advance that a particular email account uses Exchange OWA, or IMail, or Hotmail; it is all hands-free for him.

When we see a mailbox that has been used in this way, there are zero authentication failures; it works the first time because the bad guy had the correct credentials.

Andrew.

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins
Sent: Monday, July 21, 2014 6:27 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

5) and fairly common in my experience: They compromise the account elsewhere, be it through a hacked online account with "target", "yahoo", etc. etc., or a sniffed wifi transaction, or a direct connect to an evil twin server lurking around Starbucks or something like xfinitiwfi / attwifi, compounded by the fact that the end user uses the same passwords everywhere; reverse engineering known passwords associated with e-mail address domain names / reverse DNS to guess mail settings is then fairly trivial.

Think about it. That list from Target or Bob's Discount Golf Clubs probably has their password, or a hash that can be bounced off a rainbow table, and the customer's e-mail address. Follow the MX trail of that e-mail account back to your mail server. Where they use the same password.

I see a compromised account every other week or so, and when I research the SMTP logs, I see that it almost always wasn't brute forced (brute forcing is so passé these days) - it was guessed correctly on the first try (they already HAD it from SOMEWHERE) and then passed around a RU/TR/IN botnet until I shut it down. This kind of compromised account info is bought and sold on the internet in large lists, and then mined over time by bots.

I find the SmarterMail high volume sender notifications pretty handy in these cases, letting me shut the offending account down before I get blacklisted. I change their password immediately and advise the client to check their systems for malware, tell them that they might have gotten the password from another online account, advise them to use different passwords everywhere, tell them about services like LastPass, yada yada. Things y'all probably already do yourselves. When they assure me their system has been checked out I give them a new password.

Also, some people use hijack to help out, but hijack would nab my own customers as they spam their industry peers with brokerage listings and whatnot.

Hope my rambling was useful to someone. It's late, and I'm tired. :)

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Monday, July 21, 2014 5:30 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

Sounds like you have a larger problem than you think. The only way they can log onto an account is to know the password. There are only 4 ways that they would know the password:

1) Brute force on the account in question. Highly unlikely in this case if it is happening to so many accounts.
2) The accounts in question have the same password or very weak passwords like in the top 25 of known passwords.
3) They have access to an admin account and are changing passwords.
4) Your server itself is compromised and they are obtaining the passwords from the registry.

If you do not have logs enabled, might as well pack your bags. You will need the logs to determine what is going on, where they are logging on from, and how to stop it.

-----Original Message-----
From: "Daniel Ivey" <d...@gcrcompany.com>
Sent: Sunday, July 20, 2014 5:22am
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

I am running Imail 8.22 on Windows Server 2003. These are different accounts each time, as once I identify one account, I disable that account to fix the issue for the time being. I do not have my logs enabled.

Daniel

-----Original Message-----
From: Heimir Eidskrem [mailto:hei...@i360.net]
Sent: Friday, July 18, 2014 5:06 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

Are you using SmarterMail or Imail? Version? Are they using the same account every time? What do your log files say?

Cordially,
Heimir Eidskrem
i360 Consulting
11152 Westheimer Suite 147
Houston, TX 77042
Ph: 713-981-4900
hei...@i360.net
www.i360.net
www.smart-it-services.com
Houston's Leading Internet Consulting Company

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Daniel Ivey
Sent: Friday, July 18, 2014 3:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] hijacked accounts

I am having an issue with one of my mail servers where a SPAMMER is hijacking an email account and then is causing my webmail interface to quit working because they are logged in X number of times sending SPAM. I have HiJack turned on and the thresholds set very low and these SPAMMERS keep getting under my thresholds. Has anyone else had this issue and if so, what was the fix?

Thanks,
Daniel

#############################################################
This message is sent to you because you are subscribed to the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to <community-requ...@mailsbestfriend.com>
#############################################################

This message (and any associated files) may contain confidential, proprietary and/or privileged material and access to these materials by anyone other than the intended recipient is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of these materials by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original.
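The watchdog Markus describes in the thread above (parse the SMTP log for "authenticated as" lines, geolocate the client IP, flag an account that authenticates from more than x distinct foreign countries, check several time ranges so that both bursts and slow campaigns are caught, and build a per-user report of the logins seen) can be sketched as follows. This is an added example written for this page, not Markus's script and not part of IMail or SmarterMail; the log line format, the prefix-to-country table standing in for a geolocation database, the home country, the windows and the threshold are all constructed assumptions. It stops at producing the flag and the report; the response (disabling outgoing SMTP for the account, as Markus prefers over a password change) is left to the caller.

```python
"""Watchdog over SMTP AUTH log lines: flag accounts that authenticate from
too many distinct foreign countries inside any of several time windows.
Everything below (log format, geo table, sample log) is constructed for
this example; a real deployment reads the mail server's own log format
and a proper geolocation database."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for a geolocation database: prefix -> country code.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "RU"),
    (ip_network("192.0.2.0/25"), "TR"),
    (ip_network("192.0.2.128/25"), "IN"),
]
HOME_COUNTRY = "US"                       # assumption: where the users normally are
WINDOWS = [timedelta(minutes=10), timedelta(hours=24)]   # burst and slow campaigns
MAX_FOREIGN_COUNTRIES = 1                 # the "x" in "more than x ... countries"

# Assumed log line shape: "<timestamp> <client-ip> ... authenticated as <user>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>[\d.]+) .*authenticated as (?P<user>\S+)"
)

# Constructed sample log: alice is normal, bob is a burst from three countries,
# carol is a slow campaign (two foreign countries eleven hours apart).
SAMPLE_LOG = """\
2014-07-22 09:00:01 203.0.113.10 SMTP authenticated as alice@example.com
2014-07-22 09:05:12 203.0.113.10 SMTP authenticated as alice@example.com
2014-07-22 09:07:44 198.51.100.7 SMTP authenticated as bob@example.com
2014-07-22 09:08:02 192.0.2.40 SMTP authenticated as bob@example.com
2014-07-22 09:08:30 192.0.2.200 SMTP authenticated as bob@example.com
2014-07-22 09:08:31 192.0.2.200 SMTP delivery attempt to x@example.net from bob@example.com
2014-07-23 08:59:00 198.51.100.9 SMTP authenticated as carol@example.com
2014-07-23 20:00:00 192.0.2.41 SMTP authenticated as carol@example.com
"""


def country_for(ip: str) -> str:
    """Longest-prefix-free lookup in the toy table; unknown IPs count as foreign."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_auth_events(lines):
    """Keep only successful-auth lines; return (time, user, ip, country) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # delivery, reject and other lines are not login evidence
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], country_for(m["ip"])))
    return events


def flag_accounts(events, windows=WINDOWS, max_foreign=MAX_FOREIGN_COUNTRIES):
    """Return {user: {"window": td, "logins": [...]}} for every account that
    authenticated from more than max_foreign distinct foreign countries within
    at least one window. Distinct countries, not login count, is the signal, so
    one travelling user logging in many times from one country is not flagged."""
    by_user = defaultdict(list)
    for ts, user, ip, cc in sorted(events):
        by_user[user].append((ts, ip, cc))
    flagged = {}
    for user, logins in by_user.items():
        for window in windows:
            for i, (start, _, _) in enumerate(logins):
                span = [l for l in logins[i:] if l[0] - start <= window]
                foreign = {cc for _, _, cc in span if cc != HOME_COUNTRY}
                if len(foreign) > max_foreign:
                    flagged[user] = {
                        "window": window,
                        "logins": [(t.isoformat(sep=" "), ip, cc) for t, ip, cc in span],
                    }
                    break
            if user in flagged:
                break  # the shortest window that trips is the one reported
    return flagged


def user_report(user, info):
    """The 'what happened' part of the notice sent to the account owner."""
    lines = [f"Account {user}: logins from several countries within {info['window']}:"]
    lines += [f"  {ts}  {ip} ({cc})" for ts, ip, cc in info["logins"]]
    return "\n".join(lines)


def watchdog(log_text: str):
    return flag_accounts(parse_auth_events(log_text.splitlines()))


if __name__ == "__main__":
    for user, info in watchdog(SAMPLE_LOG).items():
        print(user_report(user, info))
```

The two windows are what make carol show up: her two foreign logins are far enough apart to pass the ten-minute check but fall inside the 24-hour one, which is the "different time ranges" point from the thread. The unknown-country fallback is deliberately conservative; tune `HOME_COUNTRY` and the threshold to your user base before acting on a flag automatically.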