More good points..
.. for the record, compromises via SMTP are easier to identify, the
scary ones are IMAP authentication ones, as the hacker can log in simply
once every week, and search your inbox for personal information,
password reset links, services that you use, credit card information,
account id's, contact information and other things, and unless you start
in depth IMAP analysis, difficult to do for most admin's, you would
never pick up on the odd login.
Country AUTH has pushed miscreants to move to servers geo located with
their targets though.
The lazy hackers are easy to stop, the very dangerous ones are harder.
Oh, and watch for the increase of attacks using public VPN services.. It
makes for another whole conversation, on privacy vs accountability. We
all get why someone traveling might prefer to use a VPN to access their
email, or a person trapped in an oppressive regime, but if the admin
can't validate the source of the traffic, you can understand why they
might block access via VPN's.
(Notice a lot more contact form spammers utilizing Geo located VPN's for
instance, as well as an increase in Webmail access abuse attempts from them)
On 2021-09-21 9:52 a.m., Brandon Long via mailop wrote:
Control over account creation (this is more a free mailbox kind of thing)
Risk based analysis at login time based on the available signals
Risk based analysis of the overall connection
Spam analysis of the sent mail
All of which needs to feed into each other.
For the larger providers, this is an ongoing workload for an engineering
group.
At login time, the signals are weak, it's basically the user/password/ip
... and if you're lucky, some small amount of uniqueness (do they ask
for capability first?). geohop is of course the first line of defense
there, and the ever popular "imap/pop before smtp". For many login
types, you have the actual password here given the logging in client,
and so you can also evaluate that for strength, and have stricter
analysis for weak passwords. It may also be useful to spend some effort
on "have I been pawned" or other sites to get lists of your users (and
maybe their passwords) that are known, and force those users to reset
their password. You will have people upset that they have to change
their password, even though it's circulating on the web and actively
being abused.
IP reputation is another thing, it's utility varies.
One problem is that there's really terrible feedback for denying logins
in these protocols, a lot of clients don't display the error message,
they'll just say "bad password". You need to make sure the user's can
see why their logins are disabled in the admin pages on your site.
The various client-id proposals would have been useful if they became
popular, it's basically an extra nonce at login that's unique to a
single client configuration. If you have something like that, you can
do better with geohop (ie, their phone polls imap when they travel
somewhere else, and it has CID, so you trust it, and trust the hop).
oauth is what the bigger folks are pushing towards, but client support
for that is hard... I don't know how easy it is to get on the oauth
lists for your most popular clients.
Analysis of the connection, individual clients have very obvious and
specific sets of requests they make, you can fingerprint them. You can
also check for things "good" clients tend to do, like store sent
messages in the sent folder. This is easiest with IMAP than with pop or
smtp, those are more trivial. That said, most clients generate email in
a particular way as well, fingerprinting that may be useful.
And of course, if the account is sending spam, it needs to be limited.
Generally limiting most accounts to a small number of messages/day or
hour is a first line.
Spam is only the most obvious issue with these hijackings, you're also
exposing customer data to a random person, who might go through the
messages for specific content, or use the access to hijack other online
accounts that allow password reset via email, or delete their data.
Preventing the hijacking should be as important as preventing the spamming.
Brandon
On Tue, Sep 21, 2021 at 9:29 AM Alessio Cecchi via mailop
<mailop@mailop.org <mailto:mailop@mailop.org>> wrote:
Hi,
we are an email hosting provider, and as you know many users use
weak passwords, or have trojan on their PC that stolen their
password that are used to sent spam or doing some kinds of fraud.
We already have a "script" that checks, from log files, the country
of the IP address and "do something" to detect if is an unusual
login. But is not really sufficient.
For "do something" I means:
- too many logins from different country
- too many fast login
So we are always looking for a system/software/service/script to
detect login to POP IMAP or SMTP not made by the user.
I have also test the AWS SageMaker IP Insights service but without
success.
Have someone experienced about these problems?
Thanks
--
Alessio Cecchi
Postmaster @http://www.qboxmail.it <http://www.qboxmail.it>
https://www.linkedin.com/in/alessice <https://www.linkedin.com/in/alessice>
_______________________________________________
mailop mailing list
mailop@mailop.org <mailto:mailop@mailop.org>
https://list.mailop.org/listinfo/mailop
<https://list.mailop.org/listinfo/mailop>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
