Great post! Got another one for you all today:

coteru...@gmail.com

This one hit one of our customers pretty hard (password reuse, virus, bad variables).

On 2023-02-21 12:10, Steve Freegard wrote:
I recently wrote an entire blog post on this topic that might be of
interest:

https://abusix.com/resources/blocklists/compromised-account-detection-with-abusix-mail-intelligence-and-postfix/

It's based on Postfix, but adapting this for Exim shouldn't be
difficult.

Kind regards,
Steve.

On Wed, 8 Feb 2023 at 13:48, Jarland Donnell via mailop
<mailop@mailop.org> wrote:

Hey everyone. I've been thinking about how I could add some more value
to this list and there's one thing I've been working on for a while that
I think will be really helpful to share.

Email accounts get compromised. It happens. Especially when using base
standards (IMAP/POP/SMTP) that inherently lack two-factor authentication
mechanisms. As I discover ways to identify when accounts have been
compromised, I'd like to share them with you all.

Today I discovered a new trend based on an abuse complaint, which
allowed me to further identify several compromised user email accounts
across our platform. I'd like to share with you the headers and body,
censored of any customer information, that was sent to me in an abuse
complaint (I also removed the recipient that actually reported it):

https://paste.mxrouteapps.com/?862a67d53b18e8df#2k9DaEP1V9pPe6Th5CmeMS4JbyD38ZkTdDoLpYuWEvcT

I expect that this bad actor will change their behavior, and I'll of
course adjust. However, if you turn your attention to these two
variables in your logs today you will find anyone who has been
compromised very recently by this actor:

1. Email subject appears blank in logs (ex. T="" in exim log)
2. The first recipient they send to is jackgrelesh...@gmail.com

If you find someone sending email to jackgrelesh...@gmail.com on your
platform today, most especially with a blank subject, I will gladly take
the beating for you if you suspend the user and find it to be a false
positive. The idea that following these trends could produce a false
positive has, in my case at least, proven to be more of a rough theory
than a reality.

Some bonus indications of similar but different compromises:

- Any email sent to ollegas2...@gmail.com, glob22aa.fun, or mx373.com [1]
consistently links to what I believe is a virus that sends out a user's
email credentials to the bad actor.

Keep up the good fight friends.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

--

Steve Freegard | Senior Product Owner
T. +44 7740 364348
abusix.com

Links:
------
[1] http://mx373.com

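Added example, not code from the thread, from MXroute or from Abusix: a small Python scanner that applies Jarland's two variables (blank logged subject, first recipient equal to the actor's drop address) plus the bonus recipient/domain indicators to Exim main-log arrival lines, grouped by authenticated user. It assumes the Exim log_selector includes +subject and +received_recipients, so "<=" lines carry T="..." and a trailing "for rcpt1 rcpt2"; the two Gmail addresses are elided in the archived post, so they appear below as placeholders that must be replaced with the full addresses; the log lines are constructed for illustration.

```python
"""Scan Exim main-log arrival lines for the compromised-account indicators
from the mailop thread: an authenticated submission whose first recipient
is the actor's drop address (strongest when the logged subject is blank,
T=""), and any recipient at the other listed addresses or domains.

Assumes log_selector = +subject +received_recipients and the default
timestamp format (no +timezone), so an arrival line looks like:
  <date> <time> <msgid> <= <sender> H=... P=... A=mech:id S=... id=... T="..." for r1 r2
"""
import re
import sys
from collections import defaultdict

# Indicators from the post. The archive elides the two Gmail local parts
# ("jackgrelesh...", "ollegas2..."), so those two entries are PLACEHOLDERS
# (assumed names) to be replaced with the full addresses. The domains are
# complete in the post.
FIRST_RCPT_INDICATORS = {"jackgrelesh-placeholder@gmail.com"}  # placeholder
ANY_RCPT_INDICATORS = {"ollegas2-placeholder@gmail.com"}        # placeholder
INDICATOR_DOMAINS = {"glob22aa.fun", "mx373.com"}

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
AUTH_RE = re.compile(r"(?:^| )A=(?P<mech>[^\s:]+)(?::(?P<id>\S+))?")
SUBJECT_RE = re.compile(r'(?:^| )T="(?P<subject>(?:[^"\\]|\\.)*)"')


def parse_arrival(line):
    """Return a dict for an Exim '<=' line, or None for any other line."""
    m = ARRIVAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    auth = AUTH_RE.search(rest)
    subj = SUBJECT_RE.search(rest)
    # Recipients are the last element Exim writes, after T="...", so only
    # look for " for " past the subject; a subject may itself contain "for".
    tail = rest[subj.end():] if subj else rest
    rm = re.search(r"(?:^| )for (?P<rcpts>.+)$", tail)
    return {
        "ts": m.group("ts"),
        "msgid": m.group("msgid"),
        "sender": m.group("sender"),
        "auth_id": auth.group("id") if auth else None,
        "subject": subj.group("subject") if subj else None,
        "rcpts": rm.group("rcpts").split() if rm else [],
    }


def classify(msg):
    """Return (reason, severity) findings for one parsed arrival."""
    findings = []
    if not msg["rcpts"]:
        return findings
    blank = msg["subject"] == ""
    if msg["rcpts"][0].lower() in FIRST_RCPT_INDICATORS:
        # Both of Jarland's variables together are the high-confidence case.
        findings.append(("first-recipient-indicator" + ("+blank-subject" if blank else ""),
                         "high" if blank else "medium"))
    for rcpt in msg["rcpts"]:
        rcpt = rcpt.lower()
        if rcpt in ANY_RCPT_INDICATORS:
            findings.append(("recipient-indicator-address:" + rcpt, "high"))
        domain = rcpt.rpartition("@")[2]
        if domain in INDICATOR_DOMAINS or any(domain.endswith("." + d) for d in INDICATOR_DOMAINS):
            findings.append(("recipient-indicator-domain:" + domain, "high"))
    return findings


def scan(lines):
    """Group findings by authenticated user (the id in A=mech:id).
    Arrivals without A= are inbound mail, not a local account, so skip them."""
    hits = defaultdict(list)
    for line in lines:
        msg = parse_arrival(line)
        if msg is None or msg["auth_id"] is None:
            continue
        for reason, severity in classify(msg):
            hits[msg["auth_id"]].append({"msgid": msg["msgid"], "ts": msg["ts"],
                                         "reason": reason, "severity": severity})
    return dict(hits)


# Constructed sample log (not real traffic): one hit on both variables, one
# harmless blank subject, one hit on an indicator domain with "for" inside the
# subject, a delivery line to ignore, and an unauthenticated inbound arrival.
SAMPLE_LOG = """\
2023-02-08 09:12:01 1pPq1a-0004Ab-Qz <= alice@example.net H=(WIN-PC) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_login:alice@example.net S=2211 id=abc123@WIN-PC T="" for jackgrelesh-placeholder@gmail.com bob@example.org
2023-02-08 09:12:02 1pPq1a-0004Ab-Qz => jackgrelesh-placeholder@gmail.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.1] C="250 2.0.0 OK"
2023-02-08 09:15:40 1pPq4z-0004Ac-1x <= carol@example.net H=(phone) [203.0.113.9] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:carol@example.net S=980 id=def456@phone T="" for dave@example.org
2023-02-08 09:20:13 1pPq9k-0004Ad-7B <= erin@example.net H=(laptop) [192.0.2.44] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:erin@example.net S=1502 id=ghi789@laptop T="Re: invoice for March" for accounts@example.com drop@mx373.com
2023-02-08 09:22:55 1pPqB3-0004Ae-Hn <= sender@external.test H=mail.external.test [203.0.113.5] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=640 id=jkl@external.test T="" for jackgrelesh-placeholder@gmail.com
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan(fh)
    else:
        hits = scan(SAMPLE_LOG.splitlines())
    for user, items in sorted(hits.items()):
        for it in items:
            print(f"{it['severity']:6} {user:24} {it['msgid']} {it['reason']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 scan_exim.py /var/log/exim4/mainlog` (or with no argument to see the constructed sample). A blank subject on its own is deliberately not reported, since ordinary users send those too; the first-recipient match is the variable that identifies the actor, and a blank subject raises it to high severity. The recipient for the `for` list is the envelope recipient as logged at arrival, so aliases or forwarding on the far side do not affect it.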