Re: [mailop] How to detect fraud login in POP IMAP or SMTP?
> On 22 Sep 2021, at 21.44, Jarland Donnell via mailop wrote:
>
> This is true. While brute force attacks persist, we rarely see a connection
> between that and compromised accounts these days. Most often the attacker
> knew the password immediately. Now what would be cool, and has always been on
> my list of "maybe one day" features, would be either using an API from
> haveibeenpwned.com or merely keeping a copy of publicly released database
> leaks, and then testing results internally. If an email in a database dump
> matches one in your system, test the password leaked with it. If it works,
> force password change.

We use haveibeenpwned - but a bit differently than what you propose here.

We have a local copy of haveibeenpwned running that compares the passwd hash with the hash in haveibeenpwned. Each hash in haveibeenpwned is associated with a count based on how many breaches it's been found in. If we find a match on the hash we check the count against a set threshold, and if the count is higher than the threshold the user will get a big red box in his or her webmail saying: "We really think it would be a good idea if you changed your password. Please do it now. Your password is insecure."

Unfortunately we can only do this in our Webmail; we have no good way of sending this message to a user of a 3rd party mail client. If someone on this list has a good idea on how that can be accomplished with a good UX I am very eager to hear it :-)

Kind Regards,
Sidsel, Postmistress @ one.com

> I think a lot more people will be doing things like this in the future, it's
> hardly a fresh idea. But the amount of compromises it would prevent is
> likely enough to justify the overhead of building it out.
>
> On 2021-09-22 01:38, Lena--- via mailop wrote:
>>> From: Alessio Cecchi
>>> we are an email hosting provider, and as you know many users use weak
>>> passwords, or have a trojan on their PC that stole their password, which
>>> is then used to send spam or do some kinds of fraud.
>>> We already have a "script" that checks, from log files, the country of
>>> the IP address and "do something" to detect if it is an unusual login. But
>>> it is not really sufficient.
>> I suspect that stealing passwords with trojans is more successful
>> than brute-forcing passwords via POP, IMAP or SMTP.
>> Therefore, detecting logins for brute-forcing is not enough.
>> You need to detect when stolen passwords are used to send spam
>> via your server. One approach is to check the rate of attempts to send
>> to non-existent recipient email addresses, because spammers usually
>> send to dirty lists of email addresses full of message-ids,
>> truncated email addresses or prepended with garbage.
>> I wrote an implementation for Exim:
>> https://github.com/Exim/exim/wiki/BlockCracking
>> It also detects some brute-forcing, but the main thing is automatic blocking
>> of accounts used for spamming with trojan-stolen passwords.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
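The threshold check Sidsel describes, as an added illustration (not one.com's code): a local Pwned Passwords dump is a text file of unsalted SHA-1 hashes, one `HASH:COUNT` per line, so the comparison has to run at authentication time when the cleartext is in hand (a salted hash from the user database cannot be matched against it). The dump lines and breach counts below are constructed so the example runs offline; the function names are mine.

```python
import hashlib
from typing import Dict


def sha1_upper(password: str) -> str:
    """HIBP keys its dump by uppercase hex SHA-1 of the cleartext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the downloaded dump (counts are made up).
# A real deployment reads the file from disk instead of generating lines.
SAMPLE_DUMP = "\n".join(
    f"{sha1_upper(pw)}:{count}"
    for pw, count in [("password", 3861493), ("123456", 2500000), ("Tr0ub4dor&3", 2)]
)


def load_dump(text: str) -> Dict[str, int]:
    """Parse HASH:COUNT lines into a lookup table, skipping blank or malformed lines."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        digest, count = line.rsplit(":", 1)
        if len(digest) == 40 and count.isdigit():
            table[digest.upper()] = int(count)
    return table


PWNED = load_dump(SAMPLE_DUMP)


def breach_count(password: str, table: Dict[str, int] = PWNED) -> int:
    """Number of breaches the cleartext appears in; 0 when it is not in the dump."""
    return table.get(sha1_upper(password), 0)


def password_advice(password: str, threshold: int = 10) -> str:
    """'warn' when the breach count is strictly above the threshold, else 'ok'."""
    return "warn" if breach_count(password) > threshold else "ok"


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "uncommon-passphrase-9Qz"):
        print(pw, breach_count(pw), password_advice(pw))
```

The threshold is the tuning knob from the message: a password seen in one or two breaches may be a coincidence in a large dump, one seen in millions is not.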
Re: [mailop] How to detect fraud login in POP IMAP or SMTP?
This is true. While brute force attacks persist, we rarely see a connection between that and compromised accounts these days. Most often the attacker knew the password immediately. Now what would be cool, and has always been on my list of "maybe one day" features, would be either using an API from haveibeenpwned.com or merely keeping a copy of publicly released database leaks, and then testing results internally. If an email in a database dump matches one in your system, test the password leaked with it. If it works, force password change.

I think a lot more people will be doing things like this in the future, it's hardly a fresh idea. But the amount of compromises it would prevent is likely enough to justify the overhead of building it out.

On 2021-09-22 01:38, Lena--- via mailop wrote:
>> From: Alessio Cecchi
>> we are an email hosting provider, and as you know many users use weak
>> passwords, or have a trojan on their PC that stole their password, which
>> is then used to send spam or do some kinds of fraud.
>> We already have a "script" that checks, from log files, the country of
>> the IP address and "do something" to detect if it is an unusual login. But
>> it is not really sufficient.
> I suspect that stealing passwords with trojans is more successful
> than brute-forcing passwords via POP, IMAP or SMTP.
> Therefore, detecting logins for brute-forcing is not enough.
> You need to detect when stolen passwords are used to send spam
> via your server. One approach is to check the rate of attempts to send
> to non-existent recipient email addresses, because spammers usually
> send to dirty lists of email addresses full of message-ids,
> truncated email addresses or prepended with garbage.
> I wrote an implementation for Exim:
> https://github.com/Exim/exim/wiki/BlockCracking
> It also detects some brute-forcing, but the main thing is automatic blocking
> of accounts used for spamming with trojan-stolen passwords.
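Lena's detection idea, as an added example that is not the Exim ACL from the BlockCracking wiki: per authenticated sender, count RCPT attempts rejected as unknown users inside a sliding window and flag the account once the count exceeds a threshold. An accepted recipient does not reset the counter, because dirty lists mix valid and dead addresses. The log format and the log lines are constructed for this example; the function names are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict

# Constructed format: "<ISO time> auth=<account> rcpt=<address> <accepted|unknown-user>".
SAMPLE_LOG = """\
2021-09-22T10:00:01 auth=alice@example.org rcpt=bob@example.net accepted
2021-09-22T10:00:02 auth=alice@example.org rcpt=carol@example.com accepted
2021-09-22T10:00:03 auth=mallory@example.org rcpt=<a1b2c3@example.com>@example.com unknown-user
2021-09-22T10:00:04 auth=mallory@example.org rcpt=jsmit@example.net unknown-user
2021-09-22T10:00:05 auth=mallory@example.org rcpt=xx_dave@example.org unknown-user
2021-09-22T10:00:06 auth=mallory@example.org rcpt=dave@example.org accepted
2021-09-22T10:00:07 auth=mallory@example.org rcpt=id12345@example.com unknown-user
2021-09-22T11:30:00 auth=alice@example.org rcpt=nosuch@example.com unknown-user
"""

LINE_RE = re.compile(r"^(\S+) auth=(\S+) rcpt=(\S+) (accepted|unknown-user)$")


def find_spamming_accounts(log_text: str, max_unknown: int = 3,
                           window_seconds: int = 600) -> Dict[str, int]:
    """Map each account whose unknown-recipient burst exceeded max_unknown
    within window_seconds to the largest burst observed for it."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        ts, account, _rcpt, result = m.groups()
        if result != "unknown-user":
            continue  # accepted recipients neither count nor reset the window
        now = datetime.fromisoformat(ts)
        q = recent[account]
        q.append(now)
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        peak[account] = max(peak.get(account, 0), len(q))
    return {acct: n for acct, n in peak.items() if n > max_unknown}


if __name__ == "__main__":
    print(find_spamming_accounts(SAMPLE_LOG))  # accounts to block or rate-limit
```

A mail server would act on the result by suspending SMTP AUTH for the account and forcing a password change, which is the "automatic blocking" Lena describes.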
Re: [mailop] Gmail putting messages to spam
Hi,

$ dig +short TXT _dmarc.gmail.com
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com"

.. but then refusing to receive them ¯\_(ツ)_/¯

Google Groups for receiving DMARC reports and then refusing them because of spam or nobody external is allowed to post there is also a popular behaviour.

Regards
Bjoern
Re: [mailop] Gmail putting messages to spam
On Tue, 21 Sep 2021, Jaroslaw Rafa via mailop wrote:

> On 20.09.2021 at 14:17:27 Jaroslaw Rafa via mailop wrote:
>> I want to return to an old issue, which repeatedly happens again and again, that is, Google putting emails from me to recipient's spam folder. What's absurd, this happens not only to Gmail addresses to which I am writing for the first time, but also to recipients with whom I have previously corresponded and who marked my messages as non-spam. It even happens when I'm replying to a message I got from a Gmail user, which is totally absurd! It can even happen in the middle of an email exchange - i.e. I have once exchanged a few messages with a Gmail user without problems, then suddenly one of my subsequent messages in the conversation went to Spam.
>
> Well, Gmail is a comedy :). I also manage an email account of some organization that I am a member of, which is on Gmail. Just today I found out that Gmail has dropped to Spam a few *replies from other Gmail users* (our members) to messages that we sent out from that account to them! Regular replies, to regular messages, *from Gmail user to Gmail user*. If that is not a whole new level of absurd, then what is...?

You want absurd? :)

: host aspmx.l.google.com[173.194.76.26] said: 550-5.2.1 The user you are trying to contact is receiving mail at a rate that
    550-5.2.1 prevents additional messages from being delivered. For more
    550-5.2.1 information, please visit
    550 5.2.1 https://support.google.com/mail/?p=ReceivingRatePerm e10si1566563wrq.336 - gsmtp (in reply to RCPT TO command)

This is Google saying "we want those DMARC reports",

$ dig +short TXT _dmarc.gmail.com
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com"

.. but then refusing to receive them ¯\_(ツ)_/¯
Re: [mailop] How to detect fraud login in POP IMAP or SMTP?
On 21.09.2021 at 22:25:26 Darrell Budic via mailop wrote:
>
> If you follow NANOG and some other groups, you're probably aware of the
> spate of VPN blocking recently from various Video providers like Netflix
> and Amazon Prime. This seems to be (as an email provider and (separately,
> day job) an ISP) to be related to a simple heuristic: if several people log
> in from one IP, it might be a VPN.

It might also be an ISP using carrier-grade NAT. Or a big corporation's internal network (even spanning multiple countries) connecting to the Internet through a corporate gateway...

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."