Re: [mailop] Compromised email account trends

2023-02-21 Thread Ted Cooper via mailop


That's exfiltrating the useful information of the compromise without 
needing to maintain control of the device, keep records, or have a bot 
controller.



On 22/2/23 09:14, Jarland Donnell via mailop wrote:

Forgot to add on to this:

If your SMTP hostname, as your customers would configure it in Outlook, 
is a strange and very unlikely thing for them to send in the subject of 
an email, you can also catch these even earlier. This is a censored 
example of an email subject sent by this virus today:


T="longhorn.mxrouting.net 587 u...@domain.tld password"

It seems to pull hostname, port, user, and pass to combine and make an 
email subject. As best I can tell, from Outlook config files.


On 2023-02-21 17:04, jarl...@mxroute.com wrote:

Great post! Got another one for you all today:

coteru...@gmail.com

This one hit one of our customers pretty hard (password reuse, virus, 
bad variables).


On 2023-02-21 12:10, Steve Freegard wrote:

I recently wrote an entire blog post on this topic that might be of
interest:

https://abusix.com/resources/blocklists/compromised-account-detection-with-abusix-mail-intelligence-and-postfix/

It's based on Postfix, but adapting this for Exim shouldn't be
difficult.

Kind regards,
Steve.

On Wed, 8 Feb 2023 at 13:48, Jarland Donnell via mailop wrote:


Hey everyone. I've been thinking about how I could add some more value
to this list and there's one thing I've been working on for a while
that I think will be really helpful to share.

Email accounts get compromised. It happens. Especially when using base
standards (IMAP/POP/SMTP) that inherently lack two-factor
authentication mechanisms. As I discover ways to identify when accounts
have been compromised, I'd like to share them with you all.

Today I discovered a new trend based on an abuse complaint, which
allowed me to further identify several compromised user email accounts
across our platform. I'd like to share with you the headers and body,
censored of any customer information, that was sent to me in an abuse
complaint (I also removed the recipient that actually reported it):

https://paste.mxrouteapps.com/?862a67d53b18e8df#2k9DaEP1V9pPe6Th5CmeMS4JbyD38ZkTdDoLpYuWEvcT

I expect that this bad actor will change their behavior, and I'll of
course adjust. However, if you turn your attention to these two
variables in your logs today you will find anyone who has been
compromised very recently by this actor:

1. Email subject appears blank in logs (ex. T="" in exim log)
2. The first recipient they send to is jackgrelesh...@gmail.com

If you find someone sending email to jackgrelesh...@gmail.com on your
platform today, most especially with a blank subject, I will gladly
take the beating for you if you suspend the user and find it to be a
false positive. The idea that following these trends could produce a
false positive has, in my case at least, proven to be more of a rough
theory than a reality.

Some bonus indications of similar but different compromises:

- Any email sent to ollegas2...@gmail.com, glob22aa.fun, or mx373.com [1]
  consistently links to what I believe is a virus that sends out a
  user's email credentials to the bad actor.

Keep up the good fight friends.

Keep up the good fight friends.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


--

Steve Freegard
Senior Product Owner
abusix.com

Links:
--
[1] http://mx373.com

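A small detector for the indicators Jarland describes in the thread above, written as an added example for this archive page; it is not code from any poster, from mxroute, or from Abusix. It parses Exim main-log arrival ("<=") lines and reports authenticated logins that sent a blank-subject message whose first recipient is the drop address, sent to any listed drop address or domain, or put one of the platform's own SMTP hostnames into a subject shaped like `host port user password`. The log lines are constructed, the drop addresses are the censored ones quoted in the thread, `longhorn.mxrouting.net` stands in for whatever hostname your customers configure in their mail client, the password is a placeholder, and the subject and recipient fields assume Exim's `log_selector` includes `+subject` and `+received_recipients`.

```python
import re
from collections import defaultdict

# Constructed sample Exim main-log arrival ("<=") lines, not taken from the list.
# T="..." (subject) and "for ..." (recipients) are only logged when log_selector
# has +subject and +received_recipients. Drop addresses are the censored ones
# from the thread; the password in line 2 is an invented placeholder.
SAMPLE_LOG = """\
2023-02-21 09:14:00 1pUabc-000001-AB <= alice@domain.tld H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@domain.tld S=842 id=1@domain.tld T="" for jackgrelesh...@gmail.com
2023-02-21 09:15:10 1pUabc-000002-AB <= bob@domain.tld H=(pc) [203.0.113.9] P=esmtpsa A=dovecot_login:bob@domain.tld S=913 id=2@domain.tld T="longhorn.mxrouting.net 587 bob@domain.tld PLACEHOLDER-PASSWORD" for coteru...@gmail.com
2023-02-21 09:16:30 1pUabc-000003-AB <= carol@domain.tld H=(phone) [198.51.100.7] P=esmtpsa A=dovecot_login:carol@domain.tld S=2201 id=3@domain.tld T="Re: invoice" for dave@example.org
2023-02-21 09:17:45 1pUabc-000004-AB <= erin@domain.tld H=(pc) [203.0.113.12] P=esmtpsa A=dovecot_login:erin@domain.tld S=1100 id=4@domain.tld T="" for frank@example.org
2023-02-21 09:18:05 1pUabc-000005-AB <= grace@domain.tld H=(pc) [203.0.113.20] P=esmtpsa A=dovecot_login:grace@domain.tld S=700 id=5@domain.tld T="hi" for x@mx373.com y@example.org
"""

# Indicators as posted (censored) plus the hostname customers type into Outlook.
# Both sets are assumptions for this example; fill them in per platform.
DROP_ADDRESSES = {"jackgrelesh...@gmail.com", "coteru...@gmail.com", "ollegas2...@gmail.com"}
DROP_DOMAINS = {"glob22aa.fun", "mx373.com"}
OUR_SMTP_HOSTS = {"longhorn.mxrouting.net"}

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
CRED_SHAPE_RE = re.compile(r"^\S+ \d{2,5} \S+@\S+ \S+$")  # "host port user pass"


def parse_arrival(line):
    """Return the fields of an Exim '<=' line this detector needs, or None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    auth = re.search(r" A=\S+?:(\S+)", rest)       # A=<authenticator>:<login>
    subj = re.search(r' T="([^"]*)"', rest)
    # Look for the recipient list after the subject so a subject containing
    # the word "for" cannot be mistaken for the recipient field.
    tail = rest[subj.end():] if subj else rest
    rcpt = re.search(r" for (.+)$", tail)
    return {
        "id": m.group("id"),
        "sender": m.group("sender"),
        "auth_user": auth.group(1) if auth else None,
        "subject": subj.group(1) if subj else None,
        "recipients": rcpt.group(1).split() if rcpt else [],
    }


def classify(msg):
    """Apply the thread's indicators to one parsed arrival line; return rule names."""
    rules = []
    rcpts = msg["recipients"]
    subject = msg["subject"]
    first = rcpts[0] if rcpts else None
    hits = [r for r in rcpts
            if r in DROP_ADDRESSES or r.rsplit("@", 1)[-1].lower() in DROP_DOMAINS]
    if subject == "" and first in DROP_ADDRESSES:
        rules.append("blank-subject-to-drop-address")   # the strongest signal posted
    elif hits:
        rules.append("recipient-is-drop-address")
    # A blank subject on its own is deliberately NOT flagged: plenty of
    # legitimate mail has no subject, and that would be the false-positive path.
    if subject:
        low = subject.lower()
        if any(h in low for h in OUR_SMTP_HOSTS):
            rules.append("smtp-hostname-in-subject")
            if CRED_SHAPE_RE.match(subject):
                rules.append("host-port-user-pass-shape")
    return rules


def scan(log_text):
    """Map each authenticated login to the set of rules it tripped."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        msg = parse_arrival(line)
        if not msg or not msg["auth_user"]:
            continue                      # only authenticated submissions matter here
        for rule in classify(msg):
            flagged[msg["auth_user"]].add(rule)
    return dict(flagged)


if __name__ == "__main__":
    for user, rules in sorted(scan(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(rules))}")
```

Run it against `/var/log/exim4/mainlog` by replacing `SAMPLE_LOG` with the file contents; the output is one line per authenticated login with the rules it tripped, which is the list of accounts to review or suspend. Note that the credential-in-subject rule fires on the hostname alone, so it keeps working when the actor changes the rest of the subject layout.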
Re: [mailop] Extreme multiple posting (was Re: OVH Bulk Mailer? Anyone know this one?)

2020-08-08 Thread Ted Cooper via mailop
On 8/8/20 7:31 am, Jaroslaw Rafa via mailop wrote:
> Dnia  5.08.2020 o godz. 11:16:05 Large Hadron Collider via mailop pisze:
>> you know, Mr Allard, it appears that you sent this message to the list at 
>> least 5 times...
> 
> I have received it only once. Maybe it's something on your side. Mailop
> server seemed to have issues since Wednesday, my message to list was staying
> in queue with 421 response and I didn't receive any messages from list. They
> did pass through today.
> 

I received the message 43 times over a period of 21 hours starting at
2020-08-05 14:04:23 UTC.

After junking the message id, it was blocked a further 52 times. The
last one being at 2020-08-07 12:31:22 UTC.

This is the only message (that I know of) I've had issues with.





[mailop] Abusix Potentially Compromised Account Report

2020-03-21 Thread Ted Cooper via mailop
Has anyone run into "Abusix" /potentially/ compromised account
notification emails before?

Their website "abusix.ai" looks to be about a week old based on the age
of all of the articles. I would have guessed they'd have been around for
longer and their name does ring a bell. Blog announcement on Abusix.com
would indicate they launched Mar 2019.

They've sent us a report from "nore...@abusix.org" to postmaster@ here
in some kind of misguided attempt to help us because "Over the last 24
hour period our traps have detected 1 potentially compromised accounts
on your domain."

In the CSV they attached, apparently the IP address 185.234.219.89
(Poland) attempted to send an email at 2020-03-19T17:59:03.000Z using
smtp auth credentials apparently from a domain hosted here. That IP
address is not at all related to any networks or servers for the domain.

They do provide the first 5 characters of the sha1 of the password that
IP address used. I know it used the wrong password because the account
in question does not have a password - it's an alias and not an account.

Given the number of fraudulent auth attempts we all get every day with
wild and whacky unrelated usernames (I get hotmail & others provided as
username), why would anyone think it was a good idea to send out spam to
stop spam when it was clearly a fraudulent email that didn't even go
anywhere? If everyone sent out a spam notification when someone abused a
domain we'd all be getting a 10x increase in spam, all trying to be
"helpful".

They do ever so helpfully provide an "opt out" link. I am scratching my
head trying to think when I opted into such a service. /sarcasm.

My initial thought was to route their domains and IPs to /dev/null,
happy in the thought that I now get one less domain's spam.

