Hacking local account to relay messages (how to stop?) [message #126610]
Tue, 22 December 2015 06:30
ferro
Messages: 18 Registered: January 2015 Location: Kuwait
Hi All,
My organization is currently evaluating Kerio before ordering the latest version.
The version that we use is an old version (7.1).
Problem definition: A local account was hacked (most probably a user mistake) and the mail queue was flooded with emails.
Example from security log:
[20/Dec/2015 18:32:45] Recv: Queue-ID: 5676ca1d-0000169d, Service: HTTP, From: <bh9770183@gmail.com>, To: <aspoitou@gmail.com>, Size: 11837, Sender-Host: 41.174.144.155, User: localuser<_at_>ourdomain.com
- Please note that the local user account was used to send an email from a non-local address to another non-local address
What I need to inquire about is the following:
1- Why is this happening while relaying is disabled in the configuration? What else should be done to prevent a local account from being used to send messages between two non-local addresses?
2- IT needs to change all email account passwords. For example: new password = current password + employee number + employee birthday. Can this be done by mass-updating all account passwords?
3- I am sure this is available, but is there a document that describes how we can connect Kerio to Active Directory so that user information and credentials are taken from AD?
Thanks a lot,
Ferro
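An added example, not from the original post and not Kerio's own code: a small Python script that parses Recv: security-log lines in the layout of the one quoted above and flags the pattern the post describes, an authenticated local account submitting mail whose envelope sender is outside the local domains, together with a per-account message count to spot the flood. The log lines, addresses, hosts, queue IDs and the LOCAL_DOMAINS set are constructed for the example; the regular expression is written against the single line format shown in the post and may need adjusting for other Kerio versions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, modelled on the single "Recv:" line quoted in the post.
# Addresses, hosts and queue IDs are made up. Kerio logs the authenticated account
# in the "User:" field; the forum rendered its "@" as "<_at_>", so the first line
# keeps that form to show the normalisation.
SAMPLE_LOG = """\
[20/Dec/2015 18:32:45] Recv: Queue-ID: 5676ca1d-0000169d, Service: HTTP, From: <sender1@example.com>, To: <victim1@example.net>, Size: 11837, Sender-Host: 203.0.113.55, User: localuser<_at_>ourdomain.com
[20/Dec/2015 18:32:47] Recv: Queue-ID: 5676ca1f-0000169e, Service: HTTP, From: <sender1@example.com>, To: <victim2@example.net>, Size: 11840, Sender-Host: 203.0.113.55, User: localuser@ourdomain.com
[20/Dec/2015 18:33:01] Recv: Queue-ID: 5676ca2d-0000169f, Service: SMTP, From: <alice@ourdomain.com>, To: <bob@example.net>, Size: 2048, Sender-Host: 10.0.0.12, User: alice@ourdomain.com
[20/Dec/2015 18:33:05] Recv: Queue-ID: 5676ca31-000016a0, Service: HTTP, From: <localuser@ourdomain.com>, To: <partner@example.org>, Size: 3000, Sender-Host: 10.0.0.40, User: localuser@ourdomain.com
"""

# Domains this server is authoritative for (assumption: one local domain).
LOCAL_DOMAINS = {"ourdomain.com"}

# Field layout of the quoted line; other Kerio versions may log differently.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<svc>\w+), "
    r"From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>\S+), User: (?P<user>\S+)$"
)


def parse_recv(line):
    """Parse one Recv: line into a dict, or return None if it does not match."""
    m = RECV_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].replace("<_at_>", "@").lower()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["size"] = int(rec["size"])
    return rec


def domain_of(addr):
    """Domain part of an address, lower-cased; '' for a null or malformed sender."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_spoofed_sender(rec, local_domains=LOCAL_DOMAINS):
    """True when an authenticated account submits mail whose envelope sender is
    outside the local domains. Relay restrictions never apply here because the
    session is authenticated, so this is the signal worth alerting on."""
    return bool(rec["user"]) and domain_of(rec["from"]) not in local_domains


def analyse(log_text, local_domains=LOCAL_DOMAINS):
    """Return (spoofed records, messages per account, source hosts per account)."""
    spoofed = []
    per_user = Counter()
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_recv(line)
        if rec is None:
            continue
        per_user[rec["user"]] += 1
        hosts[rec["user"]].add(rec["host"])
        if is_spoofed_sender(rec, local_domains):
            spoofed.append(rec)
    return spoofed, per_user, hosts


def flooding_accounts(per_user, threshold):
    """Accounts that submitted at least `threshold` messages in the analysed log."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    spoofed, per_user, hosts = analyse(SAMPLE_LOG)
    for r in spoofed:
        print(f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['user']} sent as {r['from']} "
              f"to {r['to']} via {r['svc']} from {r['host']} (queue {r['qid']})")
    for u in flooding_accounts(per_user, threshold=3):
        print(f"volume: {u} submitted {per_user[u]} messages from {sorted(hosts[u])}")
```

Run it against a copy of the security log (or pipe the log into analyse) and treat any spoofed record as a compromised-credential indicator, since a non-local From: on an authenticated submission is exactly what the relay check cannot catch. The distinct Sender-Host set per account is also useful: the same account appearing from an internal address and from an unrelated external address within minutes is a strong sign its password is in someone else's hands.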
Re: Hacking local account to relay messages (how to stop?) [message #126628 is a reply to message #126627]
Tue, 22 December 2015 11:53
ferro
Messages: 18 Registered: January 2015 Location: Kuwait
Dear Pavel Dobry,
Quote:
Latest version has protection called Sender Policy to avoid sender spoofing.
So I understand that even if I have no open relay, a compromised account can be used to send emails between two non-local users unless I upgrade to the latest Kerio version (it is Kerio 7.0 that has this issue).
Please correct/confirm my understanding.
Also, is there any way to avoid "sender spoofing" through the Kerio 7.0 admin configuration, or is it completely unavoidable except by the upgrade?
Thanks,
Ferro
[Updated on: Tue, 22 December 2015 12:01]
Re: Hacking local account to relay messages (how to stop?) [message #126650 is a reply to message #126636]
Tue, 22 December 2015 18:50
Bud Durland
Messages: 586 Registered: December 2013 Location: Plattsburgh, NY
@ferro -- any anti-spoofing tools are the second layer of defense, the first being SMTP login authentication. That part of your system is compromised, and you need to fix it first by changing the password of the compromised account. I don't recall if version 7 had any anti-spoofing tools. It was updated several years ago, after all.