GFI User Forums » Kerio Connect
Hijacked User Account (Hijacked User Account Loaded Outgoing Queue with SPAM)
Re: Hijacked User Account [message #127362 is a reply to message #127360] Thu, 21 January 2016 19:49
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
The sender address can be spoofed if you don't enable sender anti-spoofing protection (described in KB 1491). You need to locate the original log event where the message was received by the server (like the example I provided in my previous reply). This will provide more details regarding the compromise, specifically, the protocol, the authenticated user, and the offending IP address.
If there should be any viable proposal to improve the security of Kerio Connect we would need to know if the attack could not have been prevented by one of the many security features already available in the product.


Brian Carmichael
Instructional Content Architect
Re: Hijacked User Account [message #127363 is a reply to message #127358] Thu, 21 January 2016 20:46
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 12:10
The mail log should identify which user account was compromised, and the protocol that was used. You will have to locate the log event that shows how the message(s) was first received by your server.

Here is an example:
[25/Jun/2014 10:39:19] Recv: Queue-ID: 53aaa6d7-000000f4, Service: Kerio Connect client, From: <user<_at_>domain>, To: <user<_at_>domain>, Size: 854, Sender-Host: 10.10.10.1, User: user@domain, SSL: yes, Subject: test, Msg-Id: <3533420989-24989@domain>


OK. I've been digging in the Mail.log file and I believe I've identified the first spam. I've attached a screen capture of that portion of the mail.log showing the transition from legitimate to spam. The thing that jumps out is the change from "Service: Kerio Connect Client" to "Service: SMTP".
Re: Hijacked User Account [message #127365 is a reply to message #127362] Thu, 21 January 2016 21:23
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 12:49
The sender address can be spoofed if you don't enable sender anti-spoofing protection (described in KB 1491). You need to locate the original log event where the message was received by the server (like the example I provided in my previous reply). This will provide more details regarding the compromise, specifically, the protocol, the authenticated user, and the offending IP address.
If there should be any viable proposal to improve the security of Kerio Connect we would need to know if the attack could not have been prevented by one of the many security features already available in the product.

We have "User must authenticate in order to send messages from a local domain" and "Never reject messages from this IP address group: Whitelist" checked.

I have not checked "Reject messages with spoofed local domain". Our SaaS ERP system sends out email for us from their mail servers using our domain. We also have an e-commerce website that does the same thing. I have the email server IP addresses for these outside services in our Whitelist. Will that supersede the "Reject messages with spoofed local domain" setting?
Re: Hijacked User Account [message #127368 is a reply to message #127365] Thu, 21 January 2016 23:30
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
We can see from the log event that the messages were sent via SMTP, they were sent by an authenticated user, and the offending host is in Russia (79.104.198.37). This host is also on several blacklists.
Probably a bot guessed this user's password by brute force.
Ways to prevent this:
Password complexity, probably you don't have it enabled.
Blacklists, maybe you don't have any enabled.
Password guessing protection, probably you don't have it enabled.
These settings are all described or linked in KB 1239


Brian Carmichael
Instructional Content Architect
Re: Hijacked User Account [message #127378 is a reply to message #127368] Fri, 22 January 2016 13:11
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 16:30
We can see from the log event that the messages were sent via SMTP, they were sent by an authenticated user, and the offending host is in Russia (79.104.198.37). This host is also on several blacklists.
Probably a bot guessed this user's password by brute force.
Ways to prevent this:
Password complexity, probably you don't have it enabled.
Blacklists, maybe you don't have any enabled.
Password guessing protection, probably you don't have it enabled.
These settings are all described or linked in KB 1239

Verifying...

    Password complexity is enabled.
    Black Lists Enabled: SpamCop and SpamHaus
    Block user accounts probably targeted by password guessing is enabled.

Just to throw in another hypothetical way things could be compromised. A user accesses their Kerio Connect email from their home computer or a tablet or cellphone. I have no control over that security. Nothing you've suggested so far would protect against a keylogger. I've had execs for my company bring in their home PCs and they often are loaded with bad stuff. I install or update their AV and clean stuff up, but chances are they'll let it lapse again.

All this back and forth on whether this is turned on or that is configured correctly just makes the case for the SpamHaus article linked by freakinvibe. No matter how many things are implemented to prevent an email account being compromised, it will still happen, just less often.
Re: Hijacked User Account [message #127379 is a reply to message #127378] Fri, 22 January 2016 13:26
freakinvibe
Messages: 589
Registered: April 2004
Other cases that would be mitigated by outbound throttling:

- Spam sent by internal compromised machine
- Spam sent via ActiveSync
- Spam sent via WebMail
- Spam sent by disgruntled employee

But Kerio just says: "We only do inbound checking, that is enough, no matter what others say".


Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
Re: Hijacked User Account [message #127407 is a reply to message #127362] Mon, 25 January 2016 17:32
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 12:49
If there should be any viable proposal to improve the security of Kerio Connect we would need to know if the attack could not have been prevented by one of the many security features already available in the product.

Brian,

I've responded to all your questions concerning our configuration and how it might be tweaked to improve security and prevent a user's account from being compromised. Since you haven't responded, I'm guessing you don't think my situation qualifies as an example of a problem that couldn't be handled by existing security features. Fair enough.

However, with the input of others to this topic about things that existing security features wouldn't address along with the SpamHaus call for email providers to add an email limit for outgoing email to their servers I think there's enough to make the argument that something more is needed.

Excerpt from SpamHaus...

    1. Implement default per-account limits on numbers of outgoing emails.
    2. Log the authenticated user account for each email sent.
    3. Include the authenticated user account name in the email headers.
    4. Monitor the mail flow from each account!
    5. Check for and reject weak passwords.
    6. Rate limit authentication attempts to prevent password cracking.

Kerio Connect already has most of these recommendations implemented. Please add the outgoing email limits as well.
Re: Hijacked User Account [message #127410 is a reply to message #127407] Mon, 25 January 2016 18:27
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
In your case, as with previous cases I've seen, the offending host uses SMTP. This means that the messages were first injected into the queue via incoming SMTP. Therefore the security options in the SMTP server apply.

Brian Carmichael
Instructional Content Architect
Re: Hijacked User Account [message #127415 is a reply to message #127410] Mon, 25 January 2016 20:50
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Mon, 25 January 2016 11:27
In your case, as with previous cases I've seen, the offending host uses SMTP. This means that the messages were first injected into the queue via incoming SMTP. Therefore the security options in the SMTP server apply.

Just to make sure I'm understanding things correctly ...

Currently, under "Relay Control" for the SMTP server, we have "Allow relay for - Users authenticated through SMTP for outgoing mail. This requires email clients to authenticate when sending email."

If a spammer has obtained a password for a local email account, by whatever means they do, then they can freely send as many emails as they want? Or until someone happens to check the outgoing mail queue or the server effectively stops working under the sheer number of emails in the queue?

If this is the case, what setting(s) would I implement or change that would prevent 50,000+ files winding up in our outgoing queue?

If nothing else, could Kerio develop a utility that would monitor the size of the outgoing queue and if it exceeds a threshold start sending alert emails to the administrator? This probably wouldn't work very well since spammers like to do their dirty work after hours.

Re: Hijacked User Account [message #127417 is a reply to message #127415] Mon, 25 January 2016 21:11
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
In KB 1833 there are some example settings you can use based on the screenshots.
http://kb.kerio.com/product/kerio-connect/server-configuration/services/securing-the-smtp-server-1833.html
MXtoolbox.com has some nice online tools to help measure the responsiveness of your SMTP server and they can notify you in case of an issue.


Brian Carmichael
Instructional Content Architect
Re: Hijacked User Account [message #127419 is a reply to message #127417] Mon, 25 January 2016 21:54
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
Brian Carmichael (Kerio) wrote on Mon, 25 January 2016 14:11
In KB 1833 there are some example settings you can use based on the screenshots.
http://kb.kerio.com/product/kerio-connect/server-configuration/services/securing-the-smtp-server-1833.html
MXtoolbox.com has some nice online tools to help measure the responsiveness of your SMTP server and they can notify you in case of an issue.

I've attached a screen capture of the SMTP Server Security Options that the knowledgebase article you sent a link for references. The differences between the article settings and our settings are minimal.

So the final recommendation is to have a third-party website monitor our Kerio Connect server and let us know when there's a problem? That's pretty disappointing... honest, but disappointing.
Re: Hijacked User Account [message #134774 is a reply to message #127419] Wed, 22 March 2017 18:37
Toraih
Messages: 2
Registered: March 2017
Location: CH
We had the same problem, 50k+ spam mails sent through a compromised account (probably cross-password phishing, since the user used the same password for many other services on the net), 33k in the queue, the rest was already sent out as we stopped the server.
The costs were about 1-2 days work-time to clean everything up (queue, mailbox, blacklists, spam-signature lists, explaining to internal and external workers and customers, contact with other postmasters etc.)

This could be prevented if there were an option to "limit the amount of mails sent by a single user account"... only a few hundred spam mails would be sent if we could set a limit of 100 per hour/user.
We could set up an alert if the logs contained a warning that the limit was exceeded.

I made a feature-request, please vote up:
feedback.kerio.com/forums/161327-kerio-connect-client/suggestions/18692392-limit-emails-sent-by-user-by-hour
(remove spaces in url, it's my first message in this forum and can't post links yet)

[Updated on: Fri, 24 March 2017 10:09]

Re: Hijacked User Account [message #134780 is a reply to message #134774] Fri, 24 March 2017 01:54
zebby
Messages: 154
Registered: March 2009
Toraih wrote on Wed, 22 March 2017 17:37
We had the same problem, 50k+ spam mails sent through a compromised account (probably cross-password phishing, since the user used the same password for many other services on the net), 33k in the queue, the rest was already sent out as we stopped the server.
The costs were about 1-2 days work-time to clean everything up (queue, mailbox, blacklists, spam-signature lists, explaining to internal and external workers and customers, contact with other postmasters etc.)

This could be prevented if there were an option to "limit the amount of mails sent by a single user account"... only a few hundred spam mails would be sent if we could set a limit of 100 per hour/user.
We could set up an alert if the logs contained a warning that the limit was exceeded.

I made a feature-request, please vote up:
feedback.kerio.com/forums/161327-kerio-connect-client/suggestions/18692392-limit-emails-sent-by-user-by-hour


I've posted this elsewhere here, but the mDaemon solution for this is screaming out for Kerio to copy:
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02433

Configurable setting to disable an account that sends x number of messages in x number of minutes.
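The thread asks for two things the server does not do by itself: spotting the moment an account's submissions switch from "Service: Kerio Connect client" to "Service: SMTP" from a new host (BobH's observation), and a per-account outbound limit with an alert when it is exceeded (Toraih's and zebby's requests). The Python below is an added example, not Kerio's or GFI's tooling: it parses "Recv:" lines in the layout of the log event Brian quoted and runs both checks over a constructed sample log. It assumes the real log writes "@" where the forum printed "<_at_>" and that unauthenticated inbound SMTP has no "User:" field; the addresses, hosts and Queue-IDs in the sample are made up from example and test ranges. It is a log-side detector for an admin to run over Mail.log or feed into an alerting job; it does not enforce anything on the server.

```python
"""Added example (not Kerio's own tooling): parse Kerio Connect "Recv:" mail
log events, locate the first point where an account's submission path
(Service / Sender-Host) changed, and flag accounts exceeding a per-user
outbound rate, the kind of limit the thread asks Kerio to add."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout follows the example line quoted in the thread. Assumptions: the
# real log writes "@" where the forum printed "<_at_>", and "User:" is absent
# for unauthenticated inbound SMTP, so it is optional here.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>[^,\s]+), Service: (?P<service>.*?), "
    r"From: <(?P<sender>[^>]*)>, To: <(?P<rcpt>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>[^,\s]+)(?:, User: (?P<user>[^,\s]+))?, SSL: (?P<ssl>\w+), "
    r"Subject: (?P<subject>.*), Msg-Id: <(?P<msgid>[^>]*)>$"
)
TS_FMT = "%d/%b/%Y %H:%M:%S"


def parse_recv(line):
    """Return a dict of fields for a Recv: event, or None for any other line."""
    m = RECV_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["size"] = int(ev["size"])
    return ev


def first_path_change(events):
    """Per authenticated user: the first event whose (Service, Sender-Host)
    differs from the path the user was first seen submitting from (the
    'Kerio Connect client' -> 'SMTP' transition BobH spotted)."""
    baseline, changes = {}, {}
    for ev in events:
        user = ev["user"]
        if not user:
            continue
        path = (ev["service"], ev["host"])
        baseline.setdefault(user, path)
        if path != baseline[user] and user not in changes:
            changes[user] = ev
    return changes


def rate_violations(events, limit, window):
    """Sliding-window count per authenticated user; returns the first event at
    which a user exceeded `limit` messages within `window`."""
    recent, hits = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if not user:
            continue
        q = recent[user]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and user not in hits:
            hits[user] = ev
    return hits


def analyze(lines, limit=5, window_minutes=60):
    """Run both checks over raw log lines; values are plain strings/tuples."""
    events = [ev for ev in map(parse_recv, lines) if ev]
    changes = first_path_change(events)
    hits = rate_violations(events, limit, timedelta(minutes=window_minutes))
    return {
        "events": len(events),
        "path_changes": {u: (e["ts"].strftime(TS_FMT), e["service"], e["host"])
                         for u, e in changes.items()},
        "rate_hits": {u: (e["ts"].strftime(TS_FMT), e["qid"]) for u, e in hits.items()},
    }


# ---- constructed sample log (not real traffic); hosts from documentation/test ranges
def _line(ts, n, service, host, user, sender, rcpt, subject):
    auth = f", User: {user}" if user else ""
    return (f"[{ts}] Recv: Queue-ID: 56a0a0c3-{n:08x}, Service: {service}, "
            f"From: <{sender}>, To: <{rcpt}>, Size: 1024, Sender-Host: {host}{auth}, "
            f"SSL: yes, Subject: {subject}, Msg-Id: <{n}@example.com>")


ALICE = "alice@example.com"
SAMPLE_LOG = [
    _line("21/Jan/2016 08:02:11", 1, "Kerio Connect client", "10.10.10.21", ALICE, ALICE, "bob@example.com", "Q1 numbers"),
    _line("21/Jan/2016 09:15:40", 2, "Kerio Connect client", "10.10.10.21", ALICE, ALICE, "carol@example.com", "Re: lunch, tomorrow?"),
] + [  # after-hours burst: same account, now authenticating over SMTP from an outside host
    _line(f"21/Jan/2016 22:41:{3 + 2 * i:02d}", 3 + i, "SMTP", "198.51.100.23", ALICE, ALICE, f"victim{i}@mail.invalid", "You have won")
    for i in range(6)
] + [  # unauthenticated inbound SMTP: no User: field, must not count against anyone
    _line("21/Jan/2016 22:41:20", 9, "SMTP", "203.0.113.9", None, "news@partner.invalid", "bob@example.com", "Weekly newsletter"),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, (ts, service, host) in report["path_changes"].items():
        print(f"{user}: submission path changed at {ts} -> {service} from {host}")
    for user, (ts, qid) in report["rate_hits"].items():
        print(f"{user}: exceeded limit at {ts} (Queue-ID {qid})")
```

With the constructed sample, the path check reports alice's first SMTP submission from the outside host, and the rate check fires on her sixth message in the window while the unauthenticated newsletter is ignored. The limit and window are parameters so an admin can pick the "100 per hour" figure from the thread or something tighter; a subject containing a comma is included in the sample to show the field regex copes with it.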
Re: Hijacked User Account [message #134788 is a reply to message #134780] Fri, 24 March 2017 15:16
j.a.duke
Messages: 239
Registered: October 2006
I had the same issue in October, only we didn't see a problem until over 24 hours in when we started getting blocked by Google & others. Took two weeks to get off all the lists.

@zebby: The mDaemon article you reference also has a "Don't block IP if SMTP authentication is used" option, which would likely limit the effectiveness of the other options (or at least that's my take). Unless those options at the top of the dialog override those further down. That's not clear.

I agree that there could be much more done within Kerio to give us better tools for dealing with something like this.

Cheers,
Jon
Re: Hijacked User Account [message #134795 is a reply to message #127342] Sun, 26 March 2017 07:10
vomsupport
Messages: 80
Registered: October 2008
We also have had several accounts hijacked by botnets.

Turns out the user used the same password on our Kerio server as their Yahoo account (actually SBC).

Luckily we have a Barracuda that keeps the mail from going out.