password hacked

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
mattg
Moderator
Posts: 21031
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

password hacked

Post by mattg » 2017-02-26 04:14

One of my user accounts had its password sniffed, or perhaps the user used the same strong password on some dodgy web site (the user is my teenage daughter).
Anyway, two days ago her account was used to send a single message to smtpbid@rambler.ru with the word 'text' as the email body and the subject 'hello'. There was no guessing of passwords; they got it right first time.
Then about 4 hours later her account was used to send over 64 000 messages before I caught it and changed her password. I caught the mass spamming less than 11 hours after it started, and there were only some 2500 mails in the queue at this time.

Researching since this event, I found that I am on a single blacklist, which seems timed. Not a bad outcome overall; much better than it could have been.

To send these messages, they had to authenticate with the full user/domain name combo and complex password, on port 465, after negotiating an SSL connection with a TLSv1.2 certificate. There are only specific IP addresses that I allow to send without SSL/TLS for authentication, as per IP ranges; all outgoing mail is authenticated, and port 25 is unavailable for authentication. None of the usual AV or anti-spam mechanisms even checked these mails, because they were sent from an authenticated connection.


I'm going to play with this script >> viewtopic.php?f=20&t=28269 to make it work for authenticated mail.
What other ideas do others have for limiting access for authenticated users?
I don't want to implement 'non-standard ports only'; I wish to stay with 'standard ports' if I can, although this may just have to happen...

Is there some way that I can mitigate this outcome with SSL/TLS perhaps?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
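The question above is how to limit what an authenticated account can do once its password is in the wrong hands. The following is an added example, not the script from the linked topic and not hMailServer code: a sliding-window cap on messages per sender, replayed offline over constructed log lines in the SMTPD format that appears later in this thread. The addresses, IPs and timestamps are made up (one IP is copied from the thread's log). Keying on MAIL FROM assumes that authenticated users send as their own account address; the authenticated username would be the better key where a script can see it. In hMailServer the decision itself would have to live in an event-handler script; this Python only models the policy so the limit and window can be tuned against real logs before anything is deployed.

```python
"""Per-sender sliding-window cap, replayed over constructed hMailServer-style SMTPD log lines.

Added example (not hMailServer code, not the forum script): models the policy an
event-handler script would enforce, so the thresholds can be tuned against real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout taken from the SMTPD lines in this thread: "SMTPD" pid session "timestamp" "ip" "text"
SMTPD_LINE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<text>.*)"$'
)
MAIL_FROM = re.compile(r"^RECEIVED: MAIL FROM:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)


class SenderRateLimiter:
    """Allow at most `limit` messages per sender within any trailing window of `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self._sent = defaultdict(deque)  # sender -> timestamps of messages already accepted

    def allow(self, sender, when):
        q = self._sent[sender.lower()]
        while q and when - q[0] >= self.window:  # expire timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the cap: a script would return a 5xx here
        q.append(when)
        return True


def replay(lines, limit, window_seconds):
    """Walk SMTPD lines in order and return, per sender, what the cap would have done.

    Result: {sender: {"accepted": n, "rejected": n, "ips": {...}, "first_reject": "HH:MM:SS" or None}}
    """
    limiter = SenderRateLimiter(limit, window_seconds)
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0, "ips": set(), "first_reject": None})
    for line in lines:
        m = SMTPD_LINE.match(line.strip())
        if not m:
            continue                                  # TCPIP/DEBUG lines and anything else
        mf = MAIL_FROM.match(m.group("text"))
        if not mf:
            continue                                  # only envelope senders are counted
        sender = mf.group("addr").lower()
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        entry = report[sender]
        entry["ips"].add(m.group("ip"))
        if limiter.allow(sender, when):
            entry["accepted"] += 1
        else:
            entry["rejected"] += 1
            if entry["first_reject"] is None:
                entry["first_reject"] = when.strftime("%H:%M:%S")
    return dict(report)


# Constructed sample: one account bursts five messages from one IP, sends once more an hour later,
# and another user sends a single message. The TCPIP line is there to show non-SMTPD lines are skipped.
SAMPLE_LOG = [
    '"TCPIP" 5888 "2017-02-24 16:18:01.439" "TCP - 158.255.211.165 connected to 192.168.0.220:465."',
    '"SMTPD" 5888 4875 "2017-02-24 16:18:05.100" "158.255.211.165" "RECEIVED: MAIL FROM:<kid@example.com>"',
    '"SMTPD" 5888 4876 "2017-02-24 16:18:09.300" "158.255.211.165" "RECEIVED: MAIL FROM:<kid@example.com>"',
    '"SMTPD" 5888 4877 "2017-02-24 16:18:13.800" "158.255.211.165" "RECEIVED: MAIL FROM:<kid@example.com>"',
    '"SMTPD" 5888 4878 "2017-02-24 16:18:18.200" "158.255.211.165" "RECEIVED: MAIL FROM:<kid@example.com>"',
    '"SMTPD" 5888 4879 "2017-02-24 16:18:22.900" "158.255.211.165" "RECEIVED: MAIL FROM:<KID@example.com>"',
    '"SMTPD" 5888 4880 "2017-02-24 16:25:40.000" "192.168.0.50" "RECEIVED: MAIL FROM:<dad@example.com>"',
    '"SMTPD" 5888 4881 "2017-02-24 17:30:00.000" "158.255.211.165" "RECEIVED: MAIL FROM:<kid@example.com>"',
]

if __name__ == "__main__":
    for sender, r in replay(SAMPLE_LOG, limit=3, window_seconds=3600).items():
        print(sender, r)
```

With a cap of 3 per hour the burst is cut off at the fourth message, the message an hour later is accepted again, and the uninvolved user is never touched; the per-sender IP set is what you would cross-check against the user's usual client addresses.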

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: password hacked

Post by delphiham » 2017-02-28 12:51

Hi mattg,

I had the same problem last year with a friend's account on the mail server. From that moment I set the logins to three attempts: after 3 failed logins, I ban the user for 48 h and disable the IP range.

Check the mail addresses on https://haveibeenpwned.com/ for a leak.

I used the script and it is very helpful! With it you stop this spam via the From header of outgoing mails!
o

L_
OL
This is Schäuble. Copy Schäuble into your signature to help him on his way to Überwachungsstaat.

SorenR
Senior user
Posts: 3743
Joined: 2006-08-21 15:38
Location: Denmark

Re: password hacked

Post by SorenR » 2017-02-28 14:13

mattg wrote: One of my user accounts had its password sniffed, or perhaps the user used the same strong password on some dodgy web site (the user is my teenage daughter).
Anyway, two days ago her account was used to send a single message to smtpbid@rambler.ru with the word 'text' as the email body and the subject 'hello'. There was no guessing of passwords; they got it right first time.
[...]
Is there some way that I can mitigate this outcome with SSL/TLS perhaps?
What was the HELO/EHLO string of the offending IP address?
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

mattg
Moderator
Posts: 21031
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: password hacked

Post by mattg » 2017-02-28 15:51

"TCPIP" 5888 "2017-02-24 16:18:01.439" "TCP - 158.255.211.165 connected to 192.168.0.220:465."
"DEBUG" 5888 "2017-02-24 16:18:01.439" "Executing event OnClientConnect"
"DEBUG" 5888 "2017-02-24 16:18:01.470" "Event completed"
"DEBUG" 5888 "2017-02-24 16:18:01.470" "TCP connection started for session 4875"
"DEBUG" 5888 "2017-02-24 16:18:01.470" "Performing SSL/TLS handshake for session 4875. Verify certificate: False"
"TCPIP" 6944 "2017-02-24 16:18:01.955" "TCPConnection - TLS/SSL handshake completed. Session Id: 4875, Remote IP: 158.255.211.165, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 6944 4875 "2017-02-24 16:18:01.970" "158.255.211.165" "SENT: 220 ***MYDOMAIN.com*** ESMTP"
"SMTPD" 5888 4875 "2017-02-24 16:18:02.611" "158.255.211.165" "RECEIVED: EHLO idea-PC"



They connected on port 465, which requires SSL. They used TLSv1.2.

At OnClientConnect I logged the HELO/EHLO as '' (ie an empty string)

SorenR
Senior user
Posts: 3743
Joined: 2006-08-21 15:38
Location: Denmark

Re: password hacked

Post by SorenR » 2017-02-28 16:32

mattg wrote: [...]
At OnClientConnect I logged the HELO/EHLO as '' (i.e. an empty string)
Ah, you would need OnHELO(oClient) or later to catch that one; OnClientConnect is only a TCP/IP connect/start session.

This should take care of non-RFC-compliant HELO/EHLOs. One I have not included here is when the EHLO string is your own IP address in brackets...

Port 25 = allow only FQDN greetings, no IP addresses (seems to work for me)
Port != 25 = these are client ports and, to support mobile devices, IP addresses are needed. Mostly EHLO [IPAddress] != oClient.IPAddress, as most mobile companies use NAT firewalls.

The IP address must be enclosed in brackets to comply.

I have found Windows 10 Outlook 365 can have problems with EHLO FQDN, as it seems to use EHLO PC-NAME :roll:
In that case I have told my children to use webmail... "If nothing works => use webmail. If webmail doesn't work => call daddy." :mrgreen:

Code:

   ' The same body works in Sub OnHELO(oClient) or in Sub OnSMTPData(oClient, oMessage)
   Sub OnHELO(oClient)
      Dim strRegEx

      ' FQDN: 1-254 chars, labels of 1-63 chars that do not start with '.' or '-', alphabetic TLD
      Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
      ' Address literals must be in brackets: [1.2.3.4] or [IPv6:...]
      Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
      Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"

      ' Port 25: FQDN greetings only. Client ports: FQDN or a bracketed address literal.
      If (oClient.Port = 25) Then
         strRegEx = strFQDN
      Else
         strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
      End If

      ' Reject the loopback literal and anything that matches none of the allowed forms
      If (oClient.HELO = "[127.0.0.1]") Or Not Lookup(strRegEx, oClient.HELO) Then
         Result.Value = 2
         Result.Message = "5.7.1 ... I'm sorry, Dave. I'm afraid I can't do that."
         Exit Sub
      End If

   End Sub

   ' True if strMatch matches the regular expression strRegEx (case-insensitive)
   Function Lookup(strRegEx, strMatch)
      With CreateObject("VBScript.RegExp")
         .Global = False
         .Pattern = strRegEx
         .IgnoreCase = True
         Lookup = .Test(strMatch)
      End With
   End Function
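To show what SorenR's HELO/EHLO policy does with the greeting from mattg's log, the following is an added example (not SorenR's script and not hMailServer code) that ports the same rules to Python: FQDN only on port 25, FQDN or a bracketed address literal on the client ports, the loopback literal refused, and the case SorenR said he left out, a literal equal to the server's own address, handled through an own_addresses parameter that is an assumption of this example. The standard `ipaddress` module replaces the IPv4/IPv6 regexes, so a malformed literal such as [999.1.1.1] is refused without a hand-written pattern. The log line is the one mattg posted; everything else is constructed.

```python
"""HELO/EHLO greeting policy, ported from SorenR's VBScript to Python.

Added example, not hMailServer code. own_addresses is an assumed piece of configuration:
the server's own public IPs, which a client has no business greeting with.
"""
import ipaddress
import re

# Hostname: 1..254 chars, labels of 1..63 [a-z0-9-] not starting/ending with '-', alphabetic TLD of 2+ chars.
FQDN = re.compile(r"^(?=.{1,254}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,}$", re.IGNORECASE)
# "RECEIVED: EHLO idea-PC" as it appears in the text field of an SMTPD log line
HELO_IN_LOG = re.compile(r'RECEIVED: (?:HELO|EHLO)\s+([^"]*)')


def address_literal(helo):
    """Return the IP inside a bracketed literal ("[1.2.3.4]" or "[IPv6:...]"), or None if helo is not one."""
    if len(helo) < 3 or helo[0] != "[" or helo[-1] != "]":
        return None
    inner = helo[1:-1]
    try:
        if inner[:5].lower() == "ipv6:":
            return ipaddress.IPv6Address(inner[5:])
        return ipaddress.IPv4Address(inner)
    except ValueError:
        return None          # bracketed but malformed: treated like any other non-compliant greeting


def helo_verdict(helo, port, own_addresses=frozenset()):
    """Decide whether to accept a greeting on a given listener port.

    Returns (accept, reason). own_addresses holds the server's own public IPs as strings.
    """
    if not helo:
        return False, "empty greeting"
    literal = address_literal(helo)
    if literal is not None:
        if port == 25:
            return False, "address literals are not accepted on port 25"
        if literal.is_loopback:
            return False, "loopback literal"
        if str(literal) in own_addresses:
            return False, "literal is this server's own address"
        return True, "address literal on a client port"
    if FQDN.match(helo):
        return True, "FQDN"
    return False, "neither an FQDN nor a bracketed address literal"


def helo_from_log(line):
    """Pull the greeting out of an SMTPD log line, or None if the line is not a HELO/EHLO."""
    m = HELO_IN_LOG.search(line)
    return m.group(1).strip() if m else None


# The offending session's greeting, copied from mattg's log in this thread.
LOGGED_EHLO = '"SMTPD" 5888 4875 "2017-02-24 16:18:02.611" "158.255.211.165" "RECEIVED: EHLO idea-PC"'

if __name__ == "__main__":
    greeting = helo_from_log(LOGGED_EHLO)
    print(greeting, "on 465 ->", helo_verdict(greeting, 465))        # bare PC name: rejected
    print("[10.0.0.5] on 587 ->", helo_verdict("[10.0.0.5]", 587))   # NATed mobile client: accepted
    print("[10.0.0.5] on 25  ->", helo_verdict("[10.0.0.5]", 25))    # literal on the MX port: rejected
```

The bare "idea-PC" greeting from the compromised session is refused on 465 under these rules, which is also why SorenR warns that Outlook clients greeting with a plain PC name need the webmail fallback; test the policy against your own clients' greetings in the SMTPD log before turning rejections on.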

SorenR
Senior user
Posts: 3743
Joined: 2006-08-21 15:38
Location: Denmark

Re: password hacked

Post by SorenR » 2017-02-28 16:41

By the way, I came across this many years ago... http://peep.sourceforge.net/intro.html

Network traffic made audible. No need to watch the screen, just listen for abnormalities in "the jungle".
http://peep.sourceforge.net/demo/demo2.mp3

https://sourceforge.net/projects/peep/

https://www.usenix.org/legacy/event/lis ... lfix_html/

mattg
Moderator
Posts: 21031
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: password hacked

Post by mattg » 2017-03-03 02:39

So almost a week later, I get added to the Spamhaus PBL; easy enough to get de-listed from.

The way I found out was that protectionservices.outlook.com bounced an email. OK.
I cleared the Spamhaus listing, but Outlook still bounces me.... AGGHHH

Lodged with Outlook for a clearance, but the internet seems to think it might be days or weeks until this is fixed... AGGGHHH

The other weird thing is that the emails going out were those terrible invoice-attached type of rubbish (really a trojan, not an invoice).
My daughter had about 30 emails asking her for further details about the attached invoice... :roll:

jimimaseye
Moderator
Posts: 8715
Joined: 2011-09-08 17:48

Re: password hacked

Post by jimimaseye » 2017-03-03 03:03

Apparently this is what Microsoft use for their spam check: viewtopic.php?f=21&t=29763&p=187179#p187179
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
