HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-18 04:20

I am seeing a lot of Auto Bans where the attempted login mirrors actual unique mailbox account names, aliases and domain names (not admin, help, etc.)

It doesn't appear they are successful in getting past auto ban, but I am concerned they seem to have some insight into the account structure.

Does anybody have any thoughts on where they are deriving this info?

I am using SQL 2008 R2 as the DB

mattg
Moderator
Posts: 22339
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by mattg » 2023-09-18 10:05

Dictionary attacks are common

Do you have a 'catch-all' set?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 4230
Joined: 2017-09-12 17:57

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by palinka » 2023-09-18 10:58

craigbaker wrote:
2023-09-18 04:20
Does anybody have any thoughts on where they are deriving this info?
Some lists come from scraping websites, some from website database hacks, some from dictionary attacks (bot net guessers). If you enforce strong passwords, you'll be fine.

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-18 13:25

craigbaker wrote:
2023-09-18 04:20
I am seeing a lot of Auto Bans where the attempted login mirrors actual unique mailbox account names, aliases and domain names (not admin, help, etc.)

It doesn't appear they are successful in getting past auto ban, but I am concerned they seem to have some insight into the account structure.

Does anybody have any thoughts on where they are deriving this info?

I am using SQL 2008 R2 as the DB
https://haveibeenpwned.com/

https://haveibeenpwned.com/Passwords

https://www.politie.nl/en/information/c ... rhack.html <== YES, the (real) Dutch Police!

SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organization’s Cybersecurity
https://www.sans.org/press/announcement ... rsecurity/
SørenR.

To understand recursion, you must first understand recursion.

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-18 13:39

Operation Cookie Monster (no joke!)

https://www.youtube.com/watch?v=2gljXDYedzg

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-18 17:01

I can understand them knowing all the domains on my SAN certificate, but NOT the mailbox account names or aliases, some of which are obscure or inactive.

The only places some of these show up are in the hmail admin interface, and in the SQL database tables. They seem to have specific knowledge, but not the passwords.

I am using strong(ish) passwords, and will further harden them.

Thanks for the suggestions.

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-18 17:24

craigbaker wrote:
2023-09-18 17:01
I can understand them knowing all the domains on my SAN certificate, but NOT the mailbox account names or aliases, some of which are obscure or inactive.

The only places some of these show up are in the hmail admin interface, and in the SQL database tables. They seem to have specific knowledge, but not the passwords.

I am using strong(ish) passwords, and will further harden them.

Thanks for the suggestions.
You will be surprised how much information you reveal even when you claim you don't!

Did you check with the links above?

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-18 17:40

SorenR wrote:
2023-09-18 17:24
craigbaker wrote:
2023-09-18 17:01
I can understand them knowing all the domains on my SAN certificate, but NOT the mailbox account names or aliases, some of which are obscure or inactive.

The only places some of these show up are in the hmail admin interface, and in the SQL database tables. They seem to have specific knowledge, but not the passwords.

I am using strong(ish) passwords, and will further harden them.

Thanks for the suggestions.
You will be surprised how much information you reveal even when you claim you don't!

Did you check with the links above?
I'm definitely familiar with HIBP. The issue is they are using various valid user names against various domains in the SAN certificate, which are all valid email addresses (i.e. "user1@test.com" is the same mailbox as "user1@test2.com", so entering "user1@test.com" at HIBP wouldn't bring up any results if user1@test2.com is the leaked address).

They somehow seem to have access to the actual list of accounts (mailbox names) and aliases. This morning it's just run-of-the-mill guessing, but last night there was a long list of IP addresses that resolved to various parts of the planet and all had UNCANNY knowledge of my account list.

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-18 18:11

craigbaker wrote:
2023-09-18 17:40
SorenR wrote:
2023-09-18 17:24
craigbaker wrote:
2023-09-18 17:01
I can understand them knowing all the domains on my SAN certificate, but NOT the mailbox account names or aliases, some of which are obscure or inactive.

The only places some of these show up are in the hmail admin interface, and in the SQL database tables. They seem to have specific knowledge, but not the passwords.

I am using strong(ish) passwords, and will further harden them.

Thanks for the suggestions.
You will be surprised how much information you reveal even when you claim you don't!

Did you check with the links above?
I'm definitely familiar with HIBP. The issue is they are using various valid user names against various domains in the SAN certificate, which are all valid email addresses (i.e. "user1@test.com" is the same mailbox as "user1@test2.com", so entering "user1@test.com" at HIBP wouldn't bring up any results if user1@test2.com is the leaked address).

They somehow seem to have access to the actual list of accounts (mailbox names) and aliases. This morning it's just run-of-the-mill guessing, but last night there was a long list of IP addresses that resolved to various parts of the planet and all had UNCANNY knowledge of my account list.
Try googling one of those email addresses and see what comes up ... A challenge :mrgreen:

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-18 18:41

SorenR wrote:
2023-09-18 18:11

Try googling one of those email addresses and see what comes up ... A challenge :mrgreen:
Tried several. No pwnage found.

johang
Senior user
Posts: 1033
Joined: 2008-09-01 09:20

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by johang » 2023-09-18 20:48

craigbaker wrote:
2023-09-18 17:40
They somehow seem to have access to the actual list of accounts (mailbox names) and aliases.
I have been running hMailServer for a while now. The only email addresses that spammers have gotten hold of are the ones that have been used on the internet. I have never received spam for an account not being used (but available) on the internet, and they are not of the "easy" guessable sort: they are utility accounts like cam001@mydomain, esxi001@mydomain, winserver2008@mydomain. Some are guessable swedish-firstname@mydomain, but that first name is not normally found among American names...

Users retrieving their email over various hotspots when travelling and registered with many external services on the internet are very familiar with getting emails from spammers, at least in my experience.
lets cheat darwin out of his legacy, find a cure for cancer...

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-18 23:15

johang wrote:
2023-09-18 20:48
craigbaker wrote:
2023-09-18 17:40
They somehow seem to have access to the actual list of accounts (mailbox names) and aliases.
I have been running hMailServer for a while now. The only email addresses that spammers have gotten hold of are the ones that have been used on the internet. I have never received spam for an account not being used (but available) on the internet, and they are not of the "easy" guessable sort: they are utility accounts like cam001@mydomain, esxi001@mydomain, winserver2008@mydomain. Some are guessable swedish-firstname@mydomain, but that first name is not normally found among American names...

Users retrieving their email over various hotspots when travelling and registered with many external services on the internet are very familiar with getting emails from spammers, at least in my experience.
I do have a few "known" email addresses; all can be found by Googling them, found in forums and newsgroups from back in the day. I changed my domain in 2003 and dropped the old, so ... Before that I only appear in a directory around the late 1980s in a list of pre-internet network guys at two sites: DKTC11 (Copenhagen Technical College) and DKSFI11 (Danish National Institute of Social Research) 8)

mattg
Moderator
Posts: 22339
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by mattg » 2023-09-19 03:06

craigbaker wrote:
2023-09-18 17:40
...but last night there was a long list of IP addresses that resolved to various parts of the planet and all had UNCANNY knowledge of my account list.
So, only your actual accounts and no extras?

Do you have an active web interface for managing hMailServer (e.g. the PHPWebAdmin tool)?
How many domains do you host?
How many of those were targeted?

How many actual accounts, of how many you host, were targeted?

Can you share some logs (with the actual accounts tested removed)?

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-19 05:46

mattg wrote:
2023-09-19 03:06
So, only your actual accounts and no extras?

Lots of extras too, but those are mixed in with the ones of concern.


Do you have an active web interface for managing hMailServer (e.g. the PHPWebAdmin tool)?

Only via RDP firewalled to my IP.

How many domains do you host?

About 75 on a SAN certificate. They are all aliases of each other.

How many of those were targeted?

Unknown. I saw a list last night as a snapshot with many different IP addresses. They were testing mailbox/domain combinations.

How many actual accounts, of how many you host, were targeted?

Unknown.


Can you share some logs (with the actual accounts tested removed)?

Here is one from Brazil. Lightly obfuscated.

"TCPIP" 9708 "2023-09-17 18:12:44.936" "TCP - 45.179.149.42 connected to 192.168.200.10:25."
"SMTPD" 9708 211 "2023-09-17 18:12:44.945" "45.179.149.42" "SENT: 220 xxxxxxxxxxxxxxxxxxx. AUTHORIZED USERS ONLY."
"SMTPD" 9624 211 "2023-09-17 18:12:46.869" "45.179.149.42" "RECEIVED: EHLO [45.179.149.42]"
"SMTPD" 9624 211 "2023-09-17 18:12:46.878" "45.179.149.42" "SENT: 250-xxxxxxxxxxxxxxxxxxxxxxxx[nl]250-SIZE 35000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 5440 211 "2023-09-17 18:12:48.287" "45.179.149.42" "RECEIVED: AUTH LOGIN"
"SMTPD" 5440 211 "2023-09-17 18:12:48.295" "45.179.149.42" "SENT: 334 VXNlcmhbWU6"
"SMTPD" 9708 211 "2023-09-17 18:12:49.520" "45.179.149.42" "RECEIVED: c3RY3k="
"SMTPD" 9708 211 "2023-09-17 18:12:49.528" "45.179.149.42" "SENT: 334 UGFcdvcmQ6"
"SMTPD" 5440 211 "2023-09-17 18:12:51.051" "45.179.149.42" "RECEIVED: ***"
"SMTPD" 5440 211 "2023-09-17 18:12:51.064" "45.179.149.42" "SENT: 535 Authentication failed. Too many invalid logon attempts."



mattg
Moderator
Posts: 22339
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by mattg » 2023-09-19 10:18

This line makes me think that you have a default domain set:
craigbaker wrote:
2023-09-19 05:46
"SMTPD" 9708 211 "2023-09-17 18:12:49.520" "45.179.149.42" "RECEIVED: c3RY3k="
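The inference mattg draws above (a bare base64 username in the AUTH LOGIN exchange means the client is relying on a default domain) can be checked across a whole log rather than one line. The following Python script is an added example, not code from this thread or from hMailServer: it parses SMTPD log lines in the layout quoted in the thread, follows each session's AUTH LOGIN dialogue, decodes only the username token (never the password), and reports per client IP how many attempts used a bare name versus a name with an @domain. The log lines it runs on are constructed samples using documentation IP addresses, and the column layout and state machine are assumptions based on the lines quoted above.

```python
import base64
import binascii
import re
from collections import defaultdict

# Assumed hMailServer SMTPD log layout, taken from the lines quoted in the thread:
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<message>"
SMTPD_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"[^"]+"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$'
)


def decode_auth_token(token):
    """Decode one base64 AUTH LOGIN token; return None if it is not clean base64 UTF-8."""
    token = token.strip()
    token += "=" * (-len(token) % 4)  # tolerate missing padding
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def classify_username(name):
    """'with_domain' if the login carried an @domain, else 'bare' (relies on the default domain)."""
    return "with_domain" if "@" in name else "bare"


def analyse_auth_login(lines):
    """Follow each session's AUTH LOGIN dialogue and summarise, per client IP,
    which form of login name was tried. Passwords are never decoded or stored."""
    state = {}  # session id -> position in the AUTH LOGIN dialogue
    summary = defaultdict(lambda: {"attempts": 0, "failures": 0, "bare": 0,
                                   "with_domain": 0, "undecodable": 0, "names": set()})

    def record(ip, token):
        entry = summary[ip]
        entry["attempts"] += 1
        name = decode_auth_token(token)
        if name is None:
            entry["undecodable"] += 1
        else:
            entry[classify_username(name)] += 1
            entry["names"].add(name)

    for raw in lines:
        m = SMTPD_RE.match(raw.strip())
        if not m:
            continue  # TCPIP lines and anything else are ignored
        session, ip, msg = m.group("session", "ip", "msg")
        if msg.startswith("RECEIVED: AUTH LOGIN"):
            initial = msg[len("RECEIVED: AUTH LOGIN"):].strip()
            if initial:  # client sent the username as an initial response
                record(ip, initial)
                state[session] = "await_password_prompt"
            else:
                state[session] = "await_username_prompt"
        elif msg.startswith("SENT: 334"):
            if state.get(session) == "await_username_prompt":
                state[session] = "await_username"
            elif state.get(session) == "await_password_prompt":
                state[session] = "await_password"
        elif msg.startswith("RECEIVED: "):
            if state.get(session) == "await_username":
                record(ip, msg[len("RECEIVED: "):])
                state[session] = "await_password_prompt"
            elif state.get(session) == "await_password":
                state[session] = "done"  # password token deliberately not inspected
        elif msg.startswith("SENT: 535"):
            summary[ip]["failures"] += 1
            state.pop(session, None)

    # Freeze the name sets so the result is plain, sortable data
    return {ip: {**v, "names": sorted(v["names"])} for ip, v in summary.items()}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample log (not real traffic): two sessions from one IP, one from another
SAMPLE_LOG = [
    '"TCPIP" 9708 "2023-09-17 18:12:44.936" "TCP - 203.0.113.5 connected to 192.0.2.10:25."',
    '"SMTPD" 9708 301 "2023-09-17 18:12:48.287" "203.0.113.5" "RECEIVED: AUTH LOGIN"',
    '"SMTPD" 9708 301 "2023-09-17 18:12:48.295" "203.0.113.5" "SENT: 334 VXNlcm5hbWU6"',
    f'"SMTPD" 9624 301 "2023-09-17 18:12:49.520" "203.0.113.5" "RECEIVED: {_b64("user1")}"',
    '"SMTPD" 9624 301 "2023-09-17 18:12:49.528" "203.0.113.5" "SENT: 334 UGFzc3dvcmQ6"',
    '"SMTPD" 5440 301 "2023-09-17 18:12:51.051" "203.0.113.5" "RECEIVED: ***"',
    '"SMTPD" 5440 301 "2023-09-17 18:12:51.064" "203.0.113.5" "SENT: 535 Authentication failed."',
    f'"SMTPD" 9708 302 "2023-09-17 18:13:01.000" "203.0.113.5" "RECEIVED: AUTH LOGIN {_b64("user1@example.com")}"',
    '"SMTPD" 9708 302 "2023-09-17 18:13:01.010" "203.0.113.5" "SENT: 334 UGFzc3dvcmQ6"',
    '"SMTPD" 9708 302 "2023-09-17 18:13:02.000" "203.0.113.5" "RECEIVED: ***"',
    '"SMTPD" 9708 302 "2023-09-17 18:13:02.010" "203.0.113.5" "SENT: 535 Authentication failed."',
    '"SMTPD" 1111 303 "2023-09-17 18:14:00.000" "198.51.100.7" "RECEIVED: AUTH LOGIN"',
    '"SMTPD" 1111 303 "2023-09-17 18:14:00.010" "198.51.100.7" "SENT: 334 VXNlcm5hbWU6"',
    '"SMTPD" 1111 303 "2023-09-17 18:14:01.000" "198.51.100.7" "RECEIVED: @@@@"',
]

if __name__ == "__main__":
    for ip, stats in analyse_auth_login(SAMPLE_LOG).items():
        print(ip, stats)
```

A high share of bare names from many IPs is the signal mattg is describing: the clients are letting the default domain fill in the rest. Running this over the real hMailServer SMTPD log (with the account list in hand) also answers the later question of how many hosted accounts were actually targeted versus how many guesses were plain noise.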

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-19 16:45

mattg wrote:
2023-09-19 10:18
This line makes me think that you have a default domain set:
craigbaker wrote:
2023-09-19 05:46
"SMTPD" 9708 211 "2023-09-17 18:12:49.520" "45.179.149.42" "RECEIVED: c3RY3k="
I do have a default domain, but they are also trying other domains on the SAN certificate in combination with account names (unique_account_name_or_alias@alias_domains).

mattg
Moderator
Posts: 22339
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by mattg » 2023-09-20 05:50

Default domain will always get you more spam

The domains can be sourced from the SAN certificate

Is there a reason that you have a default domain?

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-20 17:12

mattg wrote:
2023-09-20 05:50
Default domain will always get you more spam

The domains can be sourced from the SAN certificate

Is there a reason that you have a default domain?
My concern isn't so much spam as it is that Chinese hackers seem to know what comes "before" the @domain in the list of domains/accounts and domains/aliases, some of which are pretty unique. As far as I can tell, this information is only seen in the hMailServer admin interface and in the dbo.hm_accounts and dbo.hmail_aliases DB tables. I don't allow internet access to SQL Server, and reserve RDP access to one IP address, but it sure seems like they can see the contents of these tables somehow.

The passwords are all relatively strong and aren't going to be guessed before auto-ban kicks in.

I am not clear on where the default domain is. I do have a single domain set up under domains/general, and then the alias domains under domains/general/names.

I do not have a catch all address set up, so any "guesses" or typos are rejected.

mattg
Moderator
Posts: 22339
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by mattg » 2023-09-21 07:26

craigbaker wrote:
2023-09-20 17:12
I am not clear on where the default domain is. I do have a single domain set up under domains/general, and then the alias domains under domains/general/names.
GUI >> Settings >> Advanced


Another thought: in your Windows firewall, are you allowing hMailServer the program, or the ports used by hMailServer, through the firewall?

And an obvious question: have you run an intense virus scan on your hMailServer computer?

SorenR
Senior user
Posts: 6007
Joined: 2006-08-21 15:38
Location: Denmark

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by SorenR » 2023-09-21 14:26

mattg wrote:
2023-09-21 07:26
craigbaker wrote:
2023-09-20 17:12
I am not clear on where the default domain is. I do have a single domain set up under domains/general, and then the alias domains under domains/general/names.
GUI >> Settings >> Advanced


Another thought: in your Windows firewall, are you allowing hMailServer the program, or the ports used by hMailServer, through the firewall?

And an obvious question: have you run an intense virus scan on your hMailServer computer?
Which firewall? I allow the program "hmailserver.exe" in Defender Firewall but only a limited subset of ports in my router firewall.

I did try to allow the service "hMailServer" in Defender Firewall, but it never worked properly. On my development machine I have two instances of hMailServer, the installed one and the compiled one; only one will be referenced in the service as per compiler directive or installer script.

Defender Firewall behind router firewall = safe from the Internet.
Defender Firewall alone = potentially UN-safe from the LAN!

Before Microsoft made security "mandatory" I would run my LAN with no firewalls (they only cause problems) and a Cisco ASA firewall behind my router.

Now I run two Internet connections on one LAN with two routers. Cisco gear with IoT licenses (50-user license for a family of 4) went through the roof, so now my 10-user ASA support manuals sit in my bookcase ;-)

craigbaker
New user
Posts: 15
Joined: 2018-10-07 20:39

Re: HACKERS SEEM TO KNOW MY ACCOUNT NAMES

Post by craigbaker » 2023-09-21 17:25

mattg wrote:
2023-09-21 07:26
craigbaker wrote:
2023-09-20 17:12
I am not clear on where the default domain is. I do have a single domain set up under domains/general, and then the alias domains under domains/general/names.
GUI >> Settings >> Advanced


Another thought: in your Windows firewall, are you allowing hMailServer the program, or the ports used by hMailServer, through the firewall?

And an obvious question: have you run an intense virus scan on your hMailServer computer?
Thanks. No default domain. They're all interchangeable with each other anyway. The firewall IS open to mail ports; it's an external firewall at the ISP. I'm running Windows Security Essentials AND Malwarebytes.