Page 1 of 2 (results 1 to 10 of 11)

Thread: Help with compromised accounts

  1. #1 Userx (New Member, joined Jul 2008)

    Help with compromised accounts

    I cannot think I am the only one experiencing this problem and hope to find some suggestions to help mitigate it.

    Earlier in December a SPAM email was delivered to large groups of people in our domain. The SPAM had a simple statement that 'we' were doing webmail maintenance and to click here. The click here took them to a site hosted on a free service that displayed a webmail login page that looked almost exactly the same as ours. Side by side only a few slight differences existed. As users entered their login and password they were taken to a "thank you" page. At that point a remote person has access to multiple webmail accounts.

    The person with this information now has access to an unknown number of accounts. They are using these accounts periodically to send mass SPAM messages to other domains.

    We identify the problem when our Deferred Mail queue starts getting overloaded. I quickly see the account in question is sending SPAM.

    Here is my problem. I am fighting this reactively after the account is used. We have set up a few jobs to search for changed Signature lines and forwarding addresses. Once the hacker changes the signature line of an account we are notified and lock the account.
    We have requested all students change their password, but it is hard to get the message out to 10,000 people via email they do not all use regularly. We are aging out our passwords so they expire and are forced to change next week.

    My real question is how to avoid this to begin with. Our spam filters (two systems) do not filter out all the spam. The crap that gets through sometimes is very destructive, like my problem above. What tools or processes can we implement to catch this problem in the future? Anybody with external webmail access has to deal with this. Anybody can give their access to webmail away.

    Thanks for any feedback,
    J

  2. #2 LMStone (Moderator, joined Sep 2006, Portland, ME)

    Quote Originally Posted by Userx

    My real question is how to avoid this to begin with.

    Thanks for any feedback,
    J
    This isn't a Zimbra question so much as a user-education issue regarding phishing techniques in general, or did I miss something?

    I personally don't believe you can stop all users from making these kinds of mistakes. So, aside from end-user education (and reinforcement), I'd just be sure I was using an outbound smart host to filter my outbound Zimbra mail, and have it let me know when my Zimbra system (and which account) starts sending spam. That you are being notified by an increasingly large deferred queue means you have an opportunity to catch trouble perhaps a day or more earlier than you are now IMHO.

    Hope that helps,
    Mark
    Last edited by LMStone; 01-27-2009 at 10:09 AM.

  3. #3 mtorres (Trained Alumni, joined May 2008, Sierra Vista, AZ)

    That's a tough one. I have never had this certain problem, but when we start having phishing problems or malware problems for that matter I really tighten up the content filter. If I haven't unblocked the website and the content filter doesn't have it in its definitions as OK, it gets blocked. You have to do a lot of unblocking, but IMO it is better than having to fix a lot of these kinds of problems. I also tighten up the firewall to block a lot of foreign IPs. Another thing that I implemented was Snort, and it notifies me if someone visits anyone on the Spamhaus DROP list or any of the RBN IPs. I would bet money you can easily create a Snort signature that would alert you if a website your user is visiting has similar content to your webmail login website and is not your webmail server.

  4. #4 kirme3 (Trained Alumni, joined Apr 2006, Illinois)

    What two spam filters are you using? (If you don't mind.)

  5. #5 hillman (Moderator, joined May 2007, Vancouver, Canada)

    Luckily we have yet to be bitten by a phisher setting up a clone of our centralized login page, but I'm sure it's just a matter of time.

    On our old Webmail system, it had access to the user's password (because it used POP to grab their mail) and so I was able to scan users' outbound mail *before* it was sent to make sure no password was present. It logged any attempt to send a password and we usually got several hits per week.

    Now that our students are on Zimbra, that particular checker is gone and the number of compromised accounts has shot up (several each week).

    So I'm currently working on an outbound rate-limiting Milter (Sendmail/Postfix plugin) that will prevent anyone from sending to more than 1000 recipients per day. By skipping single-recipient messages and local recipients, I expect to be able to really minimize the false-positives. Any attempt to exceed the limit will silently quarantine the message and notify me. This won't prevent the account from getting compromised, but at least it'll minimize the collateral damage.

    (one of our mailservers is still blocked from Hotmail right now because of a compromised account a couple of weeks ago)
    Steve Hillman
    IT Architect
    Simon Fraser University
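The outbound recipient cap described in the post above, as an added example that is not SFU's milter: only the policy decision is modelled (count external recipients per sender per day, skip single-recipient mail and local recipients, quarantine rather than reject once the cap is exceeded). The domain `example.edu`, the sender names and the traffic in `run_demo()` are constructed for the demonstration; a real milter would receive the sender and recipient list from the MTA at end-of-message instead.

```python
"""Outbound recipient rate limit (added example, not SFU's milter)."""
from collections import defaultdict

LOCAL_DOMAINS = {"example.edu"}  # assumption: our own domain(s); local recipients are never counted
DAILY_LIMIT = 1000               # external recipients per sender per day, the figure in the post


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class RecipientRateLimiter:
    def __init__(self, limit=DAILY_LIMIT, local_domains=LOCAL_DOMAINS):
        self.limit = limit
        self.local_domains = {d.lower() for d in local_domains}
        self.counts = defaultdict(int)  # (sender, day) -> external recipients accepted so far
        self.quarantined = []           # (day, sender, external recipient count) for the admin report

    def external(self, recipients):
        return [r for r in recipients if domain_of(r) not in self.local_domains]

    def decide(self, day, sender, recipients):
        """Return 'accept' or 'quarantine' for one outbound message.

        Single-recipient messages and local recipients are skipped, as in the post,
        so ordinary correspondence never moves the counter. A message that would push
        the sender past the cap is quarantined and not counted, so the sender's later
        legitimate mail is judged on its own size rather than blocked by one burst.
        """
        sender = sender.lower()
        if len(recipients) <= 1:
            return "accept"
        ext = self.external(recipients)
        if not ext:
            return "accept"
        key = (sender, day)
        if self.counts[key] + len(ext) > self.limit:
            self.quarantined.append((day, sender, len(ext)))
            return "quarantine"
        self.counts[key] += len(ext)
        return "accept"


def run_demo():
    """Constructed traffic: a compromised account blasting 25 external recipients per
    message, a staff member mailing a 30-person internal list, and one ordinary
    single-recipient message from the compromised account."""
    rl = RecipientRateLimiter()
    day = "2009-01-27"
    results = defaultdict(int)
    # 60 spam runs of 25 external recipients = 1500 recipients; only 1000 fit under the cap
    spam_rcpts = ["victim%d@otherdomain.example" % i for i in range(25)]
    for _ in range(60):
        results[("spammer", rl.decide(day, "pwned@example.edu", spam_rcpts))] += 1
    # Legitimate internal announcement: many recipients, all local, never counted
    staff_rcpts = ["staff%d@example.edu" % i for i in range(30)]
    results[("staff", rl.decide(day, "dean@example.edu", staff_rcpts))] += 1
    # One external recipient at a time is also never counted
    results[("oneoff", rl.decide(day, "pwned@example.edu", ["friend@otherdomain.example"]))] += 1
    return dict(results), rl


if __name__ == "__main__":
    outcome, limiter = run_demo()
    print(outcome)
    print("quarantined messages:", len(limiter.quarantined))
```

In the demo the compromised account gets 40 messages through (exactly 1000 recipients) and the remaining 20 are quarantined, while the internal list and the one-off message are untouched. Two points for anyone building the real thing: key the counter on the SASL-authenticated username the MTA reports, not the envelope From, since a phisher can put any address in MAIL FROM; and keep the quarantine notification, because the whole value of the approach is that the admin learns which account to lock.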

  6. #6 su_A_ve (Advanced Member, joined Dec 2006)

    We get phishing scams approx. once a week and of course, usually on weekends. This is a brief rundown on how we deal with it:

    * Notices on the front webmail page that we never ask for a password
    * Routine email announcements reminding users we never ask for a password
    * As soon as we get details of a possible phishing scam, we get the reply-to address (always different from the sender address)
    * We add it to a list of blacklist recipients (we have a small patch for amavis to add a high score to a recipient address)
    * We then search the logs for users that replied to the email
    * Then we look in their Sent folders for the reply and verify they indeed sent the information
    * If the password was sent out, we lock the accounts and change their passwords
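The log-search step in the procedure above (find the users who replied to the phisher's Reply-To address), as an added example that is not su_A_ve's own tooling. Postfix logs one message across several lines tied together by the queue ID: the smtpd line carries the authenticated user (`sasl_username=`), the qmgr line the envelope sender (`from=<...>`), and one smtp line per recipient (`to=<...>`). The script correlates them and reports the accounts that sent to a phisher address. The log lines, hostnames, addresses and the phisher address are all constructed for the demonstration.

```python
"""Correlate Postfix log lines to find accounts that wrote to a phisher (added example)."""
import re
from collections import defaultdict

# assumption: Reply-To address harvested from the phishing message
PHISHER_REPLYTO = {"webmail.update@freemail.example"}

# Constructed sample log in Postfix syslog format
SAMPLE_LOG = """\
Jan 24 08:01:10 mta postfix/smtpd[2101]: 7F3A1B2C3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.edu
Jan 24 08:01:10 mta postfix/qmgr[1002]: 7F3A1B2C3D: from=<alice@example.edu>, size=1830, nrcpt=1 (queue active)
Jan 24 08:01:11 mta postfix/smtp[2140]: 7F3A1B2C3D: to=<webmail.update@freemail.example>, relay=mx.freemail.example[203.0.113.9]:25, delay=1.2, status=sent (250 OK)
Jan 24 08:05:42 mta postfix/smtpd[2103]: 8A4B2C3D4E: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.edu
Jan 24 08:05:42 mta postfix/qmgr[1002]: 8A4B2C3D4E: from=<bob@example.edu>, size=900, nrcpt=1 (queue active)
Jan 24 08:05:43 mta postfix/smtp[2141]: 8A4B2C3D4E: to=<colleague@partner.example>, relay=mx.partner.example[203.0.113.20]:25, delay=0.8, status=sent (250 OK)
Jan 24 08:09:03 mta postfix/smtpd[2104]: 9B5C3D4E5F: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=carol@example.edu
Jan 24 08:09:03 mta postfix/qmgr[1002]: 9B5C3D4E5F: from=<Carol.Smith@example.edu>, size=2100, nrcpt=2 (queue active)
Jan 24 08:09:04 mta postfix/smtp[2142]: 9B5C3D4E5F: to=<Webmail.Update@freemail.example>, relay=mx.freemail.example[203.0.113.9]:25, delay=1.0, status=sent (250 OK)
Jan 24 08:09:04 mta postfix/smtp[2142]: 9B5C3D4E5F: to=<friend@otherdomain.example>, relay=mx.otherdomain.example[203.0.113.30]:25, delay=1.1, status=sent (250 OK)
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
SASL = re.compile(r"sasl_username=(\S+)")
FROM = re.compile(r"from=<([^>]*)>")
TO = re.compile(r"to=<([^>]*)>")


def correlate(log_text):
    """Return {queue_id: {'ts', 'user', 'from', 'to': [...]}} from raw Postfix lines."""
    msgs = defaultdict(lambda: {"ts": None, "user": None, "from": None, "to": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect and other lines without a queue ID
        rec = msgs[m.group("qid")]
        rec["ts"] = rec["ts"] or m.group("ts")
        rest = m.group("rest")
        if m.group("prog") == "smtpd":
            s = SASL.search(rest)
            if s:
                rec["user"] = s.group(1).lower()
        elif m.group("prog") == "qmgr":
            f = FROM.search(rest)
            if f:
                rec["from"] = f.group(1).lower()
        elif m.group("prog") in ("smtp", "lmtp", "local", "virtual"):
            t = TO.search(rest)
            if t:
                rec["to"].append(t.group(1).lower())
    return dict(msgs)


def users_who_replied(log_text, phisher_addrs=PHISHER_REPLYTO):
    """Map each account that sent to a phisher address to its queue IDs.

    The SASL username is preferred over the envelope sender because a webmail
    session authenticates, while MAIL FROM is whatever the client claims.
    Matching is case-insensitive: missing a victim costs more than one extra
    look at a Sent folder.
    """
    bad = {a.lower() for a in phisher_addrs}
    hits = {}
    for qid, rec in correlate(log_text).items():
        if any(r in bad for r in rec["to"]):
            who = rec["user"] or rec["from"]
            hits.setdefault(who, []).append(qid)
    return hits


if __name__ == "__main__":
    for user, qids in sorted(users_who_replied(SAMPLE_LOG).items()):
        print(user, "->", ", ".join(qids))
```

On the sample, alice and carol are reported and bob is not; the queue IDs are what you then take to the users' Sent folders to confirm whether a password actually went out, as the procedure above describes.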

  7. #7 phoenix (Zimbra Consultant & Moderator, joined Sep 2005, Vannes, France)

    Quote Originally Posted by su_A_ve
    We get phishing scams approx. once a week and of course, usually on weekends. This is a brief rundown on how we deal with it:

    * Notices on the front webmail page that we never ask for a password
    * Routine email announcements reminding users we never ask for a password
    * As soon as we get details of a possible phishing scam, we get the reply-to address (always different than the sender address)
    * We add it to a list of blacklist recipients (we have a small patch for amavis to add a high score to a recipient address)
    * We then search the logs for users that replied to the email
    * Then we look in their Sent folders for the reply and verify they indeed sent the information
    * If the password was sent out, we lock the accounts and change their passwords
    Just for my own interest, if you don't mind. How many users actually fall for it (out of what userbase) and how much time do you spend rectifying the problem?
    Regards,
    Bill

  8. #8 su_A_ve (Advanced Member, joined Dec 2006)

    Currently we have about 11,000 mailboxes (students, faculty, staff). Usually we catch this within an hour or so, as one of the admins will either get a copy or get one forwarded. On average about 5 people would respond with their info. It's been as low as ZERO, and as high as 20.

    The problem we have now is that many are still replying with "thoughts for the phisher's mother"

  9. #9 shideg (Intermediate Member, joined Oct 2006)

    Beyond user education, we've done the following:

    * Put various phishers' sender addresses in the blacklist on our FortiMail anti-spam appliance

    * Disabled Mail Identities in every Class of Service

    * Disabled New mail notification in every Class of Service

    * I wrote a perl script that we run every 10 (lately every 5) minutes that searches Zimbra's LDAP server for Reply-To addresses that aren't in our domain. It also checks forwarding addresses for anything not in a list of known legitimate forwards. If either condition is met, the account is immediately put in a Locked state and administrators are notified.

    Unfortunately, some accounts are also being used without such modifications to them. Those we have to catch and lock manually.

    What I'd like to have is a simple way to black-list recipient addresses. The poster "su_A_ve" mentioned something about a patch to amavis to add a high score to a recipient address. Can someone explain to me how that might be accomplished? I don't know anything about amavis.

    I'm also trying to play around with smtpd_recipient_restrictions and check_client_access in postfix's main.cf file, but that whole mechanism seems quite convoluted to me.

    Thanks.

    —Steve
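The Reply-To and forwarding check from the post above, as an added example rather than shideg's script. Zimbra keeps these preferences in LDAP as `zimbraPrefReplyToAddress` (the user's Reply-To), `zimbraPrefMailForwardingAddress` (user-set forwarding, a comma-separated string) and `zimbraMailForwardingAddress` (admin-set forwarding, multi-valued); an account is locked by setting `zimbraAccountStatus` to `locked`. The account records below are constructed in place of a real LDAP search, and the domain `example.edu`, the account names and the approved-forwards list are assumptions. The script only prints the `zmprov` commands it would run.

```python
"""Flag and lock accounts whose Reply-To or forwarding was changed (added example)."""
from email.utils import parseaddr

OUR_DOMAINS = {"example.edu"}  # assumption: our own mail domain(s)
# assumption: forwards an admin has reviewed, keyed by account
APPROVED_FORWARDS = {
    "alice@example.edu": {"alice.home@isp.example"},
}

# Constructed sample of what an LDAP search over account entries returns.
# Attribute names are the real Zimbra ones; the values are made up.
ACCOUNTS = [
    {"mail": "alice@example.edu", "zimbraAccountStatus": "active",
     "zimbraPrefMailForwardingAddress": "alice.home@isp.example"},
    {"mail": "bob@example.edu", "zimbraAccountStatus": "active",
     "zimbraPrefReplyToAddress": "Webmail Support <webmail.update@freemail.example>"},
    {"mail": "carol@example.edu", "zimbraAccountStatus": "active",
     "zimbraPrefMailForwardingAddress": "carol@example.edu, drop@freemail.example"},
    {"mail": "dave@example.edu", "zimbraAccountStatus": "locked",
     "zimbraPrefReplyToAddress": "dave.phish@freemail.example"},
    {"mail": "erin@example.edu", "zimbraAccountStatus": "active",
     "zimbraPrefReplyToAddress": "erin.smith@mail.example.edu"},
]


def is_ours(addr):
    """True if addr belongs to one of our domains or a subdomain of one.

    parseaddr strips a display name, so 'Name <user@host>' is handled, and the
    suffix test stops 'x@example.edu.evil.example' from passing as local.
    """
    addr = parseaddr(addr)[1].lower()
    if "@" not in addr:
        return False
    dom = addr.rsplit("@", 1)[1]
    return any(dom == d or dom.endswith("." + d) for d in OUR_DOMAINS)


def forwards(account):
    """All forwarding targets on an account, from the user and the admin attribute."""
    out = []
    pref = account.get("zimbraPrefMailForwardingAddress", "")
    out += [a.strip() for a in pref.split(",") if a.strip()]
    admin = account.get("zimbraMailForwardingAddress", [])
    out += admin if isinstance(admin, list) else [admin]
    return [parseaddr(a)[1].lower() for a in out]


def reasons_to_lock(account):
    """Findings for one account; an empty list means it looks untouched."""
    findings = []
    reply_to = account.get("zimbraPrefReplyToAddress", "")
    if reply_to and not is_ours(reply_to):
        findings.append("reply-to outside our domain: " + parseaddr(reply_to)[1])
    approved = APPROVED_FORWARDS.get(account["mail"].lower(), set())
    for fwd in forwards(account):
        if not is_ours(fwd) and fwd not in approved:
            findings.append("unapproved forward: " + fwd)
    return findings


def lock_commands(accounts=ACCOUNTS):
    """(zmprov command, findings) for each active account that trips a check."""
    cmds = []
    for acct in accounts:
        if acct.get("zimbraAccountStatus") != "active":
            continue  # already locked or closed; nothing to do and nothing to re-alert on
        findings = reasons_to_lock(acct)
        if findings:
            cmds.append(("zmprov ma %s zimbraAccountStatus locked" % acct["mail"], findings))
    return cmds


if __name__ == "__main__":
    for cmd, why in lock_commands():
        print(cmd, "  #", "; ".join(why))
```

On the sample, bob (external Reply-To) and carol (a forward to a free-mail address that is not on the approved list) are locked, alice's approved forward and erin's Reply-To at a subdomain of our own are left alone, and dave is skipped because he is already locked. To run it for real, replace `ACCOUNTS` with the result of an `ldapsearch` against the Zimbra LDAP server or of `zmprov` account queries, and pipe the commands to a shell only after you trust the approved-forwards list. As the post notes, an account the phisher uses without touching these attributes will not be caught this way.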

  10. #10 su_A_ve (Advanced Member, joined Dec 2006)

    This is how we blacklist outbound emails. This came from Mark Martinec, author of amavisd-new.

    The following goes in /opt/zimbra/conf/amavis.conf.in just before the @decoders section - This is based on 4.5.x, however should be the same for newer amavisd-new versions.

    The format for the recip_scores_sitewide file would be

    reply-to-email@domain.net +100

    This will add 100 SA points to an outbound email message, hence triggering amavis evasive actions and discarding the message.

    Code:
    # Add the following in amavis.conf.in just before the @decoders section,
    # i.e. right after the "end of site-wide tables" line.
    
    ### Read a hash of recipient addresses and scores from a file whose lines
    ### look like "recipient@domain.net +100". @score_sender_maps is a
    ### by-recipient lookup table whose values are lists of sender tables;
    ### the entry { '.' => $score } matches any sender, so the score is added
    ### to every message addressed to that recipient.
    { my($hr) = read_hash("/etc/zimbra/recip_scores_sitewide");
      my($outer) = {};
      while (my($recip,$score) = each %$hr) { $outer->{$recip} = [ { '.' => $score } ]; }
      push(@score_sender_maps, $outer);
    }

