Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Tue, 5 Feb 2008 00:35:53 +0100
Dear Vicky (Hope this is correct),

Thanks for your input, please see comments inline :)
- Are your employees allowed to check email through Outlook Web Interface integrated by MS Exchange Server? If Yes, then there is a problem.
The server is not directly reachable from the outside, we don't use OWI
- Do you have Trust-Relationship with either employee who could be able to do such things? (Internal Threat)
Noted
- 0day exploits will not be easily available to anybody until and unless you have connections with those people who work 24/7 over this.
They only have to be available to the attacker, I guess ;) Depends on who you have against you, the level we protect ourselves against is industrial espionage. Let's say we are an interesting target.
- This might be caused by some third-party application exploit present on your outgoing/incoming open network (internet - untrusted zone) gateway.
Noted, checks ongoing actually :)
- Deploy/develop custom signatures (customize the Firewall/IDS rules for incoming email to check for any specific patterns) for similar spam emails to stop them from entering your mail server.
The data that went out were not your typical e-mails unfortunately :(
While in consideration of the above statements, there are many other dimensions to look at before approaching the results of the investigation directly. Good Luck!
Thanks :)