Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 6 Mar 2008 06:38:07 -0600

A good cautionary tale, containing what seems like sound advice.  This is not the first I've heard of increasing 
amounts of spam pressure via non-SMTP injection methods.  The problem isn't limited to academic sites, but has been 
noted in commercial webmail systems such as Yahoo and gMail.  And not only to send spam, but to propagate malware.

Monitoring such as described below is just plain a good idea.

    -jml


John Ladwig - 
Minnesota State Colleges and Universities 
ITS
Wells Fargo Place 
30 7th St. E., Suite 350
St. Paul, MN  55101-7804

Email: John.Ladwig () csu mnscu edu
Voice: +1.651.201.1458
Fax: +1.651.917.4731
IM: xmpp:ladwigjo () jabber its mnscu edu

"Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU> 03/05/08 8:08 PM >>>
I wanted to make everyone aware of a new technique used by spammers.  I am sure we are not the first nor the last 
organization that this will happen to.  This affected our OWA 2003 (Outlook Web Access) system.  The attacker gains 
access to a compromised account by one of any means (phishing, compromised external database, brute force, etc.).  The 
attacker then uses a set of scripts to call webmail scripts to send mail.  The attack mimics the same actions a user 
would perform when sending an e-mail message through the webmail system.  The end result is the reputation on your MTA 
and domain destroyed in an instant, and the inability of you to send mail to thousands of businesses that implement 
real time black lists and other lists such as SenderBase.  It's amazing how many messages they can get out of a highly 
robust, well trusted e-mail system sitting behind a couple of decent Internet pipes.

Luckily we monitor our queues and were paged when this attack took place.  We quickly responded by investigating, 
disabling the account, and then purging our queues from messages sent from that specific account.  We were only 
blacklisted by one smaller blacklist and a couple ISPs, which were easily resolved using web submission forms found on 
their site.  Unfortunately our SBRS (SenderBase Reputation Score) was reduced and we were given a poor reputation.  
Fixing this proved difficult and had to involve senior management, as their support team was unfortunately slow at 
responding.  On their behalf, I truly believe they think our incident was a typical attack and wrote us off as being 
another careless educational institution.

I am posting a message below that I sent to their technical support department so you can see what I explained to their 
support department after they finally manually adjusted our SBRS.  I don't feel like retyping it all here.

I would highly recommend monitoring your mail queues to page your administrators after they reach size limits beyond 
what you typically see during busy periods.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: Jenkins, Matthew 
Sent: Wednesday, March 05, 2008 8:33 PM
To: 'support () senderbase org'
Subject: RE: SenderBase reputation score for Fairmont State University

Thank you for your assistance.  I understand the recovery process as I did some research on SenderBase before 
contacting you all.  I must say you all have a very intelligent system.  I was truly amazed by how it was able to 
reclassify our mail servers so quickly.  My only suggestion would be dropping the SBRS more quickly for long standing 
good reputable hosts.  It seems that, after the spam attack originating from our mail servers ceased, the calculations 
for the SBRS should have factored in that we had a long good reputation of sending mail and dropped the score more 
quickly.

Our issue could not have been prevented without two measures that are typically not taken due to the cost of 
implementing them.   First, we could have had spam protection on all outbound e-mail.  Second, we could implement some 
type of mail throttling on inbound accounts to only allow a certain number of messages to be sent per hour from each of 
our e-mail accounts.

In our case, a valid internal account was compromised.  We believe the attacker gained the credentials by compromising 
a site the user had used the same password on, as the user's password was not dictionary based.  The attacker, coming 
from a host in the Netherlands, then scripted a routine to cause our webmail system (Outlook Web Access from Microsoft 
Exchange 2003 Enterprise) to send the messages using our internal mail system.  Because the sender's address cannot be 
changed in our webmail system, the attacker would have had to use the compromised account to check for replies.  As I 
suspected, I was able to find log entries indicating the attacker came from yet another host in the Netherlands and was 
checking for incoming mail in the compromised account.  It was by far one of the best e-mail attacks I have seen while 
working here at Fairmont State University.  Our mail system is extremely robust, and we prioritize webmail traffic, so 
the speed of the attack was probably only limited by the bandwidth on the host in the Netherlands and how fast the 
attacker's script ran.  I estimate that we had well over 20,000 spam messages go out within the timeframe of a couple 
hours.

We do not allow SMTP, POP3, or IMAP access (not even using SSL) from inside or outside of campus because of security 
concerns (internal employees use Outlook and internal students use webmail).  We have internal virus scanning, logging, 
monitoring, and all sorts of other measures in place to prevent attacks against our e-mail system.  This attack was 
caught after our monitoring system caught the mail queues increasing rapidly in size, and our administrators were all 
paged.  Unfortunately the e-mails were generated so quickly that the damage was already done.  This definitely was not 
a typical e-mail attack.  I suspect more reputable organizations will begin to see attacks of this type since the 
attacker now has a set of scripts.  Because of our good reputation prior to this attack, the attacker would have had a 
much higher success rate sending their messages.

Thanks again for your assistance,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: IronPort Customer Support Ticketing System [mailto:support () senderbase org] 
Sent: Wednesday, March 05, 2008 5:17 PM
To: Jenkins, Matthew
Subject: SenderBase reputation score for Fairmont State University

Matthew,

As IP 0.0.0.0 was still in the recovery phase, we have gone ahead
and made a short term adjustment to bring it to Neutral so that your
business critical email concerns are alleviated.  The adjustment will be
removed as the reputation for the IP improves of its own accord.
Please understand that it generally takes 1 to 2 weeks for the
reputation of an IP to fully improve.  The most recent reports of spam
from the IP were from February 26, 2008; 8 days ago. 
Please understand that ISPs and educational domains are highly targeted
by hackers and trojan programs for the purpose of sending spam.  Given
that Senderbase is an automated system, we normally let the system
generate the recovery of an IP on its own.  But we have, as I stated
above, made this exception to alleviate your business critical needs.

We recommend making sure that your network is virus and trojan free and
that all port 25 access is secured.

Regards,
Senderbase Support.
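The two controls the thread keeps coming back to are queue-size paging (what actually caught this incident) and a per-account outbound send limit (the throttling Matt says would have prevented it). The script below is an added illustration of both, written for this archive page and not part of any of the quoted messages or of Exchange/OWA; it assumes a hypothetical webmail submission log with one line per accepted message (`<timestamp> <account> <client_ip> rcpts=<n>`) and a series of queue-depth samples, both constructed here so the code runs offline. The per-account check uses a sliding one-hour window over recipient counts, which is the same quantity a throttling policy would cap; the queue check fires on an absolute multiple of the busiest normal level or on a growth rate, so a burst is seen before the queue is already huge.

```python
"""Detect a webmail-driven outbound spam burst from send logs and queue samples.

Added example for the Educause thread above; not code from the thread or from
Exchange/OWA. Log format, thresholds and sample values are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<iso_timestamp> <account> <client_ip> rcpts=<n>".
# "bob" is the compromised account: five 25-recipient messages in seconds,
# then another one 41 minutes later, all from one external client address.
SAMPLE_LOG = """\
2008-03-05T19:58:01 alice 10.1.2.3 rcpts=1
2008-03-05T19:58:40 bob 192.0.2.10 rcpts=25
2008-03-05T19:58:41 bob 192.0.2.10 rcpts=25
2008-03-05T19:58:42 bob 192.0.2.10 rcpts=25
2008-03-05T19:58:43 bob 192.0.2.10 rcpts=25
2008-03-05T19:58:44 bob 192.0.2.10 rcpts=25
2008-03-05T19:59:10 carol 10.1.2.9 rcpts=2
2008-03-05T20:40:00 bob 192.0.2.10 rcpts=25
"""

# Constructed queue-depth samples (iso_timestamp, messages in outbound queue).
QUEUE_SAMPLES = [
    ("2008-03-05T19:50", 120),
    ("2008-03-05T19:55", 140),
    ("2008-03-05T20:00", 1100),
    ("2008-03-05T20:05", 4200),
]


def parse_line(line):
    """Split one constructed log line into (timestamp, account, client_ip, rcpts)."""
    ts, account, ip, rcpts = line.split()
    return datetime.fromisoformat(ts), account, ip, int(rcpts.split("=", 1)[1])


def recipients_per_window(lines, window=timedelta(hours=1)):
    """Return {account: peak recipients addressed in any sliding window}.

    This is the quantity an outbound throttling rule would cap per account
    per hour, computed after the fact from the log.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # account -> deque of (timestamp, rcpts)
    running = defaultdict(int)    # account -> recipients inside the window
    peak = defaultdict(int)
    for ts, account, _ip, rcpts in events:
        q = recent[account]
        q.append((ts, rcpts))
        running[account] += rcpts
        while q and ts - q[0][0] > window:      # expire events that fell out
            _old_ts, old_rcpts = q.popleft()
            running[account] -= old_rcpts
        peak[account] = max(peak[account], running[account])
    return dict(peak)


def flag_accounts(lines, limit=100, window=timedelta(hours=1)):
    """Accounts whose peak windowed recipient count exceeds the per-hour limit."""
    return sorted(a for a, n in recipients_per_window(lines, window).items() if n > limit)


def client_ips(lines, account):
    """Distinct client addresses that submitted mail for one account (for the
    follow-up check the thread describes: who else is logging in as this user)."""
    return {ip for _ts, acct, ip, _r in map(parse_line, filter(str.strip, lines))
            if acct == account}


def queue_alerts(samples, busy_baseline, factor=3.0, growth_per_min=50.0):
    """Return [(timestamp, [reasons])] for samples that should page an admin.

    A sample fires when queue depth exceeds factor x the busiest level seen in
    normal operation, or when the queue grows faster than growth_per_min.
    """
    alerts, prev = [], None
    for ts_str, depth in samples:
        ts = datetime.fromisoformat(ts_str)
        reasons = []
        if depth > busy_baseline * factor:
            reasons.append(f"depth {depth} > {factor:g}x busy baseline {busy_baseline}")
        if prev is not None:
            minutes = (ts - prev[0]).total_seconds() / 60
            rate = (depth - prev[1]) / minutes if minutes > 0 else 0.0
            if rate > growth_per_min:
                reasons.append(f"queue growing at {rate:.0f} msgs/min")
        if reasons:
            alerts.append((ts_str, reasons))
        prev = (ts, depth)
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for acct in flag_accounts(lines):
        print(f"over limit: {acct} peak={recipients_per_window(lines)[acct]} "
              f"clients={sorted(client_ips(lines, acct))}")
    for ts, reasons in queue_alerts(QUEUE_SAMPLES, busy_baseline=300):
        print(f"PAGE {ts}: " + "; ".join(reasons))
```

Tune `limit` to the real per-account volume of your own busiest legitimate senders (mailing-list owners, registrars) and `busy_baseline` to the queue depth seen at term start or grade release, otherwise the page either never fires or fires on every bulk mailing; the growth-rate rule is the one that would have caught the burst in the thread within its first few minutes.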