Educause Security Discussion mailing list archives
Re: New e-mail attack using valid webmail accounts
From: "Bruggeman, John" <jbruggeman () HUC EDU>
Date: Fri, 7 Mar 2008 15:26:41 -0500
Did you find out what account was compromised or who was sending the spam? What I'm wondering is if the attack was random or if someone targeted your site? Thank you for sharing how you monitor your queues; I was wondering that myself.

Best,
John

===================================================
John Bruggeman
Director of Information Systems
Hebrew Union College - Jewish Institute of Religion
Cincinnati * New York * Los Angeles * Jerusalem
jbruggeman () huc edu
http://www.huc.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Wednesday, March 05, 2008 9:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] New e-mail attack using valid webmail accounts

I wanted to make everyone aware of a new technique used by spammers. I am sure we are not the first nor the last organization that this will happen to. This affected our OWA 2003 (Outlook Web Access) system. The attacker gains access to a compromised account by one of any means (phishing, compromised external database, brute force, etc.). The attacker then uses a set of scripts to call webmail scripts to send mail. The attack mimics the same actions a user would perform when sending an e-mail message through the webmail system. The end result is the reputation on your MTA and domain destroyed in an instant, and the inability of you to send mail to thousands of businesses that implement real time black lists and other lists such as SenderBase. It's amazing how many messages they can get out of a highly robust, well trusted e-mail system sitting behind a couple of decent Internet pipes. Luckily we monitor our queues and were paged when this attack took place. We quickly responded by investigating, disabling the account, and then purging our queues of messages sent from that specific account.

We were only blacklisted by one smaller blacklist and a couple of ISPs, which were easily resolved using web submission forms found on their sites. Unfortunately our SBRS (SenderBase Reputation Score) was reduced and we were given a poor reputation. Fixing this proved difficult and had to involve senior management, as their support team was unfortunately slow at responding. On their behalf, I truly believe they think our incident was a typical attack and wrote us off as being another careless educational institution. I am posting a message below that I sent to their technical support department so you can see what I explained to their support department after they finally manually adjusted our SBRS. I don't feel like retyping it all here.

I would highly recommend monitoring your mail queues to page your administrators after they reach size limits beyond what you typically see during busy periods.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: Jenkins, Matthew
Sent: Wednesday, March 05, 2008 8:33 PM
To: 'support () senderbase org'
Subject: RE: SenderBase reputation score for Fairmont State University

Thank you for your assistance. I understand the recovery process as I did some research on SenderBase before contacting you all. I must say you all have a very intelligent system. I was truly amazed by how it was able to reclassify our mail servers so quickly. My only suggestion would be dropping the SBRS more quickly for long standing, good, reputable hosts. It seems that, after the spam attack originating from our mail servers ceased, the calculations for the SBRS should have factored in that we had a long good reputation of sending mail and dropped the score more quickly.

Our issue could not have been prevented without two measures that are typically not taken due to the cost of implementing them. First, we could have had spam protection on all outbound e-mail. Second, we could implement some type of mail throttling on internal accounts to only allow a certain number of messages to be sent per hour from each of our e-mail accounts.

In our case, a valid internal account was compromised. We believe the attacker gained the credentials by compromising a site the user had used the same password on, as the user's password was not dictionary based. The attacker, coming from a host in the Netherlands, then scripted a routine to cause our webmail system (Outlook Web Access from Microsoft Exchange 2003 Enterprise) to send the messages using our internal mail system. Because the sender's address cannot be changed in our webmail system, the attacker would have had to use the compromised account to check for replies. As I suspected, I was able to find log entries indicating the attacker came from yet another host in the Netherlands and was checking for incoming mail in the compromised account.

It was by far one of the best e-mail attacks I have seen while working here at Fairmont State University. Our mail system is extremely robust, and we prioritize webmail traffic, so the speed of the attack was probably only limited by the bandwidth on the host in the Netherlands and how fast the attacker's script ran. I estimate that we had well over 20,000 spam messages go out within the timeframe of a couple of hours. We do not allow SMTP, POP3, or IMAP access (not even using SSL) from inside or outside of campus because of security concerns (internal employees use Outlook and internal students use webmail). We have internal virus scanning, logging, monitoring, and all sorts of other measures in place to prevent attacks against our e-mail system. This attack was caught after our monitoring system caught the mail queues increasing rapidly in size, and our administrators were all paged. Unfortunately the e-mails were generated so quickly that the damage was already done. This definitely was not a typical e-mail attack.

I suspect more reputable organizations will begin to see attacks of this type since the attacker now has a set of scripts. Because of our good reputation prior to this attack, the attacker would have had a much higher success rate sending their messages.

Thanks again for your assistance,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: IronPort Customer Support Ticketing System [mailto:support () senderbase org]
Sent: Wednesday, March 05, 2008 5:17 PM
To: Jenkins, Matthew
Subject: SenderBase reputation score for Fairmont State University

Matthew,

As IP 0.0.0.0 was still in the recovery phase, we have gone ahead and made a short term adjustment to bring it to Neutral so that your business critical email concerns are alleviated. The adjustment will be removed as the reputation for the IP improves of its own accord. Please understand that it generally takes 1 to 2 weeks for the reputation of an IP to fully improve. The most recent reports of spam from the IP were from February 26, 2008; 8 days ago.

Please understand that ISPs and educational domains are highly targeted by hackers and trojan programs for the purpose of sending spam. Given that Senderbase is an automated system, we normally let the system generate the recovery of an IP on its own. But we have, as I stated above, made this exception to alleviate your business critical needs. We recommend making sure that your network is virus and trojan free and that all port 25 access is secured.

Regards,
Senderbase Support.
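The two controls Matt describes, per-account outbound throttling and paging on abnormal queue depth, sketched as an added example that is not from the thread or from any product named in it; the log line format, account names, client IPs and the 150-recipients-per-hour limit are constructed assumptions, since real OWA or Exchange tracking logs differ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a webmail send log, one line per submitted message:
# "<ISO timestamp> <account> <client_ip> <recipient_count>" (not a real format)
SAMPLE_LOG = """\
2008-03-05T19:55:02 alice 203.0.113.5 1
2008-03-05T20:00:10 jdoe 198.51.100.7 50
2008-03-05T20:00:14 jdoe 198.51.100.7 50
2008-03-05T20:00:19 jdoe 198.51.100.7 50
2008-03-05T20:00:25 bob 203.0.113.9 2
2008-03-05T20:00:31 jdoe 198.51.100.7 50
2008-03-05T21:05:00 jdoe 198.51.100.7 1
"""

WINDOW = timedelta(hours=1)
RECIPIENTS_PER_HOUR = 150  # assumed per-account limit; tune to your own baseline

def parse_log(text):
    """Yield (timestamp, account, client_ip, recipients), skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, n = line.split()
        yield datetime.fromisoformat(ts), account, ip, int(n)

def find_bursting_accounts(text, limit=RECIPIENTS_PER_HOUR, window=WINDOW):
    """Return {account: (first_alert_time, recipients_in_window, client_ips)} for
    every account whose recipients in any sliding one-hour window exceed limit.
    Log lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # account -> deque of (timestamp, recipients)
    totals = defaultdict(int)     # account -> recipients inside the current window
    ips = defaultdict(set)        # account -> client IPs seen, useful for triage
    alerts = {}
    for ts, account, ip, n in parse_log(text):
        q = recent[account]
        q.append((ts, n))
        totals[account] += n
        ips[account].add(ip)
        while q and ts - q[0][0] > window:      # expire events older than the window
            totals[account] -= q.popleft()[1]
        if totals[account] > limit and account not in alerts:
            alerts[account] = (ts, totals[account], set(ips[account]))
    return alerts

def queue_depth_alerts(samples, busy_baseline, factor=3.0):
    """Return the queue-depth samples that should page an administrator: anything
    beyond factor x the largest depth seen during normal busy periods."""
    return [depth for depth in samples if depth > busy_baseline * factor]
```

Run against the constructed log, only jdoe trips the limit (200 recipients inside one hour from a single client IP), which is the account an on-call admin would disable and purge from the queues.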