Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: "Bruggeman, John" <jbruggeman () HUC EDU>
Date: Fri, 7 Mar 2008 15:26:41 -0500

Did you find out what account was compromised or who was sending the
spam?  What I'm wondering is if the attack was random or if someone
targeted your site?

Thank you for sharing how you monitor your queues, I was wondering that
myself.

Best,
John

===================================================
John Bruggeman     Director of Information Systems
Hebrew Union College - Jewish Institute of Religion
Cincinnati   *  New York  * Los Angeles *  Jerusalem
jbruggeman () huc edu    http://www.huc.edu 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Wednesday, March 05, 2008 9:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] New e-mail attack using valid webmail accounts

I wanted to make everyone aware of a new technique used by spammers.  I
am sure we are not the first nor the last organization that this will
happen to.  This affected our OWA 2003 (Outlook Web Access) system.  The
attacker gains access to a compromised account by one of any means
(phishing, compromised external database, brute force, etc.).  The
attacker then uses a set of scripts to call webmail scripts to send
mail.  The attack mimics the same actions a user would perform when
sending an e-mail message through the webmail system.  The end result is
the reputation of your MTA and domain destroyed in an instant, and your
inability to send mail to thousands of businesses that implement
real time black lists and other lists such as SenderBase.  It's amazing
how many messages they can get out of a highly robust, well trusted e-mail
system sitting behind a couple of decent Internet pipes.

Luckily we monitor our queues and were paged when this attack took
place.  We quickly responded by investigating, disabling the account,
and then purging our queues from messages sent from that specific
account.  We were only blacklisted by one smaller blacklist and a couple
ISPs, which were easily resolved using web submission forms found on
their site.  Unfortunately our SBRS (SenderBase Reputation Score) was
reduced and we were given a poor reputation.  Fixing this proved
difficult and had to involve senior management, as their support team
was unfortunately slow at responding.  On their behalf, I truly believe
they think our incident was a typical attack and wrote us off as being
another careless educational institution.

I am posting a message below that I sent to their technical support
department so you can see what I explained to their support department
after they finally manually adjusted our SBRS.  I don't feel like
retyping it all here.

I would highly recommend monitoring your mail queues to page your
administrators after they reach size limits beyond what you typically
see during busy periods.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
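The queue-size alerting the post above recommends, written out as an added example (not code from the original thread or from Fairmont State): page when the MTA queue exceeds a headroom multiple of the largest depth seen during a normal busy period, or when it is growing faster than a fixed rate even before it crosses that line. The history and sample values, the 1.5x headroom and the 100 messages/minute growth limit are all assumed; a real deployment would feed in the per-minute queue depth from `mailq`, `postqueue -p` or the Exchange queue counters.

```python
"""Mail-queue growth monitor (added example, not from the original thread)."""

# Constructed history: queue depth sampled once per minute across a normal
# busy period. Assumed values, used to derive the "what you typically see" line.
NORMAL_HISTORY = [120, 150, 180, 210, 260, 300, 340, 310, 280, 250, 220, 190]


def baseline_threshold(history, headroom=1.5):
    """Absolute page threshold: the busiest normal sample times a headroom factor."""
    return headroom * max(history)


def growth_rate(samples, window=5):
    """Average messages/minute over the last `window` samples (one per minute)."""
    recent = samples[-window:]
    if len(recent) < 2:
        return 0.0
    return (recent[-1] - recent[0]) / (len(recent) - 1)


def should_page(samples, history=NORMAL_HISTORY, headroom=1.5,
                max_growth_per_min=100):
    """Return (page?, reason) for the latest queue-depth samples.

    Two independent triggers: an absolute depth beyond normal busy-period
    levels, or a sustained growth rate that no human-driven load produces.
    The growth trigger is what catches a scripted webmail sender early,
    while the queue is still below the absolute line.
    """
    current = samples[-1]
    threshold = baseline_threshold(history, headroom)
    if current > threshold:
        return True, f"queue depth {current} exceeds {threshold:.0f}"
    rate = growth_rate(samples)
    if rate > max_growth_per_min:
        return True, f"queue growing at {rate:.0f} msg/min"
    return False, "normal"


if __name__ == "__main__":
    # Constructed samples: a quiet evening, a burst, and an early-stage burst.
    for label, samples in [("quiet", [200, 220, 240, 250, 260]),
                           ("burst", [200, 250, 600, 1400, 2900]),
                           ("early", [100, 210, 320, 430, 505])]:
        print(label, should_page(samples))
```

Tune the growth limit against your own logs: a nightly bulk mailing or a listserv burst will look like rapid growth too, so either whitelist those senders or raise the limit to just above their peak rate.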


-----Original Message-----
From: Jenkins, Matthew
Sent: Wednesday, March 05, 2008 8:33 PM
To: 'support () senderbase org'
Subject: RE: SenderBase reputation score for Fairmont State University

Thank you for your assistance.  I understand the recovery process as I
did some research on SenderBase before contacting you all.  I must say
you all have a very intelligent system.  I was truly amazed by how it
was able to reclassify our mail servers so quickly.  My only suggestion
would be dropping the SBRS more quickly for long standing good reputable
hosts.  It seems that, after the spam attack originating from our mail
servers ceased, the calculations for the SBRS should have factored in
that we had a long good reputation of sending mail and dropped the score
more quickly.

Our issue could not have been prevented without two measures that are
typically not taken due to the cost of implementing them.   First, we
could have had spam protection on all outbound e-mail.  Second, we could
implement some type of mail throttling on inbound accounts to only allow
a certain number of messages to be sent per hour from each of our e-mail
accounts.

In our case, a valid internal account was compromised.  We believe the
attacker gained the credentials by compromising a site the user had used
the same password on, as the user's password was not dictionary based.
The attacker, coming from a host in the Netherlands, then scripted a
routine to cause our webmail system (Outlook Web Access from Microsoft
Exchange 2003 Enterprise) to send the messages using our internal mail
system.  Because the sender's address cannot be changed in our webmail
system, the attacker would have had to use the compromised account to
check for replies.  As I suspected, I was able to find log entries
indicating the attacker came from yet another host in the Netherlands
and was checking for incoming mail in the compromised account.  It was
by far one of the best e-mail attacks I have seen while working here at
Fairmont State University.  Our mail system is extremely robust, and we
prioritize webmail traffic, so the speed of the attack was probably only
limited by the bandwidth on the host in the Netherlands and how fast the
attacker's script ran.  I estimate that we had well over 20,000 spam
messages go out within the timeframe of a couple hours.

We do not allow SMTP, POP3, or IMAP access (not even using SSL) from
inside or outside of campus because of security concerns (internal
employees use Outlook and internal students use webmail).  We have
internal virus scanning, logging, monitoring, and all sorts of other
measures in place to prevent attacks against our e-mail system.  This
attack was caught after our monitoring system caught the mail queues
increasing rapidly in size, and our administrators were all paged.
Unfortunately the e-mails were generated so quickly that the damage was
already done.  This definitely was not a typical e-mail attack.  I
suspect more reputable organizations will begin to see attacks of this
type since the attacker now has a set of scripts.  Because of our good
reputation prior to this attack, the attacker would have had a much
higher success rate sending their messages.

Thanks again for your assistance,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
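The per-account outbound throttle described in the message above (a cap on how much an account may send per hour), as an added example that is not code from the original thread or from the university's mail system. It works as a rolling one-hour window per account, counting recipients rather than messages so that one message to fifty addresses is not cheaper than fifty messages; once an account hits the cap it is flagged for an administrator, and its client IPs are recorded to help the investigation. The log format, the 100-recipients-per-hour cap and the sample lines are all constructed assumptions; Exchange 2003 message-tracking logs look different and would need their own parser.

```python
"""Per-account outbound throttle (added example, not from the original thread)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CAP_PER_HOUR = 100  # assumed policy: recipients per account per rolling hour

# Constructed sample in a simplified "timestamp account client_ip recipients"
# form: a normal user and a compromised account driven by a script.
SAMPLE_LOG = """\
2008-03-05T19:01:10 alice@example.edu 10.1.2.3 1
2008-03-05T19:05:42 alice@example.edu 10.1.2.3 2
2008-03-05T19:10:00 bob@example.edu 203.0.113.7 50
2008-03-05T19:10:01 bob@example.edu 203.0.113.7 50
2008-03-05T19:10:02 bob@example.edu 203.0.113.7 50
2008-03-05T19:10:03 bob@example.edu 203.0.113.7 50
2008-03-05T20:15:00 bob@example.edu 203.0.113.7 1
"""


def parse_log(text):
    """Yield (timestamp, account, client_ip, recipient_count) per line."""
    for line in text.splitlines():
        ts, account, ip, rcpts = line.split()
        yield datetime.fromisoformat(ts), account, ip, int(rcpts)


class OutboundThrottle:
    """Rolling-window recipient cap per sending account."""

    def __init__(self, cap=CAP_PER_HOUR, window=timedelta(hours=1)):
        self.cap = cap
        self.window = window
        self._sent = defaultdict(deque)      # account -> deque of (ts, rcpts)
        self.client_ips = defaultdict(set)   # account -> IPs seen sending
        self.flagged = set()                 # accounts that hit the cap

    def allow(self, ts, account, ip, rcpts):
        """Return True if the send fits under the cap; record it if so."""
        self.client_ips[account].add(ip)
        q = self._sent[account]
        while q and ts - q[0][0] >= self.window:   # expire old sends
            q.popleft()
        used = sum(n for _, n in q)
        if used + rcpts > self.cap:
            self.flagged.add(account)           # leave for an admin to disable
            return False
        q.append((ts, rcpts))
        return True


def apply_throttle(log_text, cap=CAP_PER_HOUR):
    """Replay a log through the throttle; return decisions and flagged accounts."""
    throttle = OutboundThrottle(cap)
    decisions = []
    for ts, account, ip, rcpts in parse_log(log_text):
        ok = throttle.allow(ts, account, ip, rcpts)
        decisions.append((ts.isoformat(), account, rcpts, ok))
    return decisions, sorted(throttle.flagged), dict(throttle.client_ips)


if __name__ == "__main__":
    decisions, flagged, ips = apply_throttle(SAMPLE_LOG)
    for d in decisions:
        print(d)
    print("flagged:", flagged, ips)
```

Blocked sends are not counted toward the window, so a script that keeps retrying stays blocked rather than pushing legitimate mail out; the cap alone does not clean up the account, though, which is why a flagged account should be disabled and its queued mail purged, as the post describes. Note that the rolling window lets the same account send again once an hour has passed, which is the intended behaviour for a legitimate user who simply had a busy hour.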


-----Original Message-----
From: IronPort Customer Support Ticketing System
[mailto:support () senderbase org]
Sent: Wednesday, March 05, 2008 5:17 PM
To: Jenkins, Matthew
Subject: SenderBase reputation score for Fairmont State University

Matthew,

As IP 0.0.0.0 was still in the recovery phase, we have gone ahead and
made a short term adjustment to bring it to Neutral so that your
business critical email concerns are alleviated.  The adjustment will be
removed as the reputation for the IP improves of its own accord.
Please understand that it generally takes 1 to 2 weeks for the
reputation of an IP to fully improve.  The most recent reports of spam
from the IP were from February 26, 2008; 8 days ago. 
Please understand the ISPs and educational domains are highly targeted
by hackers and trojan programs for the purpose of sending spam.  Given
that Senderbase is an automated system, we normally let the system
generate the recovery of an IP on its own.  But we have, as I stated
above, made this exception to alleviate your business critical needs.

We recommend making sure that your network is virus and trojan free and
that all port 25 access is secured.

Regards,
Senderbase Support.
