Educause Security Discussion mailing list archives
Re: SMTP attacks, anyone ?
From: "Tonkin, Derek K" <Derek_Tonkin () BAYLOR EDU>
Date: Wed, 10 Oct 2012 22:38:39 +0000
I'm sure you've already checked this but did the user re-use the password on another site that was compromised (LinkedIn perhaps)?

Derek Tonkin

Andrew Daviel <advax () TRIUMF CA> wrote:

> In the last few months on two occasions we've had a user's email credentials compromised and used to send spam via SMTP. We have a Postfix mail relay where users can authenticate via SASL to send mail from offsite, and this was what was used.
>
> There was no obvious trace of a dictionary attack; it seems the attackers knew a password somehow and then proceeded to use it from a couple of hundred different client addresses around the world (which themselves appear to be SMTP servers, rather than home PCs).
>
> Both the users in question deny "risky network behaviour" and are fairly clueful - would not fall for phishing, do not frequent cybercafes etc. Their passwords (now changed of course) were robust enough not to fall to a few hours of "John the Ripper" so I doubt they were trivially guessed.
>
> I wondered if anyone else had seen this kind of abuse. Right now it's not a serious problem, but of course if we've got unexplained compromises I want to understand. I'll probably write some kind of filter to flag/block excessive offsite logins, or impossibly short travel times like the credit card companies do.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> Network Security Manager
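The filter Andrew mentions at the end of the quoted message (flagging excessive offsite logins and impossibly short travel times) can be prototyped directly against the postfix/smtpd lines that record a successful SASL authentication. The following is an added example, not code from this thread or from Postfix: the log lines and the IP-to-coordinate table are constructed, the one-hour window, the two-client limit and the 1000 km/h speed ceiling are assumed thresholds, and the year is supplied because syslog timestamps omit it.

```python
"""Flag suspicious SASL logins on a Postfix relay.

Two detections: (1) one user authenticating from more than N distinct client
IPs inside a time window, and (2) "impossible travel", i.e. consecutive logins
by one user whose implied speed exceeds what an airliner could manage.
Added example; the log lines and the GeoIP stand-in below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed postfix/smtpd lines of the form written on a successful SASL login.
SAMPLE_LOG = """\
Oct 10 08:00:01 relay postfix/smtpd[2101]: 3A1B2C: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Oct 10 08:03:12 relay postfix/smtpd[2102]: 3A1B2D: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice
Oct 10 08:05:40 relay postfix/smtpd[2103]: 3A1B2E: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
Oct 10 08:07:02 relay postfix/smtpd[2104]: 3A1B2F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Oct 10 09:30:00 relay postfix/smtpd[2105]: 3A1B30: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
"""

# Constructed IP -> (latitude, longitude) table standing in for a real GeoIP lookup.
GEO = {
    "198.51.100.7": (49.28, -123.12),  # Vancouver
    "203.0.113.9": (50.11, 8.68),      # Frankfurt
    "192.0.2.44": (1.35, 103.82),      # Singapore
}

SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[\s]+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text, year=2012):
    """Return chronologically sorted (timestamp, user, ip) tuples for SASL logins."""
    logins = []
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue  # not a SASL login line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m["user"], m["ip"]))
    return sorted(logins)


def distinct_client_alerts(logins, window=timedelta(hours=1), max_clients=2):
    """Map user -> peak number of distinct client IPs seen inside any window,
    for users whose peak exceeds max_clients (assumed threshold)."""
    by_user = defaultdict(list)
    for ts, user, ip in logins:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            peak = max(peak, len(ips))
        if peak > max_clients:
            alerts[user] = peak
    return alerts


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel_alerts(logins, geo=GEO, max_speed_kmh=1000.0):
    """Consecutive logins by one user whose implied speed exceeds max_speed_kmh.
    Same-IP repeats and IPs without a location are skipped; a zero time gap
    between two different locations is treated as infinite speed."""
    last = {}
    alerts = []
    for ts, user, ip in logins:
        prev = last.get(user)
        last[user] = (ts, ip)
        if prev is None or prev[1] == ip or ip not in geo or prev[1] not in geo:
            continue
        km = haversine_km(geo[prev[1]], geo[ip])
        hours = (ts - prev[0]).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append({"user": user, "from": prev[1], "to": ip,
                           "km": round(km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    events = parse_sasl_logins(SAMPLE_LOG)
    print("excessive distinct clients:", distinct_client_alerts(events))
    for a in impossible_travel_alerts(events):
        print(f"impossible travel: {a['user']} {a['from']} -> {a['to']} "
              f"{a['km']} km at {a['kmh']} km/h")
```

On the constructed input, alice trips both detections (three client addresses in six minutes, and Vancouver to Frankfurt to Singapore at speeds far above 1000 km/h) while bob, who reconnects from the same address, trips neither. In production the GEO table would be a real GeoIP database and the thresholds would be tuned against the site's legitimate roaming users before anything is blocked rather than merely flagged.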
Current thread:
- SMTP attacks, anyone ? Andrew Daviel (Oct 10)
- Re: SMTP attacks, anyone ? Tonkin, Derek K (Oct 10)
- Re: SMTP attacks, anyone ? Steven Alexander (Oct 10)
- Re: SMTP attacks, anyone ? Mike Iglesias (Oct 10)
- Re: SMTP attacks, anyone ? Valdis Kletnieks (Oct 11)