account hacked and used to send spam
Question asked by Lenny Estrin - February 4, 2016 at 8:03 AM
Answered
We have Smartermail 12.3 installed which we use to host several domains. Last few days one account was hacked and used to send unsolicited e-mail (spam) through our server. Unfortunately this is not the first time this happened. Does Smartermail offer solution to this problem? Like blocking outbound mail if particular account sends more emails than allowed in amount of time? Please advise.
 
Regards,
Drazen

6 Replies

Reply to Thread
0
Andrea Rogers Replied
Employee Post Marked As Answer
Hi Drazen,
 
SmarterMail has many features that are meant to provide security for your mail server. The one it sounds like you're looking for would be throttling. This is a feature available in the Enterprise edition, where you can set a limit on the number of outbound emails per hour and either block or delay those messages going out. Learn more at our KB article, Set Up Throttling for Domains.
 
You may also benefit from reviewing a couple of blog posts regarding locking down your server:
 
 
Other SmarterMail admins may be offer some of their own feedback (and I hope they do!), but that should give you a good start. Hope it helps!

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
Andrea Rogers Replied
Employee Post
On second thought, I also want to note that you can throttle email per user as well: http://portal.smartertools.com/kb/a2770/set-up-throttling-for-users.aspx

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
Lenny Estrin Replied
Thank you for your reply.
I would like to have more details on setting up system events.
For example notification when domain is throttled.
Also, how to be notified when number of outgoing mails in spool has increased above threshold?
 
Regards,
Drazen
0
Bruce Barnes Replied
Larry;
 
SmarterMail does have these solutions built in, but there are a couple of caveats:
  1. You will need the Enterprise edition of SmarterMail to take advantage of throttling, it's not available in the Professional edition.
     
    SmarterMail Enterprise Edition - Domain Defaults - THROTTLING
    SmarterMail Enterprise Edition - Domain Defaults - THROTTLING
    The screen above shows the THROTTLING settings in the DOMAIN DEFAULTS screen of SmarterMail Enterprise edition.

    Throttling will allow you to set maximum traffic for:
     
    • Outgoing Messages
    • Bandwidth
    • Bounces
      • Note that bounces should, for all practical purposes, be disabled. 
      • If you leave bounces disabled and are spammed, you will run the risk of being blacklisted for BACKSCATTER
         
  2. SmarterMail also allows you to setup INTERNAL SPAMMER notifications in the ABUSE DETECTION settings tab under the SECURITY area:

    NOTE: You must be logged in as the SMARTERMAIL ADMIN to access this area.
     
    Internal Spammer Notification Settings
    Internal Spammer Notification Settings

    Here are the available settings (from the SmarterMail online HELP files)

    Internal Spammer - Enabling this rule in SmarterMail will block or quarantine an account from sending mail, as well as alert an administrator, whenever multiple emails from a single sender are received on the server during a specified time frame:
     
    • Action - Choose whether to send a notification email only, block messages from the sender or quarantine messages from the sender.
    • Time Frame - The period of time in the past that is examined to determine if the rule triggers. Too many emails from a single sender in this period of time, and the email notification is sent and the Action chosen is performed.
    • Messages Before Notify - After this many messages are received within the time period specified, the email notification is sent and the Action chosen is performed.
    • Time to Block - The number of minutes that a block will be placed once an IP address hits the threshold.
    • Email to Notify - The email address of the administrator account to which the notification will be sent.
    • Description - A friendly name or brief description of the rule.
       
  3. SmarterMail also allows you to setup BOUNCES INDICATE SPAMMER notifications in the ABUSE DETECTION settings tab under the SECURITY area:

    NOTE: You must be logged in as the SMARTERMAIL ADMIN to access this area.
     
    Bounces Indicate Spammer Notification Settings
    Bounces Indicate Spammer Notification Settings

    Here are the available settings (from the SmarterMail online HELP files)

    Bounces Indicate Spammer - Enabling this rule in SmarterMail will block or quarantine an account from sending out mail, as well as alert an administrator, after receiving a certain number of bounce messages in the specified time frame.
     
    • Action - Choose whether to send a notification email only, block messages from the sender or quarantine messages from the sender.
    • Time Frame - The period of time in the past that is examined to determine if the rule triggers. Too many emails from a single sender in this period of time, and the email notification is sent and the Action chosen is performed.
    • Bounce Threshold - After this many bounce messages are received within the time period specified, the email notification is sent and the Action chosen is performed.
    • Time to Block - The number of minutes that a block will be placed once an IP address hits the threshold.
    • Email to Notify - The email address of the administrator account to which the notification will be sent.
    • Description - A friendly name or brief description of the rule.

       
  4. While you didn't say how they hacked the compromised account, SmarterMail has a very powerful tool in the abuse detection section which prevents PASSWORD BRUTE FORCE attacks
     
    PASSWORD BRUTE FORCE ATTACK settings
    PASSWORD BRUTE FORCE ATTACK settings

    Between enforcing secure passwords, and monitoring, and blocking on, password brute force attacks, you can prevent a lot of damage by blocking attacks on user's passwords.

    Here's a screenshot of all of my ABUSE DETECTION settings (SmarterMail 14.5 / 15.0).  This is also included in my ANTISPAM SETTINGS document.
     
    SmarterMail 14.5 / 15.0 BETA Abuse Detection Settings for ChicagoNetTech
    SmarterMail 14.5 / 15.0 BETA Abuse Detection Settings for ChicagoNetTech
  5. The best way to prevent problems is to make certain your SmarterMail server is properly locked down:
     
    • Setup PASSWORD BRUTE FORCE checks (shown immediately above)
    • Require SECURE passwords:
       
      • Make them at least 12 characters long
      • Require a mixture of UPPERcase and lowercase letters, numbers, and special characters
         
    • Require SMTP authentication from everything that goes through your SmarterMail server.  This means enforcing SMTP authentication on:
       
      • Webforms
      • Shopping carts
      • Contact forms
      • Sales confirmation invoices and orders
      • any other automatically generated form or e-mail which does not originate on a client or smart device
         
    • Make certain you are running under IIS and not using the SmarterMail web server.  It was designed only to setup SmarterMail and cannot provide SSL/TLS security on web connections.
       
    • If you don't already have one, get an SSL certificate, of at least 2,048 bit SHA256 bit, encryption.  If you shop around you can find both WILDCARD and WILDCARD ENTERPRISE versions of those certificates for about $60.00 per year:
       
      • Go for the five (5) year cert and get it over with - it takes too long to install and configure to do that work annually, and, if you're like the rest of us, you're way to busy to deal with an annual certificate re-issue and reinstall.
      • Make certain you have the certificate issuer's secondary certificates up-to-date and installed properly
      • Make certain you have properly exported the certificate and bound it to your SmarterMail PORT configurations, per the SmarterMail SSL/TLS instructions
      • Make certain your server's registry has been properly patched to DISABLE SSL and ENABLE TLS - it is not automatically done by Microsoft.
         
    • NEVER whitelist any IP address, domain, or e-mail address - for any reason
       
    • NEVER SMTP BYPASS any IP address
       
    • Do not allow domains to be setup without SMTP authentication.  Make certain they are properly setup and the REQUIRE SMTP AUTHENTICATION box is checked in the EDIT screen for every domain you host:
       
      Make Certain the REQUIRE SMTP AUTHENTICATION box is checked in the DOMAIN EDIT Box for Every Hosted Domain
      Make Certain the REQUIRE SMTP AUTHENTICATION box is checked
      (in the DOMAIN EDIT Box) for Every Hosted Domain


      You can also set DOMAIN SPECIFIC throttling settings in the Domain Edit box:
       
      Setting Domain Specific Throttling in Domain Edit Throttling Tab
      Setting Domain Specific Throttling in Domain Edit Throttling Tab
       
      • Setup good antispam settings. 
      • A lot of spam can be blocked before it ever gets delivered
      • See the most recent version of my antispam document at: SmarterMail Antispam Settings Document   The document article will always contain a link to the most recent version and is currently in the process of being updated for SmarterMail 15.X
         
    • Enforce GREYLISTING.  With the proper settings, it only blocks ONCE, for about 2 minutes, and will save your butt:
       
      Institute, and ENFORCE, Greylisting
      Institute, and ENFORCE, Greylisting
  6. If you have upgrade protection, you should also consider upgrading to SmarterMail 14.5, as it provides significant improvements to both processing and overall security.
 
Good luck.  If this is over your head, you can either open a ticket with SmarterTools, and ask them to consult on your security, or contact someone from these forums to assist you.
 
- Bruce
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Andrea Rogers Replied
Employee Post
Hi Drazen,
 
Please check out the KB, Create an Event to Notify of Domain/User Throttle. To be notified when your spool has reached a certain threshold, follow these steps: 
  1. Log in as System Admin and click on Settings Icon.
  2. Expand the Events folder and click Events
  3. Click New and name your event. For the Event Category, choose System. For the Event Type, choose Spool Count
  4. Checkmark the Spool Count field and enter your threshold. I'd recommend using Greater Than (rather than Equals) so you're always notified when the spool is above your threshold. 
  5. On the Actions tab, click Add Action. Choose your notification type in the Action menu.
  6. Click Save twice - once to save the action and again to save the event. 
Alternatively, or in conjunction with, you can also use an external monitoring program, such as PRTG Network Monitor, to monitor the spool folder on your server and track the folder count. 
 
I hope this helps!

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
raj Replied
 
I too faced the same issue on same day similar pattern
 
we have a smartermail enterprise 12.5 installed and one of the account on one domain was hacked and its password was set as user name itself.
 
Luckily I had the throttling enabled 100 mails per hour and the client complained that all mails are bouncing 
 
Still I didn't get any idea how the password got changed in the administration log I couldn't find any such information.
 
Does smartermail provide a log for the password change, ip, user and related information other than one which can be created using events?
 
Also the threshold notification I received was also surprising 
 
"The sender fidelity2015 (at) yandex.com has exceeded the auto spam notification threshold of 25 messages in 5 minutes"
 
It was not on the real user name which was hacked
 
I doubt there is some security hole which need to be patched...
 
kindly advise

Reply to Thread