Back to Community Threads
2
SMTP Authentication without password?
Question asked by Information Technology - 7/13/2018 at 7:48 AM
Unanswered
We recently had 2 accounts compromised on our server. Each account was from a different client.
 
We received IDS notification that one of the users had received too many bounces in a given time. While researching that account we discovered another account dropping hundreds of emails in the spool.
 
Upon further review we discovered their accounts were being used by foreign actors to send spam. The only connection they were making to the server was an authenticated SMTP connection.
 
We disabled the users accounts, dropped the connections, changed their passwords, then enabled their accounts. Immediately we saw foreign actors authenticating as these users. But how, we just changed their password.
 
So we went through the process again using the server this time just to eliminate the possibility of a middle man in the SSL stream. Sure enough, we changed the users passwords and as soon as they account were enabled we see foreign actors authenticating.
 
Can anyone here explain how this is possible. When the accounts are disabled we see authentication failures and as soon as the account is enabled, even after changing the passwords and not using them anywhere, the attackers are able to authenticate.
 
Is it possible the attackers discovered a universal hash or anything like that? All of our communications are protected with SSL. We haven't deprecated TLS 1.0 yet but we do have our system restricted to secure ciphers. Our server is not an open relay, the attackers are authenticating with the server.
 
This must be an advanced operation because we are importing ip ranges in to windows firewall to block entire countries. As these ranges are imported we immediately see the attackers moving the attack to other countries almost instantly.
 
All help and input is appreciated.
 
 

4 Replies

Reply to Thread
0
Just look at these attempts.

[2018.07.13] 09:45:24 [221.163.32.101][56762334] rsp: 535 Authentication failed
[2018.07.13] 09:45:28 [189.153.131.205][35337891] rsp: 535 Authentication failed
[2018.07.13] 09:45:36 [109.190.37.172][3374720] rsp: 535 Authentication failed
[2018.07.13] 09:45:46 [190.182.88.54][57671034] rsp: 535 Authentication failed
[2018.07.13] 09:45:49 [59.180.220.116][44812029] rsp: 535 Authentication failed
[2018.07.13] 09:45:59 [80.20.45.242][29601510] rsp: 535 Authentication failed
[2018.07.13] 09:46:04 [91.224.6.137][16485641] rsp: 535 Authentication failed
[2018.07.13] 09:46:08 [201.171.112.155][42240375] rsp: 535 Authentication failed
[2018.07.13] 09:46:20 [41.182.179.113][60576716] rsp: 535 Authentication failed
[2018.07.13] 09:46:45 [221.163.32.101][59695241] rsp: 535 Authentication failed
[2018.07.13] 09:46:53 [203.110.85.178][21837354] rsp: 535 Authentication failed
[2018.07.13] 09:47:03 [103.18.10.74][21999352] rsp: 535 Authentication failed
[2018.07.13] 09:47:04 [189.165.194.27][63623869] rsp: 535 Authentication failed
[2018.07.13] 09:47:05 [197.233.97.150][59229857] rsp: 535 Authentication failed
[2018.07.13] 09:47:09 [189.165.194.27][45276090] rsp: 535 Authentication failed
[2018.07.13] 09:47:24 [187.189.168.54][60606599] rsp: 535 Authentication failed
[2018.07.13] 09:47:29 [189.194.128.55][64645454] rsp: 535 Authentication failed
[2018.07.13] 09:48:22 [221.163.32.101][30709411] rsp: 535 Authentication failed
[2018.07.13] 09:48:25 [151.127.26.193][1754869] rsp: 535 Authentication failed
[2018.07.13] 09:48:33 [189.217.8.111][20472631] rsp: 535 Authentication failed
[2018.07.13] 09:48:49 [202.142.177.90][14358224] rsp: 535 Authentication failed
[2018.07.13] 09:49:06 [27.97.147.189][9578299] rsp: 535 Authentication failed
0
Linda Pagillo Replied
7/13/2018 at 12:55 PM
I have seen this happen before as well. What I do is change the password, disable the account and restart the SM service. That has kicked them off for me every time. Also, you mentioned compromised accounts. My company, Mail's Best Friend, offers a free program called Declude. It comes with a component called Hijack which prevents mass amounts of spam from leaving your server in the case of a compromised account. When it stops the mail from going out, it alerts you via email so you can log into your server and see who's account is compromised. If you would like to give it a try, you can download it at the following link: http://mailsbestfriend.com/downloads/ Please let me know if you have any questions. Thanks!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Thank you Linda for your response. I am definitely going to check in to that. Declude sounds familiar from a while back.
0
Linda Pagillo Replied
7/13/2018 at 1:51 PM
My pleasure! Yes, Declude has been around for many years. The company went out of business several years back, but we purchased the Declude software and give it away free of charge to anyone who wants to use it.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Setting Up Two-Step Authentication (2FA, MFA, etc.)SmarterMail > Desktop and Mobile Synchronization
Windows Mail and SmarterMailSmarterMail > Desktop and Mobile Synchronization
Configure POP for iPhone, iPad or iPod TouchSmarterMail > Desktop and Mobile Synchronization
Configure SmarterMail as a Free Gateway ServerSmarterMail > Server Configuration and Management
Configure Outlook 2007 IMAP or POP AccountSmarterMail > Desktop and Mobile Synchronization