SMTP Authentication without password?
Question asked by Information Technology - July 13 at 7:48 AM
Unanswered
We recently had 2 accounts compromised on our server. Each account was from a different client.
 
We received IDS notification that one of the users had received too many bounces in a given time. While researching that account we discovered another account dropping hundreds of emails in the spool.
 
Upon further review we discovered their accounts were being used by foreign actors to send spam. The only connection they were making to the server was an authenticated SMTP connection.
 
We disabled the users' accounts, dropped the connections, changed their passwords, then enabled their accounts. Immediately we saw foreign actors authenticating as these users. But how? We just changed their passwords.
 
So we went through the process again, using the server this time, just to eliminate the possibility of a man in the middle in the SSL stream. Sure enough, we changed the users' passwords and as soon as the accounts were enabled we saw foreign actors authenticating.
 
Can anyone here explain how this is possible? When the accounts are disabled we see authentication failures, and as soon as the accounts are enabled, even after changing the passwords and not using them anywhere, the attackers are able to authenticate.
 
Is it possible the attackers discovered a universal hash or anything like that? All of our communications are protected with SSL. We haven't deprecated TLS 1.0 yet but we do have our system restricted to secure ciphers. Our server is not an open relay, the attackers are authenticating with the server.
 
This must be an advanced operation, because we are importing IP ranges into Windows Firewall to block entire countries. As these ranges are imported we immediately see the attackers moving the attack to other countries almost instantly.
 
All help and input is appreciated.
 
 

4 Replies

Information Technology Replied
Just look at these attempts.

[2018.07.13] 09:45:24 [221.163.32.101][56762334] rsp: 535 Authentication failed
[2018.07.13] 09:45:28 [189.153.131.205][35337891] rsp: 535 Authentication failed
[2018.07.13] 09:45:36 [109.190.37.172][3374720] rsp: 535 Authentication failed
[2018.07.13] 09:45:46 [190.182.88.54][57671034] rsp: 535 Authentication failed
[2018.07.13] 09:45:49 [59.180.220.116][44812029] rsp: 535 Authentication failed
[2018.07.13] 09:45:59 [80.20.45.242][29601510] rsp: 535 Authentication failed
[2018.07.13] 09:46:04 [91.224.6.137][16485641] rsp: 535 Authentication failed
[2018.07.13] 09:46:08 [201.171.112.155][42240375] rsp: 535 Authentication failed
[2018.07.13] 09:46:20 [41.182.179.113][60576716] rsp: 535 Authentication failed
[2018.07.13] 09:46:45 [221.163.32.101][59695241] rsp: 535 Authentication failed
[2018.07.13] 09:46:53 [203.110.85.178][21837354] rsp: 535 Authentication failed
[2018.07.13] 09:47:03 [103.18.10.74][21999352] rsp: 535 Authentication failed
[2018.07.13] 09:47:04 [189.165.194.27][63623869] rsp: 535 Authentication failed
[2018.07.13] 09:47:05 [197.233.97.150][59229857] rsp: 535 Authentication failed
[2018.07.13] 09:47:09 [189.165.194.27][45276090] rsp: 535 Authentication failed
[2018.07.13] 09:47:24 [187.189.168.54][60606599] rsp: 535 Authentication failed
[2018.07.13] 09:47:29 [189.194.128.55][64645454] rsp: 535 Authentication failed
[2018.07.13] 09:48:22 [221.163.32.101][30709411] rsp: 535 Authentication failed
[2018.07.13] 09:48:25 [151.127.26.193][1754869] rsp: 535 Authentication failed
[2018.07.13] 09:48:33 [189.217.8.111][20472631] rsp: 535 Authentication failed
[2018.07.13] 09:48:49 [202.142.177.90][14358224] rsp: 535 Authentication failed
[2018.07.13] 09:49:06 [27.97.147.189][9578299] rsp: 535 Authentication failed
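The log lines above show only a response code and a source address per attempt. The following Python script is an added example (not part of the thread and not a SmarterMail tool) that parses exactly those lines and measures how many distinct sources are involved, which addresses repeat, and the peak rate; the log format it expects, the 60-second window and the 75% distinct-source threshold are assumptions chosen for this illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the SMTP log excerpt posted in the thread, copied
# verbatim. Assumed format: "[date] time [ip][session] rsp: code text".
SAMPLE_LOG = """\
[2018.07.13] 09:45:24 [221.163.32.101][56762334] rsp: 535 Authentication failed
[2018.07.13] 09:45:28 [189.153.131.205][35337891] rsp: 535 Authentication failed
[2018.07.13] 09:45:36 [109.190.37.172][3374720] rsp: 535 Authentication failed
[2018.07.13] 09:45:46 [190.182.88.54][57671034] rsp: 535 Authentication failed
[2018.07.13] 09:45:49 [59.180.220.116][44812029] rsp: 535 Authentication failed
[2018.07.13] 09:45:59 [80.20.45.242][29601510] rsp: 535 Authentication failed
[2018.07.13] 09:46:04 [91.224.6.137][16485641] rsp: 535 Authentication failed
[2018.07.13] 09:46:08 [201.171.112.155][42240375] rsp: 535 Authentication failed
[2018.07.13] 09:46:20 [41.182.179.113][60576716] rsp: 535 Authentication failed
[2018.07.13] 09:46:45 [221.163.32.101][59695241] rsp: 535 Authentication failed
[2018.07.13] 09:46:53 [203.110.85.178][21837354] rsp: 535 Authentication failed
[2018.07.13] 09:47:03 [103.18.10.74][21999352] rsp: 535 Authentication failed
[2018.07.13] 09:47:04 [189.165.194.27][63623869] rsp: 535 Authentication failed
[2018.07.13] 09:47:05 [197.233.97.150][59229857] rsp: 535 Authentication failed
[2018.07.13] 09:47:09 [189.165.194.27][45276090] rsp: 535 Authentication failed
[2018.07.13] 09:47:24 [187.189.168.54][60606599] rsp: 535 Authentication failed
[2018.07.13] 09:47:29 [189.194.128.55][64645454] rsp: 535 Authentication failed
[2018.07.13] 09:48:22 [221.163.32.101][30709411] rsp: 535 Authentication failed
[2018.07.13] 09:48:25 [151.127.26.193][1754869] rsp: 535 Authentication failed
[2018.07.13] 09:48:33 [189.217.8.111][20472631] rsp: 535 Authentication failed
[2018.07.13] 09:48:49 [202.142.177.90][14358224] rsp: 535 Authentication failed
[2018.07.13] 09:49:06 [27.97.147.189][9578299] rsp: 535 Authentication failed
"""

LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[0-9.]+)\]\[(?P<session>\d+)\] rsp: (?P<code>\d{3}) (?P<text>.*)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["date"] + " " + m["time"], "%Y.%m.%d %H:%M:%S"),
            "ip": m["ip"],
            "session": m["session"],
            "code": int(m["code"]),
            "text": m["text"],
        })
    return events


def max_in_window(times, window_seconds=60):
    """Largest number of events inside any half-open window [t, t + window)."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        limit = start + timedelta(seconds=window_seconds)
        best = max(best, sum(1 for t in times[i:] if t < limit))
    return best


def summarize(events, window_seconds=60):
    """Summarize the 535 responses: how many sources, how spread out, how fast."""
    fails = [e for e in events if e["code"] == 535]
    by_ip = Counter(e["ip"] for e in fails)
    times = [e["ts"] for e in fails]
    span = int((max(times) - min(times)).total_seconds()) if times else 0
    return {
        "failures": len(fails),
        "distinct_ips": len(by_ip),
        "repeat_ips": {ip: n for ip, n in by_ip.items() if n > 1},
        "span_seconds": span,
        "max_per_window": max_in_window(times, window_seconds),
        # Assumed heuristic: when nearly every attempt comes from a different
        # address, per-IP lockouts and country blocks only catch the few repeaters.
        "distributed": (len(by_ip) >= 0.75 * len(fails)) if fails else False,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the posted excerpt, the summary reports 22 failures from 19 distinct addresses in 222 seconds, with only two addresses repeating and at most 9 attempts in any one minute. That is the signature of a source-rotating operation: a per-IP failure counter or a country block never accumulates enough hits on any single source to matter, which matches what the poster saw when importing country ranges. The counter worth keeping is per account, independent of source address: failures against one mailbox across all IPs, and, once an account is authenticating, the number of messages it submits per window.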
Linda Pagillo Replied
I have seen this happen before as well. What I do is change the password, disable the account and restart the SM service. That has kicked them off for me every time. Also, you mentioned compromised accounts. My company, Mail's Best Friend, offers a free program called Declude. It comes with a component called Hijack which prevents mass amounts of spam from leaving your server in the case of a compromised account. When it stops the mail from going out, it alerts you via email so you can log into your server and see whose account is compromised. If you would like to give it a try, you can download it at the following link: http://mailsbestfriend.com/downloads/ Please let me know if you have any questions. Thanks!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
Information Technology Replied
Thank you Linda for your response. I am definitely going to check into that. Declude sounds familiar from a while back.
Linda Pagillo Replied
My pleasure! Yes, Declude has been around for many years. The company went out of business several years back, but we purchased the Declude software and give it away free of charge to anyone who wants to use it.