Partial hacked?
Question asked by Steve Guluk - 8/20/2019 at 11:36 AM
Answered
Hello,
Anyone get partially hacked recently?

I have a current condition where a Russian source (185.211.245.170) is sending login attempts to our server (Enterprise Version - 100.0.6956). They seem to have a list of our users.

Of interest is that they are testing with email accounts from multiple domains on our mail server.

Any ideas on how this could happen?
We run a firewall, require complicated passwords (though there could be some older ones that are simple).

Is there a known exploit where a hacker can get a list of all email addresses in Smartermail?

4 Replies

Reply to Thread
0
Ben Gilstrap Replied
Employee Post Marked As Answer
Steve,

There is no known exploit that would allow a hacker to do this.  However, if they had access to the system administrator credentials, they could in theory write a script that could call the SmarterMail API and return a list of all email addresses.
Ben Gilstrap
Regional Sales Executive
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Steve Guluk Replied
Thanks for the reply Ben.

Looks like the blackhats are doing a Dictionary attack to find a response that notes an incorrect password rather than a non-existent user.

[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <boone@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<rania@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <rania@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<roxie@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <roxie@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<azra@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <azra@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<qiong@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <qiong@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<yonatan@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <yonatan@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<kathem@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <kathem@nutrendhomes.com> No such user here

Wouldn't it make sense to remove the responses that tell a would-be hacker information that they could use to gauge their attack?

Can we disable verbose error replies?
2
Kyle Kerst Replied
Employee Post
Steve,

Lists of users/domains are typically obtained using a variety of tactics including autoresponder probing, website scraping, brute-force attempts, etc. Typically a hacker will leverage a toolset that combines all of these to put together a target profile, and this is likely why they seem to know more about you than you'd like! I recommend making sure your SMTP IN protocol settings (Settings>Protocol Settings) are set up not to allow relay for anyone but authenticated user, terminate sessions after 5 bad commands, etc to prevent any kind of probing occurring. Additionally I recommend adjusting the Intrusion Detection System rules to fire on more strict scenarios like this: 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Steve Guluk Replied
Thanks Kyle, I have those settings in place.  

I also bumped up the times excluded to 4 hours rather than the 1 hour though not too sure how automated hacking programs handle "patience".



 


Reply to Thread