Partial hacked?

Question asked by Steve Guluk - 8/20/2019 at 11:36 AM

Answered

Hello,
Anyone get partially hacked recently?

I have a current condition where a Russian source (185.211.245.170) is sending login attempts to our server (Enterprise Version - 100.0.6956). They seem to have a list of our users.

Of interest is that they are testing with email accounts from multiple domains on our mail server.

Any ideas on how this could happen?
We run a firewall, require complicated passwords (though there could be some older ones that are simple).

Is there a known exploit where a hacker can get a list of all email addresses in Smartermail?

4 Replies

Reply to Thread

Employee Replied

8/21/2019 at 11:23 AM

Employee Post Marked As Answer

Steve,

There is no known exploit that would allow a hacker to do this. However, if they had access to the system administrator credentials, they could in theory write a script that could call the SmarterMail API and return a list of all email addresses.

Steve Guluk Replied

8/21/2019 at 1:59 PM

Thanks for the reply Ben.

Looks like the blackhats are doing a Dictionary attack to find a response that notes an incorrect password rather than a non-existent user.

[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <boone@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<rania@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <rania@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<roxie@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <roxie@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<azra@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <azra@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<qiong@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <qiong@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<yonatan@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <yonatan@nutrendhomes.com> No such user here
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] cmd: RCPT TO:<kathem@nutrendhomes.com>
[2019.08.21] 01:46:38.528 [193.32.160.140][66425091] rsp: 550 <kathem@nutrendhomes.com> No such user here

Wouldn't it make sense to remove the responses that tell a would-be hacker information that they could use to gauge their attack?

Can we disable verbose error replies?

Kyle Kerst Replied

8/21/2019 at 4:20 PM

Employee Post

Steve,

Lists of users/domains are typically obtained using a variety of tactics including autoresponder probing, website scraping, brute-force attempts, etc. Typically a hacker will leverage a toolset that combines all of these to put together a target profile, and this is likely why they seem to know more about you than you'd like! I recommend making sure your SMTP IN protocol settings (Settings>Protocol Settings) are set up not to allow relay for anyone but authenticated user, terminate sessions after 5 bad commands, etc to prevent any kind of probing occurring. Additionally I recommend adjusting the Intrusion Detection System rules to fire on more strict scenarios like this: