11

Currently I’m offering some webhosting to a few advertising agencies for their premium customers. But currently I have a great problem with the e-mail service. In the last week, the e-mail accounts of about 7 companies were stolen and used to send spam using my mail server.

Well, I was able to disable the accounts, because the sender was hitting the ratio policies of my server and a lot of mails were in the mail queue. Still, about 40 mails were actually delivered. But it was enough to get blacklisted, and one user even wrote a personal mail to the datacenter's abuse contact.

Currently I have no clue what I can do to prevent spamming from a stolen mail account. I send every outgoing mail through SA and AV, but it’s not enough. Until the user account hits the ratio of 40 mails a day or floods the message queue, I can’t detect the attack.

How can I detect such problems earlier?

Andrew B
user39063
    You're catching compromised e-mail accounts after only 40 messages? That's pretty impressive actually. Seems like this is more of a password security issue than an e-mail scanning issue. – Belmin Fernandez Jul 01 '14 at 13:17
  • 4
    Not an answer to your question, but a piece of advice for the next time. When someone writes a personal email to your abuse datacenter, you should respond personally and quickly. Don't just send a form letter - tell them pretty much what you told us here and that you're working to reduce the risk of this happening again. Your personal and prompt response will improve your reputation immensely. At least, this is my experience from taking over as postmaster at an ISP with a spam problem and turning its reputation around in less than a year to one of the best. – Jenny D Jul 01 '14 at 13:33
  • @Jenny D Well, this is the way I normally answer abuse reports. And normally the abuse reports are more informative. But in that case it was full of abusive words about me. “Please PERMANENTLY and absolutely shut down the server of this mother*** !!!” – just to quote one sentence of this abuse report. It was somehow impressive that someone can develop such a rage about a spam mail with just a link to an Asian porn site – maybe with drive-by malware. But well, maybe he had just a bad day (NLP FTW ;) ) – user39063 Jul 01 '14 at 21:53
  • user39063, you may wish at some point to accept one of the answers to this question, which you do by clicking on the "tick" outline you see next to it. Not only is that polite within the local etiquette, it drives the SF reputation system both for you and the author of the accepted answer. My apologies if you already know this. – MadHatter Jul 04 '14 at 14:20
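As an added example (not code from the post or its answers), one way to flag a compromised SMTP AUTH account well before a per-day ratio is reached: correlate Postfix smtpd lines (queue id, client IP, sasl_username) with qmgr lines (queue id, nrcpt) and score each account over a short sliding window on recipient volume and the number of distinct client IPs. The sample log lines, the thresholds and the assumed year 2014 are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd line (stamp, queue id, client IP, account) and qmgr line (stamp, queue id, nrcpt).
SMTPD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (\w+): "
                      r"client=\S+?\[([\d.]+)\].*sasl_username=(\S+)")
QMGR_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): "
                     r"from=<[^>]*>, size=\d+, nrcpt=(\d+)")

def analyse(lines, window=timedelta(minutes=10), max_rcpt=25, max_ips=1):
    """Return {account: sorted reasons} for accounts exceeding a threshold inside the window."""
    pending = {}                  # queue id -> (account, client ip)
    recent = defaultdict(deque)   # account -> (time, ip, nrcpt) events inside the window
    alerts = defaultdict(set)
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            _, qid, ip, user = m.groups()
            pending[qid] = (user, ip)
            continue
        m = QMGR_RE.match(line)
        if not m or m.group(2) not in pending:
            continue
        # Syslog stamps carry no year; 2014 is assumed (the year of this thread).
        t = datetime.strptime("2014 " + m.group(1), "%Y %b %d %H:%M:%S")
        user, ip = pending.pop(m.group(2))
        q = recent[user]
        q.append((t, ip, int(m.group(3))))
        while t - q[0][0] > window:   # discard events older than the window
            q.popleft()
        rcpts = sum(e[2] for e in q)
        ips = {e[1] for e in q}
        if rcpts > max_rcpt:
            alerts[user].add(f"{rcpts} recipients within {window}")
        if len(ips) > max_ips:
            alerts[user].add(f"{len(ips)} distinct client IPs within {window}")
    return {u: sorted(r) for u, r in alerts.items()}

# Constructed sample log (not from the post): alice sends one normal mail; bob's stolen
# credentials are used from two client IPs within minutes. Thresholds above are assumptions.
SAMPLE_LOG = """\
Jul  1 09:00:12 mx postfix/smtpd[4101]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jul  1 09:00:13 mx postfix/qmgr[812]: 1A2B3C: from=<alice@example.com>, size=2310, nrcpt=2 (queue active)
Jul  1 09:01:40 mx postfix/smtpd[4102]: 2B3C4D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jul  1 09:01:41 mx postfix/qmgr[812]: 2B3C4D: from=<bob@example.com>, size=9801, nrcpt=15 (queue active)
Jul  1 09:03:05 mx postfix/smtpd[4103]: 3C4D5E: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
Jul  1 09:03:06 mx postfix/qmgr[812]: 3C4D5E: from=<bob@example.com>, size=9799, nrcpt=15 (queue active)
""".splitlines()
```

Calling `analyse(SAMPLE_LOG)` flags bob after 30 recipients from two IPs in under two minutes, while alice is never reported; on a live server the same function can be fed from the tail of the mail log.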

2 Answers

17

I'm looking forward to seeing other answers to this question, but my feeling is that if you're catching compromised mail accounts after only 40 spams have got through, you're doing really well. I'm not sure I could detect similar abuse so quickly, and the prospect worries me.

But I'm appalled that seven sets of credentials were stolen in the past week alone.

So it seems to me that further improvement will not be in the "abnormal mail detection and removal" end of things, but in the "minimise credential theft" department.

Do you know how these clients lost control of their credentials? If you can see a common pattern, I'd start with mitigating that. If you can't, there are solutions both technical and non-technical to help minimise credential loss.

On the technical front, requiring two-factor authentication makes tokens much harder to steal, and makes such theft much easier to detect. SMTP AUTH doesn't lend itself well to two-factor auth, but you could wrap the SMTP channel in a VPN that does so lend itself; OpenVPN comes to mind, but it's far from unique in that respect.

On the non-technical front, the problem here is that loss of credentials is no headache for those who are supposed to be looking after them. You could consider changing your AUP so that (a) people are clearly responsible for things done with their credentials, and (b) you make a significant charge for each piece of inappropriate mail sent with a set of credentials. This simultaneously reimburses you for the time you're spending dealing with credential loss, and makes your clients aware that they should be looking after these credentials as well as those to their online banking, since the loss of both will cost them real money.

MadHatter
  • 2
    I know from two companies how they lost their credentials. One employee got an e-mail from one of his customers wondering why he couldn’t open the attached .doc file he got from another customer. And this employee just opened it. I have the .doc file. According to VirusTotal, even a week after the infection just a few AVs detected the malware. The dropper stole the mail credentials and installed the CryptoWall malware. And yes, this company had no backups, and yes, they paid the ransom. Another employee also just opened an infected attachment; he thought he was getting a bill. =>Human Stupidity – user39063 Jul 01 '14 at 09:24
  • That fairly strongly argues for a two-factor technical solution, to me. The "*send them a bill*" option is less helpful with people who don't know they're stuffing up in the first place. – MadHatter Jul 02 '14 at 07:26
7

We mitigated the same issue by using an outside vendor as our e-mail gateway (in our case, Exchange Online Protection, but there are many other comparable services). We then configured all our e-mail sending services to use that as the smarthost.

Now, all our outgoing messages are associated with the reputation of the external e-mail gateway. Because of that, these services do a very impressive job in detecting suspicious outgoing e-mail activity and alerting you promptly.

I'm normally a big proponent of developing our solutions in-house but e-mail is one of those things where the return on investment is truly worth it.

Belmin Fernandez