
Environment: Plesk v12, latest Windows Server 2012 SmarterMail

My web hosting provider told me that someone hacked into my server a couple of weeks ago and was hitting various mail servers (Gmail, Yahoo, etc).

I worked with the company to cure the problem, basically:

  • Change all passwords
  • Update server and all software to latest version
  • Turn on Windows firewall, was somehow disabled

Doing these tasks and waiting a couple of weeks finally took me off all the blacklists and restored my MXToolbox rating.

I found out today that Microsoft blacklisted my IP (not reported by the free version of MxToolbox). They said that a few days ago (8/28 and 8/29) that there was still Namespace Mining going on, but offered no information on how they know, how to prevent, or anything else that I asked. They wrote me back to my questions a few minutes ago that upon further investigation that they will lift the block.

Questions:

  • How does Namespace mining occur? Is that the result of a hacker finding out or hijacking an email account?

  • Aside from inspecting the logs, how can I determine if there is Namespace mining occurring?

  • How do I prevent Namespace mining beyond what I did? Would that be by installing a professional security software (e.g. third party Antivirus / Firewall / Email security software)?

I resolved the current problem, but I would like to know how to find out if I have the problem. In this case, I tried to send an email to a Microsoft account of mine and received a failure report. There should be a better way to go about a check than accidentally discovering the problem.

Sarah Weinberger
  • That is a generalized question, whereas mine is specific to Namespace mining. That makes IMHO 2 questions, not one. That question just states generalities. My issue was specific to Namespace mining. I am trying to find out more about it. – Sarah Weinberger Sep 03 '14 at 02:34
  • 1
    To be "that guy", why would you ever trust that server going forward? Are you in a position to do a complete wipe and rebuild? – joeqwerty Sep 03 '14 at 02:58
  • That is a bit harsh, and I will see what AVG and my web hosting company recommend. Microsoft offers a free scan. We shall see on the rebuilding option. I am not sure what "that guy" refers to. – Sarah Weinberger Sep 03 '14 at 03:38

1 Answer


As best as I can tell, the term "namespace mining" refers to generating random email addresses at a domain and attempting to send mail to see if the email address actually exists. I found the definition in this blog post.

So you have a hacker who has compromised your server and is running a script on that server, trying to find addresses to send spam to at Hotmail.

What you have done so far is to change your passwords, update your software and turn on your firewall but you haven't yet tried to delete the script or evict the hacker. Your issue is not specific to namespace mining. It really doesn't matter what the hacker is doing, the instructions on how to get rid of him are the same. Running AVG is unlikely to work and even if it does it is even less likely to have fixed the hole that allowed him in or find any backdoors he might have created to allow him back in.

The advice in that linked question is good.

It occurs to me that you asked three questions in your question and I answered only one of them.

How does Namespace mining occur? Is that the result of a hacker finding out or hijacking an email account?

It does not involve an email account on your server. There is no requirement for your server to even have email capabilities. It's just a script running on your server that can generate plausible "local parts" of an email address and then communicate with Hotmail to test the generated email address out.

Aside from inspecting the logs, how can I determine if there is Namespace mining occuring?

Inspecting TCP traffic would be what I would try. If you have a monitoring system such as Cacti, Zabbix, Munin, Nagios or many others set up, there will be bandwidth graphs available and possibly even breakdowns by target IP address. You can also run network sniffing software such as Wireshark on your server to see what traffic is being sent. The namespace mining will look much like normal SMTP traffic to Hotmail but it won't show up in the normal SMTP logs. You will probably see lots of errors from Hotmail saying that the requested user does not exist.

naught101
Ladadadada
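The traffic pattern the answer describes (many never-repeated recipient addresses at one remote domain, most of them rejected as unknown) can be scored mechanically. This is an added example, not part of the answer above: it assumes you have already summarised outbound port-25 RCPT TO exchanges from a packet capture into one line per attempt in the format shown, and the sample lines and addresses below are constructed (documentation IP ranges, generic RFC 5321 reply text).

```python
import re
from collections import defaultdict

# Constructed sample of outbound SMTP RCPT TO exchanges, e.g. summarised from a
# Wireshark/tshark capture of TCP port 25. Addresses are documentation ranges; none are real.
SAMPLE_LINES = """\
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1972@hotmail.com> 550 Requested action not taken: mailbox unavailable
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1973@hotmail.com> 550 Requested action not taken: mailbox unavailable
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1974@hotmail.com> 250 Requested mail action okay, completed
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1975@hotmail.com> 550 Requested action not taken: mailbox unavailable
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1976@hotmail.com> 550 Requested action not taken: mailbox unavailable
192.0.2.5 -> 203.0.113.10 RCPT TO:<jsmith1977@hotmail.com> 550 Requested action not taken: mailbox unavailable
192.0.2.5 -> 203.0.113.20 RCPT TO:<support@example.net> 250 Requested mail action okay, completed
192.0.2.5 -> 203.0.113.20 RCPT TO:<billing@example.net> 250 Requested mail action okay, completed
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) RCPT TO:<(?P<local>[^@>]+)@(?P<domain>[^>]+)> (?P<code>\d{3})"
)

def parse_rcpt_lines(text):
    """Yield one dict per parseable RCPT TO line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def score_sources(text, min_attempts=5, unknown_ratio=0.6):
    """Return {(src, domain): stats} for sources whose RCPT behaviour looks like address mining."""
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0, "locals": set()})
    for r in parse_rcpt_lines(text):
        s = stats[(r["src"], r["domain"])]
        s["attempts"] += 1
        s["locals"].add(r["local"])
        if r["code"].startswith("5"):   # 5xx permanent reject, e.g. unknown mailbox
            s["unknown"] += 1
    suspicious = {}
    for key, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        ratio = s["unknown"] / s["attempts"]
        # Legitimate mail reuses addresses and is rarely rejected; a run of distinct,
        # never-repeated local parts with a high reject rate is the mining signature.
        if ratio >= unknown_ratio and len(s["locals"]) == s["attempts"]:
            suspicious[key] = {"attempts": s["attempts"], "unknown": s["unknown"], "ratio": round(ratio, 2)}
    return suspicious

if __name__ == "__main__":
    for (src, domain), s in score_sources(SAMPLE_LINES).items():
        print(f"{src} -> {domain}: {s['attempts']} attempts, {s['unknown']} rejected ({s['ratio']:.0%})")
```

Tune `min_attempts` and `unknown_ratio` against a baseline of your own legitimate outbound mail; the ordinary traffic to example.net in the sample falls below the attempt threshold and is not flagged.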
  • The answer makes an assumption, as does the -2 down votes, one that cannot be made. There are multiple ways to compromise a server. The introduction of a script being only one of those ways. Namespace mining is a specific thing and cannot be linked to generalities. – Sarah Weinberger Sep 03 '14 at 14:25
  • You are completely correct that there are numerous ways to compromise a server, but when you don't 100% reliably know how it was done and what was done to your system since the compromise, the resolution is always going to be the same. – HBruijn Sep 03 '14 at 14:42