How to prevent hacked emails from sending out spam

-1

I am new to this whole server admin thing ...

I work for a small company, in which I am the web developer & server admin (a job I was thrown into). Please note, before taking this job I did not know anything about using SSH or Linux other than playing around with the GUI Ubuntu interface.

I taught myself the ropes, learned SSH, learned how to work almost everything in WHM. I am getting the hang of it, but still I cannot solve everything on my own.

We were having two major issues:

  1. PHP Mail was being compromised to send out spam.
  2. Account passwords were being hijacked to send out spam.

I fixed issue one by securing my scripts, since I wrote many of them myself. I also used RIPS to identify and secure my code vulnerabilities.

I am still however having issues with account passwords of legitimate users getting hijacked and being used to send out spam occasionally. For 95% of my email users it is not a big deal as we are pretty quick at finding the account sending the spam and securing it again.

However, one particular user is always in contact with a person who uses Cisco Senderbase to filter emails. When our mail volume goes up from a compromised email account, Senderbase flags our email reputation and we usually have to wait it out, as their system is completely automated.

What is the best way to secure users' passwords from getting hacked or guessed?

Dan

Posted 2014-08-01T16:18:50.450

Reputation: 1

You can't. You can limit the number of emails sent out in a period of time, but if the password to the account is supplied, you have no way to verify if that is the account holder or somebody else. My suggestion: enforce a password length or password complexity requirement to prevent "brute force" attacks. Outside of that, there's not much you can do; if you do solve it, you have the next hundred-billion-dollar idea. – Ramhound – 2014-08-01T16:26:56.417

What do you mean when you say that email accounts of legitimate users are being used to send out spam? Keep in mind that SMTP by default does zero sender validation; I can send email From: president@whitehouse.gov and make it look, to the casual observer, like it really came from that address. If someone is logging into your system using a compromised account, you have a bigger problem than a few spam emails being sent out under that account, and you need to work to fix that instead (and your currently more visible problem will correct itself). – a CVn – 2014-08-01T16:29:06.650

When I say legitimate emails, I am not referring to anyone being spoofed. Our mail is signed for with SPF and DKIM to sort of prevent what you are referring to. What I am talking about is when I know I set up userabc@mydomain.com and through means of a compromised password that account was used to send out hundreds of spam emails. – Dan – 2014-08-01T16:32:05.600

So your problem is that the email account passwords are routinely being compromised? Not really how to prevent sending spam. – a CVn – 2014-08-01T16:33:55.697

Yeah, I guess you could say that. – Dan – 2014-08-01T16:34:13.507

I've set up ClamAV ... it did not really seem to help. – Dan – 2014-08-01T16:34:42.000

In that case, you need to look at your password management. Start with @Ramhound's comment, and follow up by [edit]ing this question (or even posting a new one) to be about how to prevent compromising of users' passwords. However, be specific; that subject matter could very easily get closed as too broad, unless you're asking some quite specific question about it. – a CVn – 2014-08-01T16:36:55.203

Thanks Michael, I'll investigate a little bit more before updating or asking anything else. – Dan – 2014-08-01T16:38:16.233

It would also be useful if you could say what mail server you're using - sendmail, postfix, exim... I know that you can rate-limit the number of e-mails sent from Postfix using anvil, and you can have more control with policyd. You may want to take a look at them if you're using Postfix! – Valmiky Arquissandas – 2014-08-01T17:44:04.187

And are you still on the same server(s) that have been compromised? Then you have no idea what other malware may be lurking there, and all your tinkering to fix it does not help, because the attacker has left a backdoor with which he can immediately compromise your system again. Once a server has been compromised there's generally only one thing to do: wipe it, reinstall everything, put your backed-up data back. – Jan Doggen – 2014-08-04T06:49:17.767

I'd recommend looking at a paid-for email service such as Office365 to take care of your email service, fixing a compromised email server with no experience is an uphill battle that you may lose... You will end up spending more time (time = money) and money fixing the problem (and maintaining the service) than what it would cost to employ a dedicated external service. Been there, done that, best decision ever made. – Kinnectus – 2016-01-06T21:38:13.413

Answers

2

Do you require strong, complex passwords? Do you lock out users after a number of bad password tries? Both of these things can significantly increase the time to compromise an account. If there is a web interface for email, look at using fail2ban to block IPs that generate multiple failed login attempts.

However, it is possible there is a deeper compromise at play. If so, you may need a more experienced admin to assist in detecting it.

uSlackr

Reputation: 8 755

1

Here is the document that I found helpful

https://lelutin.ca/posts/installing_postfix_-clamav-spamassassin-dovecot-_postfixadmin_on_debian_squeeze/

It is nearly 20 pages going into fine detail on exact settings and configs for the mail system. Although it was written for Debian, I got it working for openSUSE, and it can work for others as well.

Add fail2ban and require long complex passwords and see how that goes.

cybernard

Reputation: 11 200

0

As @Ramhound said, you pretty much can't prevent hacked emails from sending out spam in the general case.

One tool which has made a HUGE difference to me was to install "Cluebringer" (Policyd) - This integrates with Postfix and can be used to limit the number of emails sent out in a given timeframe from a given user. Getting this setting right and closely monitoring your mailq (which it sounds like you are doing anyway) will make a big difference - particularly as senderbase looks at volume of bad email sent.

You may also need to get users to use SMTP Auth so you can easily tie an account to a user for policy limiting purposes with Cluebringer. (And, for my business, I found 200 emails / hour is a good threshold.)

davidgo

Reputation: 49 152
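Two of the controls recommended in this thread, uSlackr's lockout after repeated failed logins (what fail2ban does) and davidgo's per-account outbound limit of about 200 messages per hour, both reduce to the same detection: count events per key inside a rolling time window and act when a threshold is crossed. The script below is an added example, not code from the thread or from fail2ban or Cluebringer. It parses constructed syslog-style lines modelled on Dovecot `imap-login` "auth failed" entries and Postfix `smtpd` SASL submission entries (the exact field layout of your own logs may differ, so the regexes are an assumption), bans a source IP after five failures in ten minutes, and flags any `sasl_username` that exceeds 200 submissions in any rolling hour. All addresses are TEST-NET ranges and the traffic is synthetic.

```python
"""Rolling-window monitor for mail auth failures and authenticated sends.

Added example (not from the original thread).  Assumed log shapes:
  Dovecot : "... dovecot: imap-login: Disconnected (auth failed, ...): user=<U>, ..., rip=IP, ..."
  Postfix : "... postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=M, sasl_username=U"
Syslog lines carry no year, so one is supplied; lines are assumed chronological per key.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_TS = r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
AUTH_FAIL_RE = re.compile(
    SYSLOG_TS + r"\S+ dovecot: (?:imap|pop3)-login: .*auth failed.*"
    r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"
)
SASL_SEND_RE = re.compile(
    SYSLOG_TS + r"\S+ postfix/smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)


def parse_line(line, year=2014):
    """Return (kind, timestamp, ip, user) for a recognised line, else None.
    kind is 'auth_fail' (Dovecot login failure) or 'send' (Postfix SASL submission)."""
    for kind, rx in (("auth_fail", AUTH_FAIL_RE), ("send", SASL_SEND_RE)):
        m = rx.match(line)
        if m:
            stamp = f"{year} {m['mon']} {int(m['day'])} {m['time']}"
            return kind, datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"], m["user"]
    return None


class SlidingCounter:
    """Per-key event counter over a rolling window; keys reaching the threshold are flagged."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)   # key -> timestamps still inside the window
        self.peak = defaultdict(int)       # key -> highest in-window count seen
        self.flagged = set()

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events that aged out of the window
            q.popleft()
        self.peak[key] = max(self.peak[key], len(q))
        if len(q) >= self.threshold:
            self.flagged.add(key)
        return key in self.flagged


def analyze(lines, fail_threshold=5, fail_window=timedelta(minutes=10),
            send_limit=200, send_window=timedelta(hours=1)):
    """Ban IPs with >= fail_threshold failures per fail_window; throttle users
    sending more than send_limit messages per send_window (davidgo's 200/hour)."""
    fails = SlidingCounter(fail_window, fail_threshold)
    sends = SlidingCounter(send_window, send_limit + 1)  # "more than" the limit
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, ts, ip, user = parsed
        if kind == "auth_fail":
            fails.add(ip, ts)
        else:
            sends.add(user, ts)
    return {"ban_ips": fails.flagged, "throttle_users": sends.flagged,
            "peak_fails": dict(fails.peak), "peak_sends": dict(sends.peak)}


def _ts(minute, second=0):
    return f"Aug  1 16:{minute:02d}:{second:02d}"


def build_sample_log():
    """Constructed sample traffic (not real logs); TEST-NET addresses only."""
    fail = ("{ts} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
            "user=<{user}>, method=PLAIN, rip={ip}, lip=198.51.100.2")
    send = ("{ts} mail postfix/smtpd[2211]: {qid}: client=unknown[{ip}], "
            "sasl_method=PLAIN, sasl_username={user}")
    lines = []
    # six failed logins against one mailbox from one address within three minutes -> ban
    for i in range(6):
        lines.append(fail.format(ts=_ts(20 + i // 2, 30 * (i % 2)),
                                 user="userabc@mydomain.com", ip="203.0.113.7"))
    # a legitimate user who mistyped a password twice -> must not be banned
    for i in range(2):
        lines.append(fail.format(ts=_ts(22, 10 + i), user="userxyz@mydomain.com", ip="198.51.100.9"))
    # 205 authenticated submissions from the compromised account in under half an hour -> throttle
    for i in range(205):
        secs = i * 8
        lines.append(send.format(ts=_ts(30 + secs // 60, secs % 60), qid=f"{i:06X}",
                                 ip="203.0.113.7", user="userabc@mydomain.com"))
    # three ordinary submissions from the legitimate user -> untouched
    for i in range(3):
        lines.append(send.format(ts=_ts(31 + 5 * i), qid=f"A{i:05X}",
                                 ip="198.51.100.9", user="userxyz@mydomain.com"))
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("ban:", sorted(report["ban_ips"]), "throttle:", sorted(report["throttle_users"]))
```

Run against a real `mail.log` by replacing `build_sample_log()` with a file iterator; the thresholds are parameters so the 200/hour figure from the answer above, or a stricter one, can be tried against a day of logs before wiring the output to a firewall or to a Postfix policy service.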