No, we do not require SSL.  However, it is unlikely that their passwords
were sniffed.  That would require that the "hacker" would have some
access to that data flow.  It is more likely that they acquired the
password through more devious means or maybe even by brute force.

Had IMail a better method of tying IIS logs to mail logs so I could more
easily track the flow of messages composed in webmail, I could be
slightly more certain about where the person was accessing the mail
from.  I'm assuming for now it was foreign, maybe Romania... since it
was like all the other money scams.

I don't believe there is a bulletproof fix for this since I need to
maintain web access for customers anywhere.  For now I'm just modifying
my monitoring routine to include uncommon modifications to user
settings.  Perhaps if I could disable the ability to change the reply-to
address in webmail it would make my system look unappealing... if
someone should attempt this again.

Will
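Will mentions writing a script to isolate affected users and adding unusual setting changes to his monitoring; the SMTPD excerpt he posted shows the pattern Jeff identified (webmail submissions arrive as sessions from the server's own IP that then authenticate). The following is an added example, not code from the thread or from IMail: it parses that log format, groups lines by session id, and reports users with an unusual number of authenticated sessions originating from the server itself, together with the MAIL FROM addresses they used. The sample log is constructed in the format of the excerpt; the addresses, the second and third sessions, and the threshold are assumptions.

```python
import re
from collections import defaultdict

# One IMail SMTPD log line: date, time, listener IP, session id, message text.
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) (\S+)\s+SMTPD \((\w+)\) (.*)$")
CONNECT_RE = re.compile(r"^\[(\S+)\] connect \S+ port \d+$")
AUTH_RE = re.compile(r"^Authenticated (\S+?), session treated as local\.$")
MAILFROM_RE = re.compile(r"^\[\S+\] MAIL FROM:<?([^>\s]+)>?")

# Constructed sample log in the format of the thread's excerpt; addresses are placeholders.
SAMPLE_LOG = """\
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) Authenticated kyakg@example.com, session treated as local.
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] MAIL FROM:scam1@example.net
20080122 142705 127.0.0.1       SMTPD (435d01f0000014d1) [199.176.228.5] connect 199.176.228.5 port 2915
20080122 142705 127.0.0.1       SMTPD (435d01f0000014d1) Authenticated kyakg@example.com, session treated as local.
20080122 142705 127.0.0.1       SMTPD (435d01f0000014d1) [199.176.228.5] MAIL FROM:scam2@example.net
20080122 150010 127.0.0.1       SMTPD (435d01f0000014e2) [203.0.113.7] connect 203.0.113.7 port 51022
20080122 150010 127.0.0.1       SMTPD (435d01f0000014e2) Authenticated alice@example.com, session treated as local.
20080122 150010 127.0.0.1       SMTPD (435d01f0000014e2) [203.0.113.7] MAIL FROM:alice@example.com
"""

def parse_sessions(lines):
    """Group SMTPD lines by session id: connecting client IP, authenticated user, MAIL FROM list."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SMTPD line (other services, blank lines)
        _date, _time, _listener, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"client": None, "user": None, "mail_from": []})
        if (c := CONNECT_RE.match(msg)):
            s["client"] = c.group(1)
        elif (a := AUTH_RE.match(msg)):
            s["user"] = a.group(1)
        elif (f := MAILFROM_RE.match(msg)):
            s["mail_from"].append(f.group(1))
    return sessions

def flag_webmail_senders(sessions, server_ips, threshold):
    """Users with >= threshold authenticated sessions whose client IP is the server itself."""
    per_user = defaultdict(lambda: {"sessions": [], "mail_from": set()})
    for sid, s in sessions.items():
        if s["client"] in server_ips and s["user"]:
            per_user[s["user"]]["sessions"].append(sid)
            per_user[s["user"]]["mail_from"].update(s["mail_from"])
    return {u: v for u, v in per_user.items() if len(v["sessions"]) >= threshold}
```

Running `flag_webmail_senders(parse_sessions(SAMPLE_LOG.splitlines()), {"199.176.228.5"}, 2)` on the sample flags only kyakg, whose two server-originated sessions used two different sender addresses; the remote session from 203.0.113.7 is ignored.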




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Barker
Sent: Friday, January 25, 2008 12:56 PM
To: [email protected]
Subject: RE: [IMail Forum] Tracking Messages

Are you requiring SSL for connection? If not, the userid/passwords flow
in cleartext. Of course, the modern "keyboard sniffers" can learn
credentials before they are encrypted by the stack, but at least the
only exposures would be on the two end-points (your client machine and
your server itself).

Dan 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Thursday, January 24, 2008 4:25 PM
To: [email protected]
Subject: RE: [IMail Forum] Tracking Messages

Yeah, that's looking a bit too tedious for me.  Well, I looked at the
webmail setting for my compromised user and found that their signature
had been altered and in its place was a long letter resembling a
Nigerian scam.  The Reply-To: address had also been altered to the
familiar addresses I found.

I proceeded to check other users' signatures and found two other accounts
that had their signatures replaced by scam messages.  So now I'm off to
write a script to isolate any users that have altered reply-to addresses
so I can require them to change their passwords.

I have no idea how to avoid this for the future.  The users' passwords
met complexity standards so I guess I just need to keep a better eye on
it.

Thanks!

Will



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Thursday, January 24, 2008 4:03 PM
To: '[email protected]'
Subject: RE: [IMail Forum] Tracking Messages

It's been a few years since I've used IMail's webmail.  Prior to using
IIS, web messaging logged to two w* files located in the spool directory.

I tried logging into webmail as a user but see no authentication
information in any IMail logs.  I do see a "logout" in the IIS log but I
suspect that won't appear if the user doesn't click the "logout" link.

-Jeff

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Thursday, January 24, 2008 3:26 PM
To: [email protected]
Subject: RE: [IMail Forum] Tracking Messages

Yes, that must be it.  When I send emails from webmail, they do appear
like that.  I'm not sure why I was expecting something different.  So
that's a simple answer, thanks!

However, that means I have to rely on my web server logs to determine
who was logged in as kyakg and sending those emails...  unfortunately
authentication is handled by the IMail CGI app and wouldn't be included
in that log.

Any idea how I would track this back to a session and a user in web
messaging? :)



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Thursday, January 24, 2008 2:54 PM
To: '[email protected]'
Subject: RE: [IMail Forum] Tracking Messages

Perhaps it was sent through the web mail interface?

-Jeff

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Thursday, January 24, 2008 2:33 PM
To: [email protected]
Subject: RE: [IMail Forum] Tracking Messages

This is very strange.  A few days ago our server was caught sending out
scam emails.  I narrowed it down to about 40 sessions that day that all
started out with:

20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) Authenticated [EMAIL PROTECTED], session treated as local.
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] MAIL FROM:[EMAIL PROTECTED]

The sending address seemed to rotate between about ten different
addresses, the above MAIL FROM being one of them.  According to this log
it was initiated on the server itself.  My first thought is that I'm
compromised.  However, if I was, why would the connection bother
authenticating?  My server would not need to authenticate via SMTP.

I've checked my server over and I can't find anything out of the
ordinary.  My virus scanner is running fine and overall the server is
very clean.  The only application it is responsible for is IMail so I
don't have too many processes to sift through.

I changed the password for kyakg, which all of the sessions used to
authenticate.  Since then I haven't seen any more spam.  I haven't even
seen an entry in the logs for kyakg trying to authenticate.

Confused...

Any recommendations on how to figure out what this means?

Will



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Dorman
Sent: Thursday, January 24, 2008 12:13 PM
Cc: [email protected]
Subject: Re: [IMail Forum] Tracking Messages

On Thursday, January 24, 2008, 09:06:09, Will wrote:
> Any idea where one would find the connecting IP for SMTPD in the logs?
> 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901

Some client at IP address 199.176.228.5 connected to your e-mail server
at 199.176.228.5

Note that both client and server are on the same machine.

> 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5

The client sent a broken EHLO command; the RFCs require an address
literal to be enclosed by brackets.

--
[EMAIL PROTECTED]     "The avalanche has already started, it is too
Rod Dorman              late for the pebbles to vote." - Ambassador Kosh

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
