> On 22 Sep 2021, at 21.44, Jarland Donnell via mailop <[email protected]> 
> wrote:
> 
> This is true. While brute force attacks persist, we rarely see a connection 
> between that and compromised accounts these days. Most often the attacker 
> knew the password immediately. Now what would be cool, and has always been on 
> my list of "maybe one day" features, would be either using an API from 
> haveibeenpwned.com or merely keeping a copy of publicly released database 
> leaks, and then testing results internally. If an email in a database dump 
> matches one in your system, test the password leaked with it. If it works, 
> force password change.
> 

We use haveibeenpwned - but a bit differently than what you propose here. We 
have a local copy of haveibeenpwned running that compares the passwd hash with 
the hash in haveibeenpwned. Each hash in haveibeenpwned is associated with a 
count based on how many breaches it’s been found in. If we find a match on the 
hash we check the count towards a set threshold, and if the count is higher 
than the threshold the user will get a big red box in his or her webmail saying 
- “We really think it would be a good idea if you changed your password. Please 
do it now. Your password is insecure”

Unfortunately we can only do this in our Webmail, we have no good way of 
sending this message to a user of a 3rd party mail client. If someone on this 
list has a good idea on how that can be accomplished with a good UX I am very 
eager to hear it :-)

Kind Regards,
  Sidsel, Postmistress @ one.com
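
The threshold check described above, as an added example that is not code from one.com or from haveibeenpwned. It assumes the check runs at authentication time, when the cleartext password is available (a stored bcrypt or similar hash cannot be compared against the SHA-1 list), and it uses a small constructed stand-in for the Pwned Passwords file, whose real format is one `UPPERCASE-SHA1:COUNT` line per entry; the counts here are made up.

```python
import hashlib
from typing import Dict


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys entries by the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the local copy of the list. The hashes are computed
# here from sample strings so the example runs offline; the counts are invented.
# A real copy has hundreds of millions of lines and belongs in a key-value store.
SAMPLE_PWNED_LINES = "\n".join(
    f"{sha1_upper(pw)}:{count}"
    for pw, count in [("password", 3861493), ("letmein", 232000), ("Tr0ub4dor&3", 7)]
)


def load_index(text: str) -> Dict[str, int]:
    """Parse HASH:COUNT lines into a dict keyed by uppercase SHA-1 hex."""
    index: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        index[digest.upper()] = int(count)
    return index


def breach_count(password: str, index: Dict[str, int]) -> int:
    """Number of breaches the password was seen in, or 0 if it is not listed."""
    return index.get(sha1_upper(password), 0)


def should_warn(password: str, index: Dict[str, int], threshold: int) -> bool:
    """Show the webmail warning only when the count exceeds the operator's threshold."""
    return breach_count(password, index) > threshold


if __name__ == "__main__":
    idx = load_index(SAMPLE_PWNED_LINES)
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, breach_count(candidate, idx), should_warn(candidate, idx, 100))
```

The threshold keeps rarely-seen hashes from triggering the warning, which is the trade-off the post describes; setting it to 0 warns on any listed password.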


> I think a lot more people will be doing things like this in the future, it's 
> hardly a fresh idea. But the number of compromises it would prevent is 
> likely enough to justify the overhead of building it out.
> 
> On 2021-09-22 01:38, Lena--- via mailop wrote:
>>> From: Alessio Cecchi <[email protected]>
>>> we are an email hosting provider, and as you know many users use weak
>>> passwords, or have a trojan on their PC that stole their password, which
>>> is then used to send spam or commit some kinds of fraud.
>>> We already have a "script" that checks, from log files, the country of
>>> the IP address and "does something" to detect if it is an unusual login. But
>>> it is not really sufficient.
>> I suspect that stealing passwords with trojans is more successful
>> than brute-forcing passwords via POP, IMAP or SMTP.
>> Therefore, detecting logins for brute-forcing is not enough.
>> You need to detect when stolen passwords are used to send spam
>> via your server. One approach is to check rate of attempts to send
>> to non-existent recipient email addresses, because spammers usually
>> send to dirty lists of email addresses full of message-ids,
>> truncated email addresses or prepended with garbage.
>> I wrote an implementation for Exim:
>> https://github.com/Exim/exim/wiki/BlockCracking
>> It also detects some brute-forcing, but the main one is automatic blocking
>> of accounts used for spamming with trojan-stolen passwords.
>> _______________________________________________
>> mailop mailing list
>> [email protected]
>> https://list.mailop.org/listinfo/mailop
