Yes, people do research these things..
(Which reminds me, I do have to finish that blog post on Best Practices for ISP's and Telco's)

Fortunately, we not only provide email servers, but we have a threat division as well, so we take a lot of time to look into these issues.

I will send you a draft off list, but for instance..

* Did you know? Turning off POP 110 will reduce email compromises by up to 90%?

No matter how secure/tough your passwords are, if it is sent plain text, it's not if but when it will be compromised. Too many network devices and IoT's are compromised, and running sniffers..

Most compromises are because of 'sniffing', password reuse, phishing, and malware which steals passwords on the devices. Very little real brute force occurs, when there are easier ways. Of course you should have at least a minimal password strength enforcement.

While any 8 character password hash can be broken in mere minutes, to actually brute force that many combinations will quickly be detected, and rate limiters pretty well rule that out.

Fix the simple things first.. hackers like the easy targets.

        -- Michael --

On 2021-11-17 5:24 a.m., Francois Petillon via mailop wrote:
On 11/17/21 9:10 AM, Hans-Martin Mosner via mailop wrote:
Here I want to focus on hacked mail accounts. I can think of two major root
causes but I have no idea about their relative significance:

  * Easily guessable passwords, with two subcauses for exploits:
      o Brute force authentication attempts - I'm seeing them regularly,

Are you sure it is really *full brute* force attempts and not a *password reuse*
attack?

Some of my users have dozens of passwords compromised and an attacker has
plenty of information about:
1/ what the usual passwords used for an email account are
2/ what kind of transformations are applied by its user.

so that attackers might dramatically limit the volume of trials needed for that
kind of attack.

Just an example, one of my users has that kind of compromised passwords in
"public" lists (some letters have been changed and this account has been
disabled for a few years):
- Yt6j8mxx
- 123ytm
- ytjm0
- Yt6j8M
- Yt7j6M
- yyt6j8M
- yt6j8mm
- 123yt6j8m
- yt6j8mz
- yt6j8mq
- yt6j8ma
- yt6j8m9
- yt6j8m8
- yt6j8m777
- yt6j8m7
- yt6j8m6
[...]

As an attacker, I would try to 1/ check each of these passwords 2/ find the most
common roots of these passwords and brute force only using usual transformations
(in this example, there are case transformations, adding "123" at the beginning,
adding a single character at the end, adding the same character several times at
the end).

I usually see "slow and low" attacks (one password checked per account, per IP
and per day) and real brute force attacks are quite uncommon on the mail servers
I manage.

and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our
mailserver, but some mailops are less strict about blocking such abusers.

IMHO, the main issue is not really about blocking abusers but being able to
identify compromised accounts.

  * Malware on client machines where passwords are either stored in a password
vault, or entered manually.

You are missing phishing attacks and probably compromised servers.

My gut feeling is that some organizations are especially prone to hacked mail
accounts. We're seeing lots of South American government agency users, and many
accounts at educational institutions.

I am afraid the issue is broader than that. Yes, there are many issues with
educational institutions (I have seen that kind of case from all over the
world) but I also have seen compromised accounts used to spam from small
enterprises (real estate, plumbers, architects, etc.)

The latter are often hosted using Microsoft O365 services,

I would say O365 is probably a catalyst and probably not the cause.

What you usually see is the spam. This means the spammer was able to know how
to identify compromised accounts *and* he was able to know how to send mails.
With any domain using O365, spammers already have all the needed information.

The (French banks) phishing mails I used to receive only from O365 are now also
sent directly from servers hosted at universities. I have even received a scam
sent from a compromised account at a French ministry.

and I highly suspect that weak passwords for all the
freshly created student accounts may be a major cause, although exfiltrated
password data may be a possibility, too.

Brute force on weak passwords seems to be unlikely to me as long as you are
using network services. I would think the main issue is password reuse.

François
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
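The "slow and low" pattern François describes above (one guess per account, per IP, per day) never trips a per-IP rate limiter, and his point is that the real job is identifying compromised accounts. The detector below is an added example, not code from the thread or from any of the posters; it assumes a constructed `timestamp auth fail|ok user=... ip=...` log format and shows the per-account view that catches the distributed pattern, alongside the per-IP view that only catches noisy brute force.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread): one guess per IP per day against
# alice, a noisy burst against bob from one IP, and a legitimate login for carol.
SAMPLE_LOG = """\
2021-11-15T02:10:11 auth fail user=alice ip=198.51.100.23
2021-11-15T09:42:03 auth fail user=alice ip=203.0.113.19
2021-11-16T01:07:55 auth fail user=alice ip=192.0.2.44
2021-11-16T14:20:30 auth fail user=alice ip=198.51.100.88
2021-11-17T03:15:02 auth fail user=alice ip=203.0.113.201
2021-11-17T03:16:40 auth ok user=alice ip=203.0.113.201
2021-11-17T08:00:00 auth fail user=bob ip=198.51.100.7
2021-11-17T08:00:01 auth fail user=bob ip=198.51.100.7
2021-11-17T08:00:02 auth fail user=bob ip=198.51.100.7
2021-11-17T08:00:03 auth fail user=bob ip=198.51.100.7
2021-11-17T08:00:04 auth fail user=bob ip=198.51.100.7
2021-11-17T12:30:00 auth ok user=carol ip=192.0.2.9
"""

# Assumed log line shape for this example.
LINE_RE = re.compile(r"^(\S+) auth (fail|ok) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Return (timestamp, outcome, account, ip) tuples in log order."""
    return [LINE_RE.match(l).groups() for l in text.splitlines() if l.strip()]

def noisy_sources(events, threshold=5):
    """Per-IP view (what a rate limiter sees): IPs with >= threshold failures."""
    fails = Counter(ip for _, outcome, _, ip in events if outcome == "fail")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def slow_and_low(events, min_sources=3, max_per_source=1):
    """Per-account view: accounts probed by many IPs that each fail only a little."""
    per_account = defaultdict(Counter)
    for _, outcome, user, ip in events:
        if outcome == "fail":
            per_account[user][ip] += 1
    return {
        user: sorted(ips)
        for user, ips in per_account.items()
        if len(ips) >= min_sources and max(ips.values()) <= max_per_source
    }

def likely_compromised(events):
    """Probed accounts where one of the probing IPs later logged in successfully."""
    suspects = slow_and_low(events)
    return sorted({user for _, outcome, user, ip in events
                   if outcome == "ok" and ip in suspects.get(user, [])})
```

Only bob's attacker shows up in the per-IP view; alice's five single-shot sources are invisible there, yet the per-account view flags her, and the success from one of those sources is the compromise signal worth acting on.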