Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Rob McEwen via mailop

On 3/22/2020 4:41 PM, Chris via mailop wrote:
> It's been my experience that MOST of them are going to be red-herrings

+1

2 days ago, I got one of these for a domain for which I host email. I 
checked the SHA-1 hash against the current password's SHA-1 hash, and it 
didn't match. So it seemed like a complete waste of my time. I suspect 
that the vast majority of such intercepts... are going to be situations 
just like that - old passwords that were already changed years ago. I 
vaguely recall this user's account getting hacked several years ago, and 
the problem being fixed way back then. I don't like my time wasted 
trying to fix already-fixed problems.


--
Rob McEwen



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


[mailop] Nova.org Admin/Postmaster

2020-03-22 Thread Dickie LaFlamme via mailop
Does anyone have a contact to the admin/postmaster of Nova.org? If so, could 
you private message me as soon as you can? Thanks in advance!

Thanks,

Dickie LaFlamme
Senior Deliverability Specialist
dickie.lafla...@oracle.com




Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Chris via mailop

On 2020-03-22 16:20, Nick Stallman via mailop wrote:
> I got one of these the other day and I'm scratching my head about it as 
> what's in the report cannot possibly be correct.
>
> The report was for a domain we host the website for, but the domain has 
> no email at all.
> The account referenced is also not a valid website login or anything 
> else I can think of.
>
> It's not terribly useful if I'm going to be getting red herrings like that.


It's been my experience that MOST of them are going to be red-herrings. 
I've seen a whole pile of such forged addresses with userids/passwords 
that I knew were completely impossible.


Imagine how useful it's going to be if you have a lot of spamtraps.  I 
mean, a *LOT* of spamtraps.


There's a reason why we're not doing the same thing.



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Nick Stallman via mailop
I got one of these the other day and I'm scratching my head about it as 
what's in the report cannot possibly be correct.


The report was for a domain we host the website for, but the domain has 
no email at all.
The account referenced is also not a valid website login or anything 
else I can think of.


It's not terribly useful if I'm going to be getting red herrings like that.

On 22/3/20 3:34 pm, Udeme Ukutt via mailop wrote:
> I pinged someone there to take a look.
>
> Udeme
>
> On Sat, Mar 21, 2020 at 9:17 PM Ted Cooper via mailop <mailop@mailop.org> wrote:
>> Has anyone run into "Abusix" /potentially/ compromised account
>> notification emails before?
>>
>> Their website "abusix.ai" looks to be about a week old based on the age
>> of all of the articles. I would have guessed they'd have been around for
>> longer and their name does ring a bell. Blog announcement on Abusix.com
>> would indicate they launched Mar 2019.
>>
>> They've sent us a report from "nore...@abusix.org" to postmaster@ here
>> in some kind of misguided attempt to help us because "Over the last 24
>> hour period our traps have detected 1 potentially compromised accounts
>> on your domain."
>>
>> In the CSV they attached, apparently the IP address 185.234.219.89
>> (Poland) attempted to send an email at 2020-03-19T17:59:03.000Z using
>> smtp auth credentials apparently from a domain hosted here. That IP
>> address is not at all related to any networks or servers for the domain.
>>
>> They do provide the first 5 characters of the sha1 of the password that
>> IP address used. I know it used the wrong password because the account
>> in question does not have a password - it's an alias and not an account.
>>
>> Given the number of fraudulent auth attempts we all get every day with
>> wild and whacky unrelated usernames (I get hotmail & others provided as
>> username), why would anyone think it was a good idea to send out spam to
>> stop spam when it was clearly a fraudulent email that didn't even go
>> anywhere? If everyone sent out a spam notification when someone abused a
>> domain we'd all be getting 10x fold increase in spam, all trying to be
>> "helpful".
>>
>> They do ever so helpfully provide an "opt out" link. I am scratching my
>> head as to think when I opted into such a service. /sarcasm.
>>
>> My initial thought was to route their domains and IPs to /dev/null,
>> happy in the thought that I now get one less domain's spam.

--
Nick Stallman
Technical Director
Email   n...@agentpoint.com
Phone   02 8039 6820
Website www.agentpoint.com.au

Agentpoint / Netpoint
67 Renwick St, Redfern NSW 2009




Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Bill Cole via mailop

On 22 Mar 2020, at 10:28, Steve Freegard via mailop wrote:

> Abuse reports shouldn't have to be opt-in.

True, but these are not abuse reports to an empowered party, but rather 
to possible victims.

It's akin to the FUSSPs that use mail-based challenge/response models or 
to SMTP callback verification.

> I didn't design this to annoy people,

As designed, it will intrinsically annoy people who in no way deserve 
the annoyance or can benefit from it.

> I did it because it's useful for the internet in general

It is not. It is a response to an Internet-wide problem, but it is not 
broadly useful.

> because compromised accounts are a huge issue,

Yes, they are. This particular response does not generally improve mail 
system operators' capacity to mitigate that issue. The core reason that 
compromised accounts have increased as a problem is that users have 
gotten used to using the same email address and password everywhere for 
authentication. This response does not address that in any way or help 
anyone receiving reports address it.

> and one that causes issues for blacklist providers like us (e.g. if 
> the compromised accounts are on unblockable IPs, then we have less 
> ability to stop them), so this was more about providing data that 
> previously wasn't available *for free* to help the community in 
> general.

My mail logs and sometimes mailboxes are filled with essentially the 
same data for free in the form of backscatter. I can get a pretty good 
list of what email addresses in my domains are being shopped around at 
HIBP. I've mostly eliminated even logging of credential-stuffers by 
dropping their crap at the border, a thing that many small mail system 
operators can do. Even the data on such activity I can look at is mostly 
useless to me because it is overwhelmingly for single-purpose addresses, 
role accounts, or other sorts of non-authenticating aliases.

I really don't need or want more unrequested "free information 
customized for your needs" by people who clearly do not understand my 
needs and whom I am reluctant to generally shun. This should be like a 
FBL: a great idea for people who can actually use it, but not something 
you want to impose on everyone who might be able to use it.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Atro Tossavainen via mailop
Steve,

> >I am not impressed.
> 
> Sorry about that Atro.

Having witnessed what I have today, I have to say I think your concept
is inherently flawed.

Also, my handful-of-dozen spams of this type are apparently a drop in
the ocean when compared to some of the more serious spamtrappers who
claim to have received thousands of the same.

> Obviously trap domains, due to the very nature of them are more
> likely to be abused in this way and I will do what I can next week
> to address this and exclude them from reporting.

You'll have an interesting time trying to figure out what to exclude.

> I've already found that SORBS and Manitu don't treat Abuse and
> Postmaster role accounts differently.

I can't speak for either. Koli-Lõks OÜ spamtraps do not directly feed
a blocklist, as well.

Personally I think the possibility for misfiring is way too great for
this concept to continue existing at all. Especially if you also send
automated reports to the hosting provider of the domain, which I think
I read in the message.

Abusix have quite a bit of credibility in the field, so I am fully
expecting to have at least some of our spamtrap servers suspended by
the various providers we use because of "potential abuse" you have
flagged on domains that don't contain any credentials that could be
abused and therefore have nothing to worry about. I take it you will
not have a problem with us sending Abusix a bill for any time wasted
dealing with problems that don't exist should that happen.

My advice to you is to off the damn thing about 48 hours ago.


> Kind regards,
> Steve.
> 
> --
> Steve Freegard
> Senior Product Owner
> Abusix Intelligence

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Steve Freegard via mailop

Hi Andrew,

On 22/03/2020 16:05, Andrew C Aitchison wrote:
> On Sun, 22 Mar 2020, Steve Freegard via mailop wrote:
>> I didn't design this to annoy people, I did it because it's useful 
>> for the internet in general because compromised accounts are a huge 
>> issue, and one that causes issues for blacklist providers like us 
>> (e.g. if the compromised accounts are on unblockable IPs, then we 
>> have less ability to stop them), so this was more about providing 
>> data that previously wasn't available *for free* to help the 
>> community in general.
>
> Is it possible, and/or useful, to reuse the DMARC reporting mechanism ?



I didn't do this because I figured that postmaster@ was the most 
appropriate place, and because many places will use services like 
DMARCian, Agari etc. for aggregate reports and it would mean that they'd 
be less likely to be seen if I sent them there.


I'm happy to discuss alternative methods, but please bear in mind that 
for this data alone we average around 80 connections/sec with peaks much 
higher than this, so adding in additional DNS lookups is costly.


The sheer amount of bounces from domains that don't have working 
postmaster@ accounts is a bit disheartening already.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Andrew C Aitchison via mailop


On Sun, 22 Mar 2020, Steve Freegard via mailop wrote:

> This data is inherently noisy and I've gone to extreme lengths 
> to remove as much noise as possible and provide Abuse 
> Desks/Postmasters some visibility that they do not currently 
> have.
>
> Whilst this time it's reported an alias, next time it might 
> catch an account that was successfully phished, stolen by a 
> trojan/virus on the users computer or where another company 
> had a data breach and the user had the same password on that 
> service.
>
> Abuse reports shouldn't have to be opt-in.
>
> I didn't design this to annoy people, I did it because it's 
> useful for the internet in general because compromised 
> accounts are a huge issue, and one that causes issues for 
> blacklist providers like us (e.g. if the compromised accounts 
> are on unblockable IPs, then we have less ability to stop 
> them), so this was more about providing data that previously 
> wasn't available *for free* to help the community in general.


Is it possible, and/or useful, to reuse the DMARC reporting mechanism ?

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Steve Freegard via mailop

Hi Atro,

On 22/03/2020 11:23, Atro Tossavainen via mailop wrote:
> On Sun, Mar 22, 2020 at 02:11:45PM +1000, Ted Cooper via mailop wrote:
>> Has anyone run into "Abusix" /potentially/ compromised account
>> notification emails before?
>
> Not before, but now that you say, yes.
>
> I have a few dozen samples in spamtraps from Friday Mar 20, never before.
> They're both in recycled traps as well as in typo ones. They are coming
> from the IPs 88.99.195.122, 88.99.167.62, 85.10.192.252, all of which
> have the same rDNS
>
> $ host 88.99.167.62
> 62.167.99.88.in-addr.arpa domain name pointer globalreport.abusix.org.
>
> which maps back to the addresses involved
>
> $ host globalreport.abusix.org
> globalreport.abusix.org has address 88.99.195.122
> globalreport.abusix.org has address 88.99.167.62
> globalreport.abusix.org has address 85.10.192.252
>
> I am not impressed.


Sorry about that Atro.

Obviously trap domains, due to the very nature of them are more likely 
to be abused in this way and I will do what I can next week to address 
this and exclude them from reporting.


I've already found that SORBS and Manitu don't treat Abuse and 
Postmaster role accounts differently.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Steve Freegard via mailop

Hi Thomas,

On 22/03/2020 09:03, Thomas Walter via mailop wrote:

> I got the same email with some of our local accounts and aliases.
> Interestingly enough it included the same IP address 185.234.219.89.

That will happen, one IP usually goes absolutely crazy and sends most of 
the traffic, other times we'll see this distributed over a lot of 
different IPs.

> Checking my logs I have multiple failed logins from the address
> including the accounts they listed, but some more too.

We won't always report everything; we're only reporting accounts that we 
haven't seen before in the last 31 days (to avoid too much unnecessary 
noise). So we might have already seen those accounts or they came in 
after that day's report was generated.

> I wonder what kind of "Spamtraps" they use and why the attacker uses our
> local accounts to fall into those?

I'm sure you'll understand that I can't really say on a public forum how 
we do this. Catch me at a M3AAWG or other event and I'll give you more 
details.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Steve Freegard via mailop

Hi Luis,

On 22/03/2020 04:59, Luis E. Muñoz via mailop wrote:

> I got three in the last 48 hours at different sites. All referenced 
> real user accounts – no clue about the password. The warning seemed 
> legit so I passed the info to the potentially affected users, with the 
> recommendation to change their passwords at any sites where they used 
> said email accounts.

Thank you - that is *exactly* how I'd hoped this would be used.

I put the partial SHA-1 in so that it could be used with 
www.haveibeenpwned.com as they use the same format for good reasons, so 
it should work with any compatible tooling and automation.

> My reading is that bad actors will find valid email addresses as part 
> of successful exploits and then feed those into their automated attacks.

They'll get these via database dumps, compromised hosts and phishing.

Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence

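Steve's point above that the 5-character partial SHA-1 follows the Pwned Passwords range format, together with the two checks described earlier in the thread (Rob comparing it against the SHA-1 of the current password, Ted noting the address is an alias with no credential at all), as an added Python example. This is not code from the thread, from Abusix or from haveibeenpwned.com. It assumes a report row carries the address and a 5-hex-character prefix of SHA-1(password); the range response body is a constructed sample in the range API's `SUFFIX:COUNT` line format, and `triage`, `pwned_count` and the other names are this example's own.

```python
"""Triage of a 'potentially compromised account' report entry by its SHA-1 prefix.

Added example, not code from the mailop thread, Abusix or haveibeenpwned.com.
Assumptions: the report gives the first 5 hex characters of SHA-1(password),
the same prefix the Pwned Passwords range API is keyed on; the range response
below is a constructed sample in that API's line format (35-hex-char suffix,
colon, occurrence count), not real data.
"""
import hashlib
from typing import Optional


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the report prefix is taken from."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def prefix_matches(report_prefix: str, password: str) -> bool:
    """Does the report's 5-char prefix equal the first 5 hex chars of SHA-1(password)?

    A 5-hex-char prefix is only 20 bits, so a match says the attacker used *some*
    password with this prefix; strong evidence it was this one, not proof.
    """
    return sha1_hex(password)[:5] == report_prefix.strip().upper()


def triage(report_prefix: str, current_password: Optional[str]) -> str:
    """Classify a report row the way the replies in the thread did.

    'no-credential': alias or role address with no password (Ted's case);
                     there is nothing that could have been compromised.
    'stale':         prefix does not match the current password; most likely an
                     old password already rotated (Rob's case).
    'prefix-match':  prefix matches the current password: reset it.
    """
    if current_password is None:
        return "no-credential"
    if prefix_matches(report_prefix, current_password):
        return "prefix-match"
    return "stale"


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35:
            raise ValueError(f"bad suffix length in range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How often SHA-1(password) appears in the range response for its prefix (0 = absent)."""
    full = sha1_hex(password)
    return parse_range_response(range_body).get(full[5:], 0)


def triage_with_hibp(report_prefix: str, current_password: Optional[str], range_body: str) -> dict:
    """Local prefix check plus, only when it matches, a lookup in the range for that prefix."""
    verdict = triage(report_prefix, current_password)
    seen = pwned_count(current_password, range_body) if verdict == "prefix-match" else 0
    return {"verdict": verdict, "pwned_count": seen}


# Constructed sample range response for prefix 5BAA6 (sample counts, not real ones).
# The first suffix is that of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0" * 34 + "A:2",
    "F" * 35 + ":1",
])


if __name__ == "__main__":
    print(triage("5BAA6", None))          # alias: no-credential
    print(triage("5BAA6", "Tr0ub4dor&3"))  # different prefix: stale
    print(triage_with_hibp("5BAA6", "password", SAMPLE_RANGE_5BAA6))
```

The local check needs the plaintext of the current password (or a user re-entering it); a stored bcrypt or crypt hash cannot be compared against a SHA-1 prefix, which is why a prefix match is best treated as a trigger for a forced reset rather than something to verify against the credential store.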


Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Steve Freegard via mailop

Hello Ted,

On 22/03/2020 04:11, Ted Cooper via mailop wrote:

> Has anyone run into "Abusix" /potentially/ compromised account
> notification emails before?
>
> Their website "abusix.ai" looks to be about a week old based on the age
> of all of the articles. I would have guessed they'd have been around for
> longer and their name does ring a bell. Blog announcement on Abusix.com
> would indicate they launched Mar 2019.

Abusix has been in existence since 2009, although Abusix Intelligence, 
of which I am the Product Owner/Architect, has existed since I joined 
Abusix in January 2019.

> They've sent us a report from "nore...@abusix.org" to postmaster@ here
> in some kind of misguided attempt to help us because "Over the last 24
> hour period our traps have detected 1 potentially compromised accounts
> on your domain."
>
> In the CSV they attached, apparently the IP address 185.234.219.89
> (Poland) attempted to send an email at 2020-03-19T17:59:03.000Z using
> smtp auth credentials apparently from a domain hosted here. That IP
> address is not at all related to any networks or servers for the domain.

The IP reported here is the IP that authenticated to us and sent the 
credentials which were on your domain, so it's (hopefully!) never going 
to be related to you.

> They do provide the first 5 characters of the sha1 of the password that
> IP address used. I know it used the wrong password because the account
> in question does not have a password - it's an alias and not an account.
>
> Given the number of fraudulent auth attempts we all get every day with
> wild and whacky unrelated usernames (I get hotmail & others provided as
> username), why would anyone think it was a good idea to send out spam to
> stop spam when it was clearly a fraudulent email that didn't even go
> anywhere? If everyone sent out a spam notification when someone abused a
> domain we'd all be getting 10x fold increase in spam, all trying to be
> "helpful".

It's not about reporting every individual spam though, is it? That's a 
completely different scenario entirely.

Like you say, you receive thousands of fraudulent authentication 
attempts per day and we've reported *one* to you in this report. I can 
guarantee you we saw the same thousands that you did and discarded them 
because we'd seen them before. Likewise, this particular account will 
not be reported to you again until we stop seeing it for >31 days.

This data is inherently noisy and I've gone to extreme lengths to remove 
as much noise as possible and provide Abuse Desks/Postmasters some 
visibility that they do not currently have.

Whilst this time it's reported an alias, next time it might catch an 
account that was successfully phished, stolen by a trojan/virus on the 
user's computer or where another company had a data breach and the user 
had the same password on that service.

> They do ever so helpfully provide an "opt out" link. I am scratching my
> head as to think when I opted into such a service. /sarcasm.
>
> My initial thought was to route their domains and IPs to /dev/null,
> happy in the thought that I now get one less domain's spam.

Abuse reports shouldn't have to be opt-in.

I didn't design this to annoy people, I did it because it's useful for 
the internet in general because compromised accounts are a huge issue, 
and one that causes issues for blacklist providers like us (e.g. if the 
compromised accounts are on unblockable IPs, then we have less ability 
to stop them), so this was more about providing data that previously 
wasn't available *for free* to help the community in general.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Atro Tossavainen via mailop
On Sun, Mar 22, 2020 at 02:11:45PM +1000, Ted Cooper via mailop wrote:
> Has anyone run into "Abusix" /potentially/ compromised account
> notification emails before?

Not before, but now that you say, yes.

I have a few dozen samples in spamtraps from Friday Mar 20, never before.
They're both in recycled traps as well as in typo ones. They are coming
from the IPs 88.99.195.122, 88.99.167.62, 85.10.192.252, all of which
have the same rDNS

$ host 88.99.167.62
62.167.99.88.in-addr.arpa domain name pointer globalreport.abusix.org.

which maps back to the addresses involved

$ host globalreport.abusix.org
globalreport.abusix.org has address 88.99.195.122
globalreport.abusix.org has address 88.99.167.62
globalreport.abusix.org has address 85.10.192.252

I am not impressed.

Full disclosure: If I'm really optimistic, I would call our little company
a competitor of theirs, even though their volume is probably a million
times that of ours. I also know Tobias Knecht personally, as do many of
you all on this list, of course. I did notice that Udeme had already
pinged someone, him I suppose, but I did the same now, with all of this
detail.

With kind regards
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/



Re: [mailop] Abusix Potentially Compromised Account Report

2020-03-22 Thread Thomas Walter via mailop
Hey everyone,

On 22.03.20 05:11, Ted Cooper via mailop wrote:
> Has anyone run into "Abusix" /potentially/ compromised account
> notification emails before?

I got the same email with some of our local accounts and aliases.
Interestingly enough it included the same IP address 185.234.219.89.

Checking my logs I have multiple failed logins from the address
including the accounts they listed, but some more too.

I wonder what kind of "Spamtraps" they use and why the attacker uses our
local accounts to fall into those?

Regards,
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/

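Thomas's check of his own logs against the reported IP and accounts, and Steve's reply that a report lists only accounts not seen in the previous 31 days (so local logs may show more than the report does), as an added Python example. It is not code from the thread or from Abusix's tooling. The log lines are constructed samples in a Dovecot `imap-login` style, the example.org accounts are invented, the IP is the one quoted in the thread, and `index_auth_events` and `correlate` are this example's own names.

```python
"""Correlate a 'potentially compromised account' report with local mail auth logs.

Added example, not code from the mailop thread or from Abusix. It assumes
Dovecot-style imap-login log lines carrying user=<...> and rip=... fields;
the log lines and the example.org accounts below are constructed samples, and
the IP is the one quoted in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Failed and successful authentications, keyed on the user=<...> and rip=... fields.
AUTH_FAILED = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)")
LOGIN_OK = re.compile(r"Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)")


def index_auth_events(log_lines: Iterable[str]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return ({ip: accounts that failed auth}, {ip: accounts that logged in})."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    succeeded: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        ok = LOGIN_OK.search(line)
        if ok:
            succeeded[ok["rip"]].add(ok["user"].lower())
            continue
        bad = AUTH_FAILED.search(line)
        if bad:
            failed[bad["rip"]].add(bad["user"].lower())
    return failed, succeeded


def correlate(report: Iterable[Tuple[str, str]], log_lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Per reported IP: which reported accounts the logs confirm it tried ('confirmed'),
    which further accounts it tried that the report left out ('extra', the gap Thomas
    noticed, since a report only lists accounts not seen in the previous 31 days), and
    which accounts it actually logged into ('succeeded', the rows that are an incident
    rather than a password check)."""
    failed, succeeded = index_auth_events(log_lines)
    out: Dict[str, Dict[str, Set[str]]] = {}
    for ip, account in report:
        entry = out.setdefault(ip, {"reported": set(), "confirmed": set(), "extra": set(), "succeeded": set()})
        entry["reported"].add(account.lower())
    for ip, entry in out.items():
        tried = failed.get(ip, set()) | succeeded.get(ip, set())
        entry["confirmed"] = entry["reported"] & tried
        entry["extra"] = tried - entry["reported"]
        entry["succeeded"] = set(succeeded.get(ip, set()))
    return out


# Constructed sample data: the report rows and the local log lines.
SAMPLE_REPORT = [
    ("185.234.219.89", "alice@example.org"),
    ("185.234.219.89", "bob@example.org"),
]
SAMPLE_LOG = [
    "Mar 19 17:59:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<alice@example.org>, method=PLAIN, rip=185.234.219.89, lip=192.0.2.25, TLS",
    "Mar 19 17:59:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<bob@example.org>, method=PLAIN, rip=185.234.219.89, lip=192.0.2.25, TLS",
    "Mar 19 17:59:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<carol@example.org>, method=PLAIN, rip=185.234.219.89, lip=192.0.2.25, TLS",
    "Mar 19 18:02:41 mx dovecot: imap-login: Login: "
    "user=<bob@example.org>, method=PLAIN, rip=185.234.219.89, lip=192.0.2.25, TLS",
    "Mar 19 18:10:00 mx dovecot: imap-login: Login: "
    "user=<dave@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.25, TLS",
]


if __name__ == "__main__":
    for ip, entry in correlate(SAMPLE_REPORT, SAMPLE_LOG).items():
        print(ip)
        for key in ("reported", "confirmed", "extra", "succeeded"):
            print(f"  {key}: {sorted(entry[key])}")
```

The split between `confirmed`, `extra` and `succeeded` is the point: failed attempts against aliases or stale passwords are the noise the thread complains about, while a successful login from the reported IP is what needs a reset and session revocation regardless of what the report's SHA-1 prefix says.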


Re: [mailop] Spam from no-re...@sharepointonline.com via outbound.protection.outlook.com

2020-03-22 Thread Suresh Ramasubramanian via mailop
The solution is rather more complex but yes, what you describe might be a 
useful start.  Free accounts, hacked accounts, accounts bought using stolen 
cards .. so many vectors.  And then yet more vectors in just how you can abuse 
a service that can be coaxed into sending out mail with some customizations to 
various people.

Corporate job sites with “send this job posting to a friend, with a personal 
note”
Online calendars, documents, shared photos […]
Web forms

Not at all a new sort of abuse, Matt Wright’s formmail was pretty heavily 
abused even two decades ++ back.  But it has grown a lot more sophisticated and 
harder to lock down.

--srs

> From: mailop
> Date: Sunday, 22 March 2020 at 2:16 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Spam from no-re...@sharepointonline.com via 
> outbound.protection.outlook.com
>
> On 22.03.20 at 08:37, Suresh Ramasubramanian via mailop wrote:
>> This is abuse of free trial accounts of office 365, and the document sharing 
>> that sharepoint allows.   Create a document with porn spam text and share it, 
>> with a porn spam spiel, with a big list of spam recipients.
>>
>> That is the reply-to and not the originator of the email, I am not sure where 
>> you got originator from.
>>
>> --srs
>
> Ah thanks, that helps to understand! I'm not a Microsoft user, so I'm not 
> really up to date on what kinds of products and services they offer.
>
> The From: header and envelope sender address 
> "no-re...@sharepointonline.com" is just a 
> mechanism to prevent automated replies and rejects from getting anywhere, so it 
> can't be considered the originator.
>
> I suspect that the Reply-To is somehow the "originator" because it's possibly 
> the mail address associated with the account that is being used to spam, but 
> that is just a guess as I don't know how Microsoft constructs the header 
> contents for this kind of spam. If the assumption is true, one way Microsoft 
> could suppress this kind of spam would be to refuse free trial registrations 
> with such addresses or to restrict the sharepoint functionality for these 
> accounts.
>
> Cheers,
> Hans-Martin


Re: [mailop] Spam from no-re...@sharepointonline.com via outbound.protection.outlook.com

2020-03-22 Thread Hans-Martin Mosner via mailop
On 22.03.20 at 08:37, Suresh Ramasubramanian via mailop wrote:
> This is abuse of free trial accounts of office 365, and the document sharing 
> that sharepoint allows.   Create a document with porn spam text and share it, 
> with a porn spam spiel, with a big list of spam recipients.
>
> That is the reply-to and not the originator of the email, I am not sure where 
> you got originator from.
>
> --srs
Ah thanks, that helps to understand! I'm not a Microsoft user, so I'm not 
really up to date on what kinds of products and services they offer.

The From: header and envelope sender address "no-re...@sharepointonline.com" is 
just a mechanism to prevent automated replies and rejects from getting anywhere, 
so it can't be considered the originator.

I suspect that the Reply-To is somehow the "originator" because it's possibly 
the mail address associated with the account that is being used to spam, but 
that is just a guess as I don't know how Microsoft constructs the header 
contents for this kind of spam. If the assumption is true, one way Microsoft 
could suppress this kind of spam would be to refuse free trial registrations 
with such addresses or to restrict the sharepoint functionality for these 
accounts.

Cheers,
Hans-Martin
