Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer n...@sec.state.vt.us wrote:
> Hi David,
>
> David E. Smith wrote:
>> I suppose I could start filtering all my network's outgoing mail - my Imail server, and a few other ones, all smarthost/gateway their email through one central server here, basically for ease of logging. I could make that server start spam-scanning too, if I had to. I'd rather prevent the spam from getting into my network in the first place, but this is probably an acceptable alternative.
>
> Not a solution ala probably just an annoying question :) If these are all hacked accounts - can you not just change passwords - and to ones that are more difficult to guess?
>
> -Nick

David Smith
MVN.net

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Matti Haack wrote:
> So I think there is some glitch in your IIS setup or in Imail, which allows getting to the webmail without authorization.

If there were such a glitch, it would affect all Imail users, not just me. I think it's just that my number finally came up on the spam lottery.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Dave Doherty wrote:
> What is your connection between IIS and IMail? Are you using a version of IMail that uses IIS (ie: 2006 or later)? And what does IIS have to do with the IMail logins? Are you running a form that requires logins and sends the mail to your IMail server?

Nope, it's purely legitimate logins that coincidentally come from Nigerian IP space. Basically they're cut-and-pasting spam into the Imail Web interface. (Once, they got really smart, and put the spam into the signature, so they only had to cut-and-paste recipients' email addresses. I'm glad the spammers often aren't that clever; that incident yielded a lot more spam than any other.)

Someone here recommended Tometa GeoSniper, which looks like it'll probably do what I need (I haven't yet installed it on my test system, but it's promising). Thanks!

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
On Jan 7, 2009, at 11:13 AM, David E. Smith wrote:
> Someone here recommended Tometa GeoSniper, which looks like it'll probably do what I need (I haven't yet installed it on my test system, but it's promising). Thanks!

Hello,

Take a look at eWall as it really is a nice little program that does more than just geo sniping. $99 and it integrates with Message Sniffer very nicely.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Hi David -

What is your connection between IIS and IMail? Are you using a version of IMail that uses IIS (ie: 2006 or later)? And what does IIS have to do with the IMail logins? Are you running a form that requires logins and sends the mail to your IMail server?

We have been using Declude Hijack for many years with IMail to detect and stop these kinds of attacks. It has the weakness that it is IP based, so (a) if a well-distributed attack were to occur, it would not detect it; and (b) if a lot of legit mail comes from an individual server, you have to set the detection limits very high for the server's IP. But on the whole, it has been extremely effective for us.

-Dave Doherty
Skywaves Consulting LLC

----- Original Message -----
From: David E. Smith d...@mvn.net
To: Imail_Forum@list.ipswitch.com
Sent: Monday, January 05, 2009 9:24 AM
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS

> Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance. They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos. Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net
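The check David's original post asks for, a DNSBL lookup applied to the webmail client's IP rather than to an SMTP peer, as an added example; it is not code from the thread, from IMail or from IIS. It assumes the usual DNSBL convention (the client's octets reversed and prefixed to the zone, an A record in 127.0.0.0/8 meaning "listed", NXDOMAIN meaning "not listed"); the fake resolver and its answers are constructed, and no specific return codes for ng.blackholes.us are claimed. In IIS this logic would live in an ISAPI filter or, for an ASP.NET-hosted webmail, an HttpModule in front of the login page; the Python here is the decision logic such a filter would implement, with the resolver injected so the example runs offline.

```python
"""DNSBL check on a webmail client's IP, the IIS-side counterpart of mod_dnsbl.

Added example, not from the thread and not IMail or IIS code. Assumes the
common DNSBL convention: query <reversed octets>.<zone>; an A record in
127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# hostname -> A records; [] for NXDOMAIN; raises OSError on resolver failure
Resolver = Callable[[str], Iterable[str]]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Never send these to a DNSBL: they cannot be listed and the query leaks
# internal addressing to a third-party DNS server.
NEVER_QUERY = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_name(ip: str, zone: str) -> str:
    """203.0.113.9 against ng.blackholes.us -> 9.113.0.203.ng.blackholes.us.
    IPv4 only; IPv6 raises so the caller chooses a policy explicitly."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only, got %s" % ip)
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver (used when no resolver is injected)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_AGAIN", None):
            raise  # temporary failure: let the caller apply fail_open
        return []  # no such name: not listed


def dnsbl_verdict(ip: str, zone: str, resolve: Resolver = system_resolver,
                  fail_open: bool = True) -> Tuple[bool, str]:
    """Return (block, reason). fail_open decides what a resolver outage means:
    True lets the login through (availability), False blocks it (safety)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return False, "%s not queried (private/loopback)" % ip
    name = dnsbl_name(ip, zone)
    try:
        answers = list(resolve(name))
    except OSError as e:
        return (not fail_open), "%s: resolver error (%s)" % (name, e)
    hits = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    if hits:
        return True, "%s -> %s" % (name, ", ".join(hits))
    return False, "%s not listed" % name


# Constructed stand-ins so the example runs offline; not the real zone's data.
FAKE_ZONE = {"9.113.0.203.ng.blackholes.us": ["127.0.0.2"]}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


def failing_resolver(name: str) -> List[str]:
    raise OSError("DNS timeout")


if __name__ == "__main__":
    for client_ip in ("203.0.113.9", "198.51.100.7", "10.0.0.5"):
        print(client_ip, dnsbl_verdict(client_ip, "ng.blackholes.us", fake_resolver))
    print("outage, fail closed:",
          dnsbl_verdict("203.0.113.9", "ng.blackholes.us", failing_resolver, fail_open=False))
```

The fail_open flag is the part worth deciding deliberately: a country-zone DNSBL that times out will otherwise either lock every user out of webmail or silently stop blocking, and the filter should log which of the two happened. Hook the verdict to the login request only, not to every page fetch, so the DNS cost is paid once per session.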
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
I think you are trying to put a band-aid on a bigger problem. Are you sure that it is a number of hacked accounts and not a hacked machine? Are you sure your mail server has not been turned into a spambot?

If they know the passwords, they learned them one of three ways: with a sniffer, which means something on your network is compromised; directly from the server, which means the server is compromised; or, if you keep a list of passwords locally, that access to the list is compromised. You need to find the hole and change all passwords, if it is really a password leak.

Roger

David E. Smith wrote:
> Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance. They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos. Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Hello,

I have a lite gateway client that uses a database of IP locations to screen out any countries before they get to iMail. Really cut down on the CPU load and still works well with Message Sniffer. http://sssolutions.net/ew/

The process might be used to screen any activity from Nigeria since the IP address is a factor in both sending and receiving.

On Jan 5, 2009, at 6:24 AM, David E. Smith wrote:
> Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance. They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos. Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net

Regards,
Steve Guluk
SGDesign
(949) 661-9333
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
David E. Smith wrote:
> Anyone know of a way to apply DNS blacklists to a Web site in IIS

I do not know of a way to do it dynamically, but you could blacklist the IP space of ng.blackholes.us? Another kludge is if you have samples of the spam they send and can pattern it, then you can delete it before it is sent.

-Nick
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer wrote:
>> I suppose I could start filtering all my network's outgoing mail - my Imail server, and a few other ones, all smarthost/gateway their email through one central server here, basically for ease of logging. I could make that server start spam-scanning too, if I had to. I'd rather prevent the spam from getting into my network in the first place, but this is probably an acceptable alternative.
>
> Not a solution ala probably just an annoying question :) If these are all hacked accounts - can you not just change passwords - and to ones that are more difficult to guess?

I'm doing that. Since I'm getting one or two of these a week, though, and I don't know about them until after they've sent out a few thousand emails, by the time I can fix that, the damage already is done. I'd rather be pro-active more than reactive in this case.

David Smith
MVN.net
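Detecting the pattern David describes (no failed logins, five to ten recipients per message, thousands of messages an hour) from the server's own send logs, so the account can be disabled before the run finishes, as an added example; it is not code from the thread and not IMail's log format. It totals recipients per account over a sliding window regardless of source IP, which is also the well-distributed case Dave Doherty notes an IP-keyed hijack detector misses. The log line format, account names, IPs and the 100-recipients-per-hour threshold are constructed assumptions.

```python
"""Spot a hijacked webmail account from send logs by recipients per account per hour.

Added example, not from the thread and not IMail's log format. The line
format, accounts, IPs and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed format: one line per message sent through the webmail interface.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<n>\d+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never counted
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["ip"], int(m["n"]))


def find_hijacked(lines: Iterable[str], window: timedelta = timedelta(hours=1),
                  max_rcpts: int = 100) -> Dict[str, dict]:
    """Per-account sliding-window recipient totals, independent of source IP.

    A hijacker sending 8 recipients per message, once a minute, never trips a
    per-message limit but crosses max_rcpts on the thirteenth message. Keying
    on the account rather than the client IP also catches a distributed
    attacker. Returns {user: {"at", "rcpts_in_window", "messages", "ips"}}
    for the first crossing of each flagged account.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r[0])
    recent = defaultdict(deque)   # user -> deque of (ts, ip, n) inside the window
    total = defaultdict(int)      # user -> recipients currently inside the window
    alerts: Dict[str, dict] = {}
    for ts, user, ip, n in records:
        q = recent[user]
        q.append((ts, ip, n))
        total[user] += n
        while q and ts - q[0][0] > window:   # evict sends older than the window
            _, _, old = q.popleft()
            total[user] -= old
        if total[user] > max_rcpts and user not in alerts:
            alerts[user] = {
                "at": ts.isoformat(),
                "rcpts_in_window": total[user],
                "messages": len(q),
                "ips": sorted({e[1] for e in q}),
            }
    return alerts


# Constructed sample: alice is a normal user, carol sends steadily but slowly,
# bob's account is hijacked: 20 messages of 8 recipients in 20 minutes from two IPs.
SAMPLE_LOG = [
    "2009-01-05T08:02:11 user=alice ip=192.0.2.10 rcpts=1",
    "2009-01-05T08:40:55 user=alice ip=192.0.2.10 rcpts=2",
    "2009-01-05T11:15:30 user=alice ip=192.0.2.10 rcpts=1",
    "garbage line that should be ignored",
] + [
    "2009-01-05T%02d:00:00 user=carol ip=192.0.2.44 rcpts=5" % h for h in range(8, 20)
] + [
    "2009-01-05T09:%02d:00 user=bob ip=%s rcpts=8"
    % (i, "203.0.113.9" if i % 2 else "203.0.113.77") for i in range(20)
]

if __name__ == "__main__":
    for user, info in find_hijacked(SAMPLE_LOG).items():
        print(user, info)
```

Run against a live log tail, the alert is the trigger to disable the account and expire its sessions; the "ips" field feeds the firewall rule David is already adding by hand. Set max_rcpts from a week of normal traffic per account rather than guessing, and keep the window short enough that a detected run is stopped after tens of messages, not thousands.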
RE: [IMail Forum] (OT?) Using DNS blacklists with IIS
David

I'm guessing you are behind a firewall, I hope so. Why not go in and block the address range at the firewall and leave it at that? I've had some pretty nasty people do the same thing you're seeing and ended up at this. I had some luck with Declude and Message Sniffer, but these sort of folks are pretty agile and hard to stop. Mine were from China.

John

-----Original Message-----
From: imail_forum-ow...@list.ipswitch.com [mailto:imail_forum-ow...@list.ipswitch.com] On Behalf Of David E. Smith
Sent: Monday, January 05, 2009 6:24 AM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS

> Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance. They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos. Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer wrote:
> I do not know of a way to do it dynamically, but you could blacklist the IP space of ng.blackholes.us? Another kludge is if you have samples of the spam they send and can pattern it, then you can delete it before it is sent.

That's an awful lot of address space, probably a couple hundred CIDRs. The content analysis would be pretty iffy at best, because I've had this happen a half-dozen times in the last six weeks and it's been different stuff every time. (They're all forward-fee scams, but the text is different enough that it would be hard to match.)

I suppose I could start filtering all my network's outgoing mail - my Imail server, and a few other ones, all smarthost/gateway their email through one central server here, basically for ease of logging. I could make that server start spam-scanning too, if I had to. I'd rather prevent the spam from getting into my network in the first place, but this is probably an acceptable alternative.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Steve Guluk wrote:
> Hello, I have a lite gateway client that uses a database of IP locations to screen out any countries before they get to iMail. Really cut down on the CPU load and still works well with Message Sniffer.

I don't see how this would work - the mails are coming from authenticated Web users, being sent to random US-based Yahoo and Hotmail addresses mainly. Since there's nothing indicating Nigeria in the SMTP layer (boy oh boy I wish Imail would add sender-IP to mail from the Web interface), this probably won't help.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
John Doyle wrote:
> Why not go in and block the address range at the firewall and leave it at that? I've had some pretty nasty people do the same thing you're seeing and ended up at this. I had some luck with Declude and Message Sniffer, but these sort of folks are pretty agile and hard to stop. Mine were from China.

I do firewall off address ranges, but that's not a long-term solution. In the last six weeks, these have come from five different, wholly-unrelated address blocks. And I don't wish to block Nigerian users from viewing my customers' Web sites, for example, or my users from viewing any content hosted there.

My goal is to create the least-intrusive solution possible. Thus, blocking the IP space by, say, adding a couple hundred new rules to iptables and blocking the whole country from my whole network, would be inappropriate. I can't readily think of a more appropriate place to perform these checks, except maybe by modifying the Imail Web interface itself to use a geolocation database, but I'm not sure if that's even possible.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
maill...@actmail.com wrote:
> Are you sure that it is a number of hacked accounts and not a hacked machine?

Yup. So far, every one of these end-users has brought their desktop by the office, and we've found keyloggers and spyware on every one of 'em. I've also conducted the usual checks on the host mail server (booting from a clean CD in offline mode and running the usual spyware and virus checks, which was a lot of fun at 2 in the morning), and I believe the server to be clean.

David Smith
MVN.net