Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer wrote:
> Hi David,
>
> David E. Smith wrote:
>> I suppose I could start filtering all my network's outgoing mail - my
>> Imail server, and a few other ones, all smarthost/gateway their email
>> through one central server here, basically for ease of logging. I
>> could make that server start spam-scanning too, if I had to. I'd
>> rather prevent the spam from getting into my network in the first
>> place, but this is probably an acceptable alternative.
>
> Not a solution, ala probably just an annoying question :) If these
> are all hacked accounts - can you not just change passwords - and to
> ones that are more difficult to guess?
>
> -Nick
>
>> David Smith
>> MVN.net

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Matti Haack wrote:
> So I think there is some glitch in your IIS setup or in Imail, which
> allows one to get to the webmail without authorization.

If there were such a glitch, it would affect all Imail users, not just me. I think it's just that my number finally came up on the spam lottery.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
On Jan 7, 2009, at 11:13 AM, David E. Smith wrote:
> Someone here recommended Tometa GeoSniper, which looks like it'll
> probably do what I need (I haven't yet installed it on my test system,
> but it's promising). Thanks!

Hello,

Take a look at eWall as it really is a nice little program that does more than just geo sniping. $99 and it integrates with Message Sniffer very nicely.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Dave Doherty wrote:
> What is your connection between IIS and IMail? Are you using a version
> of IMail that uses IIS (i.e. 2006 or later)? And what does IIS have to
> do with the IMail logins? Are you running a form that requires logins
> and sends the mail to your IMail server?

Nope, it's purely legitimate logins that coincidentally come from Nigerian IP space. Basically they're cut-and-pasting spam into the Imail Web interface. (Once, they got really smart, and put the spam into the signature, so they only had to cut-and-paste recipients' email addresses. I'm glad the spammers often aren't that clever; that incident yielded a lot more spam than any other.)

Someone here recommended Tometa GeoSniper, which looks like it'll probably do what I need (I haven't yet installed it on my test system, but it's promising). Thanks!

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Hi David -

What is your connection between IIS and IMail? Are you using a version of IMail that uses IIS (i.e. 2006 or later)? And what does IIS have to do with the IMail logins? Are you running a form that requires logins and sends the mail to your IMail server?

We have been using Declude Hijack for many years with IMail to detect and stop these kinds of attacks. It has the weakness that it is IP based, so (a) if a well-distributed attack were to occur, it would not detect it; and (b) if a lot of legit mail comes from an individual server, you have to set the detection limits very high for the server's IP. But on the whole, it has been extremely effective for us.

-Dave Doherty
Skywaves Consulting LLC

----- Original Message -----
From: "David E. Smith"
To:
Sent: Monday, January 05, 2009 9:24 AM
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS

Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance.

They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.

All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos.

Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?

David Smith
MVN.net
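The hijack detection Dave describes, as an added example that is not part of the thread and not Declude Hijack or IMail code. It goes a little beyond the per-IP scheme: it counts recipients rather than messages in a trailing one-hour window (the attackers in this thread keep each message at five to ten recipients, so a per-message limit never fires), keeps one counter per account as well as one per client IP (a distributed attack that stays under every IP limit still shows up on the account), and takes a per-IP override for the legitimate bulk sender that would otherwise trip the IP limit. The log format, thresholds, account names and addresses are constructed for the example.

```python
"""Hijacked-account detection over web-mail submissions (added example).

Not Declude Hijack and not IMail code. One constructed log line per
web-mail send: timestamp, account, client IP, number of RCPT TO addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
PER_ACCOUNT_LIMIT = 200   # recipients per hour per account (assumed)
PER_IP_LIMIT = 300        # recipients per hour per client IP (assumed)
# Raised limit for a known legitimate relay (constructed address).
IP_OVERRIDES = {"198.51.100.10": 5000}

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) rcpts=(\d+)$")


class SlidingCounter:
    """Sum of recipient counts over the trailing WINDOW."""

    def __init__(self):
        self.events = deque()
        self.total = 0

    def add(self, ts, n):
        self.events.append((ts, n))
        self.total += n
        # Drop events that have aged out of the window.
        while self.events and ts - self.events[0][0] > WINDOW:
            _, old = self.events.popleft()
            self.total -= old


def ip_limit(ip):
    return IP_OVERRIDES.get(ip, PER_IP_LIMIT)


def detect(lines):
    """Return alerts as (kind, key, recipients_in_window), one per key."""
    per_account = defaultdict(SlidingCounter)
    per_ip = defaultdict(SlidingCounter)
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a submission record
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        user, ip, n = m.group(2), m.group(3), int(m.group(4))
        per_account[user].add(ts, n)
        per_ip[ip].add(ts, n)
        if per_account[user].total > PER_ACCOUNT_LIMIT and ("account", user) not in alerted:
            alerted.add(("account", user))
            alerts.append(("account", user, per_account[user].total))
        if per_ip[ip].total > ip_limit(ip) and ("ip", ip) not in alerted:
            alerted.add(("ip", ip))
            alerts.append(("ip", ip, per_ip[ip].total))
    return alerts


def constructed_log():
    """Constructed sample traffic, sorted by time (not real log data)."""
    base = datetime(2009, 1, 5, 8, 0, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%S} user={} ip={} rcpts=8".format
    lines = []
    # Ten accounts behind the legitimate relay: 400 recipients from one IP.
    for i in range(10):
        for j in range(5):
            lines.append(fmt(base + timedelta(minutes=5 * i + j), f"acct{i}", "198.51.100.10"))
    # One compromised account: 30 messages of 8 recipients in 30 minutes.
    for j in range(30):
        lines.append(fmt(base + timedelta(minutes=j), "bob", "203.0.113.45"))
    # One attacker IP spread over four accounts, each under the account limit.
    for name in ("carol", "dave", "erin", "frank"):
        for j in range(10):
            lines.append(fmt(base + timedelta(minutes=3 * j), name, "203.0.113.99"))
    return sorted(lines)


if __name__ == "__main__":
    for kind, key, total in detect(constructed_log()):
        print(f"ALERT {kind} {key}: {total} recipients in the last hour")
```

On the constructed traffic the relay's 400 recipients stay under its override, bob is flagged on his own account counter while his IP stays under the IP limit, and the four-account attacker is caught only by the IP counter. Both counters are needed; neither alone covers both cases.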
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
John Doyle wrote:
> Why not go in and block the address range at the firewall and leave it
> at that. I've had some pretty nasty people do the same thing you're
> seeing and ended up at this. I had some luck with declude and message
> sniffer, but these sort of folks are pretty agile and hard to stop.
> Mine were from China.

I do firewall off address ranges, but that's not a long-term solution. In the last six weeks, these have come from five different, wholly-unrelated address blocks. And I don't wish to block Nigerian users from viewing my customers' Web sites, for example, or my users from viewing any content hosted there.

My goal is to create the least-intrusive solution possible. Thus, blocking the IP space by, say, adding a couple hundred new rules to iptables and blocking the whole country from my whole network, would be inappropriate. I can't readily think of a more appropriate place to perform these checks, except maybe by modifying the Imail Web interface itself to use a geolocation database, but I'm not sure if that's even possible.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
maill...@actmail.com wrote:
> Are you sure that it is a number of hacked accounts and not a hacked
> machine?

Yup. So far, every one of these end-users has brought their desktop by the office, and we've found keyloggers and spyware on every one of 'em. I've also conducted the usual checks on the host mail server (booting from a clean CD in offline mode and running the usual spyware and virus checks, which was a lot of fun at 2 in the morning), and I believe the server to be clean.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
I think you are trying to put a band-aid on a bigger problem. Are you sure that it is a number of hacked accounts and not a hacked machine? Are you sure your mail server has not been turned into a spambot?

If they know the passwords, they learned them one of three ways: with a sniffer, which means something on your network is compromised; directly from the server, which means the server is compromised; or, if you keep a list of passwords locally, that access to the list is compromised. You need to find the hole and change all passwords, if it is really a password leak.

Roger

David E. Smith wrote:
> Lately, I've had a rash of attackers from Nigeria, who have acquired (through
> whatever means) legitimate logins and passwords for my Imail users. They log
> in, send out a couple thousand emails, and log out. There are no failed
> logins, so even an over-zealous account lockout policy wouldn't work in this
> instance.
>
> They only send to five or ten recipients at a time, so they avoid most of the
> rate-limiting features. But through the magic of cut-and-paste, they're able
> to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm
> willing to annoy any legitimate users of mine that might be vacationing in
> Lagos.
>
> Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable
> to mod_dnsbl for Apache?
>
> David Smith
> MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
On Jan 5, 2009, at 7:42 AM, David E. Smith wrote:
> I don't see how this would work - the mails are coming from
> authenticated Web users, being sent to random US-based Yahoo and Hotmail
> addresses mainly. Since there's nothing indicating "Nigeria" in the SMTP
> layer (boy oh boy I wish Imail would add sender-IP to mail from the Web
> interface), this probably won't help.

eWall gets the sender's IP address from iMail and "knows" which country it is coming from regardless of whether iMail allows the secure connection (it uses a DB of IPs as related to their issued country - http://www.maxmind.com/app/geolitecountry). You can then erase the email before it leaves your server as well as use the IP in a blacklist.

Here's a log entry that shows how the sender (an authorized iMail user) is identified as one from the USA:

1/5/2009 8:16:09 AM 22019 0 -- Requested connection from United States 12.183.245.146
1/5/2009 8:16:09 AM 22019 109 Checking condition 'sender IP in black list'
1/5/2009 8:16:09 AM 22019 109 Checking condition 'sender IP is not local'
1/5/2009 8:16:09 AM 22019 109 Checking condition 'sender IP is not on LAN'
1/5/2009 8:16:09 AM 22019 109 Checking condition 'sender IP not in white list'
1/5/2009 8:16:09 AM 22019 109 Checking condition 'sender country is not 'Canada' or 'Finland' or 'India' or 'Ireland' or 'Mexico' or 'Ukraine'...'
1/5/2009 8:16:09 AM 22019 296 < 220 mail.sgdesign.com (IMail 9.23 3668-1) NT-ESMTP Server X1
1/5/2009 8:16:09 AM 22019 390 > EHLO rodney
1/5/2009 8:16:09 AM 22019 484 < 250-mail.sgdesign.com says hello
1/5/2009 8:16:09 AM 22019 484 < 250-SIZE 0
1/5/2009 8:16:09 AM 22019 484 < 250-8BITMIME
1/5/2009 8:16:09 AM 22019 484 < 250-AUTH LOGIN CRAM-MD5
1/5/2009 8:16:09 AM 22019 484 < 250-AUTH LOGIN
1/5/2009 8:16:09 AM 22019 484 < 250-AUTH=LOGIN
1/5/2009 8:16:09 AM 22019 484 < 250-EXPN
1/5/2009 8:16:09 AM 22019 484 < 250 OK
1/5/2009 8:16:09 AM 22019 578 > AUTH LOGIN
1/5/2009 8:16:10 AM 22019 671 < 334 VXNlcm5hbWU6
1/5/2009 8:16:10 AM 22019 765 > cm9kbmV5QHBhY2lmaWNob21lc2FsZXMuY29t
1/5/2009 8:16:10 AM 22019 859 < 334 UGFzc3dvcmQ6
1/5/2009 8:16:10 AM 22019 953 > NjI1Zmd3
1/5/2009 8:16:10 AM 22019 1046 < 235 authenticated
1/5/2009 8:16:10 AM 22019 1156 > MAIL FROM:
1/5/2009 8:16:10 AM 22019 1234 < 250 ok
1/5/2009 8:16:10 AM 22019 1234 Checking condition 'sender address contains 'Metso.com''
1/5/2009 8:16:10 AM 22019 1296 > RCPT TO:
1/5/2009 8:16:10 AM 22019 1421 < 250 ok its for >
1/5/2009 8:16:10 AM 22019 1484 > DATA
1/5/2009 8:16:10 AM 22019 1484 < 354 Ready
1/5/2009 8:16:11 AM 22019 1656 Message ID: <001601c96f50$ec173320$64000...@rodney>
1/5/2009 8:16:11 AM 22019 1656 Subject: El Cajon #155
1/5/2009 8:16:11 AM 22019 1656 Message size: 1.42 KB
1/5/2009 8:16:11 AM 22019 1656 Checking condition 'sender is not authenticated'
1/5/2009 8:16:11 AM 22019 1671 < 250 Message queued
1/5/2009 8:16:11 AM 22019 2000 > QUIT
1/5/2009 8:16:11 AM 22019 2031 < 221 Goodbye
1/5/2009 8:16:11 AM 22019 2031 Disconnect

Regards,
Steve Guluk
SGDesign
(949) 661-9333
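The country check that the eWall log above walks through (white list, LAN, then country), as an added example that is not eWall, IMail or MaxMind code. eWall reads the country from MaxMind's GeoLite Country database; here the prefix table is a constructed handful of documentation ranges so the script runs offline, and the lookup is longest-prefix, which is what a real GeoIP table needs once a small block inside a larger one is assigned to a different country. The white-list entry, LAN ranges and blocked-country policy are assumptions. One caveat on the transcript itself: AUTH LOGIN carries the username and password base64-encoded, not encrypted, so anything that can capture that session sees the credentials in the clear; the example below concerns only the country decision.

```python
"""Country screening of a web-mail login by client IP (added example).

Not eWall or IMail code. The prefix table is constructed from RFC 5737
documentation ranges; a real deployment would load the GeoLite data.
"""
import ipaddress

# Constructed prefix -> country table (not real allocations). The /26
# nested inside the /25 is why matching must be longest-prefix.
COUNTRY_TABLE = [
    ("192.0.2.0/24", "NG"),
    ("198.51.100.0/25", "US"),
    ("198.51.100.0/26", "MX"),
    ("203.0.113.0/24", "CA"),
]
COUNTRY_NETS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in COUNTRY_TABLE),
    key=lambda nc: nc[0].prefixlen,
    reverse=True,  # longest prefix first
)

# Assumed local ranges; checked explicitly rather than via is_private, which
# in Python also flags the documentation ranges used in this table.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
WHITELIST = {ipaddress.ip_address("192.0.2.77")}   # assumed: a known user abroad
BLOCKED_COUNTRIES = {"NG"}                           # assumed policy for this thread's case


def country_of(ip):
    """ISO country code for ip, or None if no prefix in the table covers it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_NETS:
        if addr in net:
            return cc
    return None


def decide(ip, fail_open=True):
    """Return (allow, reason) for a web-mail login from ip.

    Condition order follows the eWall log: white list, LAN, then country.
    """
    addr = ipaddress.ip_address(ip)
    if addr in WHITELIST:
        return True, "whitelisted"
    if any(addr in net for net in LAN_NETS):
        return True, "local network"
    cc = country_of(ip)
    if cc is None:
        # No GeoIP coverage. The thread's author would rather annoy a
        # traveller than let spam out, so fail_open=False is defensible.
        if fail_open:
            return True, "country unknown, fail open"
        return False, "country unknown, fail closed"
    if cc in BLOCKED_COUNTRIES:
        return False, f"country {cc} is blocked"
    return True, f"country {cc}"


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.77", "198.51.100.10",
               "198.51.100.100", "198.51.100.200", "10.1.2.3"):
        print(ip, decide(ip))
```

The white list is evaluated first on purpose: it is the escape hatch for the legitimate user who really is in Lagos, and it has to win over the country rule or it is useless.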
RE: [IMail Forum] (OT?) Using DNS blacklists with IIS
David

I'm guessing you are behind a firewall, I hope so. Why not go in and block the address range at the firewall and leave it at that. I've had some pretty nasty people do the same thing you're seeing and ended up at this. I had some luck with declude and message sniffer, but these sort of folks are pretty agile and hard to stop. Mine were from China.

John

-----Original Message-----
From: imail_forum-ow...@list.ipswitch.com [mailto:imail_forum-ow...@list.ipswitch.com] On Behalf Of David E. Smith
Sent: Monday, January 05, 2009 6:24 AM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS

Lately, I've had a rash of attackers from Nigeria, who have acquired (through whatever means) legitimate logins and passwords for my Imail users. They log in, send out a couple thousand emails, and log out. There are no failed logins, so even an over-zealous account lockout policy wouldn't work in this instance.

They only send to five or ten recipients at a time, so they avoid most of the rate-limiting features. But through the magic of cut-and-paste, they're able to get a few thousand messages an hour sent out.

All the attackers come from IP space listed on ng.blackholes.us, and I'm willing to annoy any legitimate users of mine that might be vacationing in Lagos.

Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable to mod_dnsbl for Apache?

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer wrote:
>> I suppose I could start filtering all my network's outgoing mail - my
>> Imail server, and a few other ones, all smarthost/gateway their email
>> through one central server here, basically for ease of logging. I
>> could make that server start spam-scanning too, if I had to. I'd
>> rather prevent the spam from getting into my network in the first
>> place, but this is probably an acceptable alternative.
>
> Not a solution, ala probably just an annoying question :) If these
> are all hacked accounts - can you not just change passwords - and to
> ones that are more difficult to guess?

I'm doing that. Since I'm getting one or two of these a week, though, and I don't know about them until after they've sent out a few thousand emails, by the time I can fix that, the damage already is done. I'd rather be pro-active more than reactive in this case.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Steve Guluk wrote:
> Hello, I have a lite gateway client that uses a database of IPs
> locations to screen out any countries before they get to iMail. Really
> cut down on the CPU load and still works well with Message Sniffer.

I don't see how this would work - the mails are coming from authenticated Web users, being sent to random US-based Yahoo and Hotmail addresses mainly. Since there's nothing indicating "Nigeria" in the SMTP layer (boy oh boy I wish Imail would add sender-IP to mail from the Web interface), this probably won't help.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Hi David,

David E. Smith wrote:
> I suppose I could start filtering all my network's outgoing mail - my
> Imail server, and a few other ones, all smarthost/gateway their email
> through one central server here, basically for ease of logging. I
> could make that server start spam-scanning too, if I had to. I'd
> rather prevent the spam from getting into my network in the first
> place, but this is probably an acceptable alternative.

Not a solution, ala probably just an annoying question :) If these are all hacked accounts - can you not just change passwords - and to ones that are more difficult to guess?

-Nick

> David Smith
> MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Nick Hayer wrote:
> I do not know of a way to do it dynamically, but you could blacklist
> the ip space of ng.blackholes.us? Another kludge is if you have samples
> of the spam they send and can pattern it then you can delete it before
> it is sent.

That's an awful lot of address space, probably a couple hundred CIDRs.

The content analysis would be pretty iffy at best, because I've had this happen a half-dozen times in the last six weeks and it's been different stuff every time. (They're all forward-fee scams, but the text is different enough that it would be hard to match.)

I suppose I could start filtering all my network's outgoing mail - my Imail server, and a few other ones, all smarthost/gateway their email through one central server here, basically for ease of logging. I could make that server start spam-scanning too, if I had to. I'd rather prevent the spam from getting into my network in the first place, but this is probably an acceptable alternative.

David Smith
MVN.net
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
Hello,

I have a lite gateway client that uses a database of IP locations to screen out any countries before they get to iMail. Really cut down on the CPU load and still works well with Message Sniffer.

http://sssolutions.net/ew/

The process might be used to screen any activity from Nigeria since the IP address is a factor in both sending and receiving.

On Jan 5, 2009, at 6:24 AM, David E. Smith wrote:
> Lately, I've had a rash of attackers from Nigeria, who have acquired
> (through whatever means) legitimate logins and passwords for my Imail
> users. They log in, send out a couple thousand emails, and log out.
> There are no failed logins, so even an over-zealous account lockout
> policy wouldn't work in this instance.
>
> They only send to five or ten recipients at a time, so they avoid most
> of the rate-limiting features. But through the magic of cut-and-paste,
> they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and
> I'm willing to annoy any legitimate users of mine that might be
> vacationing in Lagos.
>
> Anyone know of a way to apply DNS blacklists to a Web site in IIS,
> comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net

Regards,
Steve Guluk
SGDesign
(949) 661-9333
Re: [IMail Forum] (OT?) Using DNS blacklists with IIS
David E. Smith wrote:
> Anyone know of a way to apply DNS blacklists to a Web site in IIS

I do not know of a way to do it dynamically, but you could blacklist the ip space of ng.blackholes.us? Another kludge is if you have samples of the spam they send and can pattern it then you can delete it before it is sent.

-Nick
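The dynamic check Nick says he does not know how to do, as an added example that is not part of the thread and not IIS, IMail or mod_dnsbl code. What mod_dnsbl does for Apache is a plain DNS lookup: reverse the client's IPv4 octets, append the zone name, and treat an A record in 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed". On IIS the same logic would sit in an ISAPI filter or, on IIS 7, a managed HTTP module at the start of the request, applied only to the web-mail login URL. The resolver is injected so the example runs offline against a constructed answer table (the ng.blackholes.us answers below are made up, not real listings); the LAN ranges are assumed. It also does the RFC 5782 liveness check on each zone, because a zone that has gone dead or been wildcarded would otherwise either block nobody or block everybody.

```python
"""DNSBL check of an HTTP client address for a web-mail login (added example).

Not IIS, IMail or mod_dnsbl code. Answers in FAKE_DNS are constructed.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Assumed local ranges that are never sent to a blacklist.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_name(ip, zone):
    """Query name for ip in zone: 192.0.2.5 -> 5.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".") + "."


def lookup_a(name):
    """Real resolver: A records for name, [] when it does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def is_listed(ip, zone, resolve=lookup_a):
    answers = resolve(dnsbl_name(ip, zone))
    # Only 127/8 answers are listings; anything else is a wildcard or a
    # parked zone and must not lock users out.
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


def zone_alive(zone, resolve=lookup_a):
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def login_allowed(client_ip, zones, resolve=lookup_a):
    """Return (allow, zone_that_listed_it). LAN clients and dead zones are skipped."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LAN_NETS):
        return True, None
    for zone in zones:
        if not zone_alive(zone, resolve):
            continue  # dead or wildcarded zone: fail open rather than block everyone
        if is_listed(client_ip, zone, resolve):
            return False, zone
    return True, None


# Constructed answers standing in for the DNS server.
FAKE_DNS = {
    "2.0.0.127.ng.blackholes.us.": ["127.0.0.2"],      # test point: zone alive
    "5.2.0.192.ng.blackholes.us.": ["127.0.0.2"],      # a listed client
    "9.113.0.203.ng.blackholes.us.": ["198.51.100.1"], # bogus non-127 answer
    "2.0.0.127.dead.example.": [],                     # dead zone
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["dead.example", "ng.blackholes.us"]
    for ip in ("192.0.2.5", "203.0.113.9", "198.51.100.10", "10.0.0.5"):
        print(ip, login_allowed(ip, zones, resolve=fake_resolve))
```

Each check is a DNS round trip, so in front of a real site the result (and the zone liveness result) should be cached per client IP for a few minutes and the queries sent to a local caching resolver; a blacklist operator that rate-limits or drops queries from a busy web server would otherwise turn into a fail-open for everyone.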