Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-09 Thread Ben


Nick Hayer  wrote:

>Hi David,
>
>David E. Smith wrote:
>> I suppose I could start filtering all my network's outgoing mail - my 
>> Imail server, and a few other ones, all smarthost/gateway their email 
>> through one central server here, basically for ease of logging. I 
>> could make that server start spam-scanning too, if I had to. I'd 
>> rather prevent the spam from getting into my network in the first 
>> place, but this is probably an acceptable alternative.
>Not a solution ala  probably just an annoying question  :) If these 
>are all hacked accounts -  can you not just change passwords - and to 
>ones that are more difficult to guess?
>
>-Nick
>
>
>>
>> David Smith
>> MVN.net
>>
>>
>> To Unsubscribe: http://imailserver.com/support/discussion_list/
>> List Archive: 
>> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>> Knowledge Base/FAQ: http://imailserver.com/support/kb.html
>>
>>
>
>


Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-08 Thread David E. Smith

Matti Haack wrote:

> So I think there is some glitch in your IIS setup or in Imail, which
> allows getting to the webmail without authorization.

If there were such a glitch, it would affect all Imail users, not just 
me. I think it's just that my number finally came up on the spam lottery.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-07 Thread Steve Guluk


On Jan 7, 2009, at 11:13 AM, David E. Smith wrote:

> Someone here recommended Tometa GeoSniper, which looks like it'll 
> probably do what I need (I haven't yet installed it on my test 
> system, but it's promising). Thanks!




Hello,
Take a look at eWall as it really is a nice little program that does  
more than just geo sniping. $99 and it integrates with Message Sniffer  
very nicely.


Regards,


Steve Guluk
SGDesign
(949) 661-9333






Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-07 Thread David E. Smith

Dave Doherty wrote:
> What is your connection between IIS and IMail?  Are you using a 
> version of IMail that uses IIS (ie:2006 or later)?  And what does IIS 
> have to do with the IMail logins? Are you running a form that requires 
> logins and sends the mail to your IMail server?

Nope, it's purely legitimate logins that coincidentally come from 
Nigerian IP space. Basically they're cut-and-pasting spam into the Imail 
Web interface.


(Once, they got really smart, and put the spam into the signature, so 
they only had to cut-and-paste recipients' email addresses. I'm glad the 
spammers often aren't that clever; that incident yielded a lot more spam 
than any other.)


Someone here recommended Tometa GeoSniper, which looks like it'll 
probably do what I need (I haven't yet installed it on my test system, 
but it's promising). Thanks!


David Smith
MVN.net



Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-06 Thread Dave Doherty

Hi David -

What is your connection between IIS and IMail?  Are you using a version of 
IMail that uses IIS (ie:2006 or later)?  And what does IIS have to do with 
the IMail logins? Are you running a form that requires logins and sends the 
mail to your IMail server?


We have been using Declude Hijack for many years with IMail to detect and 
stop these kinds of attacks. It has the weakness that it is IP based, so (a) 
if a well-distributed attack were to occur, it would not detect it; and (b) 
if a lot of legit mail comes from an individual server, you have to set the 
detection limits very high for the server's IP. But on the whole, it has 
been extremely effective for us.


-Dave Doherty
Skywaves Consulting LLC



- Original Message - 
From: "David E. Smith" 

To: 
Sent: Monday, January 05, 2009 9:24 AM
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS




Lately, I've had a rash of attackers from Nigeria, who have acquired 
(through whatever means) legitimate logins and passwords for my Imail 
users. They log in, send out a couple thousand emails, and log out. There 
are no failed logins, so even an over-zealous account lockout policy 
wouldn't work in this instance.


They only send to five or ten recipients at a time, so they avoid most of 
the rate-limiting features. But through the magic of cut-and-paste, 
they're able to get a few thousand messages an hour sent out.


All the attackers come from IP space listed on ng.blackholes.us, and I'm 
willing to annoy any legitimate users of mine that might be vacationing in 
Lagos.


Anyone know of a way to apply DNS blacklists to a Web site in IIS, 
comparable to mod_dnsbl for Apache?


David Smith
MVN.net







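The lookup the quoted question asks for, written out as an added example (this is not code from the thread, from IIS, or from mod_dnsbl). A DNSBL is consulted by reversing the client's octets and prepending them to the zone name; a listed address answers with an A record in 127.0.0.0/8 and an unlisted one gets NXDOMAIN. The zone name ng.blackholes.us is taken from the thread and is assumed to follow that convention. The resolver is injectable, so the block runs offline against a constructed answer table (`FAKE_ZONE`, `fake_resolver`); `system_resolver` is what you would plug in on a live server. The sample addresses and the allow list are made up. In IIS this check would live in an ISAPI filter or an ASP.NET HttpModule placed in front of the IMail web client's login page; Python is used here only to keep the lookup logic itself readable.

```python
"""DNSBL check for the address requesting a webmail login page.

Added example; not code from the thread, from IIS or from mod_dnsbl. The zone
name ng.blackholes.us comes from the thread and is assumed to answer in the usual
DNSBL way (reversed octets; listed addresses return an A record in 127.0.0.0/8).
The resolver is injectable so the block runs offline against a constructed table.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

# hostname -> list of A records; raises socket.gaierror when the name does not exist
Resolver = Callable[[str], List[str]]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets and prepend them to the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; the zone discussed in the thread lists IPv4 space")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver (the default when nothing is injected)."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


def is_listed(client_ip: str, zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the 127/8 answer when client_ip is listed, else None.

    NXDOMAIN means not listed. Answers outside 127/8 are ignored on purpose: a
    wildcarded or hijacked zone must not turn into a block on every visitor.
    """
    try:
        answers = resolve(dnsbl_query_name(client_ip, zone))
    except socket.gaierror:
        return None
    for a in answers:
        if ipaddress.ip_address(a) in LISTED_RANGE:
            return a
    return None


def should_block_login(client_ip: str, zone: str, allow: tuple = (),
                       resolve: Resolver = system_resolver) -> bool:
    """Login-page policy: never block LAN/loopback or an explicit allow list; else ask the DNSBL."""
    addr = ipaddress.ip_address(client_ip)
    if addr.is_private or addr.is_loopback:
        return False
    if any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allow):
        return False
    return is_listed(client_ip, zone, resolve) is not None


# Constructed stand-in for the zone so the example runs without network access.
FAKE_ZONE = {
    "1.0.0.41.ng.blackholes.us": ["127.0.0.2"],   # 41.0.0.1: listed (constructed)
    "9.8.7.6.ng.blackholes.us": ["10.9.8.7"],     # 6.7.8.9: bogus non-127/8 answer (constructed)
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver over FAKE_ZONE; anything else is NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    for ip in ("41.0.0.1", "6.7.8.9", "198.51.100.5", "192.168.1.20"):
        verdict = should_block_login(ip, "ng.blackholes.us", resolve=fake_resolver)
        print(f"{ip:15} {'blocked' if verdict else 'allowed'}")
```

Two operational points for a real deployment: cache both positive and negative answers for the zone's TTL so every hit on the login page does not cost a DNS round trip, and decide explicitly what happens on a resolver timeout (failing open keeps legitimate users working; failing closed is the safer choice against the abuse described in the thread). Treating any non-127/8 answer as "not listed" is what keeps a wildcarded or hijacked zone from locking everyone out.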

Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread David E. Smith

John Doyle wrote:

> Why not go in and block the address range at the firewall and leave it at
> that. I've had some pretty nasty people do the same thing you're seeing and
> ended up at this. I had some luck with declude and message sniffer, but
> these sort of folks are pretty agile and hard to stop. Mine were from China.

I do firewall off address ranges, but that's not a long-term solution. 
In the last six weeks, these have come from five different, 
wholly-unrelated address blocks. And I don't wish to block Nigerian 
users from viewing my customers' Web sites, for example, or my users 
from viewing any content hosted there.  My goal is to create the 
least-intrusive solution possible. Thus, blocking the IP space by, say, 
adding a couple hundred new rules to iptables and blocking the whole 
country from my whole network, would be inappropriate.


I can't readily think of a more appropriate place to perform these 
checks, except maybe by modifying the Imail Web interface itself to use 
a geolocation database, but I'm not sure if that's even possible.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread David E. Smith

maill...@actmail.com wrote:

> Are you sure that it is a number of hacked accounts and not a hacked
> machine?

Yup. So far, every one of these end-users has brought their desktop by 
the office, and we've found keyloggers and spyware on every one of 'em. 
I've also conducted the usual checks on the host mail server (booting 
from a clean CD in offline mode and running the usual spyware and virus 
checks, which was a lot of fun at 2 in the morning), and I believe the 
server to be clean.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread maill...@actmail.com
I think you are trying to put a band aid on a bigger problem.

Are you sure that it is a number of hacked accounts and not a hacked
machine?
Are you sure your mail server has not been turned into a spambot?

If they know the passwords, they learned them one of three ways: with a
sniffer, which means something on your network is compromised; directly
from the server, which means the server is compromised; or, if you keep a
list of passwords locally, access to that list is compromised.

You need to find the hole and change all passwords, if it is really a
password leak.

Roger


David E. Smith wrote:
> Lately, I've had a rash of attackers from Nigeria, who have acquired (through 
> whatever means) legitimate logins and passwords for my Imail users. They log 
> in, send out a couple thousand emails, and log out. There are no failed 
> logins, so even an over-zealous account lockout policy wouldn't work in this 
> instance. 
>
> They only send to five or ten recipients at a time, so they avoid most of the 
> rate-limiting features. But through the magic of cut-and-paste, they're able 
> to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and I'm 
> willing to annoy any legitimate users of mine that might be vacationing in 
> Lagos.
>
> Anyone know of a way to apply DNS blacklists to a Web site in IIS, comparable 
> to mod_dnsbl for Apache?
>
> David Smith
> MVN.net
>
>
>
>   





Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread Steve Guluk


On Jan 5, 2009, at 7:42 AM, David E. Smith wrote:

> I don't see how this would work - the mails are coming from 
> authenticated Web users, being sent to random US-based Yahoo and 
> Hotmail addresses mainly. Since there's nothing indicating "Nigeria" 
> in the SMTP layer (boy oh boy I wish Imail would add sender-IP to 
> mail from the Web interface), this probably won't help.




eWall gets the sender's IP address from iMail and "knows" which country 
it is coming from regardless of whether iMail allows the secure 
connection (it uses a DB of IPs as related to their issued country - 
http://www.maxmind.com/app/geolitecountry). You can then erase the 
email before it leaves your server as well as use the IP in a blacklist.


Here's a log entry that shows how the sender (an authorized iMail user) 
is identified as one from the USA:


1/5/2009 8:16:09 AM  22019  0     -- Requested connection from United States 12.183.245.146
1/5/2009 8:16:09 AM  22019  109   Checking condition 'sender IP in black list'
1/5/2009 8:16:09 AM  22019  109   Checking condition 'sender IP is not local'
1/5/2009 8:16:09 AM  22019  109   Checking condition 'sender IP is not on LAN'
1/5/2009 8:16:09 AM  22019  109   Checking condition 'sender IP not in white list'
1/5/2009 8:16:09 AM  22019  109   Checking condition 'sender country is not 'Canada' or 'Finland' or 'India' or 'Ireland' or 'Mexico' or 'Ukraine'...'
1/5/2009 8:16:09 AM  22019  296   < 220 mail.sgdesign.com (IMail 9.23 3668-1) NT-ESMTP Server X1
1/5/2009 8:16:09 AM  22019  390   > EHLO rodney
1/5/2009 8:16:09 AM  22019  484   < 250-mail.sgdesign.com says hello
1/5/2009 8:16:09 AM  22019  484   < 250-SIZE 0
1/5/2009 8:16:09 AM  22019  484   < 250-8BITMIME
1/5/2009 8:16:09 AM  22019  484   < 250-AUTH LOGIN CRAM-MD5
1/5/2009 8:16:09 AM  22019  484   < 250-AUTH LOGIN
1/5/2009 8:16:09 AM  22019  484   < 250-AUTH=LOGIN
1/5/2009 8:16:09 AM  22019  484   < 250-EXPN
1/5/2009 8:16:09 AM  22019  484   < 250 OK
1/5/2009 8:16:09 AM  22019  578   > AUTH LOGIN
1/5/2009 8:16:10 AM  22019  671   < 334 VXNlcm5hbWU6
1/5/2009 8:16:10 AM  22019  765   > cm9kbmV5QHBhY2lmaWNob21lc2FsZXMuY29t
1/5/2009 8:16:10 AM  22019  859   < 334 UGFzc3dvcmQ6
1/5/2009 8:16:10 AM  22019  953   > NjI1Zmd3
1/5/2009 8:16:10 AM  22019  1046  < 235 authenticated
1/5/2009 8:16:10 AM  22019  1156  > MAIL FROM: 
1/5/2009 8:16:10 AM  22019  1234  < 250 ok
1/5/2009 8:16:10 AM  22019  1234  Checking condition 'sender address contains 'Metso.com''
1/5/2009 8:16:10 AM  22019  1296  > RCPT TO: 
1/5/2009 8:16:10 AM  22019  1421  < 250 ok its for >
1/5/2009 8:16:10 AM  22019  1484  > DATA
1/5/2009 8:16:10 AM  22019  1484  < 354 Ready
1/5/2009 8:16:11 AM  22019  1656  Message ID: <001601c96f50$ec173320$64000...@rodney>
1/5/2009 8:16:11 AM  22019  1656  Subject: El Cajon #155
1/5/2009 8:16:11 AM  22019  1656  Message size: 1.42 KB
1/5/2009 8:16:11 AM  22019  1656  Checking condition 'sender is not authenticated'
1/5/2009 8:16:11 AM  22019  1671  < 250 Message queued
1/5/2009 8:16:11 AM  22019  2000  > QUIT
1/5/2009 8:16:11 AM  22019  2031  < 221 Goodbye
1/5/2009 8:16:11 AM  22019  2031  Disconnect




Regards,


Steve Guluk
SGDesign
(949) 661-9333

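A log in the layout Steve posted carries everything a per-account check needs: the session id, the source country and address eWall attaches, the AUTH LOGIN username and the RCPT TO lines. What follows is an added example (not eWall, IMail or Declude code) that parses lines in that layout and raises the two alerts the thread circles around: an authenticated session from a denied country, and a per-account recipient count over a sliding hour that sums the many small sessions David describes, which per-message limits of five or ten recipients never see. Because it keys on the account rather than the connecting address, it also covers the distributed case Dave Doherty notes an IP-based tool would miss. The sample log lines, the account, the recipient addresses, the deny list and the threshold are all constructed. One caveat the transcript format itself raises: AUTH LOGIN is base64, not encryption, so a log like this holds the credential in recoverable form and has to be protected accordingly; the code below decodes the username for reporting and deliberately never decodes the password line.

```python
"""Per-account abuse detection over IMail/eWall-style SMTP log lines.

Added example, not code from the thread, eWall, IMail or Declude. The line layout
(timestamp, session id, elapsed ms, text) follows the log posted above; the sample
lines, account, addresses, deny list and threshold are all constructed.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(\d+)\s+\d+\s*(.*)$")
CONN_RE = re.compile(r"Requested connection from (.+?) (\d{1,3}(?:\.\d{1,3}){3})$")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
DENY_COUNTRIES = {"Nigeria"}     # constructed policy for the scenario in the thread
RCPT_PER_HOUR_LIMIT = 5          # constructed: counted per account across all sessions

# Constructed log: one account, three sessions from three addresses, two recipients each.
SAMPLE_LOG = """\
1/5/2009 8:16:09 AM  22019  0     -- Requested connection from United States 203.0.113.10
1/5/2009 8:16:09 AM  22019  578   > AUTH LOGIN
1/5/2009 8:16:10 AM  22019  765   > YWxpY2VAZXhhbXBsZS5uZXQ=
1/5/2009 8:16:10 AM  22019  953   > aHVudGVyMg==
1/5/2009 8:16:10 AM  22019  1046  < 235 authenticated
1/5/2009 8:16:10 AM  22019  1296  > RCPT TO: <r1@example.org>
1/5/2009 8:16:10 AM  22019  1300  > RCPT TO: <r2@example.org>
1/5/2009 8:31:02 AM  22031  0     -- Requested connection from Nigeria 198.51.100.7
1/5/2009 8:31:02 AM  22031  500   > AUTH LOGIN
1/5/2009 8:31:03 AM  22031  700   > YWxpY2VAZXhhbXBsZS5uZXQ=
1/5/2009 8:31:03 AM  22031  900   > aHVudGVyMg==
1/5/2009 8:31:03 AM  22031  1000  < 235 authenticated
1/5/2009 8:31:04 AM  22031  1100  > RCPT TO: <v1@example.com>
1/5/2009 8:31:04 AM  22031  1110  > RCPT TO: <v2@example.com>
1/5/2009 8:47:50 AM  22044  0     -- Requested connection from Nigeria 198.51.100.9
1/5/2009 8:47:50 AM  22044  500   > AUTH LOGIN
1/5/2009 8:47:51 AM  22044  700   > YWxpY2VAZXhhbXBsZS5uZXQ=
1/5/2009 8:47:51 AM  22044  900   > aHVudGVyMg==
1/5/2009 8:47:51 AM  22044  1000  < 235 authenticated
1/5/2009 8:47:52 AM  22044  1100  > RCPT TO: <v3@example.com>
1/5/2009 8:47:52 AM  22044  1110  > RCPT TO: <v4@example.com>
"""


def parse_sessions(log_text):
    """Group lines by session: source country/IP, AUTH LOGIN user, RCPT count.

    Server lines ('< ...') other than 235 are ignored, so the 334 prompts of a real
    log do not matter. The password (second client line after AUTH LOGIN) is skipped.
    """
    sessions, expect = {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, sid, text = m.groups()
        s = sessions.setdefault(sid, {"start": datetime.strptime(ts, TS_FMT), "country": None,
                                      "ip": None, "user": None, "authenticated": False, "rcpts": 0})
        conn = CONN_RE.search(text)
        if conn:
            s["country"], s["ip"] = conn.groups()
        elif text.startswith("> AUTH LOGIN"):
            expect[sid] = "user"
        elif sid in expect and text.startswith("> "):
            if expect[sid] == "user":
                s["user"] = base64.b64decode(text[2:]).decode("utf-8", "replace").lower()
                expect[sid] = "pass"
            else:
                del expect[sid]   # password line: neither decoded nor stored
        elif text.startswith("< 235"):
            s["authenticated"] = True
        elif s["authenticated"] and text.startswith("> RCPT TO:"):
            s["rcpts"] += 1
    return sessions


def max_recipients_in_window(user_sessions, window=timedelta(hours=1)):
    """Most recipients one account addressed within any sliding window (by session start)."""
    ordered = sorted(user_sessions, key=lambda s: s["start"])
    best = running = lo = 0
    for hi, s in enumerate(ordered):
        running += s["rcpts"]
        while s["start"] - ordered[lo]["start"] > window:
            running -= ordered[lo]["rcpts"]
            lo += 1
        best = max(best, running)
    return best


def find_alerts(sessions, deny=DENY_COUNTRIES, limit=RCPT_PER_HOUR_LIMIT):
    """(kind, account, detail) tuples for denied-country logins and per-account floods."""
    alerts, by_user = [], defaultdict(list)
    for sid, s in sessions.items():
        if not (s["authenticated"] and s["user"]):
            continue
        by_user[s["user"]].append(s)
        if s["country"] in deny:
            alerts.append(("deny_country", s["user"], f"session {sid} from {s['country']} {s['ip']}"))
    for user, sess in by_user.items():
        peak = max_recipients_in_window(sess)
        if peak > limit:
            ips = ", ".join(sorted({s["ip"] for s in sess}))
            alerts.append(("rcpt_rate", user, f"{peak} recipients within an hour over {len(sess)} sessions from {ips}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in find_alerts(parse_sessions(SAMPLE_LOG)):
        print(f"{kind:13}{user:20}{detail}")
```

Run it over the rotated log (or tail the live one) and feed the `rcpt_rate` alert into whatever you already do when an account is known stolen: a forced password change or a temporary send block for that account, which is exactly the step the thread says arrives too late when it waits for a human. The threshold is per account and per hour, so a busy legitimate server on one address does not push it up the way an IP-based limit would; set it from your own users' normal peak, not from the attacker's volume.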





RE: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread John Doyle
David
I'm guessing you are behind a firewall, I hope so.
Why not go in and block the address range at the firewall and leave it at
that. I've had some pretty nasty people do the same thing you're seeing and
ended up at this. I had some luck with declude and message sniffer, but
these sort of folks are pretty agile and hard to stop. Mine were from China.
John


-Original Message-
From: imail_forum-ow...@list.ipswitch.com
[mailto:imail_forum-ow...@list.ipswitch.com] On Behalf Of David E. Smith
Sent: Monday, January 05, 2009 6:24 AM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] (OT?) Using DNS blacklists with IIS

Lately, I've had a rash of attackers from Nigeria, who have acquired
(through whatever means) legitimate logins and passwords for my Imail users.
They log in, send out a couple thousand emails, and log out. There are no
failed logins, so even an over-zealous account lockout policy wouldn't work
in this instance. 

They only send to five or ten recipients at a time, so they avoid most of
the rate-limiting features. But through the magic of cut-and-paste, they're
able to get a few thousand messages an hour sent out.

All the attackers come from IP space listed on ng.blackholes.us, and I'm
willing to annoy any legitimate users of mine that might be vacationing in
Lagos.

Anyone know of a way to apply DNS blacklists to a Web site in IIS,
comparable to mod_dnsbl for Apache?

David Smith
MVN.net






Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread David E. Smith

Nick Hayer wrote:
>> I suppose I could start filtering all my network's outgoing mail - my 
>> Imail server, and a few other ones, all smarthost/gateway their email 
>> through one central server here, basically for ease of logging. I 
>> could make that server start spam-scanning too, if I had to. I'd 
>> rather prevent the spam from getting into my network in the first 
>> place, but this is probably an acceptable alternative.
> Not a solution ala  probably just an annoying question  :) If 
> these are all hacked accounts -  can you not just change passwords - 
> and to ones that are more difficult to guess? 

I'm doing that. Since I'm getting one or two of these a week, though, 
and I don't know about them until after they've sent out a few thousand 
emails, by the time I can fix that, the damage already is done. I'd 
rather be pro-active more than reactive in this case.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread David E. Smith

Steve Guluk wrote:
> Hello, 
> I have a lite gateway client that uses a database of IP locations to 
> screen out any countries before they get to iMail. Really cut down on 
> the CPU load and still works well with Message Sniffer.

I don't see how this would work - the mails are coming from 
authenticated Web users, being sent to random US-based Yahoo and Hotmail 
addresses mainly. Since there's nothing indicating "Nigeria" in the SMTP 
layer (boy oh boy I wish Imail would add sender-IP to mail from the Web 
interface), this probably won't help.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread Nick Hayer

Hi David,

David E. Smith wrote:
> I suppose I could start filtering all my network's outgoing mail - my 
> Imail server, and a few other ones, all smarthost/gateway their email 
> through one central server here, basically for ease of logging. I 
> could make that server start spam-scanning too, if I had to. I'd 
> rather prevent the spam from getting into my network in the first 
> place, but this is probably an acceptable alternative.

Not a solution ala  probably just an annoying question  :) If these 
are all hacked accounts -  can you not just change passwords - and to 
ones that are more difficult to guess?


-Nick




David Smith
MVN.net








Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread David E. Smith

Nick Hayer wrote:
> I do not know of a way to do it dynamically, but you could  blacklist 
> the ip space of ng.blackholes.us?  Another kludge is if you have 
> samples of the spam they send and can pattern it then you can delete 
> it before it is sent.

That's an awful lot of address space, probably a couple hundred CIDRs.

The content analysis would be pretty iffy at best, because I've had this 
happen a half-dozen times in the last six weeks and it's been different 
stuff every time. (They're all forward-fee scams, but the text is 
different enough that it would be hard to match.)


I suppose I could start filtering all my network's outgoing mail - my 
Imail server, and a few other ones, all smarthost/gateway their email 
through one central server here, basically for ease of logging. I could 
make that server start spam-scanning too, if I had to. I'd rather 
prevent the spam from getting into my network in the first place, but 
this is probably an acceptable alternative.


David Smith
MVN.net




Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread Steve Guluk

Hello,
I have a lite gateway client that uses a database of IP locations to 
screen out any countries before they get to iMail. Really cut down on 
the CPU load and still works well with Message Sniffer.

http://sssolutions.net/ew/

The process might be used to screen any activity from Nigeria since  
the IP address is a factor in both sending and receiving.



On Jan 5, 2009, at 6:24 AM, David E. Smith wrote:

> Lately, I've had a rash of attackers from Nigeria, who have acquired 
> (through whatever means) legitimate logins and passwords for my 
> Imail users. They log in, send out a couple thousand emails, and log 
> out. There are no failed logins, so even an over-zealous account 
> lockout policy wouldn't work in this instance.
>
> They only send to five or ten recipients at a time, so they avoid 
> most of the rate-limiting features. But through the magic of cut-and-
> paste, they're able to get a few thousand messages an hour sent out.
>
> All the attackers come from IP space listed on ng.blackholes.us, and 
> I'm willing to annoy any legitimate users of mine that might be 
> vacationing in Lagos.
>
> Anyone know of a way to apply DNS blacklists to a Web site in IIS, 
> comparable to mod_dnsbl for Apache?
>
> David Smith
> MVN.net





Regards,


Steve Guluk
SGDesign
(949) 661-9333






Re: [IMail Forum] (OT?) Using DNS blacklists with IIS

2009-01-05 Thread Nick Hayer

David E. Smith wrote:

> Anyone know of a way to apply DNS blacklists to a Web site in IIS

I do not know of a way to do it dynamically, but you could  blacklist 
the ip space of ng.blackholes.us?  Another kludge is if you have samples 
of the spam they send and can pattern it then you can delete it before 
it is sent.


-Nick
