Spammers Hijacking Email Accounts

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
Hmmm, so far I've tried all of these in custom_begin_smtp_helo, and we still get all email rejected for invalid HELO as a result:

deny condition = ${if match {$sender_helo_name}{mycomputer}}

drop condition = ${if eq{[mycomputer]}{$sender_helo_name}}

drop message = Spam HELO: $sender_helo_name is suspicious
log_message = Spam HELO: $sender_helo_name
condition = ${if match{$sender_helo_name}\
{mycomputer}}


Anyone have a clue as to how to make this work? TIA.
There seems to be an issue with any condition put into the ACL within WHM. I had the same issue with it dropping all mail instead of just mail from certain addresses. It should work. It's not being evaluated properly. If you run exim with the -v option it should tell you what it is doing.

I have a feeling one of the other settings you can enable achieves the same thing - the RFC compliant helo setting.
 

alinford

Well-Known Member
Nov 4, 2006
One thing that would help is if cPanel would add the option to force new password on next login for an email account, and also block all previously used passwords.
 

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
One thing that would help is if cPanel would add the option to force new password on next login for an email account, and also block all previously used passwords.
On next login...to what? How many of your clients' mail users access cPanel or webmail on a regular basis to where such an effort would make a difference?
 

alinford

Well-Known Member
Nov 4, 2006
On next login...to what? How many of your clients' mail users access cPanel or webmail on a regular basis to where such an effort would make a difference?
So, when we see an issue like this, we change the password to stop the exploit, and then contact the client. Problem is that the client may not be available when we contact them. Forcing a password update, and not allowing the use of previous passwords makes it so that the client does not go right back to using the same email password.
 

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
Blocking people from their email when they need it seems like a good way of cheesing off clients to me.
Just changing them and leaving the rest of the system insecure is hopeless as you'll annoy people with password changes and they'll still have their email account compromised.

To me a two-factor authentication method of some kind would be a better solution. When you log in from a new location or a new device (you may want different policies for PCs vs smartphones), it is blocked until you enter a particular passcode that is sent to their mobile. Then that means only that location can use it with that passcode. Anywhere else will prompt a passcode to be generated, so you'd then know where someone is trying to hack it.

Forcing password changes and locking people out of their email when they could need it will just annoy people unnecessarily.
 

jols

Well-Known Member
Mar 13, 2004
I agree with that emotion, that is, with the two factor auth. It has been employed for the on-line billing system we use, and I believe that ultimately this is the way to go.

For now, we have applied the same exim log analysis scripts to "dovecot_plain" as we did for spotting "dovecot_login". This at least gives us some sort of an early warning system in this regard.

Also, as for our customers keeping their accounts secure, they generally do an okay job. When they don't, we change their email account password, and then send them a report with a bunch of advice. A key component of that advice is to install an anti-key logger tool, i.e. the one that can be downloaded for free from qfxsoftware.com. IMHO, everyone with a Windows machine should have this one installed.

As for forcing members to use SSL logins: yeah, well, I'm not sure why, but iPhones almost never work in my experience when using SSL/TLS.

Also, correct me if I'm wrong, but the only place SSL offers any protection at all is when using a public WiFi connection. In all other cases for mobile devices using carriers such as Verizon, AT&T, etc., the connections, and the entire transmission, use spread spectrum technology that truly encrypts everything from A to Z, that is, unless someone has escalated privileges within the interior of one of Verizon's NOCs (of course).

And even if you are using SSL/TLS with your iPad at the airport, and someone spoofs the connection point with their laptop for example, then, while they can't get your password, they can certainly snag the body copy and most of the rest of the header, right? My understanding is that SSL/TLS only encrypts a small part of the header that contains the login credentials, and that's it. For complete end-to-end email encryption, both the sender and the receiver would need to use a PGP/GPG key pair. Right?

So, you help someone reset their account password, then send it to them via email. And they (somewhat stupidly) reply with a "thanks," leaving the credentials in the email body.... then bang-o! There goes the password, even if they are using SSL/TLS.
 

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
I use SSL with iOS. It does work but needs a kick in the pants to make it work. There seems to be some issue with certain IMAP settings, IMAP server types. It dislikes Courier. I could never make it work with that. Switched to Dovecot and it behaved.

I'd have hoped man in the middle attacks would be prevented. It's depressing if email client and email server writers can't manage that. Those attacks are old as anything.

I don't know exactly which bits are encrypted. I should investigate. Complete pgp encryption sounds good. Would stop all kinds of snoopers as well as your normal hackers.

I wouldn't send new passwords out via email either for that very reason unless you can make the message self destruct ;)
 

jols

Well-Known Member
Mar 13, 2004
PGP encryption requires that both parties, the sender and the receiver, have the same matched pair of encryption keys installed within each respective email client. This is of course highly impracticable for regular email use.
 

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
PGP encryption requires that both parties, the sender and the receiver, have the same matched pair of encryption keys installed within each respective email client. This is of course highly impracticable for regular email use.
Maybe not such a good idea then!
 

xml

Well-Known Member
Jan 15, 2004
After reading this post I was able to recover my SMTP and prevent spammers from using my email account by changing the account password.


Right now I am getting a huge attack on my server's SMTP service, blocked by LFD (Login Failure Daemon), and getting a lot of these warning alerts:

Code:
Time:     Sat Mar  1 16:44:58 2014 +0300
IP:       182.160.38.21 (MN/Mongolia/-)
Failures: 1 (smtpauth)
Interval: 3600 seconds
Blocked:  Permanent Block

Log entries:

2014-03-01 16:44:56 dovecot_plain authenticator failed for (mn-284b7a0b8379) [182.160.38.21]:2486: 535 Incorrect authentication data ([email protected])
 

Bashed

Well-Known Member
Dec 18, 2013
cPanel Access Level
Root Administrator
Seeing this too on 3 different cPanel servers. It's quite alarming how many accounts have been compromised. Any ideas how they've done this?

This code will get a list of compromised addresses:

Code:
sed -n 's/^.*H=(mycomputer).*P=esmtpa A=courier_plain:\(.*\) S=.*$/\1/p' /var/log/exim_mainlog | sort | uniq
And this will get a list of IP addresses that you can append to csf.deny (e.g. by adding >> /etc/csf/csf.deny to the end of this command):

Code:
sed -n 's/^.*(mycomputer) \[\(.*\)\].*P=esmtpa.*$/\1 # do not delete/p' /var/log/exim_mainlog | sort | uniq
I tried all 3, blank results though?

Code:
[email protected] [~]# sed -n 's/^.*H=(mycomputer).*P=esmtpa A=courier_plain:\(.*\) S=.*$/\1/p' /var/log/exim_mainlog | sort | uniq
[email protected] [~]# sed -n 's/^.*(mycomputer) \[\(.*\)\].*P=esmtpa.*$/\1 # do not delete/p' /var/log/exim_mainlog | sort | uniq
[email protected] [~]# grep mycomputer /var/log/exim* | grep 'A=courier_' | awk -F'courier_' '{print $2}' | awk '{print $1 " " $3}' | awk -F':' '{print $2}'
Even this code is giving me blank results. The exim log is about 200MB in size, so there's content there for sure.


Code:
awk '$4 ~ /^cwd/{print $4}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
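The sed one-liners above key on one HELO name and one authenticator, so they print nothing when the log uses dovecot_plain/dovecot_login (as jols mentioned) or a different HELO. The script below is an added example, not code from any post in this thread: it pulls every authenticated submission (P=esmtpa or P=esmtpsa, any authenticator) out of an Exim mainlog and reports, per account, how many messages were sent and from how many distinct IPs, so an account sending from many addresses at once stands out as likely compromised. The log lines are constructed to mimic exim_mainlog; the account names, IPs and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Added example: summarise authenticated SMTP submissions in an Exim mainlog
# by account and source IP. Sample lines are constructed, not real log data.
SAMPLE_LOG=$(cat <<'EOF'
2014-03-01 16:40:01 1WJkQb-0001Zr-3g <= alice@example.com H=(mycomputer) [198.51.100.7] P=esmtpa A=dovecot_plain:alice@example.com S=1523 id=a1@example.com
2014-03-01 16:40:05 1WJkQf-0001a0-9Q <= alice@example.com H=(mycomputer) [203.0.113.44] P=esmtpa A=dovecot_login:alice@example.com S=1601 id=a2@example.com
2014-03-01 16:40:09 1WJkQj-0001a4-Lx <= alice@example.com H=(mycomputer) [192.0.2.18] P=esmtpa A=courier_plain:alice@example.com S=1588 id=a3@example.com
2014-03-01 16:41:12 1WJkRg-0001b2-Qn <= bob@example.com H=(bobs-laptop) [198.51.100.9] P=esmtpa A=dovecot_plain:bob@example.com S=2201 id=b1@example.com
2014-03-01 16:41:30 1WJkRy-0001b9-0T <= bob@example.com H=(bobs-laptop) [198.51.100.9] P=esmtpsa A=dovecot_plain:bob@example.com S=2210 id=b2@example.com
2014-03-01 16:44:56 dovecot_plain authenticator failed for (mn-284b7a0b8379) [203.0.113.99]:2486: 535 Incorrect authentication data (carol@example.com)
EOF
)

# Print "account ip" for each authenticated submission on stdin.
# Matches P=esmtpa and P=esmtpsa and any A=<authenticator>:<account>;
# failed-auth lines carry no P= field and are skipped.
auth_submissions() {
    sed -n 's/^.*\[\([0-9a-fA-F.:]*\)\].*P=esmtps\{0,1\}a A=[a-z_]*:\([^ ]*\) S=.*$/\2 \1/p'
}

# One line per account: "<messages> <distinct_ips> <account>", sorted by account.
per_account_summary() {
    auth_submissions | awk '
        { msgs[$1]++; if (!seen[$1 SUBSEP $2]++) ips[$1]++ }
        END { for (a in msgs) print msgs[a], ips[a], a }' | sort -k3
}

# Accounts that authenticated from more than $1 distinct IPs (likely hijacked).
flag_many_ips() {
    per_account_summary | awk -v max="$1" '$2 > max { print $3 }'
}

if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | per_account_summary
    # On a live server: flag_many_ips 2 < /var/log/exim_mainlog
fi
```

On a cPanel box, pipe /var/log/exim_mainlog into per_account_summary and reset the password of any account flag_many_ips reports before adding its source IPs to csf.deny.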