Account got hacked. (spam hell)
  •  
giobbi

Hi,

The hacked account was used to send millions of mails over the weekend, which rendered our server useless for anything else. I have set restrictions in the SMTP server, see pict.

One option is missing in the security options, in my opinion: max number of messages per hour from an account.

The spammers in this case were sending from thousands of IPs, which made the first security option useless.

Or have I missed something?

p

  •  
forum69

Hi,

Which version of Kerio Connect do you use?

Same thing for us this weekend. (Mad)

Kerio version is 8.1.3 on Red Hat 5.10 (OS up to date)

Security options are :


50
30
5
Specified clients

--

Block if sender's mail was not found in DNS: ON
Block if client's IP address has no reverse DNS entry: OFF
600
3
14 MB
100

---

We are now dealing with the blacklists. (Sad)
Moreover, the user works on a Mac.

  •  
giobbi

Hi,

Sad to read, I feel for you.

We use 8.2.2.

The problem, as I see it, is that there is no protection against this in Kerio. If an account is hacked, and they use multiple IPs, you're doomed.

And it's a pain in the butt that I can't check users' passwords; this particular user probably had four numbers only. New password policy doesn't apply to "old" passwords!!

Neither can I customize the policy..

  •  
freakinvibe

Quote:
New password policy doesn't apply on "old" passwords!!


You could switch on the password policy on the domain and then set the "User must change password every" to 5 days or so. Users are then forced to change the password and meet complexity requirements.

Afterwards you can set it back to 60 days or switch it off completely.

But you are correct, Kerio has really no controls in place when a user gets hacked. They should really do something about it. It is strongly suggested by Spamhaus here:

"Spam through compromised passwords: can it be stopped?"
http://www.spamhaus.org/news/article/681/spam-through-compromised-passwords-can-it-be-stopped

Very interesting read!

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
forum69

There are some points that could be checked, but is there already an existing simple solution (script or software) for:

1/ Reading the Spamhaus link: Monitor the mail flow from each account! Mail flow should be monitored per-account, and anomalous emission peaks from a single account should generate an alarm to system administrators as soon as they occur.

How to perform this?

2/ Supervising the message count (present on the administration GUI)

Is there a way to get this information in Kerio to send an alert if the mail queue is above a fixed limit?
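
The per-account monitoring asked about in point 1, as an added example that is not part of the original thread and is not Kerio code. It assumes a simplified, constructed log line format (not Kerio's own), hypothetical account names, and a hypothetical threshold of 100 recipients per hour:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format, NOT Kerio's real log format:
#   <ISO timestamp> user=<authenticated sender> ip=<client IP> rcpts=<n>
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) rcpts=(\d+)$")

def parse(line):
    """Return (timestamp, account, ip, recipient_count) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, rcpts = m.groups()
    return datetime.fromisoformat(ts), user.lower(), ip, int(rcpts)

def find_bursts(lines, max_rcpts=100, window=timedelta(hours=1)):
    """First moment each account exceeds max_rcpts recipients inside a
    sliding window. Keyed on the authenticated account, so spreading the
    traffic over many source IPs does not hide it. Lines must be in time order."""
    recent = defaultdict(deque)  # account -> (ts, ip, rcpts) still in window
    totals = defaultdict(int)    # account -> recipients in window
    alerts = {}
    for rec in filter(None, map(parse, lines)):
        ts, user, ip, rcpts = rec
        q = recent[user]
        q.append((ts, ip, rcpts))
        totals[user] += rcpts
        while ts - q[0][0] > window:          # evict entries older than window
            totals[user] -= q.popleft()[2]
        if totals[user] > max_rcpts and user not in alerts:
            alerts[user] = {"at": ts, "recipients": totals[user],
                            "distinct_ips": len({e[1] for e in q})}
    return alerts

def sample_log():
    """Constructed data: one normal user, one account abused from 60 IPs."""
    base = datetime(2014, 3, 22, 2, 0, 0)
    lines = [f"{(base + timedelta(hours=h)).isoformat()} user=bob@example.com "
             f"ip=192.0.2.10 rcpts=3" for h in (0, 5, 9)]
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} "
              f"user=carol@example.com ip=198.51.100.{i + 1} rcpts=2"
              for i in range(60)]
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for account, a in find_bursts(sample_log()).items():
        print(f"ALERT {account}: {a['recipients']} recipients in 1h "
              f"from {a['distinct_ips']} IPs (at {a['at']})")
```

In the constructed sample every source IP sends only one message, so a per-IP limit never fires, while the per-account total crosses the threshold within minutes.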
  •  
Kedar

forum69 wrote on Wed, 26 March 2014 15:47

Is there a way to get this information in Kerio to send an alert if the mail queue is above a fixed limit?


Yes, there is a way: the Administration API. It allows you to write your own manual or automatic scripts, tools, watchdogs, integrate it with other systems...

There are some examples available; the message queue one is here:
http://demo.kerio.com/kerio-api-php/examples/connect/showMessageQueue.php

For more information about API, please visit http://www.kerio.com/developers/
  •  
giobbi


There are some examples available; the message queue one is here:
http://demo.kerio.com/kerio-api-php/examples/connect/showMessageQueue.php

Great example, how can I implement this one in my system?
  •  
giobbi

...What is in this folder?

kerio/mailserver/store/queue-spam

I got tons of folders with tons of mails in them.

p
  •  
forum69

If I have not misunderstood, the messages in these folders (about 50) are queued messages.

There are 3 files for one message.
On my server, I've got about 15 queued messages. Thus about 45 files:

[root@xxxxxx queue]# ls -lRt */*.e*|wc
43 387 2967

We get tons of mails only when the account has been compromised.
With 300 users, queued messages do not exceed 100 in our case.

  •  
My IT Indy

Also consider using an outbound filter. That should help notify you that something is amiss.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
  •  
giobbi

Great.

I have an outbound filter, but it didn't look at the inside-to-out traffic.

I have about 100Gb of folders and files here, can I just delete them all?

thx
  •  
MacLab

Agree more needs to be done to stop compromised passwords. One thing you can do is set a limit on recipients per message. Be aware that a client using webmail or EWS is not limited by this however.

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com