[Critical] Spam mails were sent with authentication

netmax

Hi all,

I received some spam bounces 30 minutes ago; my first thought was "another Joe job". But looking at the headers I saw that the source was my Kerio server, so I immediately looked at the logs and started debug logging for the SMTP server.

What I found made me not very happy:

[27/Nov/2014 12:07:55][1840] {smtps} SMTP server session begin; client connected from 111-240-216-50.dynamic.hinet.net:62732
[27/Nov/2014 12:07:55][1840] {smtps} Looking up address 111.240.216.50 in DNS blacklist SpamHaus SBL-XBL...
[27/Nov/2014 12:07:55][1840] {smtps} Address 50.216.240.111.zen.spamhaus.org found in DNS blacklist SpamHaus SBL-XBL (127.0.0.4)
[27/Nov/2014 12:07:55][1840] {smtps} Sent SMTP greeting to 111-240-216-50.dynamic.hinet.net:62732
[27/Nov/2014 12:07:56][1840] {smtps} Command EHLO mail2.mydomain.com
[27/Nov/2014 12:07:56][1840] {smtps} Sent reply to EHLO: 250 mydomain.com ...
[27/Nov/2014 12:07:56][1840] {smtps} Command AUTH PLAIN AGNsYXVkaWDSWQFqYWsuZGUAc3VwZXJub3ZhNjY2
[27/Nov/2014 12:07:56][1840] {smtps} Started authentication method PLAIN
[27/Nov/2014 12:07:56][1840] {smtps} Sent reply to AUTH: 235 2.0.0 Authentication successful (user myemail<_at_>mydomain.com)
So, the spammers have performed a correct authentication on my Kerio!

I immediately changed my password; 5 minutes later my wife called me and told me that she was getting "strange bounces". Checking the logs again, it was the same with her account - the spammers had just switched over.

The attacks come from different IP addresses, but they have always been correctly authenticated. At this point I am *very* concerned about how they got the correct credentials! All our connections to the Kerio are HTTPS (ActiveSync and/or IMAPS), and directly knowing two accounts' credentials is really strange.

Are there any known security holes in 8.4 RC1? Any attack points where someone can get passwords or authentication hashes out of Kerio?

Comments or experiences are highly appreciated.
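A small detector for the pattern in the log above, added here as an example (it is not from the original post or from Kerio): it groups the {smtps} lines by session id, flags every session in which a client that was found on the DNS blacklist still authenticated successfully, and counts distinct source hosts per authenticated user to spot an account being reused from unrelated addresses. The sample lines are constructed from the post's log format; session 1901 and office.example.net are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Kerio Connect SMTP debug log quoted in the post.
# Session 1840 is taken from the post; session 1901 and office.example.net are made up.
SAMPLE_LOG = """\
[27/Nov/2014 12:07:55][1840] {smtps} SMTP server session begin; client connected from 111-240-216-50.dynamic.hinet.net:62732
[27/Nov/2014 12:07:55][1840] {smtps} Address 50.216.240.111.zen.spamhaus.org found in DNS blacklist SpamHaus SBL-XBL (127.0.0.4)
[27/Nov/2014 12:07:56][1840] {smtps} Sent reply to AUTH: 235 2.0.0 Authentication successful (user myemail<_at_>mydomain.com)
[27/Nov/2014 12:30:01][1901] {smtps} SMTP server session begin; client connected from office.example.net:51022
[27/Nov/2014 12:30:02][1901] {smtps} Sent reply to AUTH: 235 2.0.0 Authentication successful (user myemail<_at_>mydomain.com)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<sid>\d+)\] \{smtps\} (?P<msg>.*)$")
BEGIN_RE = re.compile(r"client connected from (?P<host>\S+):\d+$")
DNSBL_RE = re.compile(r"found in DNS blacklist (?P<dnsbl>.+?) \(")
AUTH_OK_RE = re.compile(r"Authentication successful \(user (?P<user>\S+)\)")

def parse_sessions(log_text):
    """Group {smtps} log lines by session id; each session records the client
    host, the DNSBL it was found on (if any) and the user that authenticated."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session, msg = sessions[m.group("sid")], m.group("msg")
        for key, rx in (("host", BEGIN_RE), ("dnsbl", DNSBL_RE), ("user", AUTH_OK_RE)):
            hit = rx.search(msg)
            if hit:
                # the log writes the @ sign as <_at_>; normalise it back
                session[key] = hit.group(key).replace("<_at_>", "@")
    return dict(sessions)

def find_suspicious_logins(log_text):
    """(user, host, dnsbl) for every session where a blacklisted client still
    authenticated successfully: the pattern netmax saw in the post."""
    return [(s["user"], s["host"], s["dnsbl"]) for s in parse_sessions(log_text).values()
            if "user" in s and "dnsbl" in s]

def hosts_per_user(log_text):
    """Distinct client hosts per authenticated user, to spot an account that is
    suddenly used from many unrelated addresses (the 'switch over' in the post)."""
    seen = defaultdict(set)
    for s in parse_sessions(log_text).values():
        if "user" in s and "host" in s:
            seen[s["user"]].add(s["host"])
    return dict(seen)
```

Feed it the real mail log (`find_suspicious_logins(open(path).read())`) and every hit names an account whose password should be rotated; a legitimate user appearing from a blacklisted dynamic address is possible, so treat the output as a triage list rather than an automatic lockout.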

Pavel Dobry (Kerio)

Did you change all passwords after upgrading from Kerio Connect 8.2.x (as a precaution to Heartbleed)?

netmax

Dear Pavel,

no ... they have not been changed.

netmax

Hi Pavel,

just to have an explanation ... I've recalled the detailed Heartbleed description and know how this works. Assuming there was a HB attack on my server months ago, where somebody read out some data from memory, and these guys have been waiting until today before using it, what can they theoretically have seen?

I mean, is there only the danger that they've seen the hashed passwords or an authentication with the MD5 auth string, or is there any chance that they really have seen the password itself? In other words: does KC store the PW somewhere in clear?

I'm changing these PWs anyway, but just to know how afraid I need to be ;)

Pavel Dobry (Kerio)

Kerio Connect does not store the passwords in plaintext. But passwords (either decrypted or entered by the user) appear for a short period of time in process memory.
Also, a spammer could get the passwords from other recently hacked online services. That is why it is very important not to use the same password on multiple services.