Kerio User Forums » Kerio Connect » Hijacked User Account (Hijacked User Account Loaded Outgoing Queue with SPAM)

BobH

A Spammer obtained the password for one of our user's account and generated tons of spam through our Kerio Connect Server. By the time I got in that morning there were 50,000+ emails in the outgoing queue and Kerio was effectively offline. I had to down Kerio, rename the \queue directory and then restart.

This has happened a couple of times over the last 5 years so it's not a frequent occurrence but when it happens it's a mess.

Is there something in Kerio Connect that would give me control over the allowed volume of outgoing email? How do other Kerio Connect users deal with this problem?

ComputerBudda

Better user training. Better password design. Find out how password was compromised.

BobH

Thank you for your suggestions.

freakinvibe

Could be phishing (one of your users was tricked into a fake login page, effectively giving the credentials to the spammer).

Or the user password was so simple that it could be guessed (e.g. "password"). You should see that in the security log if someone tried to guess the password.

Nevertheless, Kerio Connect could also be improved: there should be a possibility to throttle outgoing mail (e.g. one user should not be able to send more than 100 mails per hour).

There are recommendations from Spamhaus what Email Server vendors could do, but Kerio has unfortunately not done anything in this area.

See the below article which is very interesting to find out what you (as a mail admin) can do and what Kerio could do:

"Spam through compromised passwords: can it be stopped?"
https://www.spamhaus.org/news/article/681/spam-through-compromised-passwords-can-it-be-stopped



Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch

Brian Carmichael (Kerio)

Please read this KB article. http://kb.kerio.com/1239
It describes how to secure your Kerio Connect server and to protect from issues such as a compromised account. Most importantly, you should make sure to use password complexity. As a secondary measure, there are security options (including max messages per hour) in the SMTP server configuration. These options are described here http://kb.kerio.com/1833

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!

BobH

freakinvibe wrote on Thu, 21 January 2016 09:25
Could be phishing (one of your users tricked to a fake login page, effectively giving the credentials to the spammer).

...

See the below article which is very interesting to find out what you (as a mail admin) can do and what Kerio could do:

"Spam through compromised passwords: can it be stopped?"
https://www.spamhaus.org/news/article/681/spam-through-compromised-passwords-can-it-be-stopped


Thanks for your response and the SpamHaus link.

I submitted a suggestion to Kerio along the lines of what the SpamHaus link already suggested. I asked that Kerio add an option to user security to limit how many emails an individual email account can send per minute or per 5 minutes. If the limit were exceeded, the email account would be disabled and an email alert sent to the administrator.

BobH

Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 09:37
Please read this KB article. http://kb.kerio.com/1239
It describes how to secure your Kerio Connect server and to protect from issues such as a compromised account. Most importantly, you should make sure to use password complexity. As a secondary measure, there are security options (including max messages per hour) in the SMTP server configuration. These options are described here http://kb.kerio.com/1833


Thanks for the links. I'll have to review our firewall's current settings.

I reviewed the recommended SMTP settings you referenced. I've attached our SMTP server's settings for comparison. We are set up pretty closely to the recommended settings. Even with these settings, we ended up with 50,000+ emails in our outgoing queue in a matter of maybe 10 hours. What setting would have prevented that?


freakinvibe

The problem is that all those settings are for incoming mails.

Kerio has nothing for outgoing throttling; that's why your enhancement request is good.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch

Brian Carmichael (Kerio)

You've excluded these settings for an IP address group. Perhaps the excessive delivery originated from a host within that group. The mail log would confirm the IP address of the offending host. It will also confirm the protocol used to deliver the message. Most likely it will be SMTP, and therefore these settings would apply.
More importantly to the SMTP security settings, make sure you are using password complexity, password guessing protection, and requiring secure connections. These are all described in the KB articles I previously referenced.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!

BobH

freakinvibe wrote on Thu, 21 January 2016 10:26
The problem is that all those settings are for incoming mails.

Kerio has nothing for outgoing throttling; that's why your enhancement request is good.

So when a spammer uses the Kerio Connect SMTP server they are inputting their spam directly into the output queue. There is no incoming email transaction?

Brian Carmichael (Kerio)

If the message(s) was received via SMTP, it is incoming. It then gets processed through the queue. During queue processing, the message is either delivered to a local mailbox, or relayed to a remote recipient. If it's relayed, then it is an outgoing message.
You can learn more about the process here https://en.wikipedia.org/wiki/Message_transfer_agent

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!

freakinvibe

If the spammer uses the authenticated Submission port, this is not throttled. Kerio might correct me if I am wrong.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch

BobH

Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 10:42
You've excluded these settings for an IP address group. Perhaps the excessive delivery originated from a host within that group. The mail log would confirm the IP address of the offending host. It will also confirm the protocol used to deliver the message. Most likely it will be SMTP, and therefore these settings would apply.
More importantly to the SMTP security settings, make sure you are using password complexity, password guessing protection, and requiring secure connections. These are all described in the KB articles I previously referenced.

I performed a search of the mail.log file covering the period of the problem and found a handful of occurrences of their IP address so that would confirm it was an external spam source.

Anyone accessing our SMTP server remotely (users from home or on the road) has to use https to access the webmail client which we use exclusively.

The passwords we use are generated randomly and satisfy the Kerio complexity test, so a guessing attack is unlikely. Users are also trained not to provide their password info to anyone but me. The most likely way I can think of is some keylogger malware getting past our antivirus, or the user going to a bad website or getting an email with a link they shouldn't have clicked on.

Brian Carmichael (Kerio)

The mail log should identify which user account was compromised, and the protocol that was used. You will have to locate the log event that shows how the message(s) was first received by your server.

Here is an example:
[25/Jun/2014 10:39:19] Recv: Queue-ID: 53aaa6d7-000000f4, Service: Kerio Connect client, From: <user@domain>, To: <user@domain>, Size: 854, Sender-Host: 10.10.10.1, User: user@domain, SSL: yes, Subject: test, Msg-Id: <3533420989-24989@domain>

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
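As an added example (not code from this thread or from Kerio), the script below does offline what both Brian's and freakinvibe's posts ask for: it parses Recv lines in the format quoted above, tallies submissions per authenticated user in a sliding one-hour window, and reports any account that exceeds the 100-per-hour figure freakinvibe mentions, together with the Sender-Host addresses that account submitted from. The log lines are constructed sample data, and the regex assumes the Service, Sender-Host and User fields always appear in the order shown in the quoted line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Recv:" line format quoted above. Assumption: Service, Sender-Host
# and User appear in this order; Subject comes later, so commas in it are harmless.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: .*?Service: (?P<service>[^,]*), "
    r".*?Sender-Host: (?P<host>[^,]*), User: (?P<user>[^,]*),"
)
TS_FMT = "%d/%b/%Y %H:%M:%S"

def parse_recv(line):
    """Return (timestamp, user, sender_host, service) for a Recv line, else None."""
    m = RECV_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["user"], m["host"], m["service"]

def find_bursts(lines, limit=100, window=timedelta(hours=1)):
    """Flag each authenticated user submitting more than `limit` messages within any
    sliding `window`; returns {user: (time first exceeded, sorted sender hosts)}."""
    # per-user submission times still inside the window, hosts seen, first-exceeded time
    recent, hosts, flagged = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        rec = parse_recv(line)
        if rec is None:           # not a Recv line, or a layout this regex ignores
            continue
        ts, user, host, _service = rec
        hosts[user].add(host)     # the Sender-Host is the IP an admin would hunt for
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        if len(q) > limit and user not in flagged:
            flagged[user] = ts
    return {u: (t, sorted(hosts[u])) for u, t in flagged.items()}

def make_line(ts, user, host, subject):
    """Build one constructed Recv line in the thread's format (sample data only)."""
    return (f"[{ts.strftime(TS_FMT)}] Recv: Queue-ID: 00000000-00000001, Service: SMTP, "
            f"From: <{user}>, To: <someone@example.net>, Size: 854, Sender-Host: {host}, "
            f"User: {user}, SSL: yes, Subject: {subject}, Msg-Id: <1@example.com>")

# Constructed sample log: one normal user plus one account bursting from an outside address.
START = datetime(2016, 1, 21, 2, 0, 0)
SAMPLE_LOG = [make_line(START + timedelta(minutes=10 * i), "alice@example.com",
                        "10.10.10.5", "weekly report") for i in range(6)]
SAMPLE_LOG += [make_line(START + timedelta(seconds=20 * i), "bob@example.com",
                         "203.0.113.7", "cheap meds, act now") for i in range(120)]
```

Running `find_bursts(SAMPLE_LOG)` flags only bob@example.com, at the moment the 101st message inside an hour arrived, and lists 203.0.113.7 as the host to look for in the rest of the log.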

BobH

Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 12:10
The mail log should identify which user account was compromised, and the protocol that was used. You will have to locate the log event that shows how the message(s) was first received by your server.

Here is an example:
[25/Jun/2014 10:39:19] Recv: Queue-ID: 53aaa6d7-000000f4, Service: Kerio Connect client, From: <user@domain>, To: <user@domain>, Size: 854, Sender-Host: 10.10.10.1, User: user@domain, SSL: yes, Subject: test, Msg-Id: <3533420989-24989@domain>

There was no question regarding the compromised account. That user's email address was the sender of all 50,000+ spams in the queue.

The first thing I did after discovering this problem was to change this user's password. Then we renamed the bad queue and brought Kerio Connect back up, everything ran normally. No more spam.