Kerio User Forums > Kerio Connect: Spam policy versus compromised account (How to use Spam policy to stop sending SPAM emails)
ferro

Hi All,

My organization faced a problem with a compromised email account that led to a spamming event, which caused our domain to be blocked for 1 day; we are still blocked from sending to Gmail destinations for the 5th day now (I have already submitted a removal report).

We have Kerio Connect 9.2.0 (2213), Operating system: Windows Server 2012, x86_64.

We have the following configuration:
1- SPF is enabled to stop spoofing.
2- The max number of messages allowed per hour is 30.
3- I have enforced a 15-second SMTP greeting delay.

Still, when the password got compromised, the hacker was able to send more than 30 messages in one hour.

My questions are:
1- How is that possible?
2- How can I stop any account from sending more than 30 emails per hour?
3- Will this stop any spam from our side? (I mean, if no one can send more than 30 messages in an hour, will this be enough to never have our domain considered a spam source by any blacklist?)
4- Is it possible to use another real IP as an alternative MX record so that we can switch to it in case our domain is blacklisted, until the blocking is removed? Does Kerio support this?

Many thanks,
Ferro


freakinvibe

Kerio Connect has nearly no means in place to prevent outgoing spam. All the settings you mention are for incoming messages.

The mail community has been preaching for a while that mail server products should also have means in place to limit outgoing spam, but Kerio has not done much in that field. See for example the following Spamhaus post:

https://www.spamhaus.org/news/article/681/spam-through-compromised-passwords-can-it-be-stopped

Especially read the chapter:

TOWARD A NEW PARADIGM: ACCEPTING COMPROMISED PASSWORDS AS A FACT OF LIFE




Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Ernesto (Kerio)

If the attacker, using a valid Kerio Connect account, was able to send more than 30 separate emails within one hour (different Message-IDs) even though the Kerio Connect server was configured not to permit it, this must be considered a bug in Kerio Connect and reported as such to our Tech Support team.

On the other hand, maybe what the attacker did was send a single email addressed to more than 30 recipients. In that case I'm curious to know what setting you have configured under Configuration->SMTP Server->Security Options->Additional Options->Max. number of recipients in a message.

If you have not opened a support ticket with Kerio for this issue, I suggest you do so, submitting copies of your Kerio Connect configuration files.

Bottom line is, if an attacker is able to obtain a valid account (email address and password) in Kerio Connect by any means, and establish TCP/IP connections to Kerio Connect from wherever she or he is, then there is nothing that Kerio Connect can use to differentiate this attacker from a genuine user. From Kerio Connect's perspective there will be no difference. The only protection left against an outgoing spam attack generated by this type of attacker is the same set of restrictions the administrator has configured to limit the actual valid users.

So, the two available restrictions/limits mentioned in the first two paragraphs above should have been enough to mitigate this attack, but not to prevent it completely. The attacker could still have sent 30 separate spam emails to some number of recipients each.

In regards to your question #4, the ability to switch the public IP address that Kerio Connect uses is in most cases in the firewall or router in front of Kerio Connect, and yes, it can be changed. Changing the public IP address used by Kerio Connect may require updating the corresponding PTR record in DNS. All these changes are external to Kerio Connect; they may take time to implement, but they are definitely "doable" and under your control.

Sales Engineer | Kerio
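The distinction drawn above, that a limit on separate messages per hour says nothing about how many recipients each message carries, is easy to see in code. The following is an added example written for this page, not Kerio Connect's implementation or configuration: a small per-user outbound limiter keyed by the authenticated login rather than the client IP, run against a simulated attacker. The class name, the limits and the constructed recipient addresses are all assumptions.

```python
"""Per-user outbound submission limiter with a simulated attacker.

Added example for this thread, not code from Kerio Connect. It models the
difference between limiting *messages* per hour and limiting *recipients*:
an attacker holding a valid login who is capped only at 30 messages/hour
can still reach thousands of mailboxes by putting hundreds of recipients
on each message. Limits are keyed by the authenticated user, not by client
IP, so a bot that moves between addresses still draws on one budget.
Names, limits and addresses are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # sliding one-hour window, like the 30/hour setting discussed


class OutboundLimiter:
    def __init__(self, max_messages, max_recipients_per_message, max_recipients):
        self.max_messages = max_messages                            # accepted messages per window
        self.max_recipients_per_message = max_recipients_per_message
        self.max_recipients = max_recipients                        # recipients per window, all messages
        # user -> deque of (timestamp, recipient_count) for messages accepted in the window
        self._history = defaultdict(deque)

    def _prune(self, user, now):
        hist = self._history[user]
        while hist and now - hist[0][0] >= WINDOW_SECONDS:
            hist.popleft()
        return hist

    def check(self, user, now, recipients):
        """Decide whether an authenticated submission is accepted.

        Returns (accepted, reason) and records the message when accepted.
        `now` is a timestamp in seconds; `recipients` is the envelope RCPT list.
        """
        user = user.lower()  # one budget per account, however the login was spelled
        n = len(recipients)
        if n == 0:
            return False, "no recipients"
        if n > self.max_recipients_per_message:
            return False, "too many recipients in one message"
        hist = self._prune(user, now)
        if len(hist) >= self.max_messages:
            return False, "message rate limit"
        if sum(count for _, count in hist) + n > self.max_recipients:
            return False, "recipient rate limit"
        hist.append((now, n))
        return True, "ok"


def simulate_attack(limiter, user, messages, recipients_per_message, spacing=1):
    """Submit `messages` messages `spacing` seconds apart, each to
    `recipients_per_message` constructed addresses; return how many
    recipients the limiter let through."""
    reached = 0
    for i in range(messages):
        rcpts = ["victim%d-%d@example.net" % (i, j) for j in range(recipients_per_message)]
        accepted, _ = limiter.check(user, now=i * spacing, recipients=rcpts)
        if accepted:
            reached += len(rcpts)
    return reached


if __name__ == "__main__":
    # The 30-messages-per-hour policy alone: 30 messages x 500 recipients = 15000 reached.
    print(simulate_attack(OutboundLimiter(30, 10**9, 10**9), "alice", 100, 500))
    # Same message cap plus 50 recipients/message and 300 recipients/hour.
    print(simulate_attack(OutboundLimiter(30, 50, 300), "alice", 100, 500))
    print(simulate_attack(OutboundLimiter(30, 50, 300), "alice", 100, 50))
```

The recipient-based budget is what actually bounds the blast radius of a stolen password; a per-message cap on its own is only a speed bump. Any real deployment needs an exception list for accounts that legitimately send bulk mail (newsletters, ticketing systems), and a limit like this caps damage without detecting a slow sender that stays well under it.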
ferro

@Ernesto Zavala
Thanks a lot for your reply.
I have one more question. What about preventing anyone from a non-local IP range from sending emails, except for a certain list?

In other words, most of our organization's employees work locally, and those who travel are known in advance. If there is a feature in Kerio that can prevent any email from being sent from out-of-range IPs and at the same time allow others who are:
1- either using certain devices (by device ID or MAC address)
2- or using a certain non-local IP,
this could significantly reduce the outgoing spam threat.

Thanks,
zebby

Just putting this out there but ALT-N MDaemon has a neat feature to block compromised accounts and inform the postmaster. Couldn't Kerio implement something like this?
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02433
freakinvibe

This feature looks nice, but it would not have defeated the spam sending we recently encountered with one hijacked account:

A user recently called me and said that she had received some backscatter emails. Her email address had been used to send mails to non-existent external email accounts and she got error messages back.

I first thought that her address had just been spoofed in the emails, but on closer inspection I saw in the logs that her authenticated account had been used to send spam messages. The IP address used was one in Thailand. As we are not located there and the user was not there at the time, I suspected that her password had either been guessed or phished.

The logs did not show any guessing attempts for that user, and the user also said that she had not received any phishing email asking her to enter her password. So the only other option was password reuse. And indeed, her email address came up on the "Have I Been Pwned" website: user name and password had been stolen from her Adobe account. She admitted to having used the same password there.

So the spam bot authenticated to Kerio via SMTP and sent emails, but only about 20 per day. The bot did this for 5 days until I found the problem and asked the user to change her password. Due to the low volume of mails we did not end up on a blacklist, but we also did not notice this for 5 days.

Rate limiting for outgoing mails would not have caught this. Two things could have helped:

  1. The sent messages should show in "Sent Items".
  2. SpamAssassin scoring should be applicable to outgoing items as well.

Regarding point 1, I was surprised to find that a message sent through the authenticated SMTP protocol does not appear in the user's "Sent Items" folder. This only happens when you use Webmail, or a mail client that supports it. The user had looked in Sent Items but didn't see anything suspicious, so she was not alerted and only informed me after 5 days.

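The case described in the post above (authenticated SMTP submissions from an address in Thailand, about 20 messages a day, noticed only after five days) is the kind of thing a log review catches even when no rate limit fires. The following is an added example, not code from the original post or from Kerio: it parses a few constructed log lines in a simplified, made-up format (Kerio Connect's real log format is not reproduced here), maps source addresses to countries with a tiny constructed prefix table standing in for a GeoIP database, and flags accounts that submit from a country absent from their baseline, or from two countries on the same day. The log format, prefixes, country codes, addresses and the baseline cut-off date are all assumptions.

```python
"""Compromised-account hunting over authenticated SMTP submission logs.

Added example for this thread, not Kerio Connect code. The log format
below is constructed for the example and is not Kerio's; the prefix
table stands in for a GeoIP database. Two rules are applied to events
after a baseline cut-off: (1) a user submits from a country never seen
in that user's baseline; (2) one user submits from two countries on
the same calendar day. Per-user daily recipient totals are also computed
to show how far below a 30/hour limit such a sender stays.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: office is CH; 203.0.113.x is the foreign source.
SAMPLE_LOG = """\
2017-10-01 08:02:11 SMTP-AUTH user=jane@example.com ip=198.51.100.23 rcpts=1
2017-10-02 09:15:40 SMTP-AUTH user=jane@example.com ip=198.51.100.23 rcpts=2
2017-10-03 17:44:02 SMTP-AUTH user=jane@example.com ip=198.51.100.23 rcpts=1
2017-10-08 02:10:33 SMTP-AUTH user=jane@example.com ip=203.0.113.45 rcpts=5
2017-10-08 02:11:09 SMTP-AUTH user=jane@example.com ip=203.0.113.45 rcpts=5
2017-10-08 08:30:00 SMTP-AUTH user=jane@example.com ip=198.51.100.23 rcpts=1
2017-10-09 02:05:12 SMTP-AUTH user=jane@example.com ip=203.0.113.46 rcpts=5
2017-10-08 10:00:00 SMTP-AUTH user=bob@example.com ip=198.51.100.77 rcpts=1
2017-10-09 11:00:00 SMTP-AUTH user=bob@example.com ip=192.0.2.9 rcpts=1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP-AUTH "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Constructed prefix -> country table (a real deployment would query a GeoIP db).
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("192.0.2.0/24"): "CH",
    ipaddress.ip_network("203.0.113.0/24"): "TH",
}

BASELINE_UNTIL = datetime(2017, 10, 5)  # assumed: events before this define "normal"


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"  # unknown prefix; treated as its own "country" so it still stands out


def parse_log(text):
    """Return submission events sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # other log lines (IMAP, delivery, errors) are ignored here
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"].lower(),
            "ip": m["ip"],
            "cc": country_of(m["ip"]),
            "rcpts": int(m["rcpts"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def daily_recipients(events):
    """(user, YYYY-MM-DD) -> recipients submitted that day."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["rcpts"]
    return dict(totals)


def find_anomalies(events, baseline_until):
    baseline = defaultdict(set)  # user -> countries seen before the cut-off
    for e in events:
        if e["ts"] < baseline_until:
            baseline[e["user"]].add(e["cc"])
    findings, reported, per_day = [], set(), defaultdict(set)
    for e in events:
        if e["ts"] < baseline_until or e["user"] not in baseline:
            continue  # still in baseline, or no baseline yet to compare against
        key = (e["user"], e["cc"])
        if e["cc"] not in baseline[e["user"]] and key not in reported:
            reported.add(key)  # one finding per new (user, country), not per message
            findings.append({"rule": "new_country", "user": e["user"], "country": e["cc"],
                             "ip": e["ip"], "at": e["ts"].isoformat()})
        per_day[(e["user"], e["ts"].date().isoformat())].add(e["cc"])
    for (user, day), ccs in sorted(per_day.items()):
        if len(ccs) > 1:
            findings.append({"rule": "multi_country_day", "user": user, "day": day,
                             "countries": sorted(ccs)})
    return findings


def run_sample():
    return find_anomalies(parse_log(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Run against the sample, the account used from the foreign prefix is reported on its first foreign submission, days before any volume threshold would trip, and the same-day mix of office and foreign sources is reported separately. The per-day totals show why the rate limit stayed quiet: the busiest day in the sample is 11 recipients. The unknown-prefix fallback deliberately returns a distinct marker rather than silently treating an unmapped address as home.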
ksnyder

You might be able to lock things down by using User Access Policies to be very restrictive and ONLY allow local IP addresses to access your desired protocols/services. Anyone outside the office (traveling/home/mobile device) would need to VPN into the office firewall in order to get an IP address that's within the permitted "local" range.

I've not tested this and can't make any claims about side effects (such as mobile device access), added hassle, etc. but in theory this could help.

Ken Snyder
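The suggestion above, like the earlier question in this thread about allowing only local ranges plus a known list of travellers, amounts to an access policy evaluated on the client address of each authenticated session. The following is an added example of such a check, not Kerio's User Access Policies or their configuration format. It keys on IP addresses only: a MAC address is not visible to a mail server beyond the local network segment, so exceptions for known devices have to be expressed as addresses or as VPN membership. Unauthenticated inbound SMTP from other mail servers is left unrestricted so the domain can still receive mail. The network ranges, user names and service names are assumptions.

```python
"""Source-address policy for authenticated mail services.

Added example for this thread, not Kerio Connect's User Access Policies.
Services that need a login (submission, IMAP, POP3, ActiveSync, webmail)
are reachable only from local and VPN ranges, plus per-user exceptions for
staff known to work remotely; the unauthenticated inbound SMTP listener
stays open to the world. Ranges, users and service names are constructed.
"""
import ipaddress

LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24",     # office LAN (constructed)
    "198.51.100.0/24",    # office public range (constructed)
    "172.16.8.0/24",      # VPN client pool (constructed)
    "2001:db8:10::/48",   # office IPv6 prefix (constructed)
)]

# Exceptions for users known in advance to work remotely: login -> permitted networks.
REMOTE_EXCEPTIONS = {
    "sales@example.com": [ipaddress.ip_network("203.0.113.0/28")],  # travel, known hotel block
    "ceo@example.com": [ipaddress.ip_network("192.0.2.77/32")],     # home line with static IP
}

# Services a stolen password unlocks; everything else is not subject to this policy.
AUTHENTICATED_SERVICES = {"smtp-submission", "imap", "pop3", "activesync", "webmail"}

# Constructed sessions for the audit() demo: (user, service, client address).
SAMPLE_SESSIONS = [
    ("jane@example.com", "smtp-submission", "192.168.1.50"),
    ("jane@example.com", "smtp-submission", "203.0.113.45"),  # foreign bot using a valid login
    ("sales@example.com", "imap", "203.0.113.5"),             # inside the sales exception
    ("bob@example.com", "activesync", "192.0.2.9"),           # home network, no exception
    ("mx.example.net", "smtp-inbound", "203.0.113.200"),      # another MTA delivering mail
]


def is_allowed(user, service, client_ip):
    """Return True if `user` may use `service` from `client_ip`.

    Unparseable addresses fail closed. Services outside AUTHENTICATED_SERVICES
    (the inbound SMTP listener) are not restricted by this policy.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if service not in AUTHENTICATED_SERVICES:
        return True
    if any(addr in net for net in LOCAL_NETWORKS):
        return True
    return any(addr in net for net in REMOTE_EXCEPTIONS.get(user.lower(), []))


def audit(sessions):
    """Return the (user, service, client_ip) tuples the policy would deny."""
    return [s for s in sessions if not is_allowed(*s)]


if __name__ == "__main__":
    for denied in audit(SAMPLE_SESSIONS):
        print("DENY", denied)
```

The policy does nothing against a bot that happens to sit inside an allowed range, and it makes every new traveller a change request, which is the usability cost discussed in the replies. Its value is that a password leaked in someone else's breach is useless from an arbitrary foreign address until the attacker also gets onto the network or the VPN.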
freakinvibe

I understand what you are saying but forcing the users to use VPN for each and every device is too complicated for them. Thanks anyway.

vomsupport

We finally set up a Barracuda appliance and send all mail through it.



talos4

A few months ago a user's password was compromised. We were fortunate to catch it, but we still found 14,000+ messages in the queue, although a few thousand of them had already been sent. We got on two blacklists. Not fun.

This is a serious limitation in Kerio security. Your techs know it. I've discussed it with various levels of Kerio admin.

Allow SMTP limits based on user. Doing so by IP is a joke.

It is as simple as that. Please fix this security flaw in Kerio.
