Compromised Account Detection with Abusix Mail Intelligence (and Postfix)


You get an alert from your monitoring systems: your entire mail cluster is experiencing issues sending to various common domains, and your customers’ mail is being deferred or rejected.

You’ve got multiple compromised accounts.

They are all being used to send spam, significantly affecting your mail cluster’s reputation in many places and causing several blocklists to list some of your IPs.

Detecting and handling compromised accounts is a daily pain for many security teams and postmasters. These are usually caused by weak or re-used passwords, phishing, or credential-stealing malware.

Once an account is compromised, it can send a large volume of messages, affecting your hosts’ IP reputation. This takes time to resolve, while other affected users complain to your support desk.

This type of compromise has become so common because many SMTP servers don’t offer great solutions for limiting authenticated users and detecting misuse.

As a result, many sites have had to resort to building complex internal systems to try and detect rogue accounts while using basic rate-limiting as a fallback to try and limit the damage should these detections fail.

Our current Abusix Mail Intelligence Solution

IP blocklists, like Abusix Mail Intelligence, are not usually suitable for authenticated mail: they’re designed to block inbound mail and would cause significant false positives if applied to authenticated submissions.

As such, most SMTP servers like Postfix usually skip DNSBL checks for authenticated mail by default.

Abusix Mail Intelligence provides a unique “authbl” list (Authentication Blocklist) designed explicitly for this purpose:

  1. It has short TTLs (Time to Live) of 12 hours, so records expire quickly and dynamic IP addresses do not stay listed after they are reassigned.
  2. It only contains IPs we’ve seen using other compromised accounts, or that could be used for this purpose (e.g., they’re bot-infected).

Presenting Our New List: authbl-rcpt

We’ve just introduced a companion list called “authbl-rcpt,” which contains the email addresses of all the email “dropboxes” we have seen used by brute-force SMTP credential attacks.

How it works:

Many compromised accounts are “tested” first by attempting to send an email that contains the account credentials used to authenticate within it. 

The recipient address of the message is a “dropbox” account controlled by the attacker and is solely used to collect working credentials: if the credentials didn’t work, the message would never have been sent in the first place.

If the connecting IP address isn’t detected, then the recipient email addresses can be checked against this new “authbl-rcpt” list. 

The account is compromised if a match is found, providing a secondary detection method.

The “authbl” can be used by many SMTP servers “out-of-the-box” with no particular configuration required, and it will prevent bad IPs from authenticating and sending mail. 

But it won’t help you identify which account is compromised, nor would it stop another bot from using the same account from an IP address that isn’t currently listed.

So, I will show you a solution using Abusix Mail Intelligence and Postfix to detect, report and prevent compromised accounts from doing any damage.

I picked Postfix for this as it is the most commonly used open-source SMTP server these days, shipping by default on most Linux distros. However, the same methods described here can be adapted for any SMTP server, provided that it allows some scripting and the necessary metadata.

How to use our new Policy Server

Postfix has a feature that allows it to delegate actions to a Policy server. This is just a simple server that Postfix connects to and sends connection and message metadata. The policy server then responds with an “action” that Postfix should take for that message.

I wrote the Policy server using Node.js (JavaScript), and it does the following:

Image 1: Policy Server Flow Chart

I’ve released the code for this publicly (licensed GPLv3) in our GitLab repository, which you can find here: https://gitlab.com/abusix-public/abusix_auth_ppd, along with installation and operating instructions.

Once it’s installed, you:

  1. Simply edit the configuration file
  2. Add your API Key from our user Portal
  3. Configure the action you’d like Postfix to take if a compromised account is detected. This can be one of the following:

reject: Reject the message. This will typically cause an error in the email client.

hold: Accept the message, but place it in the Postfix “hold” queue. This allows the message to be reviewed using standard Postfix tools and either released or deleted.

log: Log a warning to the system log and take no further action.

One of the best features of this new policy server is that it can be configured to run a script whenever a new compromised account is detected, which can be used to create:

  1. An issue in a ticketing system
  2. An alert to a monitoring system
  3. An API call or a webhook to call further automation

The options are limitless and just down to your imagination.

So, feel free to grab the code and install it, get a trial of Abusix Mail Intelligence, and see how effectively it catches compromised accounts on your infrastructure.

I’d love your feedback!
