Solved

Need some informations about mail server attacks

Posted on 2013-06-16
10
971 Views
Last Modified: 2013-11-16
One of my customer mail server is actually under attack.  I don't have tons of knowledge about any kind of attack, but i've few questions:

1. All the log files show 'Invalid Username or Password', but the emails that they are trying to use to login are not fake email... they do really exist on our server. Is there a security problem or it's just too easy to get the email address from a server and it's not possible to prevent it?

2. What's the best way to prevent brute force attack on a mail server?


They are using an old version of MailEnable installed with Plesk.  I've seen no such option as "Ban IP after X Invalid username or password".
0
Comment
Question by:cdebel
10 Comments
 
LVL 15

Assisted Solution

by:Ian Meredith
Ian Meredith earned 50 total points
Comment Utility
1. It isn't too hard to get email addresses for this type of thing.  They can be 'farmed' from various sources.
A good chance the email addresses were obtained in other way than some sneak attack on your mail server.

2.  Get hosted email filtering, that way you can lock down your firewall to only accept incoming traffic on port 25 (SMTP) from the service providers ip range.  No more brute force attacks.

Cheers
0
 
LVL 10

Author Comment

by:cdebel
Comment Utility
Can you explain a bit more about #2?   Any service provider doing "Email Filtering"?

Do i have to setup all the mailbox on this kind of service?  Do i have to change the MX record to point to this service?  etc...
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 50 total points
Comment Utility
Also take a look at EMET security for your server. This a genuine Microsoft product designed for Servers and Workstation and the new Version 4 has Certificate Pinning added on. I have it running on my Windows 8 workstation successfully, but I have not yet put in on a Server (my clients have outsourced hosted email).

Go here and read up on it.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

.... Thinkpads_User
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points
Comment Utility
Check this on reacting to the brute force on mail accounts - primarily using iptable to mitigate for the time being. But do also encourage complex password and effect account lockout (though it can be inconvenient to user). Also the next part is to harden the server and consider DKIM and SPam protection
http://serverkb.co.uk/wiki/Mail#Brute_force_on_mail_accounts

There are more security capability listed below but I do suspect you need upgrade
http://www.mailenable.com/features/anti-spam.asp

IP Address Whitelisting
Abuse protection from dictionary attacks
DKIM
Abuse Policy
Failed Auth Account Lockout

other ref - MailEnable Lockdown Utility
http://www.mailenable.com/security/lockdown.asp
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 
LVL 10

Author Comment

by:cdebel
Comment Utility
Do you know if there's any method to use IP table files with a Windows Server 2008?  Because i've found some web sites listing every IP ranges from China, Roumania, Ukraine, Russia, etc...  but i've not found any method to import these rules.  I've found some method using netsh advfirewall for Windows Server 2008.  If i can't find any tool to do it, i'll script it.

I also thought about buying Mail Enable... at least to get the latest version with all the fixes.  There might be a ton of vulnerabilities in the version that my customer use.  We will probably do that.

Thanks a lot for your input breadtan

@Thinkpads_user: i'll also look at EMET.
0
 
LVL 61

Accepted Solution

by:
btan earned 400 total points
Comment Utility
There is one called WIPFW @ http://wipfw.sourceforge.net/ that run on Windows 2000, XP, 2003, Vista, Windows7, 2008,2008 R2. But it is is unable to change packets content, so it is impossible to redirect packets.

Actually if there is no physical FW fronting server at the perimeter then I will resort to the host based prevention s/w (HIPS) installed in the server for holistic protection controls. if the latter is also not available, i see more to leverage the inherent windows FW in the OS to do it.  HIPS can include symantec SEP or Mcafee endpoint protection etc.
But that would be quite a hassle for short term since you already seeing attacks, but long term it will be worth exploring into investing it.

Coming back to Windows FW, there is MMC snap-in as well and of course netsh advfirewall is also CLI equ. There are also other scripts in the below links

MMC Snap-in
http://technet.microsoft.com/en-us/library/ff428136.aspx
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html

Resource - Using Windows Firewall with Advanced Security
(include best practice, COMAPI, scription API and VB scripts sample)
http://msdn.microsoft.com/en-us/library/aa366418(v=vs.85).aspx
0
 
LVL 10

Author Comment

by:cdebel
Comment Utility
I've checked with the host (1&1) and there's an hardware firewall that i actually use, but there's a maximum of 25 rules that i can setup in it.  So i can't fill it up with the iptable content to ban these countries.

I'm not sure to understand for wipfw when you say it's impossible to redirect packets.   It block them, but doesn't forward them to a dummy server where the attacker that could let him think that he is actually hacking something?

WIPFW seems like something i'll like.  I'll install it locally to do some tests.

Is there any advandtage to use it instead of Windows FW?   The one i see are: It seems to be easier to script with WIPFW, and it's probably safer because the potential risk of an exploit found for Windows FW is higher than a 3rd party.

It still doesn't take 100% iptable file but it would be really easy to do it with just few lines of code.
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
probably in the past Windows w/o advfirewall wipfw may surpass but actually I see it more of user being familiar with ipfw and wanted something close in Windows. It does has flexibility in rules and to extedn of having dynamic rules in the fly to allow packet through. Its config is also in a wipfw.conf (if I am not wrong) that consolidate all gist for the ipfw preference in sharing ease to other machine etc.

Understand the Windows FW prior to Vista is limiting and will not filter egress traffic and has poor logging. It would have changed but WIPFW is also in constant check and upgrade.

As for the redirection, I believe is it cannot change anything in the packet hence destination IP address probably cannot be re-routed esle - it is still a due diligence type drop and allow
0
 
LVL 10

Author Comment

by:cdebel
Comment Utility
Well, i think i have enough informations to help me to cover some security risk.

Buying mail enable standard, not the free edition
Doing some tests with WIPFW, and write a small program to add rules on the fly to avoid attacks from reaching the servers

Thanks a lot for the help you have provided!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now