Has My Domain Email Been Hacked

[webgyrl]

edited

[webgyrl]

edited

[webgyrl]

edited

[leezard]

Heres some info i got from cert.com about e-mail spoofing (cloning) It has a few tips on preventing it.

 

http://www.cert.org/tech_tips/email_spoofi...fing.html#III.B

 

I. Description

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

 

Examples of spoofed email that could affect the security of your site include:

 

* email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this

* email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

 

If, after investigating the activity, you find that there is more to the incident than spoofed email (such as a compromise at your site or another site), please refer to Section IV below.

II. Technical Issues

 

* If you provide email services to your user community, your users are vulnerable to spoofed or forged email.

* It is easy to spoof email because SMTP (Simple Mail Transfer Protocol) lacks authentication. If a site has configured the mail server to allow connections to the SMTP port, anyone can connect to the SMTP port of a site and (in accordance with that protocol) issue commands that will send email that appears to be from the address of the individual's choice; this can be a valid email address or a fictitious address that is correctly formatted.

* In addition to connecting to the SMTP port of a site, a user can send spoofed email via other protocols (for instance, by modifying their web browser interface).

 

III. What You Can Do

 

1. Reaction

1. You may be alerted to spoofed email attempts by reports from your users or by investigating bounced email error messages.

2. Following relevant policies and procedures of your organization, review all information (such as mail headers and system log files) related to the spoofed email.

 

Examine tcp_wrapper, ident, and sendmail logs to obtain information on the origin of the spoofed email.

 

The header of the email message often contains a complete history of the "hops" the message has taken to reach its destination. Information in the headers (such as the "Received:" and "Message-ID" information), in conjunction with your mail delivery logs, should help you to determine how the email reached your system.

 

If your mail reader does not allow you to review these headers, check the ASCII file that contains the original message.

 

NOTE: Some of the header information may be spoofed; and if the abuser connected directly to the SMTP port on your system, it may not be possible for you to identify the source of the activity.

3. Follow up with other sites involved in this activity, if you can identify the sites. Contact them to alert them to the activity and help them determine the source of the original email.

 

We would appreciate a cc to "cert@cert.org" on your messages; this facilitates our work on incidents and helps us relate ongoing intruder activities.

 

If you have a CERT# reference for this incident, please include it in the subject line of all messages related to this incident. (NOTE: This reference number will be assigned by the CERT/CC, so if you do not have a reference number, one will be assigned once we receive the incident report.)

 

To find site contact information, please refer to

 

http://www.cert.org/tech_tips/finding_site...e_contacts.html

 

You may also want to contact the postmaster at sites that may be involved. Send email to

 

postmaster@[host.]site.domain (for example, postmaster@cert.org)

 

Please include a copy of this document in your message to sites.

4. To provide as much information as possible to help trace this type of activity, you can increase the level of logging for your mailer delivery daemon.

5. Realize that in some cases, you may not be able to identify the origin of the spoofed email.

2. Prevention (Deterrence)

1. Use cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.

2. Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.

3. Ensure that your mail delivery daemon allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.

4. Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site.

5. Educate your users about your site's policies and procedures in order to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible. See also CERT advisory CA-1991-04, available from

 

http://www.cert.org/advisories/CA-1991-04....ngineering.html

[webgyrl]

edited

[leezard]

forwarding mail from one account to another doesnt remove the mail from the original account mail was sent to (if that makes sense)

 

I forward all of my mail sent to news@x-trememodz.com to a staff member so that they can post any news that i might miss or just not have time to get to, but I still recieve a copy of the e-mail at the original address it was sent to.

[webgyrl]

edited

[leezard]

one of the network admins would be the ones that would probably need to look into it. Head_Guru will see this post i'm sure and take whatever action is needed.

[webgyrl]

forwarding mail from one account to another doesnt remove the mail from the original account mail was sent to (if that makes sense)

 

I forward all of my mail sent to news@x-trememodz.com to a staff member so that they can post any news that i might miss or just not have time to get to, but I still recieve a copy of the e-mail at the original address it was sent to.

Ok so that means that I have to manually delete all mail in webmail in order for the box not to fill up?

 

I didn't know that! Doh!!! I better check all the domains in that case!

 

Thanks Leezard!

[leezard]

if you forward maile sent to addressa@****** to addressb@yourdomnain.com there is still a copy of the forwarded mail left on the addressa account. So, unless you log into addressa and download all the messages, or delete them they stay on the server.

 

Is the account that is full one that is checked daily and messages are downloaded?

[webgyrl]

one of the network admins would be the ones that would probably need to look into it. Head_Guru will see this post i'm sure and take whatever action is needed.

Ok good. This really sucks!! Why do people do these stupid things like spoofing and cloning IP's... it's so dissruptive! Grrr!

 

Thanks for the help!

 

Nat

[webgyrl]

edited

[Lianna]

Here's the scoop: If you create a mail account and forward that mail to another, both accounts receive the mail. However, if you only create a forward and not the account, then only the forward recipient gets the mail.

 

Example:I want all mail addressed to me@mydomain to also go to Lianna@mydomain.

I create email account: me@mydomain, set forward to Lianna@mydomain

 

Example2: All mail sent to webmaster@mydomain, I want just sent to Lianna@mydomain.

I create a forward for webmaster@mydomain to Lianna@mydomain.

 

Does that help?

[webgyrl]

edited

[webgyrl]

edited

[webgyrl]

Just out of curiosity, why are there three types of webmail? Can we just use the one we want to, is there a difference?

 

I'm going through all the domains I have and checking the mail via webmail to see if thereare boxes of messages that need to be cleared.

 

Thanks,

Nat

[webgyrl]

edited

[leezard]

it doesnt matter which webmail you use, they all log into the same server (if you delete mail in horde, you wont be able to access it if you use squirelmail etc)

[webgyrl]

The "Inbox" i seem to be getting to in SquirrelMail is a "catchall" box. If someone wanted to just check thier unique email address using webmail how would they do that?

 

I'm worried that each email account that was set up on all the domains may have spam in the boxes. I know I set up individual accounts with passwords when I initially set up the email accounts, but how does one access those individual email addresses, or are they indeed all put into one "inbox"?

[webgyrl]

it doesnt matter which webmail you use, they all log into the same server (if you delete mail in horde, you wont be able to access it if you use squirelmail etc)

Ok that's great!

 

They are all great webmail programs BTW!

 

I'm diggin SquirrelMail!

[Head Guru]

Those emails are all formail.pl exploit attempts. A while back there was a huge hole in cPanels formail scripts. The spammers got ahold of it and abused it. The hole has been patched and the formail scripts appear to be secure now.

 

What your seeing is attempts. These are common.

 

Simply delete the emails.

 

You will notice they are actual bounces. The mail never left the server.

[webgyrl]

Bill,

 

Thanks! I had read about the cgi form mail spam issue when I first joined TCH and that is why I went with the PHP script that everyone here was so helpful with.

 

As long as all that stuff is just an attempt, then I feel safe. Thanks for clarifying all that.

 

It blows my mind that people do this kind of stupid stuff, glad to know that there are ways around it using PHP.

 

Thanks everyone for your friendly and super fast help. I was a little worried as I know that people do try to do malicious things and the last thing I need right now is another headache!!!!

 

Thanks

Nat

[surefire]

And I'm glad that script is working well for you.

[webgyrl]

And I'm glad that script is working well for you.

Jack!

 

That script is one of the best "tools" I've ever found on the web! It simply RAWKS!

 

Thanks so much

 

Nat

[surefire]

Aw, shucks.

 

[BanditWS6]

Aha, just this morning I had the same thing happen to me. I received four unrouted e-mails at my main account address and wondered what it was about. Noticed the existence of /cgi-sys/formmail.pl and was worried that it was being compromised, but I've just now found this thread wherein Bill says that the attempts to send mail never actually succeed, and the mail never leaves the server. Whew!

 

Knowing I'm not the only one with this problem and that it can no longer be successfully exploited with the latest cPanel patches, I'll go close that help desk ticket I opened about it.

 

Thanks for all the information!

[Lianna]

The "Inbox" i seem to be getting to in SquirrelMail is a "catchall" box. If someone wanted to just check thier unique email address using webmail how would they do that?

 

I'm worried that each email account that was set up on all the domains may have spam in the boxes. I know I set up individual accounts with passwords when I initially set up the email accounts, but how does one access those individual email addresses, or are they indeed all put into one "inbox"?

Log in to webmail using their address and password.

 

For example, if I have created an email account like johnny@****, then I should be able to login to Squirrellmail or Horde or neo using that as the username (note that you need to use the FULL email address as the username).

 

Hope that helps.

[webgyrl]

edited

[webgyrl]

Just had to make it known that it was my naivety in setting up Email via cPanel that caused my email issues.

 

I had thought that oyu had to set up the main accounts first then add forwarders, which is not the case.

 

I was recieveing duplicates of all emails on the domian as I had set up webmail accounts when I didn't really need them.

 

My bad!

 

Hi-5 to Andy B. for helpin a sista out!

 

Nat

[TCH-Andy]

Nat,

 

My pleasure

 

Andy