Compliments of the day, I am Barrister Paul Allen, Financial Consultant / Legal Adviser, Royal Bank of Canada Investment Management (UK) Limited (British Isles). I have been advised to contact you regarding a deposit of $12.5 Million United States Dollars made by a dual citizen of United States and Britain, Mr. Wilcox Alex, with Bank Negara Malaysia, on the 4th of September 1998. Mr. Wilcox, Alex was a contractor resident in Malaysia and executed contracts for the Government of Malaysia. The money was deposited with Bank Negara Malaysia for onward transfer to his account with Royal Bank of Canada Investment Management (UK) Limited (British Isles).
Unfortunately, Mr. Wilcox Alex and his wife Wilcox Petra were involved in a Plane crash on Monday 7th September 1998 GMT 14:22 UK while they were flying from New York to Geneva. Please see following news caption for more information:
May their gentle souls rest in perfect Peace.
You are advised to forward a valid proof of your identification, telephone and fax numbers. Upon receipt of the particulars, I will send you copy of the Death Certificate of late Mr. Wilcox Alex to enable you contact the bank for the claim of the money. I have been instructed by the management of Royal Bank of Canada Investment Management (UK) Limited (British Isles) to ensure that the money is claimed by you as the rightful beneficiary.
If you decide to keep your server in-house, I strongly recommend using a third party cleansing service like Postini (Google) or MessageLabs (Symantec). Not only will they scan and deliver clean emails to you, they will allow you to block port 25 on your firewall and only permit the provider network to communicate with you over SMTP.
An SMTP attack is any exploitation of your SMTP server that enables attackers to gain unauthorized access to it. When an SMTP hack occurs, attackers can see the email addresses stored on your server and send messages to them while pretending to be you. The recipients, which can be clients or friends, will think that the email is from you since the hackers used your email address.
Aside from sending phishing and spam emails, an SMTP hack can also give way to denial-of-service (DoS) attacks. Hackers can use your SMTP server to send a massive number of emails to other servers, effectively drowning the targets until they crash.
Adding security layers to your SMTP server helps keep it safe from unauthorized access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS), more commonly known as SSL/TLS, is a standard method of encrypting data sent through SMTP.
For utmost security, continuous education about phishing and malware should be advocated in organizations. Users should be aware of the current phishing methods that attackers employ. Bring Your Own Device (BYOD) policies must be implemented with caution and clear guidelines to avoid risks associated with lost or stolen devices.
I'm running a postfix/dovecot mail server. This morning, I discovered it was unresponsive. Turned out, /var/log was full. It appears one of the users has had their account hacked and it's being used to send spam.
I've temporarily turned off postfix and dovecot, which is fine for the moment as there are only 6 of us using it. But, what steps should I take beyond having the user's password reset? Might there be things in the outbound postfix queue from this user that I should delete (and how would I do that?)? Any other steps I should take?
Find an ID of one of the mails in the queue with mailq.
Then check the headers to see how it was sent with postcat -q ID (where ID is the ID of the message). This way you can check whether the email is sent by an authenticated user or a rogue script.
Hi there, I come to you asking urgent help. We installed a new server with email and osticket. The server doesn't have anything else. The server went down when trying to send lots of emails. I'm trying to backtrace to see if the problem was osticket. We have a cron job polling the tickets via imap. The mysql user only has access to osticket database. The only file that has 777 is cron.php. Yesterday it was sending tons of emails from an account that isn't even in osticket. It exists only as a user account. We changed the email password and disabled osticket. It returned to normal. Using windiff I checked for injected code. Nothing. What could it be?? Could Osticket be the gateway?? What can we do to stop this from happening?? Please help us....
If the account that was sending the email isn't used in or for osTicket I'm not real sure why you would think that the two things are linked. Without logs, and/or forensically searching your server myself it would be improper for me to really speculate on what happened. I mean it's possible that there is an unknown security exploit for the version of osTicket that you're running but it's also just as likely that another piece of installed software has an unpatched exploit in my opinion.
That's what I thought, but I have to prove it. I think it was a hacked email account that generated the server flooding. The osticket now is separate in a different server and working by polling, so now that should be easy to prove in case this happens again. Thank you...
I'm not trying to sell anything here, but if you are looking for somebody to host the application for me, let me know. I know that servers get literally hammered all day long, and it takes quite some efforts to make it secure. If you are interested, send me an email to "sup...@justcorebusiness.com", or look at our website www.justcorebusiness.com.
1) It is not being sent by us but the reply-to field is being set to our site, and therefore we receive the failure notification or 2) Our system has been compromised and it's being sent by us, hurting our reputation. Also - if this is the case, where do I look to fix the problem?!
Third, check that your router is only allowing outgoing activity on port 25 from just your mail server; workstations that are compromised can otherwise send email and it would appear from your outgoing IP.
Fourth would be to run a packet sniffer on the mail server if you want to verify that it isn't sending extra email, or insert a system that can run wireshark/tcpdump between the mail server and the router for a "clean catch" of network traffic, as compromised systems can hide what they're doing if rootkitted.
I would start by reviewing your mail server logs for this message. It was given a unique ID number but if your system sent it you should be able to easily at least find the message. If you do find the message there's a good chance your employee's computer or device is infected with something. However, you would want to compare the IP address of the device sending the message to what you would expect it to be.
A threat actor has hacked Microsoft Exchange email servers across the world in order to gain access to their internal messaging capabilities and send malicious emails to company customers and employees in the hopes of infecting them with malware.
Once the attackers gained access to the server, Trend Micro said they used a PowerShell feature to read and interact with the server email storage system, and they hijacked existing conversations by inserting and sending new replies to all participants.
According to researchers, the replies contained links to malicious Excel documents with macro scripts that, when a user allowed them to run, would install a version of the Squirrelwaffle malware.
First spotted in September 2021, this is a new malware operation that was built on the model of cybercrime services like Emotet, Dridex, and TrickBot, allowing the Squirrelwaffle gang to rent access to their botnet of infected systems to other gangs.
"The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activities will be detected," the Trend Micro team explained.
Trend Micro also noted that delivering malicious spam using this technique to reach a company's own users, on the internal domain, also decreased the possibility of security tools detecting or stopping the attack, as email gateways would not be able to filter or quarantine any of the emails sent this way.
Patching Exchange servers is one way of keeping systems safe, but there are countless other Exchange bugs that could be abused as an entry point, so keeping Exchange servers up to date with security patches at all times is recommended.
Human Intelligence and email attacks are on the rise. Spear phishing and social engineering methods are used to steal email account user data, including login credentials. Microsoft on-site and cloud attacks are rising. Office 365 server hacks occur when an attacker, masquerading as a trusted entity, dupes a victim into opening an email that contains a URL to share a file via SharePoint. Microsoft Office 365 accounts are commonly targeted, and such attacks are classified as spear phishing: email spoofing attacks that target a specific organisation or individual and seek unauthorized access to sensitive information such as email accounts or file shares.
Digitpol's Cyber and Fraud Team are certified examiners and can assist with all cases related to email server attacks, email scams and fraud. Digitpol can deploy computer forensic examiners to investigate the hack, determine how it took place and report the findings. Digitpol ensures that hackers are not active in your network and that your user account policies and rules are configured correctly to prevent further attacks. The following points are the first in each attack investigation.
If you encounter or believe that you have been the victim of online or internet fraud (i.e. phishing, fraudulent text messages etc.), please send an email to in...@digitpol.com. Be sure to attach any supporting documentation such as copies of suspicious emails, text messages and questionable links/URLs.