Thread: Newbie Question: Mailserver security

  1. #11
    Junior Member
    Join Date
    Jul 2002
    Posts
    19
    Quote Originally Posted by lazy13
    Maybe you can tell him to send you mail with a photo from a webserver owned by you.
    Then you can add a script that will log all the IPs that download this photo, and you'll see whether someone intercepts his mail.
    Then you can track the IP that viewed your photo, and his mail.

    It's my 2nd post, so be gentle.
    Not a bad idea, for a second post. We don't own the webserver...

    MrEsco
    Beware of weird people

  2. #12
    Junior Member
    Join Date
    Jul 2002
    Posts
    19
    Quote Originally Posted by xiphias360
    Well, on to your options. I think the most used technique to find a leak is by sending false information and seeing if your suspect picks up on it. This is used by even the most un-tech-savvy of computer users. Putting something juicy or interesting in an email and then casually bringing it up later in a conversation, and seeing if the suspect lets out more than you have told him.

    But if the person is using some cheap online email account you can add an IP/timestamp logger to your emails. Actually, depending on how you used it, it could probably work in the best of online email accounts. Anywho, here's the gist: you make a small Perl CGI script that does the following (the log and image paths here are placeholders),

    #!/usr/bin/perl
    use strict;
    use warnings;

    # log who fetched the image (REMOTE_ADDR is set by the web server), then serve it
    open(my $log, '>>', '/var/log/mailcanary.log') or die "log: $!";
    print $log "$ENV{REMOTE_ADDR} opened the email at " . scalar(localtime) . "\n";
    close($log);

    open(my $img, '<', '/var/www/canary.gif') or die "image: $!";
    binmode($img);
    binmode(STDOUT);
    print "Content-Type: image/gif\r\n\r\n";
    print while <$img>;
    close($img);

    This is something I used to use, and it works. But today, sites like Gmail automatically block images in emails, just like Outlook, unless the user clicks a link to show the images. So if that's the case, you can create an email where the main focus is the data on some graph or other interesting image that would cause the user to download the image.

    I had a pretty nice program back in the day. I modified my .htaccess so that .gif extensions were associated with CGI scripts (just to add to the realness) and I used sendmail to alert me whenever the image was triggered, as well as logging everything to a file.
    Good stuff, but now some root-cause analysis... what is the commonly used way to 'hijack' an email address?

    Thx for the input... I will razzle and dazzle them at tomorrow's meeting... for shizzle

    MrEsco
    Beware of weird people
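The canary-image idea above (lazy13's suggestion in #11 and the Perl sketch quoted in this post), worked through as an added Python example that is not code from the thread. It goes one step beyond the quoted script: every outgoing copy of the mail gets its own image URL, so a fetch can be attributed to the copy it came from, and the report shows fetches from addresses the intended reader is not known to use. The host name canary.example.invalid, the /canary/<token>.gif path, the HMAC token format, the sample addresses and the scenario in demo() are all assumptions of mine, not anything from the thread.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Smallest valid 1x1 transparent GIF (43 bytes); stands in for the "photo".
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)


class CanaryTracker:
    """Issues one image URL per outgoing copy of a mail and records who fetches it."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.tokens = {}   # token -> label of the copy it was embedded in
        self.opens = []    # (token, remote_addr, user_agent, utc datetime)

    def _tag(self, rid: str) -> str:
        return hmac.new(self._secret, rid.encode(), hashlib.sha256).hexdigest()[:16]

    def issue_token(self, label: str) -> str:
        # 16 hex chars of randomness plus a 16-char HMAC tag: the sender can mint
        # tokens, but someone who sees one URL cannot forge or enumerate others.
        rid = secrets.token_hex(8)
        token = rid + self._tag(rid)
        self.tokens[token] = label
        return token

    def image_url(self, base: str, label: str) -> str:
        return f"{base}/canary/{self.issue_token(label)}.gif"

    def _valid(self, token: str) -> bool:
        if len(token) != 32 or token not in self.tokens:
            return False
        return hmac.compare_digest(token[16:], self._tag(token[:16]))

    def handle(self, path, remote_addr, user_agent="", now=None):
        """Serve a GET for <path>; returns (status, content_type, body).
        Only fetches of a known, correctly tagged token are logged."""
        prefix, suffix = "/canary/", ".gif"
        if not (path.startswith(prefix) and path.endswith(suffix)):
            return 404, "text/plain", b"not found"
        token = path[len(prefix):-len(suffix)]
        if not self._valid(token):
            return 404, "text/plain", b"not found"
        when = now or datetime.now(timezone.utc)
        self.opens.append((token, remote_addr, user_agent, when))
        return 200, "image/gif", PIXEL_GIF

    def unexpected_opens(self, known_ips):
        """known_ips: label -> set of addresses that copy is expected to be read from.
        Returns the fetches that came from anywhere else."""
        report = []
        for token, addr, ua, when in self.opens:
            label = self.tokens[token]
            if addr not in known_ips.get(label, set()):
                report.append((label, addr, ua, when.isoformat()))
        return report


def demo():
    """Constructed scenario: the intended reader opens the mail from the office,
    then the very same copy is fetched from an address nobody at the client uses,
    and someone tries a made-up token (which is served a 404 and never logged)."""
    base = "https://canary.example.invalid"          # assumed host
    t = CanaryTracker(secret=b"example-only-secret")
    path = t.image_url(base, "customer-A")[len(base):]
    office = "192.0.2.10"        # documentation prefix, stands in for the client's IP
    stranger = "198.51.100.7"
    ts = datetime(2008, 1, 1, 9, 0, tzinfo=timezone.utc)
    t.handle(path, office, "Mozilla/5.0 (Windows NT 5.1)", ts)
    t.handle(path, stranger, "Mozilla/5.0 (X11; Linux)", ts)
    t.handle("/canary/0000000000000000ffffffffffffffff.gif", stranger, "", ts)
    return t.unexpected_opens({"customer-A": {office}})


if __name__ == "__main__":
    for row in demo():
        print("unexpected open:", row)
```

Two caveats a practitioner should keep in mind before reading anything into the log. A reader whose mail client blocks remote images never shows up at all, as the post already notes; and webmail services such as Gmail fetch remote images through their own proxy servers, so the address you log is the proxy's, not the reader's. What the per-copy token still gives you in that case is the pattern: the same token fetched from two different networks, or from a User-Agent the recipient never uses, is the signal that a second party has the message.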

  3. #13
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum. But as far as a commonly used way, there is none. It's not like you can just launch stealthisaccount.exe -a bob@thecompetition.com and instantly have an account. It's more like invading a country...

  4. #14
    [rant]
    he accuses his ISP of forwarding his email to the competition.
    :sigh: The problem is your client's an idiot. Why is it people who know nothing whatsoever about IT are always so unwaveringly convinced that they know the cause of the problem and who's at fault?

    [/rant]

    I seriously doubt you have a hacker on your hands. I'd bet you 95% that the problem is either:

    1) Someone internal leaking info, or
    2) User error.

    Either way, I'd lay money on a people problem, not a system problem.

    To echo the above poster, there is no "common way" to "hack" email. You're looking at a question with dozens of solutions.

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    xiphias360

    Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum.
    Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.

    If you have any concerns about what you might want to post, please feel free to PM me or any other Mod or Admin. We do believe in full disclosure, but it is "responsible" full disclosure.

    What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.

    Now, this may not even be a true "IT" issue. We could have a "mole" on the inside; his client's greed might have encouraged him (the client) to accept a "trojan horse" account (proper use of Trojan Horse there... had to read that stuff for my ancient Greek exams).

    I am still waiting to see if we have a general e-mail or client-specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".

    Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?

    Keep chipping away at the boulder folks

  6. #16
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.

    Since you touched on the Trojan Horse subject, that is probably the easiest, most cut-and-dried way a person is going to get inside a place to take a look around without going through the sleepless weeks and efforts of a real hack. Plus it's insanely easy, so even Fred who sweeps up out back behind the warehouse could do it. Be warned however, this is not advice, instructions or anything of that nature. Merely a discussion, and should you flip this around and use any of this to try anything on anyone and get caught, the law's heavy hammer will come crashing down on you.

    So now, back to the trojan horse. It's very possible your client could be infected with one and not know it. Are his antivirus definitions up to date? Understand that antivirus programs only catch the bad stuff based on their signature. If you take a well-known virus that every AV in the world looks for, and run it through some new packer, you change the signature of the file and voila, the AV doesn't know it's a trojan anymore. I used to play with Sub7 back in the day (didn't we all?) and while all the AVs looked for it, I had packed it with a no-name hole-in-the-wall packer and was able to send it to friends and family undetected, just for SnG's of course. It worked for a whole week before McAfee was able to detect it. Norton took another couple of weeks after that. And getting someone to download something is sooOoOo easy. Gotta love horny guys. I remember a story in the news about a guy who was duped by a hacker in a chat room claiming to be a young teen. "She" sent him "revealing pictures" that let the hacker rape the retard's computer, and he ended up scoring passwords that led to another raping of a huge company.

    Anywho, the point is, a recent survey showed that most people think they have AV or firewall protection but really don't have any protection at all. Your client could swear on a stack of Bibles that he has AV, but then you could look and see that his Norton 30-day free trial that came bundled with his computer expired two and a half years ago and couldn't detect Sober if it stabbed him in the ass.

    But trojans aren't the only thing that could come into play here. A rootkit could be present that gives the other person a 24/7 pass into your computer. Try downloading Rootkit Revealer and see what happens.

    Also, is there a firewall installed? What kind? If not, give ZoneAlarm a try. It's free and user-friendly, and should tell you when and where your packets try to sneak off to, and ask you if you want to let it happen or not.

    There's tons of ways to get a trojan or rootkit into another network. Someone could have paid a disgruntled or just plain easily swayed employee to do the job for them. And if you're a fan of the Stealing the Network series, you should remember one of the guys talking about another easy way to get inside. Just burn the trojan/rootkit to a disc and have it autorun. Then toss some other worthless but seemingly interesting stuff on the disc (porn, games, sensitive-looking documents) and label it accordingly, "The Best of Heather Brooks", "Duke Nukem Forever (LEAKED!!)" or "Sales Data". Then "drop" it somewhere near the building and wait for it to phone home and deliver you a set of keys.

  7. #17
    Junior Member
    Join Date
    Jul 2002
    Posts
    19
    Quote Originally Posted by xiphias360
    Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.
    Guys,

    The trojan/rootkit possibility has been explored, nothing has been found... we took the computers almost completely apart, sector by sector.

    At this moment we're looking into the human aspect of this so-called 'hack', and it looks like the client is just paranoid. I'm just getting my facts straight; I know that attacking an email server needs some skill and a lot of free time...

    It would mean that the attacker has a clear image of his target. Is it possible to discover with a traceroute which server the sender is using?

    Or is it a bit more complicated than that?

    Kind regards,

    MrEsco
    Beware of weird people

  8. #18
    Junior Member
    Join Date
    Jul 2002
    Posts
    19
    Quote Originally Posted by nihil
    Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.
    Thx for the concern, but I'm not interested in the scribbiedidlydoo tools. I'm more interested in 'global' views so we can protect ourselves against it.

    Quote Originally Posted by nihil
    What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.
    It looks like (if it's true) an elaborate and well-organised effort, but I doubt it... too many holes in the client's story. We just need to cover all angles.

    Quote Originally Posted by nihil
    I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".
    General email

    Quote Originally Posted by nihil
    Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?

    Keep chipping away at the boulder folks
    Beware of weird people

  9. #19
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hah!

    General email
    That, I feel, is the answer.

    Your client has a customer who is a spy, and he is sending his e-mails to that account as well as all his legitimate ones.

    Search for Occam's Razor or KISS

    MrEsco, your client does not come across as the sharpest tool in the shed, now does he?

    To put it very bluntly, how you tell him that he has **** for brains is down to you old chap

  10. #20
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    One possible idea would be to have your inbound/outbound mail routed through a secure hosted machine elsewhere (outside the ISP).

    Ensure that mail in and out only goes via that host, and is encrypted in both directions. That machine can then act as an "MX" record for the customer's domains.

    Some hosted email security services already provide such a system; I work for a company which does just this.

    If you're using this, even if the ISP's routers were compromised, your email is still safe.

    Slarty
