
Thread: Fighting phished accounts

  1. #1

    Fighting phished accounts

    We're getting hit hard with phishing scams and users are falling for it in droves. Worse, some of them are then phishing our other users. So I'm looking for ideas on how to help slow this down a bit at least, besides user education.

    We deal with the problem of dictionary attacks using fail2ban rules.

    What we notice is that these accounts are being used to phish using the Zimbra Desktop client. It is something we don't support, so is there a way to disable users from using it?

    Next, we would I guess need a way to determine when a spam campaign starts and programmatically lock these accounts. We can continue fighting robots with humans.

    TIA.

  2. #2

    First, strategies are the same as with spam mail, and every day the situation is getting worse on the admin side.

    second - I bet 1000$ that they don't use the zimbra desktop client to phish - at least not automated
    really I don't see a real way to do this

    zdesktop is more or less a zimbra light server - embedded into a sandbox. there's no way you can access zimbra desktop by api with a worm or so,
    so at least not by conventional MAPI functionality or similar

    I'm not even sure if there's an api you can access zimbra desktop with, but even IF - the worm has to be written only for that api,
    in contrast to regular windows mail programs and especially outlook where you can use the windows and office api to do the job

    I really doubt that someone has written a worm for zdesktop

    also there is no way to disable zdesktop - it uses the http api the web interface uses too, so not really (in theory it's possible to restrict certain directories server-side to only accept access by the webui)
    but again - it's not desktop that's your problem

    it's more likely they
    a. just use your users' mail addresses
    b. if the traffic is really outgoing from YOUR OWN server then you have to lock those accounts and give them new passwords
    it's very likely they just stole their accounts then

    so it would be nice if we could see those logs to see what is really accessed and how -

    but honestly those things are more or less common security and mail strategies; if you expect a certain solution you may want to pay for support

    btw did you run dspam? it does a great job there if you let it (set scoring much higher)

  3. #3

    Problem is increase in phishing scams (that pass thru) and users giving out credentials...

  4. #4

    Quote Originally Posted by su_A_ve
    Problem is increase in phishing scams (that pass thru) and users giving out credentials...
    well then you're screwed pretty much - I mean if they use your system with the correct credentials ...

    well there are 2 things you can do depending on your field of users.

    if they are all within the same company you could use a vpn solution so you get a second security ring

    another idea would be to implement a geoip firewall, which isn't so complicated but works of course only if your users are from the same area

    with a lot of scripting you could even extend it to give a group (domain) or single users a specified range of ip addresses (geolocations)

    however - if they are infected by a worm which uses their credentials you're done

    I would not try to bother too much with the content -

    however use dspam for that; configured properly it's very powerful self-learning

    ...
    at the end get your users a proper virus scanner which can also detect phishing stuff,
    and educate your users
    charge your users for locking accounts - if it's within your own company then charging might not work but you could punch 'em a little xD

    really there's not so much you can do then besides tightening up overall security (vpns, outgoing https proxy and stuff) but only in one organisation - if you're a service provider you're really screwed

    (still you can configure a script locking user accounts sending too many mails a minute)

  5. #5

    Quote Originally Posted by su_A_ve
    We're getting hit hard with phishing scams and users are falling for it in droves. Worse is, some are actually then phishing within our users. So I'm looking for ideas on how to help slow this down a bit at least, besides user education.
    For the past month, we've been hit hard too. I would love to hear what others are doing.

    After a few attacks we were able to collect most of the IPs they are connecting from and built a perl script to keep tabs on /opt/zimbra/mailbox.log for suspicious activity - pretty simple stuff ... if ip == problem, then notify admins. We review the logs after the fact and lock down the accounts, changing passwords and expiring any active sessions. PM me for this code.

    A better solution would be to rate limit on a per-user basis, with exceptions and whitelists. We have a multi-server installation and funnel all outbound zimbra email through one host. /var/log/maillog shows the number of recipients an individual is sending to, so if the phisher is active or an anomaly is detected, the algo should be able to identify and squash the active user session(s), lock the account and notify the admins.

    An educated user base is priceless. We are looking at three options.

    PhishMe - Spear Phishing Awareness Training # cost $$
    Train Employees to Identify Malicious URLs | Wombat Security # cost $$
    SP Toolkit | Identify the Weakest Link # free, open source

    Something like the sptoolkit probably has the most flexibility and could be a better long term solution, but requires the most effort to implement. The other solutions would likely be faster to implement, but would still require time and resources to get in place.

  6. #6

    We detect Phished accounts fairly rapidly by monitoring users that send large volume of mail in short periods of time. Those accounts are locked automatically and 99 times out of 100 they were compromised accounts that got phished. Yes, it would be nice to prevent the compromise in the first place but that's not a solved problem for us yet.

  7. #7

    Quote Originally Posted by speno
    We detect Phished accounts fairly rapidly by monitoring users that send large volume of mail in short periods of time. Those accounts are locked automatically and 99 times out of 100 they were compromised accounts that got phished. Yes, it would be nice to prevent the compromise in the first place but that's not a solved problem for us yet.
    What do you use to detect and lock the accounts?

  8. #8

    Quote Originally Posted by blazeking
    What do you use to detect and lock the accounts?
    A script that gets the last few minutes of both /opt/zimbra/log/mailbox.log and /path/to/syslogs/mail.log and counts how much mail is sent from ZWC. Any accounts that cross a threshold are considered to be compromised. This script runs every few minutes so that there are no missed periods.

    Locking the account is essentially 'zmprov accountname zimbraAccountStatus locked'
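The threshold-and-lock approach described in posts #5 and #8 (count recent sends per account from mailbox.log, exempt known bulk senders, flag accounts that cross a threshold or connect from a watchlisted IP, then lock via zmprov) as a worked example. This is added here for illustration; it is not any poster's script and not the code from the zimbra-utilities repository. The log lines are constructed and only approximate Zimbra's mailbox.log SendMsgRequest format, so the regex is an assumption to be checked against real logs; the IPs come from documentation ranges, the 5-in-5-minutes threshold is arbitrary, and `zmprov ma <account> zimbraAccountStatus locked` is the standard modifyAccount form of the lock command quoted above. The script only prints the lock command rather than running it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed sample log (assumed format): jdoe bursts from a watchlisted IP,
# the newsletter account legitimately sends in bulk, bob sends once from the
# watchlisted IP, alice is normal. One non-send (GetInfoRequest) line is mixed in.
SAMPLE_LOG = """\
2012-03-05 10:10:02,001 INFO  [btpool0-3://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=42;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:00,120 INFO  [btpool0-5://mail.example.com/service/soap/SendMsgRequest] [name=newsletter@example.com;mid=7;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:01,130 INFO  [btpool0-5://mail.example.com/service/soap/SendMsgRequest] [name=newsletter@example.com;mid=8;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:02,140 INFO  [btpool0-5://mail.example.com/service/soap/SendMsgRequest] [name=newsletter@example.com;mid=9;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:03,150 INFO  [btpool0-5://mail.example.com/service/soap/SendMsgRequest] [name=newsletter@example.com;mid=10;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:04,160 INFO  [btpool0-5://mail.example.com/service/soap/SendMsgRequest] [name=newsletter@example.com;mid=11;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:10,445 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=43;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:12,460 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=44;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:16:15,480 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=45;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:17:01,010 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=46;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:17:05,030 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=jdoe@example.com;mid=47;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:17:30,300 INFO  [btpool0-9://mail.example.com/service/soap/GetInfoRequest] [name=alice@example.com;mid=11;ip=203.0.113.21;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - GetInfoRequest
2012-03-05 10:18:00,010 INFO  [btpool0-2://mail.example.com/service/soap/SendMsgRequest] [name=bob@example.com;mid=12;ip=198.51.100.77;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
2012-03-05 10:18:40,777 INFO  [btpool0-9://mail.example.com/service/soap/SendMsgRequest] [name=alice@example.com;mid=13;ip=203.0.113.21;ua=ZimbraWebClient - FF3.0 (Win)/7.1.3_GA_3346;] soap - SendMsgRequest
"""

# Assumed line shape; adjust the regex against the real mailbox.log before use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r".*?\[name=(?P<user>[^;\]]+);"
    r".*?ip=(?P<ip>[^;\]]+);"
    r".*?ua=(?P<ua>[^;\]]*);?\]"
    r".*SendMsgRequest\s*$"
)


class SendEvent(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ua: str  # kept so a caller can restrict counting to ZWC sends if wanted


def parse_sends(text: str) -> List[SendEvent]:
    """One SendEvent per SendMsgRequest line; other SOAP requests are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append(SendEvent(ts, m.group("user"), m.group("ip"), m.group("ua")))
    return events


def detect(events: List[SendEvent], now: datetime,
           window: timedelta = timedelta(minutes=5), threshold: int = 5,
           whitelist: FrozenSet[str] = frozenset(),
           watchlist_ips: FrozenSet[str] = frozenset()) -> Dict[str, dict]:
    """Flag accounts with >= threshold sends inside the window (unless whitelisted)
    or with any send from a watchlisted IP. Returns user -> count, ips, reasons."""
    cutoff = now - window
    counts = defaultdict(int)
    ips = defaultdict(set)
    for ev in events:
        if ev.ts < cutoff or ev.ts > now:  # only the most recent window matters
            continue
        counts[ev.user] += 1
        ips[ev.user].add(ev.ip)
    flagged = {}
    for user, n in counts.items():
        reasons = []
        if n >= threshold and user not in whitelist:
            reasons.append(f"{n} sends in {window} (threshold {threshold})")
        hits = ips[user] & watchlist_ips
        if hits:
            reasons.append("send from watchlisted ip: " + ", ".join(sorted(hits)))
        if reasons:
            flagged[user] = {"count": n, "ips": sorted(ips[user]), "reasons": reasons}
    return flagged


def lock_command(user: str) -> List[str]:
    """zmprov modifyAccount invocation that locks the account (built, not executed)."""
    return ["zmprov", "ma", user, "zimbraAccountStatus", "locked"]


NOW = datetime(2012, 3, 5, 10, 20, 0)  # fixed "now" so the sample run is reproducible
WHITELIST = frozenset({"newsletter@example.com"})  # constructed legitimate bulk sender
WATCHLIST_IPS = frozenset({"198.51.100.77"})  # constructed known-bad source IP


def demo_flagged() -> Dict[str, dict]:
    return detect(parse_sends(SAMPLE_LOG), NOW, whitelist=WHITELIST, watchlist_ips=WATCHLIST_IPS)


if __name__ == "__main__":
    for user, info in sorted(demo_flagged().items()):
        print(f"{user}: {'; '.join(info['reasons'])}")
        print("  ->", " ".join(lock_command(user)))
```

Run against the sample, jdoe is flagged on both the rate and the IP watchlist, bob only on the watchlist, and the whitelisted newsletter account is left alone despite sending just as fast; in a cron job you would replace SAMPLE_LOG with the tail of the real log, pass `datetime.now()`, and hand the flagged list to the lock step plus an admin notification.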

  9. #9

    Quote Originally Posted by speno
    A script that gets the last few minutes of both /opt/zimbra/log/mailbox.log and /path/to/syslogs/mail.log and counts how much mail is sent from ZWC. Any accounts that cross a threshold are considered to be compromised. This script runs every few minutes such that there is no missed periods.

    Locking the account is essentially 'zmprov accountname zimbraAccountStatus locked'
    Thanks! Care to share the script?

  10. #10

    I've put it on github here: https://github.com/JohnSpeno/zimbra-utilities

    Edit the MY_* variables for your use and I'd be happy to get pull requests for new features and bugfixes for this. This version is slightly modified to make it more generic so I'm not even sure if it will work. :-)
