This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?
- Previous message (by thread): [anti-abuse-wg] Call For Co-Chair Nominations & Updated Agenda: RIPE 83 AA-WG Session
- Next message (by thread): [anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hans-Martin Mosner
hmm at heeg.de
Wed Nov 17 09:12:13 CET 2021
Hi folks, I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owner are spammers or knowingly accept spammers as customers. So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts registered with the purpose of spamming (I'm looking at you, Google). Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance: * Easily guessable passwords, with two subcauses for exploits: o Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers. o Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms. * Malware on client machines where passwords are either stored in a password vault, or entered manually. My gut feeling is that some organizations are especially prone to hacked mail accounts. We're seeing lots of south american government agency users, and many accounts at educational institutions. The latter are often hosted using Microsoft O365 services, and I highly suspect that weak passwords for all the freshly created student accounts may be a major cause, although exfiltrated password data may be a possibility, too. So does anyone have pointers to studies analyzing these (and probably more) causes of exploited mail accounts? Cheers, Hans-Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/anti-abuse-wg/attachments/20211117/f7385e04/attachment.html>
- Previous message (by thread): [anti-abuse-wg] Call For Co-Chair Nominations & Updated Agenda: RIPE 83 AA-WG Session
- Next message (by thread): [anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]