<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Nov 2021, at 08:12, Hans-Martin Mosner <<a href="mailto:hmm@heeg.de" class="">hmm@heeg.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" class="">
<div class=""><p class="">Hi folks,</p><p class="">I'm trying to understand the root causes and vulnerabilities that
lead to hacked mailboxes. Currently, we can handle dynamic IP
ranges pretty well, and we have an extensive list of network
ranges whose owner are spammers or knowingly accept spammers as
customers.</p><p class="">So what mainly remains as spam sources are hacked
servers/websites, hacked mail accounts, and freemail accounts
registered with the purpose of spamming (I'm looking at you,
Google).</p><p class="">Here I want to focus on hacked mail accounts. I can think of two
major root causes but I have no idea about their relative
significance:</p>
<ul class="">
<li class="">Easily guessable passwords, with two subcauses for exploits:<br class="">
</li>
<ul class="">
<li class="">Brute force authentication attempts - I'm seeing them
regularly, and the most egregious networks (e.g.
5.188.206.0/24) are fully blocked at our mailserver, but some
mailops are less struct about blocking such abusers.</li>
<li class="">Hashed password data exfiltration and cracking (for example
using JtR) these lists - this would work better with weaker
password hashing, but with weak passwords and some CPU power
it is probably possible even for strong hash algorithms.</li>
</ul>
<li class="">Malware on client machines where passwords are either stored
in a password vault, or entered manually.</li></ul></div></div></blockquote><div><br class=""></div><div>Reused passwords is another. A fair number of websites seem to store user accounts with email addresses and plaintext passwords. When they inevitably get compromised there are bad actors who’ll grab those dumps and try those passwords against the email accounts.</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><ul class="">
</ul><p class="">My gut feeling is that some organizations are especially prone to
hacked mail accounts. We're seeing lots of south american
government agency users, and many accounts at educational
institutions. The latter are often hosted using Microsoft O365
services, and I highly suspect that weak passwords for all the
freshly created student accounts may be a major cause, although
exfiltrated password data may be a possibility, too.</p><p class="">So does anyone have pointers to studies analyzing these (and
probably more) causes of exploited mail accounts</p><div class=""><br class=""></div></div></div></blockquote><br class="">Cheers,</div><div> Steve</div><br class=""></body></html>