Educause Security Discussion
mailing list archives
Re: SMTP attacks, anyone ?
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 10 Oct 2012 22:42:49 +0000
Did changing their passwords stop the spam? If not, did the spammer change accounts or was he able to keep using the
ones you'd already identified?
Did you ask the users if they used the same password for any other accounts?
Did you double-check to make sure that the Postfix server is set up correctly and that it's not actually an open relay?
Steven Alexander Jr.
Online Education Systems Manager
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew
Sent: Wednesday, October 10, 2012 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SMTP attacks, anyone ?
In the last few months on two occasions we've had a user's email credentials compromised and used to send spam via SMTP.
We have a Postfix mail relay where users can authenticate via SASL to send mail from offsite, and this was what was
There was no obvious trace of a dictionary attack; it seems the attackers knew a password somehow and then proceeded to
use it from a couple of hundred different client addresses around the world (which themselves appear to be SMTP
servers, rather than home PCs).
Both the users in question deny "risky network behaviour" and are fairly clueful - would not fall for phishing, do not
frequent cybercafes etc.
Their passwords (now changed of course) were robust enough not to fall to a few hours of "John the Ripper" so I doubt
they were trivially guessed.
I wondered if anyone else had seen this kind of abuse.
Right now it's not a serious problem, but of course if we've got unexplained compromises I want to understand. I'll
probably write some kind of filter to flag/block excessive offsite logins, or impossibly short travel times like the
credit card companies do.
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
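Andrew's closing idea, a filter that flags excessive offsite logins or impossibly short travel times between them, is easy to prototype against the `client=...[ip], sasl_method=..., sasl_username=...` line that Postfix smtpd logs on a successful SASL authentication. The following is an added example, not code from this thread or from TRIUMF: it parses constructed Postfix log lines (not real traffic), uses a hypothetical IP-to-coordinate table in place of a GeoIP database, and applies two assumed thresholds (900 km/h as the fastest plausible travel, and three distinct client addresses per user per hour).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Postfix smtpd line logged for an authenticated client (real Postfix format).
SASL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[0-9A-Fa-f.:]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$"
)
LOG_YEAR = 2012  # syslog omits the year; assumed for this constructed sample

# Constructed sample log (not real traffic): alice's credential is used from
# three continents within a minute; bob logs in from two nearby cities hours apart.
SAMPLE_LOG = """\
Oct 10 14:03:11 relay postfix/smtpd[4012]: 7B1C2D3E4F: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Oct 10 14:03:40 relay postfix/smtpd[4013]: 7B1C2D3E50: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Oct 10 14:04:02 relay postfix/smtpd[4014]: 7B1C2D3E51: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice
Oct 10 09:00:00 relay postfix/smtpd[4001]: 7B1C2D3E40: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob
Oct 10 17:30:00 relay postfix/smtpd[4020]: 7B1C2D3E60: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob
Oct 10 19:31:00 relay postfix/smtpd[4021]: 7B1C2D3E61: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=bob
"""

# Hypothetical IP -> (lat, lon) table standing in for a GeoIP lookup.
# Documentation-range addresses; coordinates chosen for this example only.
GEO = {
    "203.0.113.7": (49.2827, -123.1207),     # Vancouver
    "198.51.100.9": (52.3676, 4.9041),       # Amsterdam
    "192.0.2.44": (-23.5505, -46.6333),      # Sao Paulo
    "198.51.100.200": (47.6062, -122.3321),  # Seattle
}

MAX_SPEED_KMH = 900.0        # assumed: faster than this between logins is "impossible travel"
WINDOW = timedelta(hours=1)  # assumed: window for counting distinct client addresses
MAX_DISTINCT_SOURCES = 3     # assumed: distinct client IPs per user per window before alerting


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_sasl_logins(text, year=LOG_YEAR):
    """Return {user: [(datetime, ip), ...]} sorted by time from Postfix smtpd log text."""
    logins = defaultdict(list)
    for line in text.splitlines():
        m = SASL_LINE.match(line)
        if not m:
            continue  # not an authenticated-client line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins[m["user"]].append((ts, m["ip"]))
    for events in logins.values():
        events.sort()
    return logins


def impossible_travel(events, geo, max_speed_kmh=MAX_SPEED_KMH):
    """Yield (prev, cur, speed_kmh) for consecutive logins whose implied speed is too high."""
    for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
        if ip0 == ip1 or ip0 not in geo or ip1 not in geo:
            continue  # same source, or no location known: nothing to compare
        km = haversine_km(geo[ip0], geo[ip1])
        hours = (t1 - t0).total_seconds() / 3600.0
        # Two distant logins in the same second imply infinite speed; flag rather than divide by zero.
        speed = float("inf") if hours <= 0 else km / hours
        if speed > max_speed_kmh:
            yield (t0, ip0), (t1, ip1), speed


def excessive_sources(events, window=WINDOW, limit=MAX_DISTINCT_SOURCES):
    """Largest set of distinct client IPs seen within any `window`, or empty if below `limit`."""
    worst = set()
    for i, (start, _) in enumerate(events):
        seen = {ip for t, ip in events[i:] if t - start <= window}
        if len(seen) > len(worst):
            worst = seen
    return worst if len(worst) >= limit else set()


def analyze(text, geo=GEO):
    """Run both checks over a log and return a list of (user, check, detail) alerts."""
    alerts = []
    for user, events in parse_sasl_logins(text).items():
        for (t0, ip0), (t1, ip1), speed in impossible_travel(events, geo):
            secs = (t1 - t0).total_seconds()
            alerts.append((user, "impossible_travel", f"{ip0} -> {ip1} in {secs:.0f}s (~{speed:.0f} km/h)"))
        sources = excessive_sources(events)
        if sources:
            alerts.append((user, "excessive_sources", f"{len(sources)} distinct client IPs within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for user, check, detail in analyze(SAMPLE_LOG):
        print(f"{user}: {check}: {detail}")
```

On the sample, alice trips both checks and bob trips neither: a 195 km hop over two hours is ordinary, while 7,700 km in 29 seconds is not. The distinct-source count is the one that matches the pattern Andrew describes (one password used from a couple of hundred client addresses), and it does not depend on geolocation accuracy at all; the travel-time check needs a real GeoIP database and will produce false positives for users on VPNs or mobile carriers, so treat it as a flag for review rather than an automatic block.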