[Dovecot] 64.31.19.48 attempt to break into my computer

Mike Cardwell dovecot at lists.grepular.com
Thu Sep 22 17:17:31 EEST 2011


On 22/09/11 15:08, Charles Marcus wrote:

> The only attack I haven't figured out how to eliminate is the
> social/phishing attack, where $DumbUser gives out their username
> password voluntarily... although I have been considering faking a
> phishing attack on my own users, and flagging the ones who fall for it
> for training.

The University I work at was suffering from this a *lot*. Phishers kept
contacting our users pretending to be from our IT helpdesk asking users
to reply with their login details so that their mailbox could be
refreshed or so their quota could be fixed and other such things.

So I developed an application that sits on our outgoing mail routers
looking for login credentials inside emails. If it finds any, it
blackholes the email and sends an autoresponse to the sender telling
them to never ever send login details via email under any circumstances.
It Cc's me in too, and it catches people emailing their logins around on
a *daily* basis.

Our usernames follow a very strict format, and we have a pretty strict
password policy so what my program does is pull out a list of all the
*possible* usernames and passwords and then attempts to authenticate
against our AD using them.

I built it into a framework so other people can use it:

http://kochi.lboro.ac.uk/kochi1.html

You need to know how to write Perl though in order to use it. It's not
plug and play.

We also added ratelimiting to our outgoing mail, and a system which
alerts us whenever anyone hits the limit. If it takes a phisher 2000
spams to get access to one account, but that one account only allows the
phisher to send 1000 spams, then it completely destroys the point of
what they're doing.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20110922/7abb3a70/attachment.bin>


More information about the dovecot mailing list