Dovecot somehow creating new local e-mails from a compromised account
Hello all, long-time listener, first-time caller ...
I returned from an Eclipse trip to find a couple of sp*m e-mails in an account. I checked the logs and there was no Postfix activity during the delivery times. The 2 spams have basically no headers in them.
I went back to the logs and instead found Dovecot IMAP server activity during those times. Apparently Russian hax0rs (hostnames stat_list.ip-ptr.tech and service_stat.ip-ptr.tech) compromised an account and logged into it via IMAP, and somehow were able to create these two sp*m e-mails on my system.
Obviously I've changed the account password but I would really like to know how they were able to create e-mails on my system when ostensibly I would have assumed they could only read the account's e-mails via IMAP.
If it matters, it's an older version of Dovecot on Fedora with a fairly heavily customized set of .conf files. I ran "doveconf -a" but didn't see anything obvious in the output. I may enable rawlogs in case they come knocking again, even though the password has been changed.
Thanks.
Putting an email in an IMAP folder is not too difficult, or have you done something special so that everything is read-only? I have even seen a sieve script that puts log output in a mail item.
google IMAP APPEND
On Thursday, 11/04/2024 at 13:32 Greg Earle via dovecot wrote:
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
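The replies point at IMAP APPEND: an authenticated IMAP client can upload a message straight into a mailbox, and such a message never passes through Postfix, so nothing stamps a Received: header on it. That is exactly the "basically no headers" symptom in the original post, and it gives a defender a cheap way to find appended messages after the fact. The following script is an added example, not code from the thread or from Dovecot; the two sample messages are constructed, and the Maildir walker assumes the default new/ and cur/ layout Dovecot uses.

```python
# Added example (not from the thread or from Dovecot): spot stored messages
# that were most likely created with IMAP APPEND rather than delivered by the
# MTA. Postfix stamps a Received: header on everything it delivers; a message
# uploaded over IMAP carries only the headers the client chose to include.
from email import message_from_string, policy
from pathlib import Path

# Constructed sample messages (not the actual spam from the post).
DELIVERED = """\
Return-Path: <sender@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPS id 4VFAKE123
\tfor <bob@example.net>; Thu, 11 Apr 2024 10:00:00 -0700 (PDT)
From: sender@example.org
To: bob@example.net
Subject: normal delivery
Message-ID: <normal-1@example.org>
Date: Thu, 11 Apr 2024 10:00:00 -0700

Delivered through Postfix.
"""

APPENDED = """\
From: promo@example.com
Subject: special offer

Uploaded straight into the mailbox.
"""


def audit_message(raw: str) -> dict:
    """Return indicators of how a message reached the mailbox.

    'suspect' is True when there is no Received: header at all, i.e. nothing
    on the SMTP path ever handled the message.
    """
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    return {
        "subject": str(msg.get("Subject", "")),
        "received_count": len(received),
        "has_message_id": msg.get("Message-ID") is not None,
        "has_date": msg.get("Date") is not None,
        "suspect": len(received) == 0,
    }


def audit_maildir(maildir: Path) -> list:
    """Walk a Maildir (new/ and cur/) and return the suspect messages.

    Assumes the default Maildir layout Dovecot uses; file names are reported
    so the operator can match them against Dovecot's IMAP session logs.
    """
    hits = []
    for sub in ("new", "cur"):
        for f in sorted((maildir / sub).glob("*")):
            if not f.is_file():
                continue
            report = audit_message(f.read_text(errors="replace"))
            if report["suspect"]:
                hits.append((f.name, report["subject"]))
    return hits


if __name__ == "__main__":
    for name, raw in (("delivered", DELIVERED), ("appended", APPENDED)):
        print(name, audit_message(raw))
```

A missing Received: chain is a strong but not absolute signal: mail copied in by a legitimate client (drafts, messages moved from another account) also lacks one, so pair the file names this reports with the Dovecot session logs for the same timestamps before drawing conclusions.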
For the record, we are seeing a continued increase in hackers inserting/modifying email directly in IMAP.
The same RBLs that you use to protect SMTP can help on all ports/services, especially things like RATS-AUTH, or the Spamhaus or SpamRats DROP lists..
And while country AUTH blocking is not the be-all and end-all, and can be bypassed with proxies and VPNs, it can reduce the attack surface.
And REALLY consider the large cloud providers.. do servers normally need to connect to your IMAP services? Most email providers could safely block IMAP access from all EC2, Azure, Google Cloud and Tencent IP space, and manually make exceptions for the odd IP that needs access..
(It's what we do by default in most of our products now)
And, if you haven't already.. STOP allowing POP/IMAP without SSL/TLS.. passwords can and will be sniffed.. and once TLS is used, you have fingerprinting as an extra tool to prevent bad actors.
On 2024-04-11 10:32, Greg Earle via dovecot wrote:
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
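The reply above recommends two controls that are easy to audit from Dovecot's own login lines: refuse plaintext IMAP/POP sessions, and refuse logins from address ranges that have no business reaching your IMAP service (cloud-provider space, in the reply's example). The script below is an added example, not code from the thread or from Dovecot. The log lines are constructed to follow the format of Dovecot's "imap-login: Login:" entries, and the deny-list CIDRs are placeholders standing in for whatever provider ranges you actually choose to block.

```python
# Added example (not from the thread or from Dovecot): review Dovecot
# imap-login lines for logins that did not use TLS and for logins from
# address ranges that should never reach IMAP. The log lines are constructed
# to follow Dovecot's "imap-login: Login:" format; the deny-list CIDRs are
# placeholders, not real provider ranges.
import ipaddress
import re

# Placeholder ranges standing in for the provider blocks you would deny.
DENY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8::/32")]

SAMPLE_LOG = """\
Apr 11 13:01:02 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, mpid=4101, TLS, session=<s1>
Apr 11 13:05:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, mpid=4122, TLS, session=<s2>
Apr 11 13:07:13 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=4130, session=<s3>
Apr 11 13:09:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.44, lip=192.0.2.1, session=<s4>
"""

LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+)(?P<rest>.*)$"
)


def parse_logins(text: str) -> list:
    """Extract successful IMAP logins as dicts: user, remote IP, protected?"""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed/disconnected attempts are not logins
        rest = m.group("rest")
        # Dovecot tags the line with "TLS" for TLS sessions and "secured" for
        # connections it treats as trusted (e.g. localhost); anything else
        # was a plaintext session.
        protected = re.search(r"\b(TLS|secured)\b", rest) is not None
        events.append({"user": m.group("user"), "rip": m.group("rip"), "protected": protected})
    return events


def in_deny_ranges(ip: str) -> bool:
    """True when the address falls inside one of the deny-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in DENY_RANGES)


def review(text: str) -> list:
    """Return (user, ip, reasons) for every login that violates the policy."""
    findings = []
    for ev in parse_logins(text):
        reasons = []
        if not ev["protected"]:
            reasons.append("no TLS")
        if in_deny_ranges(ev["rip"]):
            reasons.append("denied range")
        if reasons:
            findings.append((ev["user"], ev["rip"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in review(SAMPLE_LOG):
        print(f"{user} from {ip}: {', '.join(reasons)}")
```

Run it over /var/log/maillog (or wherever Dovecot logs on your Fedora box) to see how many plaintext or out-of-policy logins you already have before tightening anything. On the server side the TLS half is enforced with Dovecot's `disable_plaintext_auth = yes` and `ssl = required` settings; the address-range half belongs in the firewall in front of port 143/993, where this script's deny list would become real provider CIDRs.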