How to protect against compromised email account password

How to protect against compromised email account password

Administrator Beckspaced.com
Dear Postfix Users,

just recently the computer of a client got infected with malware and the
email password was compromised.
The bad guys immediately started sending out spam emails via our mail
servers.

We got notified by our monitoring system a bit later ... and fixed things

But lots and lots of spam emails have been sent via our mail server.

How do you protect your mail system against a compromised password and
mass spam mail sending?

Thanks & greetings
Becki

Re: How to protect against compromised email account password

Daniel Armengod
Hi Becki,

At our site we have a log monitoring script (ad-hoc) which warns us
about "mass" authenticated smtp sessions, and also automatically
triggers a user disable on certain criteria, in this case:

- That sent emails exceed a threshold on a given time interval,
- *That there are numerous originating IP addresses*, and,
- That those IP addresses do not reverse-resolve to a hostname.

The 2nd rule is quite effective at catching botnets. *The last rule is
there because certain huge providers (e.g. gmail) send in parallel from
multiple IPs, and can register as a false positive by the 2nd rule.*

Automatically taking action based on geo-ip data + a connection number
threshold can also be an effective tool if you're mostly in a local
(national) environment. Anything coming from outside your country can
get extra attention if your userbase mostly communicates in-country. Of
course, if your operations are global in scope, this heuristic can
trigger many false positives and thus be worthless.

It's not a perfect solution (some hundred spam e-mails *do* get sent
until the auto-ban kicks in) and its short integrating interval (1 hour
by default) means that "trickle"-rate spam can get through.

All in all it is a somewhat effective mitigating strategy, and as they
say, perfect is the enemy of serviceable.

I'd love to hear how other site admins manage this problem :)

Kind regards,
Daniel

On 19/02/2019 11:56, Admin Beckspaced wrote:

> Dear Postfix Users,
>
> just recently the computer of a client got infected with malware and
> the email password was compromised.
> The bad guys immediately started sending out spam emails via our mail
> servers.
>
> We got notified by our monitoring system a bit later ... and fixed things
>
> But lots and lots of spam emails have been sent via our mail server.
>
> How do you protect your mail system against a compromised password and
> mass spam mail sending?
>
> Thanks & greetings
> Becki

Re: How to protect against compromised email account password

Christos Chatzaras
In reply to this post by Administrator Beckspaced.com
We wrote a shell script that runs hourly and notifies us of SASL authentications from IPs in at least 2 different countries in the previous hour. In the future we plan to automatically change the password if SASL authentications come from 3 different countries. This catches most of the hacked e-mail accounts.

Also we use Postfix relays with Rspamd checking the From header (we don't allow users to spoof the From address) and doing rate limits (500 e-mails / hour). If someone tries to send more e-mails, the extra e-mails go to the queue for later delivery. So we have some time to check manually.
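Daniel's rule set (per-account volume threshold, many originating IPs, none of them reverse-resolving) and Christos's hourly countries-per-account check are the same log pass with different verdicts. The script below is an added example written for this page, not either poster's script. It parses the "client=name[ip], sasl_method=..., sasl_username=..." line that postfix/smtpd logs for every authenticated session, takes Postfix's own "client=unknown[...]" as the reverse-DNS verdict (Postfix logs "unknown" when the peer address has no usable reverse DNS, so no extra lookup is needed), and applies both rules over a one-hour window. The GeoIP table, the thresholds and the log lines are constructed stand-ins; a real run would read the mail log and query a GeoIP database.

```python
"""Hourly pass over Postfix SASL logins looking for a hijacked account."""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Successful SASL login as logged by postfix/smtpd: "client=name[ip],
# sasl_method=..., sasl_username=...". Postfix writes "unknown" as the name
# when the peer address has no usable reverse DNS, so no lookup is needed here.
SASL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:\S+/)?smtpd\[\d+\]: \S+: client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

# Constructed stand-in for a GeoIP database (MaxMind, ip2location, ...).
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
    ipaddress.ip_network("2001:db8::/32"): "US",
}

Login = namedtuple("Login", "ts user ip rdns")


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_DB.items() if addr in net), "??")


def parse_logins(lines, year):
    """Yield Login records; syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            yield Login(ts, m["user"], m["ip"], m["host"] != "unknown")


def find_suspicious(logins, now, window=timedelta(hours=1), max_sessions=100,
                    max_ips=5, alert_countries=2, lock_countries=3):
    """Return {user: [reasons]} for accounts that trip a rule inside the window."""
    per_user = defaultdict(list)
    for lg in logins:
        if now - window <= lg.ts <= now:
            per_user[lg.user].append(lg)
    verdicts = {}
    for user, evs in sorted(per_user.items()):
        ips = {e.ip for e in evs}
        resolved = {e.ip for e in evs if e.rdns}
        countries = {country_of(ip) for ip in ips}
        reasons = []
        # Rule 1: volume, spread over many client IPs, none of which resolves.
        if len(evs) > max_sessions and len(ips) > max_ips and not resolved:
            reasons.append(f"disable: {len(evs)} sessions from {len(ips)} unresolved IPs")
        # Rule 2: one account logging in from several countries in the window.
        if len(countries) >= lock_countries:
            reasons.append(f"lock: logins from {sorted(countries)}")
        elif len(countries) >= alert_countries:
            reasons.append(f"alert: logins from {sorted(countries)}")
        if reasons:
            verdicts[user] = reasons
    return verdicts


def _line(day, time, host, ip, user):
    """Constructed postfix/submission/smtpd log line in the format parsed above."""
    return (f"Feb {day:>2} {time} mx1 postfix/submission/smtpd[2345]: 3ABCDEF0123: "
            f"client={host}[{ip}], sasl_method=PLAIN, sasl_username={user}")


SAMPLE_LOG = [  # constructed; the window checked is 11:00-12:00 on 19 Feb 2019
    _line(19, "11:05:10", "office.example.net", "192.0.2.10", "alice@example.com"),
    _line(19, "11:40:02", "office.example.net", "192.0.2.10", "alice@example.com"),
    # carol: home line plus one login from abroad -> worth an alert
    _line(19, "11:12:44", "dsl-20.isp.example", "192.0.2.20", "carol@example.com"),
    _line(19, "11:31:09", "unknown", "203.0.113.9", "carol@example.com"),
    # bob: three countries inside the hour -> lock the account
    _line(19, "11:02:00", "m7.mobile.example", "198.51.100.7", "bob@example.com"),
    _line(19, "11:20:33", "unknown", "203.0.113.5", "bob@example.com"),
    _line(19, "11:55:41", "unknown", "2001:db8::1", "bob@example.com"),
    # dave: the foreign login is outside the window and must not count
    _line(19, "09:30:00", "unknown", "2001:db8::2", "dave@example.com"),
    _line(19, "11:15:00", "unknown", "203.0.113.30", "dave@example.com"),
    "Feb 19 11:16:00 mx1 postfix/qmgr[999]: 3ABCDEF0123: removed",  # not a login
] + [  # mallory: 120 sessions from six unresolved addresses, all in one country
    _line(19, f"11:{i % 60:02d}:{i % 59:02d}", "unknown",
          f"203.0.113.{100 + i % 6}", "mallory@example.com")
    for i in range(120)
]


def check_sample(now=datetime(2019, 2, 19, 12, 0, 0)):
    return find_suspicious(parse_logins(SAMPLE_LOG, now.year), now)


if __name__ == "__main__":
    for user, reasons in check_sample().items():
        print(user, "->", "; ".join(reasons))
```

Counting login lines counts sessions, not messages; one authenticated session can send many messages, so count the per-message lines (for example the qmgr "from=<...>" entries) instead if the threshold is meant in messages. The verdict strings are where Daniel's "user disable" and Christos's password change would be wired in.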

Re: How to protect against compromised email account password

Benny Pedersen-2
Christos Chatzaras skrev den 2019-02-19 12:23:

> Also we use Postfix relays with Rspamd checking the From header (we
> don't allow users to spoof From address) and doing rate limits (500
> e-mails / hour). If someone tries to send more e-mails then the extra
> e-mails go to queue for later delivery. So we have some time to
> manually check.

you have users that can write 500 emails in one hour ?

can't rspamd solve this like it solves so many other things? :/

Re: How to protect against compromised email account password

Administrator Beckspaced.com
In reply to this post by Daniel Armengod

Hi Daniel,

thanks a lot for your insights ;)
Still collecting thoughts and strategies on how other admins solve the issue of a hacked email account.
Anyone?

Thanks & greetings
Becki


Re: How to protect against compromised email account password

Administrator Beckspaced.com
In reply to this post by Christos Chatzaras
Thanks Christos,

so I might want to look into rate limits.
Have not looked into rspamd as I'm running postfix with amavis-new and
spamassassin
Is rspamd compatible with amavis-new?

Thanks & greetings
Becki


Re: How to protect against compromised email account password

Christos Chatzaras


> On 19 Feb 2019, at 16:20, Admin Beckspaced <[hidden email]> wrote:
>
> Thanks Christos,
>
> so I might want to look into rate limits.
> Have not looked into rspamd as I'm running postfix with amavis-new and spamassassin
> Is rspamd compatible with amavis-new?
>
> Thanks & greetings
> Becki

For virus scanning we use only Rspamd with ClamAV:


You can run Rspamd on a cheap VPS with 1GB RAM, and if you also need ClamAV, 2GB of RAM is enough.

You can add Rspamd support in your main.cf using something like this:

smtpd_milters = { inet:mailfilter.example.com:11332, connect_timeout=10s, default_action=accept }

Re: How to protect against compromised email account password

Bill Cole-3
In reply to this post by Administrator Beckspaced.com
On 19 Feb 2019, at 5:56, Admin Beckspaced wrote:

> Dear Postfix Users,
>
> just recently the computer of a client got infected with malware and
> the email password was compromised.
> The bad guys immediately started sending out spam emails via our mail
> servers.
>
> We got notified by our monitoring system a bit later ... and fixed
> things
>
> But lots and lots of spam emails have been sent via our mail server.
>
> How do you protect your mail system against a compromised password and
> mass spam mail sending?

Nothing is absolutely perfect but there are useful approaches, some
external to Postfix proper:

1. Rate limiting. Postfix has some of this (smtpd_client_*_limit
parameters) but you may be able to get more effective and subtle limits
via external tools (e.g. I have some custom code in MIMEDefang.)

2. Only offer SASL authentication on submission services (ports 587 and
465,) for port 587 only after STARTTLS, and require TLS (i.e.
smtpd_tls_security_level=encrypt on submission)

3. Apply the same spam filtering to your outbound mail as your inbound
mail. If you use something like SpamAssassin which treats your
locally-originated mail as special (e.g. a significant negative score
for ALL_TRUSTED and/or ALL_INTERNAL in SpamAssassin) you should reduce
or eliminate that special treatment.

4. Restrict access to your submission ports. This is best done outside
of Postfix, either in a host-resident packet filter or a discrete
firewall/router. It also requires that you know your users to some
degree, at least enough to know whether they travel widely or pass their
mail through cloud servers. Do you need to accept submissions from
China? From Vietnam? Random AWS, Azure, OVH, or Digital Ocean IPs? If
your users are world travelers who might need to come in via a Kazakh
mobile network, consider adding a separate submission service on a
non-standard port just for those users, so that your 587 service can be
tightly limited. Or just set up a webmail service for them and tell them
they just can't do direct submission from Tashkent.

5. Separate individual identities for authentication and email. This is
probably the least common trick but it is extremely effective against
both brute-force password guessing attacks AND most forms of "credential
stuffing" using compromised user+password pairs from other sites. For
example, the email address I'm using for this mailing list cannot be
used as a username for authentication anywhere: not on the mail server
where I submit mail for it, my inbound MX (which doesn't do AUTH
anyway,) or my IMAP server. Where I pick up and submit mail for this
address, I authenticate with a username that I use nowhere else and
which cannot be directly translated to an email address that accepts
mail from the world at large. This sort of approach demands some user
training but it essentially eliminates account cracking that isn't
grounded in the compromise of personal devices.

6. Enforce strong password rules & encourage users to use a password
manager so that they can follow those rules more easily.

7. Prohibit the use of Windows, Android, jailbroken iOS, or macOS with
SIP disabled on client devices. I'm only half kidding...


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
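Bill's points 1, 2 and 5 map directly onto Postfix configuration. The fragment below is an added example for this page, not Bill's own setup: port 25 offers no AUTH at all, the submission services on 587 and 465 accept AUTH only over TLS and only let authenticated clients past the connection stage, each SASL login name is tied to the envelope sender addresses it may use (so the login "k4v9-mail" can send as bill@example.com while the mailbox address itself is never a login name), and anvil rate limits cap what one client address may do per hour. Login names, addresses and numbers are made up.

```conf
# main.cf (added example): no AUTH on port 25, TLS offered opportunistically
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
# window for the smtpd_client_*_rate_limit counters (Postfix default is 60s)
anvil_rate_time_unit = 3600s
# which SASL login names own which envelope sender (MAIL FROM) addresses
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# /etc/postfix/sender_login (run "postmap /etc/postfix/sender_login" afterwards):
#   bill@example.com    k4v9-mail
#   alice@example.com   alice-submit

# master.cf: AUTH only on the submission services, and only after TLS
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_client_message_rate_limit=200
  -o smtpd_client_recipient_rate_limit=500
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_client_message_rate_limit=200
  -o smtpd_client_recipient_rate_limit=500
```

Two caveats a practitioner should keep in mind. The smtpd_client_*_rate_limit counters are keyed on the client IP address (and clients in $mynetworks are exempt by default through smtpd_client_event_limit_exceptions), so a botnet submitting with one stolen password from hundreds of addresses gets a fresh budget per address; a limit per authenticated user needs a policy server or milter, which is why the thread reaches for policyd, Rspamd or MIMEDefang. And reject_sender_login_mismatch checks the envelope MAIL FROM only; the header From that Christos filters in Rspamd is a separate check.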

Re: How to protect against compromised email account password

lists@lazygranch.com
Number 4 is immensely useful. When I had a hosted service, I got hacked from someone in Morocco via a Roundcube exploit that wasn't patched. (My PayPal account was subsequently hacked, though I had the account suspended.)

I saw two problems. One, I only use mail clients. Browsers leak. Two, I don't even have a passport, so sending mail from foreign countries isn't something I need. My hosting provider was having none of my ideas of restricting access, so I got a cloud account and did my own hosting.

I use the firewall to block all email ports except 25 from foreign countries. In addition, I block datacenters except my own IPs. Ip2location can provide a country by country list of the IP space for free.

As a Digital Ocean customer, I know I am hanging out with a small but active number of lowlifes. That is the nature of a business model where you pay for a server and you can do whatever you want until you get caught.




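Gary's firewall policy (every mail port except 25 closed to foreign countries and to data-centre ranges) written as an nftables ruleset, as an added example that is not Gary's own configuration. The two sets hold the address ranges allowed to reach submission, IMAP and POP; the documentation prefixes in them are constructed placeholders for the per-country CIDR export from ip2location or a similar source, which you would regenerate on a schedule and reload with "nft -f".

```nft
#!/usr/sbin/nft -f
# Added example: gate submission and mailbox ports behind a country allow-list.
add table inet mailgate
flush table inet mailgate
table inet mailgate {
    # Ranges allowed to reach 465/587/993/995. The elements are constructed
    # documentation prefixes; replace them with the country export.
    set home_country_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
    set home_country_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # remote MX hosts deliver from anywhere, so port 25 stays open worldwide
        tcp dport 25 accept
        # submission and mailbox access only from the allow-listed ranges
        tcp dport { 465, 587, 993, 995 } ip saddr @home_country_v4 accept
        tcp dport { 465, 587, 993, 995 } ip6 saddr @home_country_v6 accept
        tcp dport { 465, 587, 993, 995 } counter drop
    }
}
```

Port 25 has to stay reachable from the whole world because that is where other sites' MX hosts deliver, which is also why AUTH should not be offered there at all (Bill's point 2). A deny set for data-centre ranges drops in ahead of the accept rules in the same style, and a travelling user's current address can be added with "nft add element inet mailgate home_country_v4 { a.b.c.d }" without reloading the ruleset.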

Re: How to protect against compromised email account password

Administrator Beckspaced.com
In reply to this post by Bill Cole-3

Hello Bill,

thanks for the extensive list.
now I got some food for thought and can think about proper strategies
and solutions.

greetings
Becki


Re: How to protect against compromised email account password

Matus UHLAR - fantomas
In reply to this post by Benny Pedersen-2
>Christos Chatzaras skrev den 2019-02-19 12:23:
>>Also we use Postfix relays with Rspamd checking the From header (we
>>don't allow users to spoof From address) and doing rate limits (500
>>e-mails / hour). If someone tries to send more e-mails then the extra
>>e-mails go to queue for later delivery. So we have some time to
>>manually check.

On 19.02.19 14:02, Benny Pedersen wrote:
>you have users that can write 500 emails in one hour ?

yes, bigger companies that send newsletters or notifications, even to their own users.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm

Re: How to protect against compromised email account password

Benny Pedersen-2
Matus UHLAR - fantomas skrev den 2019-02-20 10:59:

> On 19.02.19 14:02, Benny Pedersen wrote:
>> you have users that can write 500 emails in one hour ?
>
> yes, bigger companies that send newsletters or notifications to even
> their users.

wow, rspamd can't solve that?

above says users, not newsletters with 500+ recipients

Re: How to protect against compromised email account password

Matus UHLAR - fantomas
On 21.02.19 00:53, Benny Pedersen wrote:
>wow, rspamd can't solve that?

why should I know, I don't use rspamd!

>above says users, not newsletters with 500+ recipients

and who sends those newsletters? The users, of course.
Uneducated users who have done that for years, and implementing something else
takes a lot of time and money.


Re: How to protect against compromised email account password

Christos Chatzaras
In reply to this post by Benny Pedersen-2


> On 21 Feb 2019, at 01:53, Benny Pedersen <[hidden email]> wrote:
>
> above says users, not newsletters with 500+ recipients

We are a web-hosting provider. Some customers have forums (notifications about new replies, registrations, etc) or send some newsletters.

We use different IPs for transactional e-mails, different IPs for newsletters, and different IPs for e-mail forwarding.

For customers that want to send a lot of e-mails we recommend to use an external service.

If someone wants more information about our setup use google translate and visit this URL:

https://wiki.cretaforce.gr/mail-servers

Re: How to protect against compromised email account password

Matus UHLAR - fantomas
In reply to this post by Administrator Beckspaced.com
On 19.02.19 15:20, Admin Beckspaced wrote:
>so I might want to look into rate limits.
>Have not looked into rspamd as I'm running postfix with amavis-new and
>spamassassin
>Is rspamd compatible with amavis-new?

They mostly do the same.
Looking at its docs, it has the same problem when scanning outgoing mail:
http://rspamd.com/doc/tutorials/scanning_outbound.html
- scanning outgoing mail is much harder than incoming, because most of it
lacks common spam signs (and that's why spammers do this)

However, rate limiting seems like it could help a lot, along with the other
rate-limiting tricks and techniques mentioned in this thread.

Unfortunately I have already encountered a case where an account was used for
spreading spam, too slowly to notice, where rate limiting wouldn't (I think it
didn't) help.


Re: How to protect against compromised email account password

Leonardo Rodrigues Magalhães
In reply to this post by Bill Cole-3
Em 19/02/2019 23:39, Bill Cole escreveu:

>
> Nothing is absolutely perfect but there are useful approaches, some
> external to Postfix proper:
>
> 1. Rate limiting. Postfix has some of this (smtpd_client_*_limit
> parameters) but you may be able to get more effective and subtle
> limits via external tools (e.g. I have some custom code in MIMEDefang.)
>
> 2. Only offer SASL authentication on submission services (ports 587
> and 465,) for port 587 only after STARTTLS, and require TLS (i.e.
> smtpd_tls_security_level=encrypt on submission)

     I like using policyd (https://wiki.policyd.org/) for rate limiting,
with two different limits, one hourly and the other daily. In both cases,
fail2ban looks for policy infringements and, as soon as they happen, the
IP is blocked with iptables for 2 hours for the hourly limit and 2 days
for the daily one. And when the daily limit is infringed, Support Staff
is notified to change that user's password immediately.

     Not perfect, but we have a great success rate with that solution.

--

        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAMTRAP, do not email it
        [hidden email]


Re: How to protect against compromised email account password

John Stoffel-2
In reply to this post by lists@lazygranch.com
>>>>> "Gary" == Gary  <[hidden email]> writes:

Gary> As a Digital Ocean customer, I know I'm am hanging out with a
Gary> small but active number of lowlifes. That is the nature of a
Gary> business model where you pay for a server and you can do
Gary> whatever you want until you get caught.

Unfortunately, some big ISPs have now blocked all Digital Ocean IP
blocks, and won't accept email, even though my domain is locked down,
doesn't spam, etc.  They took the big hammer approach.  Which sucks
for me.

So the question becomes how do I setup a reasonably cost effective
personal email domain without it getting banned?  

Re: How to protect against compromised email account password

lists@lazygranch.com
What ISP specifically bans Digital Ocean?

What you need is some other email account, say proton, to start the dialog with the ISP that bans your Digital Ocean account. Or you look for some online form or forum. I had this problem with SBC (AT&T) and eventually got whitelisted by IP address. I moved the droplet once and had to get whitelisted again.

I do email all the time with users on Comcast, Cox, and Google. I have SPF and DKIM, so I am very traceable. It is important not to look like a spammer.

I can say with 100% foot stomping fist pounding on the table certainty that using hosted services is far worse than a VPS. You share your IP with enough accounts that eventually one will get you on a banned list.

If you want to spend some money, Google can host email using your domain. If you don't have a lot of users, it isn't that expensive. Something like $5 per user. The service is poorly named. Something like Google Apps.

FastMail has some forwarding service, but you will fail SPF. I have to whitelist users of their service.


  Original Message  
From: [hidden email]
Sent: February 21, 2019 6:08 AM
To: [hidden email]
Cc: [hidden email]
Subject: Re: How to protect against compromised email account password

>>>>> "Gary" == Gary  <[hidden email]> writes:

Gary> Number 4 is immensely useful. When I had a hosted service, I got hacked from someone in Morocco via a Round Cube exploit that wasn't patched. (My PayPal account subsequently hacked, though I had the account suspended.)
Gary> I saw two problems. One, I only use mail clients. Browsers leak. Two, I don't even have a passport, so sending mail from foreign countries isn't something I need. My hosting provider was having none of my ideas of restricting access, so I got a cloud account and did my own hosting.

Gary> I use the firewall to block all email ports except 25 from foreign countries. In addition, I block datacenters except my own IPs. Ip2location can provide a country by county list of the IP space for free.

Gary> As a Digital Ocean customer, I know I'm am hanging out with a
Gary> small but active number of lowlifes. That is the nature of a
Gary> business model where you pay for a server and you can do
Gary> whatever you want until you get caught.

Unfortunately, some big ISPs have now blocked all Digital Ocean IP
Blocks, and won't accept email, even though my domain is locked down,
doesn't spam, etc.  They took the big hammer approach.  Which sucks
for me.

So the question becomes how do I set up a reasonably cost-effective
personal email domain without it getting banned? 
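The per-country restriction of the authenticated ports that Gary describes (25 open to everyone, submission and mailbox ports only from the home country and your own hosts) can be generated from a country-to-IP-range list. The block below is an added example, not code from anyone in this thread. It assumes an IP2Location-LITE-style CSV layout (ip_from, ip_to, country_code, country_name, with addresses as integers); the rows in it are constructed from RFC 5737 documentation ranges with made-up country labels, and the nftables set name and port list are assumptions.

```python
"""Per-port, per-country allowlist for a small mail server (added example).

Assumed CSV layout (IP2Location-LITE style): "ip_from","ip_to","cc","name"
with IPv4 addresses as integers. SAMPLE_DB is constructed from RFC 5737
documentation ranges with made-up country codes; it is not real geo data.
"""
import csv
import io
import ipaddress

SAMPLE_DB = '''"3221225984","3221226239","US","United States of America"
"3325256704","3325256959","DE","Germany"
"3405803776","3405804031","MA","Morocco"
'''

# Ports where a stolen password can be used: submission (465/587) and
# mailbox access (143/993). Inbound MX on port 25 must stay open to the world.
AUTH_PORTS = {465, 587, 143, 993}


def load_country_networks(db_text, wanted):
    """Return the CIDR networks of every row whose country code is in `wanted`."""
    nets = []
    for ip_from, ip_to, cc, _name in csv.reader(io.StringIO(db_text)):
        if cc in wanted:
            start = ipaddress.IPv4Address(int(ip_from))
            end = ipaddress.IPv4Address(int(ip_to))
            # Integer ranges rarely align to one prefix; summarize gives the CIDR list
            nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def policy_allows(client_ip, port, allowed_nets, own_hosts=()):
    """Decide whether `client_ip` may connect to `port` under the policy."""
    addr = ipaddress.ip_address(client_ip)
    if port not in AUTH_PORTS:
        return True  # port 25 and anything else: unrestricted by this policy
    if any(addr in ipaddress.ip_network(h) for h in own_hosts):
        return True  # your own servers/home address are always allowed
    return any(addr in net for net in allowed_nets)


def nft_allowlist(allowed_nets, own_hosts=(), set_name="mail_auth_ok"):
    """Render an nftables fragment: an interval set plus one drop rule.

    Merge it into an existing ruleset; it deliberately does not carry the
    established/related accept rule or the rest of the input chain.
    """
    elems = [str(n) for n in allowed_nets]
    elems += [str(ipaddress.ip_network(h)) for h in own_hosts]
    ports = ", ".join(str(p) for p in sorted(AUTH_PORTS))
    return "\n".join([
        "table inet filter {",
        f"    set {set_name} {{",
        "        type ipv4_addr; flags interval;",
        "        elements = { " + ", ".join(elems) + " }",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        tcp dport {{ {ports} }} ip saddr != @{set_name} drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    allowed = load_country_networks(SAMPLE_DB, {"US", "DE"})
    for ip, port in [("203.0.113.9", 25), ("203.0.113.9", 587), ("192.0.2.77", 587)]:
        print(ip, port, "allow" if policy_allows(ip, port, allowed) else "drop")
    print(nft_allowlist(allowed, own_hosts=("198.51.100.200",)))
```

The decision function and the rendered ruleset use the same set, so the Python check can be run against a day's authentication log to see how many real logins the rule would have dropped before it is loaded into the firewall.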

Re: How to protect against compromised email account password

John Stoffel-2

Gary> What ISP specifically bans Digital Ocean?

Charter/Spectrum.  

Gary> What you need is some other email account, say proton, to start
Gary> the dialog with the ISP that bans your Digital Ocean account. Or
Gary> you look for some online form or forum. I had this problem with
Gary> SBC (AT&T) and eventually got whitelisted by IP address. I moved
Gary> the droplet once and had to get whitelisted again.

They ban-hammered the entire DO IP block from what I've heard.  

Gary> I do email all the time with users on Comcast, Cox, and
Gary> Google. I have SPF and DKIM, so I am very traceable. It is
Gary> important not to look like a spammer.

Exactly!  I have SPF setup, but not DKIM yet.

Gary> I can say with 100% foot stomping fist pounding on the table
Gary> certainty that using hosted services is far worse than a
Gary> VPS. You share your IP with enough accounts that eventually one
Gary> will get you on a banned list.

I'm on a VPS with a dedicated IP address assigned to my domain
(stoffel.org).  

Gary> If you want to spend some money, Google can host email using
Gary> your domain. If you don't have a lot of users, it isn't that
Gary> expensive. Something like $5 per user. The service is poorly
Gary> named. Something like Google Apps.

That's an option, but not what I want to do since I like full control
of my email and domain.

Gary> Fast Mail has some forwarding service, but you will fail SPF. I
Gary> have to whitelist users of their service.

I'm looking at Vultr VPS now as a test.  
Gary>   Original Message  
Gary> From: [hidden email]
Gary> Sent: February 21, 2019 6:08 AM
Gary> To: [hidden email]
Gary> Cc: [hidden email]
Gary> Subject: Re: How to protect against compromised email account password

>>>>> "Gary" == Gary  <[hidden email]> writes:

Gary> Number 4 is immensely useful. When I had a hosted service, I got hacked from someone in Morocco via a Round Cube exploit that wasn't patched. (My PayPal account subsequently hacked, though I had the account suspended.)
Gary> I saw two problems. One, I only use mail clients. Browsers leak. Two, I don't even have a passport, so sending mail from foreign countries isn't something I need. My hosting provider was having none of my ideas of restricting access, so I got a cloud account and did my own hosting.

Gary> I use the firewall to block all email ports except 25 from foreign countries. In addition, I block datacenters except my own IPs. Ip2location can provide a country by country list of the IP space for free.

Gary> As a Digital Ocean customer, I know I am hanging out with a
Gary> small but active number of lowlifes. That is the nature of a
Gary> business model where you pay for a server and you can do
Gary> whatever you want until you get caught.

Gary> Unfortunately, some big ISPs have now blocked all Digital Ocean IP
Gary> Blocks, and won't accept email, even though my domain is locked down,
Gary> doesn't spam, etc.  They took the big hammer approach.  Which sucks
Gary> for me.

Gary> So the question becomes how do I set up a reasonably cost-effective
Gary> personal email domain without it getting banned? 

Re: How to protect against compromised email account password

Dominic Raferd
On Thu, 21 Feb 2019 at 15:23, John Stoffel <[hidden email]> wrote:
...
> Unfortunately, some big ISPs have now blocked all Digital Ocean IP
> Blocks, and won't accept email, even though my domain is locked down,
> doesn't spam, etc.  They took the big hammer approach.  Which sucks
> for me.
>
> So the question becomes how do I set up a reasonably cost-effective
> personal email domain without it getting banned?

I use OVH VPS SSD, it's inexpensive and I have not had any ongoing
blacklist problems (we use SPF, DKIM and DMARC). Some here think that
OVH is too cheap (no really), but my experience (2+ years) has been
good.