postfix virtual domain walking


postfix virtual domain walking

James B. Byrne

We are currently subjected to a persistent penetration attempt that
apparently is directed against our smtp authentication.  The user
names employed at the present time are all local address portions of a
single user's virtual domain which have no means of authentication.
So the attack is futile in that sense.

However, the question arises as to how these local delivery addresses
are being harvested?  Some of these are used very infrequently and
some of them have not been active for years.  It seems remarkable that
addresses that are known to only be used for one purpose, say bugzilla
or redhat network, are found in these attacks.

Is there some way for remote unauthenticated users to query postfix in
such a fashion as to effectively walk the virtual domain list for
local delivery addresses?  If so then what is it and how can it be
prevented?  Or should it?

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: postfix virtual domain walking

Wietse Venema
James B. Byrne:
> However, the question arises as to how these local delivery addresses
> are being harvested?  Some of these are used very infrequently and
> some of them have not been active for years.  It seems remarkable that
> addresses that are known to only be used for one purpose, say bugzilla
> or redhat network, are found in these attacks.

The names may have been harvested from a compromised user machine.

> Is there some way for remote unauthenticated users to query postfix in
> such a fashion as to effectively walk the virtual domain list for
> local delivery addresses?  If so then what is it and how can it be
> prevented?  Or should it?

As far as I know, there is no SMTP command to 'list' a local database.
That is, unless there is some kind of LDAP or SQL injection bug.

        Wietse

Re: postfix virtual domain walking

James B. Byrne

On Mon, June 13, 2016 14:25, Wietse Venema wrote:

> James B. Byrne:
>> However, the question arises as to how these local delivery addresses
>> are being harvested?  Some of these are used very infrequently and
>> some of them have not been active for years.  It seems remarkable that
>> addresses that are known to only be used for one purpose, say bugzilla
>> or redhat network, are found in these attacks.
>
> The names may have been harvested from a compromised user machine.
>
>> Is there some way for remote unauthenticated users to query postfix in
>> such a fashion as to effectively walk the virtual domain list for
>> local delivery addresses?  If so then what is it and how can it be
>> prevented?  Or should it?
>
> As far as I know, there is no SMTP command to 'list' a local database.
> That is, unless there is some kind of LDAP or SQL injection bug.
>
> Wietse
>

These delivery names are only found in /etc/postfix/virtual. There is
no LDAP service or RDBMS involved whatsoever.  As far as I can tell
there would be no reason for any user machine to have them listed as
they exist solely to map incoming mail to specific imap subfolders.
It may very well be that these people attempting to break in have gone
to the internet hunting for every revealed variant address.  But that
in itself seems even more worrying.



Re: postfix virtual domain walking

Wietse Venema
James B. Byrne:
> These delivery names are only found in /etc/postfix/virtual.

What about an email "address book" on a user machine?

        Wietse

Re: postfix virtual domain walking

James B. Byrne

On Mon, June 13, 2016 16:42, Wietse Venema wrote:
> James B. Byrne:
>> These delivery names are only found in /etc/postfix/virtual.
>
> What about an email "address book" on a user machine?
>
> Wietse
>

It is certainly a possibility. However, my difficulty with that
explanation is that:

1. Our users employ webmail (squirrelmail) so their address books are
maintained on a sealed server. There are no user accounts on it.  And
we run aide on it.  And we have fail2ban running.  And ssh is blocked
at the firewall.

2. Some of these addresses like xxxx.bugzilla and xxxx.redhat are only
used for bug reporting.  They would be found on the respective sites
but it seems to me doubtful that they would end up in a user address
book.

3. If there is nothing that involves Postfix then something like what
you propose must be the case.  Or someone has gone to some lengths to
scan for these addresses using our domain name as a search term.



Re: postfix virtual domain walking

Kris Deugau
James B. Byrne wrote:
> 3.  If there is nothing that involves Postfix then something like what
> you propose must be the case.  Or someone has gone to some lengths to
> scan for these addresses using our domain name as a search term.

Every now and then I have seen indications in the mail logs of various
systems that some spammer is once again taking all of the username parts
they've ever seen and mix-and-matching them with domain names.

I have also seen, even less often, the next best thing to literally
trying all possible ASCII usernames, in order - or at least trying all
dictionary words from a modest dictionary mixed with that username list,
in ASCII order.

-kgd



Re: postfix virtual domain walking

Phil Stracchino
On 06/14/16 09:59, Kris Deugau wrote:

> James B. Byrne wrote:
>> 3.  If there is nothing that involves Postfix then something like what
>> you propose must be the case.  Or someone has gone to some lengths to
>> scan for these addresses using our domain name as a search term.
>
> Every now and then I have seen indications in the mail logs of various
> systems that some spammer is once again taking all of the username parts
> they've ever seen and mix-and-matching them with domain names.
>
> I have also seen, even less often, the next best thing to literally
> trying all possible ASCII usernames, in order - or at least trying all
> dictionary words from a modest dictionary mixed with that username list,
> in ASCII order.


Dictionary attacks are cheap when you have a botnet and it's not *your*
CPU cycles or bandwidth that you're burning.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: 603.293.8485

Re: postfix virtual domain walking

Bill Cole-3
On 13 Jun 2016, at 17:18, James B. Byrne wrote:

> 3.  If there is nothing that involves Postfix then something like what
> you propose must be the case.  Or someone has gone to some lengths to
> scan for these addresses using our domain name as a search term.

Or more likely: crawled the web indiscriminately, harvesting anything
that matches the pattern of an email address. Don't take this
personally, but there's really nothing special about your domain.

I don't get the same barrage of auth attempts, probably because I don't
allow auth on port 25 and I have a fail2ban-like log monitor blocking
traffic quite aggressively for auth failures on port 587, PREGREET
violations in postscreen, and hits on my website that target various
known vulnerabilities. I hover around 2500 firewall entries but that's
less of a burden than letting all those bots talk nonsense to userspace
servers.

I DO get an unending stream of spammers targeting "addresses" in my
personal domain that are actually email and Usenet message-ids from a
15-year span during which my mail and news clients used date-based MIDs.
They also hit addresses embedded in HTML tags and comments on pages of
my website that get essentially no hits other than crawler bots, with
new addresses getting hit reliably within a few months. An address I
used only for reporting 2 FreeBSD bugs gets targeted. The address I use
for this list is my oldest functional address with any form of public
exposure that doesn't get spam aimed at it many times per month: almost
9 years old.

On the systems I run for paying customers the situation is less bad, but
only because so few of the users have any public exposure of their
addresses. Most of them never get any spam aimed at them. I can't use
the same degree of IP blocking on those systems as I do on my own and
the pattern is clear: the same set of users who get spam also get
targeted by password-guessing bots.
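Bill Cole's post above describes a "fail2ban-like log monitor" that blocks sources for SASL auth failures on port 587 and for PREGREET violations in postscreen. The following is an added example, written for this thread and not code from any of the participants or from the Postfix project, of the core of such a monitor: it parses Postfix log lines, tallies the two event types per client IP, and reports the sources that cross a per-type threshold. The log lines are constructed samples in the format Postfix's smtpd and postscreen use for these events; the thresholds and the `smtp-abusers` ipset name in the generated block commands are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real server). They follow the
# shape of Postfix's "SASL ... authentication failed" warnings from smtpd and
# the "PREGREET" lines logged by postscreen.
SAMPLE_LOG = r"""
Jun 13 14:01:02 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:01:05 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:01:09 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:
Jun 13 14:01:12 mx postfix/submission/smtpd[2103]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:02:00 mx postfix/postscreen[1990]: PREGREET 11 after 0.1 from [198.51.100.23]:51234: EHLO bot\r\n
Jun 13 14:02:01 mx postfix/postscreen[1990]: PREGREET 11 after 0.1 from [198.51.100.23]:51240: EHLO bot\r\n
Jun 13 14:03:30 mx postfix/submission/smtpd[2105]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:04:00 mx postfix/smtpd[2110]: connect from mail.example.net[192.0.2.80]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# smtpd logs: warning: <hostname>[<ip>]: SASL <mech> authentication failed...
SASL_FAIL = re.compile(r"warning: \S+\[" + IPV4 + r"\]: SASL \w+ authentication failed")
# postscreen logs: PREGREET <n> after <secs> from [<ip>]:<port>: ...
PREGREET = re.compile(r"postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[" + IPV4 + r"\]:\d+")

# Assumed thresholds: a single PREGREET is already a protocol violation, while
# a couple of auth failures may be a user typo, so auth needs more before blocking.
THRESHOLDS = {"sasl_fail": 3, "pregreet": 1}


def classify(line):
    """Return (event_type, client_ip) for a line of interest, else None."""
    m = SASL_FAIL.search(line)
    if m:
        return ("sasl_fail", m.group(1))
    m = PREGREET.search(line)
    if m:
        return ("pregreet", m.group(1))
    return None


def tally(lines):
    """Count events per client IP: {ip: Counter({event_type: n})}."""
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            event, ip = hit
            counts[ip][event] += 1
    return counts


def offenders(counts, thresholds=THRESHOLDS):
    """Return {ip: [event types at or over threshold]} for IPs worth blocking."""
    result = {}
    for ip, c in counts.items():
        reasons = sorted(e for e, n in c.items() if n >= thresholds.get(e, float("inf")))
        if reasons:
            result[ip] = reasons
    return result


def block_commands(bad, set_name="smtp-abusers", timeout=86400):
    """Render one ipset command per offender (assumed set name; not executed here)."""
    return [f"ipset add {set_name} {ip} timeout {timeout}" for ip in sorted(bad)]


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.strip().splitlines())
    bad = offenders(counts)
    for ip, reasons in sorted(bad.items()):
        print(f"{ip}: {', '.join(reasons)} ({dict(counts[ip])})")
    for cmd in block_commands(bad):
        print(cmd)
```

In a real deployment the lines would come from a log tail rather than an embedded string, the counts would be kept in a sliding time window so that a single typo from months ago does not accumulate, and the generated commands would feed whatever firewall set the host already uses; the parsing and threshold logic stays the same. Note that the `connect from` line is ignored entirely, so ordinary traffic never contributes to a block decision.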