Re: [anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?

17 Nov 2021


      Hi,

On Wed 17/Nov/2021 09:12:13 +0100 Hans-Martin Mosner wrote:
...
Here I want to focus on hacked mail accounts. I can think of two major root 
causes but I have no idea about their relative significance:
I agree with Steve and Ángel that the main causes are reused passwords and phishing.
...
* Easily guessable passwords, with two subcauses for exploits:
      o Brute force authentication attempts - I'm seeing them regularly, and
        the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at
        our mailserver, but some mailops are less struct about blocking such
        abusers.
I used to look at what passwords they try.

About that network, I only collected

list records in IP range 5.188.206.0-5.188 min age 0 secs, max age 1637146807 IP  CREATED   PROB.  BLOCKED 5.188.206.98 Aug-2021  27.83% Oct-2021 5.188.206.99 Aug-2021  42.44% Oct-2021 5.188.206.100 Aug-2021  32.63% Oct-2021 5.188.206.101 Aug-2021  23.06% Oct-2021 5.188.206.102 Aug-2021  30.12% Oct-2021 5.188.206.146 Jul-2021   0.00% Jul-2021 5.188.206.147 May-2021   0.00% May-2021 5.188.206.154 Aug-2021  22.50% Oct-2021 5.188.206.155 Aug-2021  63.96% Oct-2021 5.188.206.156 Aug-2021  44.10% Oct-2021 5.188.206.157 Aug-2021  21.81% Oct-2021 5.188.206.158 Aug-2021  13.69% Oct-2021 5.188.206.162 Apr-2021   0.00% Apr-2021 5.188.206.163 Apr-2021   0.00% Apr-2021 5.188.206.164 Apr-2021   0.00% Apr-2021 5.188.206.165 Apr-2021   0.00% Apr-2021 5.188.206.166 Apr-2021   0.00% Apr-2021 5.188.206.171 May-2021   0.00% 5.188.206.172 May-2021   0.00% 5.188.206.174 May-2021   0.00% 5.188.206.182 May-2021   0.00% Jun-2021 5.188.206.194 Jul-2020  41.18%  52s ago 5.188.206.195 Jul-2020  78.44% 570s ago 5.188.206.196 Jul-2020  71.04%  54s ago 5.188.206.197 Aug-2020  86.35%  51s ago 5.188.206.198 Sep-2020  55.70% 572s ago 5.188.206.199 Oct-2020  99.24% 571s ago 5.188.206.200 Oct-2020  86.89%  45s ago 5.188.206.201 Oct-2020  59.52% 686s ago 5.188.206.202 Dec-2020  91.54%  57s ago 5.188.206.203 Dec-2020  55.00%  42s ago 5.188.206.204 Dec-2020  11.66% Aug-2021 5.188.206.205 Jan-2021  32.61% Aug-2021 5.188.206.206 Jun-2021   9.31% Aug-2021 5.188.206.234 Feb-2021   7.82% Aug-2021 5.188.206.235 Feb-2021  20.26% Aug-2021 5.188.206.236 Apr-2021   8.97% Aug-2021 5.188.206.237 Jun-2021   7.26% Aug-2021 5.188.206.238 Jun-2021  12.76% Aug-2021 5.188.206.246 Mar-2021   0.98% May-2021 40 record(s) selected, 0 deleted,

Best Ale --

Those brute force attacks are so ridiculous that I agree with those who call them "clowns". 40 addresses (15.7%) of it.  Here's the list: .206.255, secs, min prob 0=0.00%, max prob 2147483647=100.00%. PACKETS  UPDATED      DECAY  THRESHOLD     CAUGHT DESCRIPTION 184598 Oct-2021 2.7648e+06          7         13 SMTP auth dictionary attack 187446 Oct-2021 2.7648e+06          7         13 SMTP auth dictionary attack 191132 Oct-2021 2.7648e+06          7         14 SMTP auth dictionary attack 195623 Oct-2021 2.7648e+06          7         13 SMTP auth dictionary attack 193158 Oct-2021 2.7648e+06          7         14 SMTP auth dictionary attack 38385 Jul-2021     172800          3         11 SMTP auth dictionary attack 2690 May-2021      43200          1          6 SMTP auth dictionary attack 199790 Oct-2021 2.7648e+06          7         13 SMTP auth dictionary attack 200505 Oct-2021 5.5296e+06          8         14 SMTP auth dictionary attack 188176 Oct-2021 2.7648e+06          7         13 SMTP auth dictionary attack 201093 Oct-2021 2.7648e+06          7         12 SMTP auth dictionary attack 186692 Oct-2021 1.3824e+06          6         16 SMTP auth dictionary attack 16 May-2021      21600          0          4 Domain does not exist 49 May-2021      21600          0          6 SPF failure 8 Apr-2021         60          0          3 SPF failure 9 May-2021         60          0          3 SPF failure 12 May-2021         60          0          4 SPF failure 0 May-2021         60          0          1 SPF failure 0 May-2021      21600          0          1 Domain does not exist 0 May-2021      21600          0          1 Domain does not exist 321619 Jun-2021     691200          5         13 SMTP auth dictionary attack 106607  53s ago 2.7648e+06          7         24 SMTP auth dictionary attack 225627 569s ago 2.7648e+06          7         25 SMTP auth dictionary attack 170925  54s ago 2.7648e+06          7         58 SMTP auth dictionary attack 172424  57s ago 5.5296e+06          8         37 SMTP auth dictionary attack 234734 573s ago 5.5296e+06          8         34 SMTP auth dictionary attack 191169 572s ago 5.5296e+06          8         23 SMTP auth dictionary attack 189656  60s ago 5.5296e+06          8         23 SMTP auth dictionary attack 659987 687s ago 5.5296e+06          8         30 SMTP auth dictionary attack 466233  62s ago 5.5296e+06          8         25 SMTP auth dictionary attack 214836  50s ago 5.5296e+06          8         23 SMTP auth dictionary attack 374345 Aug-2021 2.7648e+06          7         25 SMTP auth dictionary attack 168831 Aug-2021 5.5296e+06          8         22 SMTP auth dictionary attack 139334 Aug-2021 2.7648e+06          7         18 SMTP auth dictionary attack 137165 Aug-2021 2.7648e+06          7         44 SMTP auth dictionary attack 341048 Aug-2021 5.5296e+06          8         22 SMTP auth dictionary attack 150635 Aug-2021 2.7648e+06          7         18 SMTP auth dictionary attack 135883 Aug-2021 2.7648e+06          7         20 SMTP auth dictionary attack 137208 Aug-2021 2.7648e+06          7         20 SMTP auth dictionary attack 58297 May-2021 2.7648e+06          7         13 SMTP auth dictionary attack 0 failed deletion(s)

Re: [anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?

Alessandro Vesely