Came into the office on a Saturday to catch up on dull CEO
responsibilities like licensing agreements, etc.
And got totally distracted helping one of our Spam Auditors working on a
different, smaller botnet, and trying to decide if it is one operation or two
separate ones.
This one has a small static footprint (list below), but investigation
revealed something interesting when looking at the Aruba ones.
nmap reveals:
ssl-cert: Subject:
commonName=mailserver.cloud.it/organizationName=mailserver.cloud.it/stateOrProvinceName=GuangDong/countryName=CN
(Always strange to see a Chinese address for an Italian cloud service)
imap-capabilities: STARTTLS OK LOGINDISABLEDA0001 more LOGIN-REFERRALS
Shamed to admit it, I wasn't up on that capability until now, but this may
explain the brute-force attacks coming from those servers.
Seems these servers do a static login referral to other servers,
almost a proxy-type IMAP. (Uh-oh! IMAP phishing?)
What I could use someone else shedding light on, as I can't see how it
could happen from a legitimate email service: isn't this something
that only the server can configure? How could it be abused to redirect
to legitimate servers? Is there an end-user capability that, say, a
legitimate provider could expose that allows a user to specify
which server to connect to?
Or is this just a bad actor taking advantage of Aruba, forging their
cloud infrastructure, and doing this at the back end for proxy-based
auth attacks?
(Oh, if these were legit IPs then cloud.it should be putting a PTR
record on those outgoing requests, and a couple of other things they
should do.)
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
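As an added example, not code from the post or its author: a small offline parser for the two IMAP pieces the post touches, the CAPABILITY list and the RFC 2221 REFERRAL response code, that reports whether a server advertises LOGIN-REFERRALS and whether a referral would send the client to a host outside the server's own domain. The sample responses, host names and the `registrable_part` helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses; not captured from the servers named in the post.
CAPABILITY_LINE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED LOGIN-REFERRALS ID"
REFERRAL_LINE = "A0002 NO [REFERRAL IMAP://user;AUTH=*@imap.example.net/] Use other server"

# RFC 2221 carries the referral as a response code: [REFERRAL <imap-url>]
REFERRAL_RE = re.compile(r"\[REFERRAL\s+(IMAPS?://[^\]\s]+)\]", re.IGNORECASE)


def parse_capabilities(line):
    """Return the upper-cased capability tokens of an untagged CAPABILITY response."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def referral_target(line):
    """Return the host an RFC 2221 REFERRAL response code points at, or None."""
    match = REFERRAL_RE.search(line)
    if not match:
        return None
    # urlsplit treats the IMAP scheme like any other; userinfo before '@' is dropped.
    return urlsplit(match.group(1)).hostname


def registrable_part(host):
    """Crude 'same organisation' key: the last two DNS labels (hypothetical helper)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(server_host, capability_line, login_response=None):
    """List the referral-related behaviours a defender would want to see per server."""
    caps = parse_capabilities(capability_line)
    findings = []
    if "LOGIN-REFERRALS" in caps:
        findings.append("advertises LOGIN-REFERRALS")
    if "LOGINDISABLED" in caps and "STARTTLS" not in caps:
        findings.append("plaintext login disabled with no STARTTLS offered")
    target = referral_target(login_response) if login_response else None
    if target and registrable_part(target) != registrable_part(server_host):
        findings.append(f"referral leaves the server's domain: {target}")
    elif target:
        findings.append(f"referral stays in domain: {target}")
    return findings
```

Run `triage()` over the CAPABILITY and LOGIN responses you capture per server; a referral whose host sits in a different domain than the server you connected to is the case the post is asking about.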