On 2/18/2016 7:19 PM, James B. Byrne wrote:
>
> One of our staff had their email account compromised. We have changed
> that user's login and password. However I lack experience
> interpreting what happened. Would someone take a look at the
> following headers and tell me how this was done? I can make a
> reasonable guess but I would like a definitive answer.
>
> This is a representative header from one of the messages relayed:
>
> <---
>
> Received: from localhost (localhost [127.0.0.1]) by
> inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id 3137662492; Tue,
> 16 Feb 2016 09:44:30 -0500 (EST)
>
> X-Virus-Scanned: amavisd-new at harte-lyne.ca
>
> Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1]) by
> localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new,
> port 10024) with ESMTP id YweOTfrrhigz; Tue, 16 Feb 2016 09:44:28
> -0500 (EST)

The headers above this appear to be normal passing through your
content_filter.

> Received: from [127.0.0.1] (ppp-171-96-116-78.revip8.asianet.co.th
> [171.96.116.78]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
> bits)) (Client did not present a certificate) by
> inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPSA id 4B48362499;
> Tue, 16 Feb 2016 09:44:07 -0500 (EST)

Here's where the mail entered your system. The attacker had the user's
sasl credentials. The attacker connected from IP 171.96.116.78 using a
HELO hostname of [127.0.0.1].

As for how the attacker got the user's credentials, likely either they
were phished or they reused a password from some other site that was
hacked. The user should consider that password compromised and never
use it again for anything.

--
Noel Jones
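The reading Noel applies above, walking the Received headers from the oldest hop up to the first client that is not a local address and checking the `with` protocol for SASL authentication, as an added Python example that is not part of this thread. The sample headers are the three hops quoted in the message; `Hop`, `entry_hop` and `findings` are names chosen here.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Received headers newest-first, as they sit in the message. These are the
# three hops quoted in the thread above (queue ids, client IP and HELO as given).
SAMPLE_RECEIVED = [
    "from localhost (localhost [127.0.0.1]) by inet08.hamilton.harte-lyne.ca "
    "(Postfix) with ESMTP id 3137662492; Tue, 16 Feb 2016 09:44:30 -0500 (EST)",
    "from inet08.hamilton.harte-lyne.ca ([127.0.0.1]) by localhost "
    "(inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024) "
    "with ESMTP id YweOTfrrhigz; Tue, 16 Feb 2016 09:44:28 -0500 (EST)",
    "from [127.0.0.1] (ppp-171-96-116-78.revip8.asianet.co.th [171.96.116.78]) "
    "(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) "
    "(Client did not present a certificate) by inet08.hamilton.harte-lyne.ca "
    "(Postfix) with ESMTPSA id 4B48362499; Tue, 16 Feb 2016 09:44:07 -0500 (EST)",
]

# Postfix writes "from HELO (rdns [ip]) ... by SERVER ... with PROTO id QUEUEID;".
CLIENT_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)")
WITH_RE = re.compile(r"\swith\s+(?P<proto>\S+)\s+id\s+(?P<qid>[^;\s]+)")
Hop = NamedTuple("Hop", [("helo", str), ("ip", str), ("proto", str), ("qid", str)])

def parse_hop(header: str) -> Optional[Hop]:
    """Parse one Postfix-style Received header; None if it is not in that shape."""
    m, w = CLIENT_RE.match(header), WITH_RE.search(header)
    if not (m and w):
        return None
    return Hop(m["helo"], m["ip"], w["proto"], w["qid"])

def entry_hop(headers: List[str]) -> Optional[Hop]:
    """Oldest hop first: the first client that is not loopback/private is where
    the message entered the site; the internal relay hops are skipped."""
    for hop in filter(None, map(parse_hop, reversed(headers))):
        try:
            addr = ipaddress.ip_address(hop.ip)
        except ValueError:  # not an IP literal, so not a hop we can classify
            continue
        if not (addr.is_loopback or addr.is_private):
            return hop
    return None

def findings(hop: Hop) -> List[str]:
    """What the entry hop tells the investigator, in the terms used in the thread."""
    out = []
    if re.fullmatch(r"E?SMTPS?A", hop.proto.upper()):  # trailing A = SASL authenticated
        out.append(f"authenticated submission from {hop.ip}: the user's SASL credentials were used")
    if hop.helo.startswith("[") and hop.helo.strip("[]") != hop.ip:
        out.append(f"HELO address literal {hop.helo} does not match the client address {hop.ip}")
    return out
```

Calling `findings(entry_hop(SAMPLE_RECEIVED))` yields the two observations from the reply: an ESMTPSA submission from 171.96.116.78 and a HELO of [127.0.0.1] that the connecting address does not back up.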