Compromised accounts are one of the biggest issues today. These accounts are often used to send spam, phishing, and malware, which results in endless problems on several levels.
So, starting today, we're going to do something to help you with those compromised accounts.
In December 2019, we found some interesting data coming from a set of special traps we run. Those traps receive a ton of SMTP Authentication attempts for external domains (not for our trap domains). This raw set of data alone helped several of our customers to find and close down hundreds of compromised accounts.
The data is inherently noisy due to dictionary attacks, past compromises or password leaks. We did some magic tricks to make this data available with the minimum amount of noise and the maximum possible value.
We create daily summaries of all the compromised accounts we've observed over the previous 24 hours, add the necessary metadata, and send them to the affected Postmasters and Abuse Desks.
This mechanism provides immediately actionable data to catch compromised accounts and handle them with the focus they need and deserve.
If you have any questions, feedback, or suggestions, please feel free to reach out to us. [email protected]
Q: What metadata do you provide with the reports, and are they machine-readable?
A: We report the username, the first 5 characters of the SHA-1 hash of the first password we saw for this account, the first IP address we saw the attempt from, and the date/time (UTC) of the first attempt. This is all in a CSV file attached to the message.
Q: How do you determine which Abuse Contacts need to be notified from the domain name of the compromised account?
A: We resolve the MX records of the domain, look up the A records of each host, and then use our freely available Abuse Contact DB to get a distinct list of contacts for those IPs. This approach isn't perfect, as it makes some presumptions, like the inbound and outbound mail being handled by the same entity. Still, we concluded that a compromised account would potentially affect the inbound MXs too.
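The lookup chain described in that answer (domain to MX hosts, hosts to A records, IPs to abuse contacts, de-duplicated), written out as an added illustration. This is not Abusix's code: the DNS data and the contact table are constructed stand-ins, and the three lookup functions are parameters so a real resolver and the real Abuse Contact DB can be passed in.

```python
from typing import Callable, Dict, List

# Constructed DNS data standing in for live MX/A lookups (example only).
MX_RECORDS: Dict[str, List[str]] = {
    "example.com": ["mx1.example.net", "mx2.example.net"],
    "example.org": ["mail.example.org"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10", "192.0.2.11"],
    "mx2.example.net": ["192.0.2.11"],          # shares an IP with mx1
    "mail.example.org": ["198.51.100.5"],
}
# Constructed stand-in for the Abuse Contact DB: IP -> abuse contact address.
ABUSE_CONTACTS: Dict[str, str] = {
    "192.0.2.10": "abuse@example.net",
    "192.0.2.11": "abuse@example.net",
    "198.51.100.5": "abuse@hoster.example",
}

def resolve_mx(domain: str) -> List[str]:
    return MX_RECORDS.get(domain, [])

def resolve_a(host: str) -> List[str]:
    return A_RECORDS.get(host, [])

def abuse_contact(ip: str) -> str:
    return ABUSE_CONTACTS.get(ip, "")

def contacts_for_domain(
    domain: str,
    mx: Callable[[str], List[str]] = resolve_mx,
    a: Callable[[str], List[str]] = resolve_a,
    contact: Callable[[str], str] = abuse_contact,
) -> List[str]:
    """Distinct abuse contacts for a domain's inbound MXs, in the order first found.

    Several MX hosts often share IPs, and several IPs often share one abuse
    contact, so the same contact is returned once no matter how many paths
    lead to it. A domain with no MX records yields an empty list.
    """
    seen: Dict[str, None] = {}
    for host in mx(domain):
        for ip in a(host):
            c = contact(ip)
            if c and c not in seen:
                seen[c] = None
    return list(seen)
```

The presumption the FAQ points out is visible in the code: the contacts come from the inbound MX addresses only, so a domain whose outbound relay sits in a different network gets its inbound provider notified.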
Q: Do you send a notification every time you see a new login attempt from an account?
A: No. To limit the amount of noise and to keep the data as small and as useful as possible, we only send notices for accounts that are newly observed. We store every username seen and only send a notification for an account if we haven't seen any activity on it for 32 or more days.
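The notification rule above, as an added example of how such a state store behaves at the boundary. This is not Abusix's implementation; the 32-day figure comes from the answer, while lower-casing of usernames and the in-memory store are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

QUIET_DAYS = 32   # from the FAQ: re-notify only after 32 or more days without activity

class SeenAccounts:
    """Tracks the last observation time per username and decides when to notify.

    Every observation updates the timestamp, so an account that is hit every
    day is notified once and then stays quiet until the hits stop for 32 days.
    """

    def __init__(self) -> None:
        self.last_seen: Dict[str, datetime] = {}

    def observe(self, username: str, when: datetime) -> bool:
        """Record an observation; return True if a notification is due."""
        key = username.lower()          # assumption: mailbox names compared case-insensitively
        previous = self.last_seen.get(key)
        self.last_seen[key] = when
        if previous is None:
            return True                 # never seen before: notify
        return when - previous >= timedelta(days=QUIET_DAYS)

def accounts_to_notify(store: SeenAccounts,
                       observations: Iterable[Tuple[str, datetime]]) -> List[str]:
    """Feed one day's observations (chronological) and return the usernames due for a notice.

    A username seen several times in the same batch triggers at most once,
    because the second observation is within the quiet window of the first.
    """
    due: List[str] = []
    for username, when in observations:
        if store.observe(username, when):
            due.append(username.lower())
    return due
```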
Q: Why do you say Potentially Compromised?
A: We don't actively test each account and password to see if they work. We're merely reporting that we've never seen traffic for that account before, and it might therefore be compromised. It's up to you to determine if it is really compromised.
Q: You're reporting to me accounts that don't exist! Why don't you test to make sure the account exists first?
A: Because this is impossible: there is no standard way to do this, and even if there were, it would then look like we are attacking you.
Q: Do you keep the passwords that you've seen?
Q: Can you provide the passwords hashed as <hash function>?
A: No, we provide the first 5 characters of the SHA-1 for the first password we observe for a specific account. This plays nicely with haveibeenpwned and is relatively safe for us to provide.
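What a receiving postmaster can do with that 5-character prefix, as an added example (not code from the original post). The prefix is the same k-anonymity bucket haveibeenpwned's Pwned Passwords range lookup uses: 5 hex characters select one of 16^5 buckets, so a match says "probably the same password" and a mismatch says "definitely a different one". The reset-vetting policy below is a hypothetical use of it; the FAQ does not state whether the prefix is upper- or lower-case, so the comparison is case-insensitive.

```python
import hashlib
from typing import Tuple

PREFIX_LEN = 5                 # what the report carries
BUCKETS = 16 ** PREFIX_LEN     # 1,048,576 possible prefixes

def sha1_prefix(password: str, length: int = PREFIX_LEN) -> str:
    """Upper-case hex prefix of SHA-1(password), the form the report carries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:length].upper()

def same_bucket(candidate: str, reported_prefix: str) -> bool:
    """True if the candidate password hashes into the reported SHA-1 bucket."""
    prefix = reported_prefix.strip().upper()
    return sha1_prefix(candidate, len(prefix)) == prefix

def vet_reset_password(new_password: str, reported_prefix: str) -> Tuple[bool, str]:
    """Hypothetical policy for a forced reset on a reported account.

    A new password that lands in the reported bucket is almost certainly the
    password the attacker already holds, so it is refused. The price is a
    1-in-BUCKETS chance of rejecting an unrelated password, which is fine for
    a reset flow but too coarse to prove that two passwords are equal.
    """
    if same_bucket(new_password, reported_prefix):
        return False, "matches the SHA-1 prefix of the password seen in the compromise report"
    return True, "accepted"
```

The prefix on its own cannot be reversed into the password: with a million buckets and an effectively unbounded password space, each bucket holds countless candidates, which is why the FAQ can call it relatively safe to ship in a report.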
Q: The IPs you're reporting don't belong to us!
A: The IPs shown in the report are the IPs that we saw logging into the account that we are reporting. We're sending you the report because you're either the postmaster for the domain of the compromised account, or the MX of that domain is hosted on your network, not because we're seeing the attack on the account coming from your network.
Q: Can you provide this data more often? Up to 24 hours old is too long!
A: Yes, we are working on a live mechanism at the moment. If you are interested, please reach out to us. [email protected]
Q: I got a report from you, but I'm not interested - please don't send me any more.
A: Please click the unsubscribe link at the bottom of the mail.
Q: When and how often do you send the reports?
A: Every day at midnight GMT, but only if we have something to report; you will not get empty reports.
Q: How else can I use the data that you're providing?
A: You can check your logs for account activity from the IP addresses that we've reported to you and see if you've seen any successful logins from them. If you do, then it's highly likely that this account is also compromised. You can also use the same mechanism on a much larger scale with our AuthBL (authentication blacklist), which is part of Abusix Mail Intelligence.
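The log check suggested in that answer, as an added example that is not part of the original post. It parses a report in the CSV layout described earlier in the FAQ (the column names are an assumption, since the FAQ lists the fields but not a header row), then scans authentication log lines for successful logins from the reported IPs. Both the report and the log lines are constructed sample data in a simple key=value layout, not output of any real mail server.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample report (not real Abusix data); header names are an assumption.
REPORT_CSV = """username,sha1_prefix,first_ip,first_seen_utc
alice@example.com,5BAA6,203.0.113.45,2020-01-15T03:12:09Z
bob@example.com,AAF4C,198.51.100.77,2020-01-15T11:40:51Z
"""

# Constructed authentication log lines (not a real server's format).
AUTH_LOG = """2020-01-15T03:15:02Z auth: user=alice@example.com rip=203.0.113.45 result=failed
2020-01-15T03:15:09Z auth: user=alice@example.com rip=203.0.113.45 result=success
2020-01-15T08:02:44Z auth: user=carol@example.com rip=203.0.113.45 result=success
2020-01-15T11:41:00Z auth: user=bob@example.com rip=198.51.100.77 result=failed
2020-01-15T12:00:00Z auth: user=bob@example.com rip=192.0.2.8 result=success
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) rip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

def reported_ips(report_csv: str) -> Dict[str, str]:
    """Map each reported attacker IP to the username the report lists it against."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return {row["first_ip"]: row["username"] for row in reader}

def successful_logins_from_reported_ips(report_csv: str, auth_log: str) -> Dict[str, List[dict]]:
    """Per username, the successful logins that came from a reported IP.

    A hit on a username that is in the report confirms the report. A hit on a
    username that is not in the report is the case the FAQ describes: the same
    IP got into another mailbox, so that account is highly likely compromised too.
    Failed attempts and logins from other IPs are ignored.
    """
    ips = reported_ips(report_csv)
    reported_users = set(ips.values())
    hits: Dict[str, List[dict]] = {}
    for line in auth_log.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["result"] != "success" or m["ip"] not in ips:
            continue
        hits.setdefault(m["user"], []).append({
            "time": m["ts"],
            "ip": m["ip"],
            "in_report": m["user"] in reported_users,
        })
    return hits

if __name__ == "__main__":
    for user, logins in successful_logins_from_reported_ips(REPORT_CSV, AUTH_LOG).items():
        label = "confirms report" if logins[0]["in_report"] else "NOT in report"
        print(f"{user}: {len(logins)} successful login(s) from reported IPs ({label})")
```

In the sample data, alice's report is confirmed by a success from the reported IP, bob shows only a failed attempt from his reported IP (so nothing to act on from this check alone), and carol, who is absent from the report, was logged into from alice's attacker IP and surfaces as an additional account to review.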
Q: How can I help and support this service?
A: You can donate your unused domains to our blackhole.mx service, try Abusix Mail Intelligence, check out our Threat or Brand Intelligence feeds, or turbocharge the speed and efficiency of your Abuse Desk with AbuseHQ.