NinerNet Communications™
Blog

Corporate Blog

Compromised email accounts are being accessed via webmail

29 August 2022 11:01:18 +0000

It is becoming more and more common, once an email account has been compromised by a computer virus or other malware, for the email account in question to be accessed through the webmail. When this happens, one or all of three things (and sometimes more) happen:

  • The criminal behind the virus/malware uses your webmail account to send spam or more viruses (the viruses will be stopped by our server though, but sometimes some spam will still get through),
  • The criminal poses as you (or one of your employees) and dupes your customers into sending payments to their bank account(s), and/or
  • The criminal creates filters in your email account to siphon off email to external email accounts they or their associates control.

While all are very negative and need to be stopped quickly — and this is why a compromised email account’s password must be changed, and the old password never used again — the last is particularly insidious as you might not use the filters, or you may not even know that they exist! Filters are a legitimate tool for people to use to handle some email in an automated fashion, and they have been around as long as email has been around.

The bottom line is that a compromised email account is a very serous matter. Your machines and devices need to be protected, by security software (anti-virus software, firewalls, encryption, anti-malware software, etc.), physically (access control, passwords, physical locks, etc.), and with education, knowledge and vigilance. If an email account is compromised the reason should be determined and the cause fixed or addressed in some other way. You then also need to examine the (now formerly) compromised account; one of the first things you should check is the integrity of the account’s filters. If unauthorised filters remain in place, the account is still compromised.

It is vital that you not gloss over an email account compromise as a “cost of doing business” and just carry on as usual after the inconvenience in your day. If you do not take all of the above steps your lack of action will come back to bite you in the buttocks, as Forrest Gump said. And this bite could cost your business in money, goodwill and business.

Another thing to consider is that the mail server’s control panel allows its users to designate any email account as a “domain admin”. We have always discouraged this, instead creating dedicated accounts for domain admins, but it’s a popular and widely used feature. However, consider this: If you designate bob@example.com as a “domain admin”, and Bob’s account is compromised, then the criminal behind the compromise will have access to all of the email accounts on the example.com domain. The results could be significantly more than just the inconvenience of having one email account compromised.

Something else for you to consider is how you can protect your employees from phishing emails. (Please see our “scams” section for many examples of scam emails, many of which are phishing emails.) Phishing emails try to get their recipients to click a link where they are asked to enter their email address and email password. Of course, none of us would be fooled by this, but many people a day are. How the page where people are asked to enter their log-in information looks depends on the nature of the email. If it was allegedly from a bank, the log-in page will be an exact copy of the log-in page for the bank they’re trying to present themselves as. If they’re trying to get your email password, everything will look like a webmail log-in page. It’s convincing. When you enter your log-in information, either nothing will happen, or your browser will be redirected to a legitimate webmail log-in page, but you won’t (of course) be logged in. In the meantime, your log-in information will be saved, and available for the scammer to use.

If this happens to you, you must immediately change the password on your account.

But back to the original question: How can you protect your company from your employees potentially falling for this phishing scam? One way is to not give your employees their email passwords. If they don’t have it, they can’t enter it in a phishing form. Of course, you need to weigh the advantages and disadvantages of this. A disadvantage is that you or your IT person will have to enter it for them when setting up their email account on their machine and/or phone, but the advantage is that they won’t be able to make the mistake of inadvertently providing their password.

If you haven’t recently, it’s probably a good idea to check the filters in your webmail account right now to confirm that you put them all there and that you still need them. And while you’re at it, change your email password too! Make sure it’s at least 12 characters long, includes upper- and lower-case letters, numbers and special characters. And use a password manager too. We use and strongly recommend KeePass.

Mail server in and out of capricious blacklist

10 March 2020 02:33:48 +0000

As you’re aware, we work hard to ensure that our mail servers do not get into blacklists. On the rare occasion that one of our IP addresses is blacklisted, we investigate the cause of the problem, fix the problem (often a client with a compromised machine) and (if possible) try to have our IP address removed from the blacklist. Often though, manual removal from the blacklist is unnecessary, as modern, well-maintained blacklists are automated, and offending IP addresses are removed very soon after they no longer show any signs of sending spam.

It’s not often any more that we run into old-style blacklists — blacklists that are poorly maintained, that blacklist huge swathes of the Internet, or that offer no discernible removal process — but there are still some of them out there. Not many are used by mail servers that accept email on behalf of any sizeable number of users, but we have run into one that happens to fit that exact trifecta: urbl.hostedemail.com.

This blacklist is used by Hostedemail(.com), a subsidiary of OpenSRS/Tucows. Good luck getting to their website though, as one doesn’t exist. Their email hosting service is a white-label service sold by their resellers, and they don’t even have a way for other mail server administrators to contact them, to search their blacklist or ask to be taken out of it.

Thankfully though, we are still hanging onto our own long-established reseller account with OpenSRS, and we contacted them about this block of our (non-resold) primary mail server (NC036). We first did this in February when we noticed that email from some clients was being blocked with this error message:

host mx.DOMAIN.com.cust.a.hostedemail.com[216.40.42.4] refused to talk to me: 554 5.7.1 Service unavailable; Client host [178.62.195.26] blocked using urbl.hostedemail.com; Your IP has been manually blacklisted

(It was the reference to being “manually blacklisted” that really got our attention, as this is a hallmark of the aforementioned poorly maintained blacklists.)

OpenSRS responded quickly, and we were removed from the blacklist within about eight hours. But we were surprised to see, a couple of weeks later in March, that we were blacklisted again, so we contacted OpenSRS yet again. The response this time was much slower, but we have again been removed. This time, however, we pressed for an explanation for the block, as we are not listed in about 300 other blacklists that are more widely used. This is part of their response:

I am just replying back on the RBL listing you inquired about and I can confirm the IP was once again de-listed but I did get some additional information for you as requested. I needed to do a bit of checking but the IP 178.62.195.26 is provided by RIPE Network Coordination Centre, the IP assigned to the user by the hosting provider carries the reputation of the rest of the CIDR. The nature of VPS/Shared IPs is to be disposable …. But of course for the time being we have de-listed the IP but assuming nothing changes its [sic] likely it will be listed again in the future.

This kind of outdated thinking is another of the hallmarks of old-style blacklists: blacklisting half of the Internet based on some outmoded way of thinking that died off around the end of the twentieth century. Essentially, Hostedemail.com is blacklisting all IP addresses in major data centres around the world, which is very counterproductive for their own customers.

We’ll be contacting individual clients whose emails were blocked by this blacklist to point them to this post, and we recommend that if your email is blocked with the above message you contact your correspondent by some other means to advise them to move to a more enlightened mail service provider.


Update, 2019-03-19: Our primary mail server is again blacklisted by this one mail provider in the world out of about 300 major blacklists we have checked. OpenSRS/Tucows/Hostedemail warned us this would happen, so we’re not surprised. We can take no further logical action against an illogical practice. We’re sorry to those clients who are affected, but we again suggest that you tell your correspondents to move to an email service provider that doesn’t run their mail servers based on practices from the last century.

Diet and weight loss spam

24 July 2017 07:06:34 +0000

This is a long post, but certain sections of it might be useful to you.

We have been hearing from some clients over the last few months that they are being inundated with spam advertising weight loss drugs, diet pills, etc. ad nauseam. NinerNet does have anti-spam measures on our mail servers — and they stop thousands of messages a day that you never see — but they generally rely on methods of filtering that do not involve what is called “content scanning” — i.e., having a machine essentially read all of your email to see if it mentions topics you don’t want to hear about. They also don’t generally involve blocking email addresses, as spammers almost always send from a different email address every time, so blocking one email address after the fact is pointless.

Additionally, what is a clear indicator of spam for one client can be part of a perfectly legitimate email for another client: for example, a medical client might send and receive completely legitimate emails that include the word “diet” or the phrase “weight loss”, and so we can’t filter for those words across the entire server. Even everyday communications can contain these words when one person enquires after another person’s health, even in a business email: “How’s the diet going?”; “Bob has experienced significant weight loss since he got sick last month”; and so on. In other words, if we deleted all messages containing the word “diet”, for example, we’d delete a lot of legitimate email and upset a lot of clients.

Then there are spelling mistakes: If we delete email containing the phrase “diet supplement”, we’ll miss the misspelling “diet suplemment”.

So what can you do? Potential solutions fall into two categories — prevention and cure — and we all know that an ounce of prevention is worth a pound of cure. We’ll deal with prevention first, but if it’s already too late for you, skip right to the (potential) cures at the end.

Prevention

  • Don’t put your email address(es) on websites: Spammers use the same techniques as the search engines to index (“scrape”) websites for email addresses. If you put an email address on a website — yours, or a forum that you’re involved in — it is going to be spammed. Instead use a contact form. These are not foolproof either, but they’re better than nothing and you can tweak them over time in response to their misuse.
  • Avoid using certain email addresses: Certain email addresses get more spam than others. These are called RFC 2142 addresses, and they include info@example.com, sales@, etc. These are common addresses that spammers will send email to in the hope that they go to a real person. Instead of info@, consider an alternative like contact@.
  • Avoid common first names: Yes, your name might be Jim and you want to use jim@example.com, but avoid it. If your surname is Smith, try jims@example.com, jsmith@example.com or even jimsmith@example.com instead. Consider adding punctuation — e.g., j.smith@example.com.
  • Domain registrations: Use a dedicated email address for your domain registrations. Over the years most domain registries have been part of the spam problem by publishing email addresses in their “WHOIS” databases, which are scraped the same way websites are. Instead of using your primary address as the public contact for your domain registration, use a secondary one. However, it must work and you should check it regularly — e.g., once a month or so. The registry that NinerNet uses does not publish the billing contact’s email address, making the email address for this contact less likely to receive spam. And while we do provide WHOIS privacy where all of the contact information for your domain registration is hidden, we don’t recommend this for businesses as looking up the WHOIS information for a domain is a legitimate method for your customers to verifying the legitimacy of your business.
  • Use throwaway addresses: If you need to give an email address out in situations where you’re concerned it might be abused by the person or organisation you’re giving it to, create a throwaway address for one-time use.
  • Don’t be part of the problem!: See “How and Why to Blind Copy Multiple-Recipient Emails“. Also, don’t send mass emails yourself to people you assume will be happy to receive them — e.g., customers who once did business with you six years ago!
  • Use an anti-virus scanner: Prevent your computer being taken over by criminals who want to mine it for data, not the least of which are the email addresses of your friends, family and business contacts.

Cure

In truth, there is no cure. If your email address is on a spammer’s list, it’s going to be sold and traded on. But no matter how well you do on the prevention side, someone else who has your email address on their computer is going to allow a virus in, and your email address will end up on a list.

However, on the particular topic of this blog post — weight loss spam — if no legitimate email coming into your account is going to refer to “diet pills” or “weight loss”, then you can set up a filter in your webmail account. Follow these instructions (illustrated at right):

  1. Log into your email account at mail.niner.net.

    Spam filtering

    Spam filtering.

  2. Click “Settings” in the top, right-hand corner.
  3. Click “Filters” in the left-hand column under the “Settings” heading.
  4. Click the plus sign at the bottom of the third column from the left under the “Filters” heading.
  5. In the “Filter name” box, give the filter a name like “Diet spam”.
  6. In the “For incoming mail” section you probably want to leave the default “matching any of the following rules” setting in place.
  7. In the first drop-down list, select “Body”.
  8. In the second drop-down list leave “contains” selected.
  9. In the blank field to the right, enter a word (single words are risky) or phrase that you think indicates spam. (Some suggestions culled from sample emails sent to us by clients are below.)
  10. To add more spammy words or phrases, click the plus sign to the right to add another “rule”.
  11. In the “…execute the following actions” section, we recommend you select “Move message to” in the first drop-down list, and “Junk” in the second drop-down list.
  12. At the bottom of the page click the “Save” button.

Now emails matching the filter you have created will automatically be filtered to your “junk” folder. We suggest that you check your junk folder regularly for a while after you create a rule to make sure it doesn’t catch any legitimate email.

Some spammy words and phrases from sample emails sent to us by clients:

  • diet aid
  • weight loss
  • fat
  • body
  • skinny
  • weight goals
  • diet supplement
  • weight reduction
  • excessive weight
  • boost your metabolism
  • beach body
  • live a better life
  • living a better life
  • dietary product
  • fight weight
  • big discount

Please note that you use these phrases and instructions for filtering your email at your own risk!

We hope this helps you fight some of the spam you’re receiving. If you have any questions, please contact support.

NinerNet home page

Subscriptions:

RSS icon. RSS

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.

Search:

 

Recent Posts:

Archives:

Categories:

Tags:

accounts receivable apple billing branding cira contact information domain registration domain registry of canada domain renewals domains domain sales dot-ca domains dot-zm domains down time droc email encryption facebook google happy hosting customers hosting transfer icann invoices iphone kwacha maintenance paying your bill paying your invoice quarterly kwacha rate review rates registrar transfers reputation scams search engine optimisation search engine optimization security seo service hours spam ssl ssl/tls support transparency wordpress zamnet

Resources:

On NinerNet: