A daily report of newly observed accounts seen authenticating to our traps which therefore might be compromised.
Compromised accounts are one of the biggest issues today. These accounts are often used to send spam, phishing, and malware, which results in endless problems on several levels.
So, starting today, we're going to do something to help you with those compromised accounts.
In December 2019, we found some interesting data coming from a set of special honeypots that we run. Those honeypots receive a huge amount of SMTP Authentication attempts for external domains (not for our spam trap domains). This raw set of data alone helped several of our customers to find and close down hundreds of compromised accounts.
The data is inherently noisy due to dictionary attacks, past compromises or password leaks. We do some magic tricks to make this data available with the minimum amount of noise and the maximum possible value.
We create daily summaries of all the compromised accounts we've observed over the previous 24 hours, add the necessary metadata, and send them to the affected Postmasters and Abuse Desks once per day.
This mechanism provides immediately actionable data to catch compromised accounts and handle them.
If you have any questions, feedback, or suggestions, please feel free to reach out to us via [email protected] or use the Intercom Live Chat that is available on all of our sites.
Q: How exactly do you get this information?
A: We run a number of honeypots; one type acts like a proxy. Any SMTP traffic that an attacker attempts to send through the proxy honeypot is intercepted and routed to our SMTP honeypots. The attacker using the proxy then believes they are connected to your SMTP server, so they attempt to authenticate. We intercept the authentication data and any spam they attempt to send using those credentials, and the source IPs of the hosts doing this are immediately listed in Abusix Mail Intelligence. If we've never seen this username in the wild before, we report it to you in this report.
Q: What metadata do you provide with the reports, and are they machine-readable?
A: We report the username, the first 5 characters of the SHA-1 hash of the first password we saw for this account, the first IP address we saw the attempt from, and the date/time (UTC) of the first attempt. This is all in a CSV file attached to the message.
Q: How do you determine which Abuse Contacts need to be notified from the domain name of the compromised account?
A: We resolve the MX records of the domain, look up the A records of each host, and then use our freely available Abuse Contact DB to get a distinct list of contacts for those IPs. This isn't perfect as it makes some presumptions, like the inbound and outbound mail being handled by the same entity. Still, we concluded that a compromised account would potentially affect the inbound MXs too.
Q: Do you send a notification every time you see a new login attempt from an account?
A: No. To limit the amount of noise and to keep the data as small and as useful as possible, we only send notices for accounts that are newly observed. We store every username seen and only send a notification for an account if we haven't seen any activity on it for 32 or more days.
Q: Why do you say Potentially Compromised?
A: We don't actively test each account and password to see if they work. We're merely reporting that we've never seen traffic for that account before, and it therefore might be compromised. It's up to you to determine if it is really compromised.
Q: You're reporting to me accounts that don't exist! Why don't you test to make sure the account exists first?
A: Because this is impossible: there is no standard way to do this, and even if there were, it would then look like we are attacking you.
Q: Do you keep the passwords that you've seen?
Q: Can you provide the passwords hashed as <hash function>?
A: No, we provide the first 5 characters of the SHA-1 for the first password we observe for a specific account. This plays nicely with HIBP, and is relatively safe for us to provide.
Q: The IPs you're reporting don't belong to us!
A: The IPs shown in the report are the IPs that we saw logging into the account that we are reporting. We're sending you the report because you're either the postmaster for the domain of the compromised account, or the MX of that domain is hosted on your network, not because we're seeing the attack on the account coming from your network.
Q: Can you provide this data more often? Up to 24 hours old is too long!
A: Yes - we are working on a live mechanism at the moment. If you are interested, please reach out to us at [email protected] or use the Intercom Live Chat.
Q: I got a report from you, but I'm not interested - please don't send me any more.
A: Please click the unsubscribe at the bottom of the mail.
Q: When and how often do you send the reports?
A: Every day at midnight GMT, but only if we have something to report; you will not get empty reports.
Q: How else can I use the data that you're providing?
A: If the account is valid, then look for suspicious activity; if you find any, change the account password immediately. You can also check your logs for account activity from the IP addresses that we've reported to you and see if you've seen any successful logins from them. If you have, then it's highly likely that this account is also compromised. You can also use the same mechanism on a much larger scale with our AuthBL (authentication blocklist), which is part of Abusix Mail Intelligence. If the account isn't valid, then you could activate it and use it as a spam trap for your network. This can be used to help train filters and to give you an early warning for phishing attacks targeting your domain.
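Example code added here (not Abusix's own tooling) showing one way to act on the report as this answer suggests: parse the attached CSV, correlate the reported IPs with successful logins in your own mail log, and let a help desk confirm whether a user's current password matches the reported SHA-1 prefix. The CSV column names, the Dovecot-style log format and the sample accounts are constructed assumptions.

```python
import csv
import hashlib
import io
import re

# Constructed sample report in the shape the FAQ describes: username, first 5 hex
# characters of the SHA-1 of the first password seen, first source IP, first
# attempt time (UTC). The column names are an assumption, not Abusix's.
SAMPLE_REPORT = """username,sha1_prefix,first_ip,first_seen_utc
alice@example.com,5BAA6,198.51.100.23,2020-01-15T03:12:44Z
ghost@example.com,7C4A8,203.0.113.9,2020-01-15T04:01:02Z
"""

# Constructed Dovecot-style login lines; the log format is an assumption.
SAMPLE_LOG = """Jan 15 03:20:01 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.23, lip=10.0.0.5
Jan 15 03:21:10 mx1 dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.77, lip=10.0.0.5
Jan 15 04:05:00 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ghost@example.com>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.5
"""

LOCAL_ACCOUNTS = {"alice@example.com", "bob@example.com"}  # constructed
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?rip=([0-9a-fA-F.:]+)")

def parse_report(text):
    """Rows of the attached CSV as dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def successful_logins(log_text):
    """Map username -> set of remote IPs that logged in successfully."""
    logins = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.setdefault(m.group(1), set()).add(m.group(2))
    return logins

def triage(report_text, log_text, local_accounts):
    """Classify each reported account following the FAQ's guidance."""
    logins = successful_logins(log_text)
    verdicts = {}
    for row in parse_report(report_text):
        user, ip = row["username"], row["first_ip"]
        if user not in local_accounts:
            verdicts[user] = "nonexistent: candidate spam trap"
        elif ip in logins.get(user, set()):
            verdicts[user] = "compromised: successful login from reported IP"
        else:
            verdicts[user] = "review: exists, no login from reported IP yet"
    return verdicts

def password_matches_prefix(password, prefix):
    """Help-desk check: does a candidate password's SHA-1 start with the reported 5 chars?"""
    return hashlib.sha1(password.encode()).hexdigest()[:5].upper() == prefix.upper()
```

Run `triage(SAMPLE_REPORT, SAMPLE_LOG, LOCAL_ACCOUNTS)` over your real report, log and account list; `password_matches_prefix` is meant for a help desk that has the user on the line, never for storing or guessing passwords.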
Q: How can I help and support this service?