How exactly do you get this information?
We run a number of honeypots; one type acts like an open proxy. Any SMTP traffic that an attacker attempts to send through the proxy honeypot is intercepted and routed to our SMTP honeypots. The attacker using the proxy then believes they are connected to your SMTP server, so they attempt to authenticate. We intercept the authentication data and any spam they attempt to send with those credentials, and the source IPs of the hosts doing this are immediately listed in Abusix Mail Intelligence. If we have never seen the username in the wild before, we report it to you in this report.
What metadata do you provide with the reports, and are they machine-readable?
We report the username, the first 5 characters of the SHA-1 hash of the first password we saw for that account, the first IP address we saw the attempt from, and the date/time (UTC) of the first attempt. This is all delivered as a CSV file attached to the message.
How do you determine which Abuse Contacts need to be notified from the domain name of the compromised account?
We resolve the MX records of the domain, look up the A records of each MX host, and then use our freely available Abuse Contact DB to get a distinct list of contacts for those IPs. This isn't perfect, as it makes some presumptions, such as the inbound and outbound mail being handled by the same entity. Still, we concluded that a compromised account would potentially affect the inbound MXs too.
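The lookup chain above (domain to MX hosts, MX hosts to A records, A records to abuse contacts, then deduplicate) as an added example; this is not Abusix's own code. The DNS answers are constructed inline using documentation address ranges so the example runs offline, and the query name format for the Abuse Contact DB (reversed IPv4 octets under `abuse-contacts.abusix.zone`, TXT record) is an assumption taken from the public service, not something this page states. The `dnspython_lookup` function shows how to plug in a live resolver; it is not used by the offline demo.

```python
import ipaddress
from typing import Callable, List

# Assumption (not stated on this page): the Abuse Contact DB is queried as a
# TXT record at <reversed IPv4 octets>.abuse-contacts.abusix.zone
ABUSE_CONTACT_ZONE = "abuse-contacts.abusix.zone"

# A lookup takes (name, rrtype) and returns the answer records as text.
Lookup = Callable[[str, str], List[str]]


def abuse_contact_qname(ip: str) -> str:
    """Reverse the octets of an IPv4 address into a query name for the contact DB."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example reverses IPv4 addresses only")
    return ".".join(reversed(ip.split("."))) + "." + ABUSE_CONTACT_ZONE


def mx_hosts(domain: str, lookup: Lookup) -> List[str]:
    """MX answers look like '10 mx1.example.com.'; keep only the exchange host."""
    hosts: List[str] = []
    for rr in lookup(domain, "MX"):
        host = rr.split()[-1].rstrip(".").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def contacts_for_domain(domain: str, lookup: Lookup) -> List[str]:
    """Domain -> MX hosts -> A records -> abuse contacts, deduplicated in first-seen order."""
    contacts: List[str] = []
    for host in mx_hosts(domain, lookup):
        for ip in lookup(host, "A"):
            for txt in lookup(abuse_contact_qname(ip), "TXT"):
                # one TXT answer may carry several comma-separated addresses
                for contact in txt.strip('"').split(","):
                    contact = contact.strip().lower()
                    if contact and contact not in contacts:
                        contacts.append(contact)
    return contacts


def dnspython_lookup(name: str, rrtype: str) -> List[str]:
    """Live resolver using dnspython (pip install dnspython); not used by the offline demo."""
    import dns.resolver  # imported here so the offline demo needs no third-party package
    try:
        return [rr.to_text() for rr in dns.resolver.resolve(name, rrtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


# Constructed DNS answers for the offline demo (RFC 5737 documentation ranges).
FAKE_DNS = {
    ("example.com", "MX"): ["10 mx1.example.com.", "20 mx2.example.com."],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    ("mx2.example.com", "A"): ["198.51.100.20", "198.51.100.21"],
    ("10.2.0.192.abuse-contacts.abusix.zone", "TXT"): ['"abuse@example.com"'],
    ("20.100.51.198.abuse-contacts.abusix.zone", "TXT"): ['"abuse@example.com,noc@example.net"'],
    # 198.51.100.21 deliberately has no contact record
}


def fake_lookup(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for DNS: returns the constructed answers, or [] when absent."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


if __name__ == "__main__":
    print(contacts_for_domain("example.com", fake_lookup))
```

With the constructed answers, both MX hosts share `abuse@example.com`, so it appears once; the second host's extra `noc@example.net` is appended, and the IP with no record contributes nothing. Swap `fake_lookup` for `dnspython_lookup` to run it against real DNS.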
Do you send a notification every time you see a new login attempt from an account?
No. To limit noise and keep the data as small and as useful as possible, we only send notices for accounts that are newly observed. We store every username seen and only send a notification for an account if we haven't seen any activity on it for 32 or more days.
Why do you say Potentially Compromised?
We don't actively test each account and password to see whether they work. We're merely reporting that we've never seen traffic for that account before, so it might be compromised. It's up to you to determine whether it really is.
You're reporting to me accounts that don't exist! Why don't you test to make sure the account exists first?
Because this is impossible: there is no standard way to do this, and even if there were, it would look like we were attacking you.
Do you keep the passwords that you've seen?
Can you provide the passwords hashed as <hash function>?
No. We provide only the first 5 characters of the SHA-1 hash of the first password we observe for a specific account. This is the same 5-character prefix the HIBP Pwned Passwords range API uses, and it is relatively safe for us to provide because the prefix alone does not identify the password.
The IPs you're reporting don't belong to us!
The IPs shown in the report are the IPs we saw logging into the account we are reporting. We're sending you the report because you're either the postmaster for the domain of the compromised account or the MX of that domain is hosted on your network, not because we're seeing the attack on the account coming from your network.
Can you provide this data more often? Up to 24 hours old is too long!
Yes - we are working on a live mechanism at the moment. If you are interested, please reach out to us at firstname.lastname@example.org or use the Intercom Live Chat.
I got a report from you, but I'm not interested - please don't send me any more.
Please click the unsubscribe link at the bottom of the mail.
When and how often do you send the reports?
Every day at midnight GMT, but only if we have something to report; you will not get empty reports.
How else can I use the data that you're providing?
If the account is valid, look for suspicious activity; if you find any, change the account password immediately. You can also check your logs for activity from the IP addresses we've reported and see whether any logins from them succeeded. If so, it's highly likely that the account is compromised. You can apply the same mechanism at a much larger scale with our AuthBL (authentication blocklist), which is part of Abusix Mail Intelligence. If the account isn't valid, you could activate it and use it as a spam trap for your network, which can help train filters and give you an early warning of phishing attacks targeting your domain.
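An added example, not Abusix's code, covering the report format described earlier (username, 5-character SHA-1 prefix, first IP, UTC timestamp in a CSV) and the triage steps above. The CSV header names and the authentication log format are assumptions constructed for the demo; the page gives the fields but not their column names, and your IMAP or SMTP-AUTH daemon will log in its own format, so adapt `LOG_RE`. It goes slightly beyond the text in one respect: it reports successful logins from a reported IP into any account, not only the reported one, since an attacker IP that has logged into other mailboxes is worth knowing about too.

```python
import csv
import hashlib
import io
import re
from typing import Dict, List, Tuple

# Constructed report. The page lists the four fields but not their header
# names, so the column names below are an assumption.
SAMPLE_REPORT = """\
username,password_sha1_prefix,first_seen_ip,first_seen_utc
alice@example.com,5BAA6,192.0.2.44,2024-03-01T00:12:37Z
bob@example.com,A9993,198.51.100.7,2024-03-01T00:40:02Z
"""

# Constructed authentication log in a simplified format (assumption; adapt
# LOG_RE to whatever your mail daemon actually writes).
SAMPLE_LOG = """\
2024-03-01T00:13:02Z imap-login: ok user=alice@example.com ip=192.0.2.44
2024-03-01T00:13:05Z imap-login: ok user=bob@example.com ip=203.0.113.9
2024-03-01T00:14:10Z smtp-auth: fail user=alice@example.com ip=192.0.2.44
2024-03-01T00:15:00Z imap-login: ok user=alice@example.com ip=192.0.2.44
2024-03-01T00:16:00Z imap-login: ok user=carol@example.com ip=198.51.100.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_report(csv_text: str) -> List[Dict[str, str]]:
    """Read the attached CSV into one dict per reported account."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sha1_prefix(password: str) -> str:
    """First 5 hex characters of SHA-1, upper-cased as the HIBP range API does."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:5].upper()


def prefix_matches(row: Dict[str, str], candidate: str) -> bool:
    """Compare a candidate password (e.g. captured at the user's next login or
    reset) against the reported prefix. 20 bits of hash means a chance match is
    roughly one in a million, so a hit is strong evidence the attacker holds
    the account's current password."""
    return sha1_prefix(candidate) == row["password_sha1_prefix"].strip().upper()


def successful_logins_from_reported_ips(
    rows: List[Dict[str, str]], log_lines: List[str]
) -> Dict[str, List[Tuple[str, str]]]:
    """Map username -> [(timestamp, ip)] for every successful login whose
    source IP appears in the report, whichever account it logged into."""
    reported_ips = {r["first_seen_ip"].strip() for r in rows}
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "ok" or m["ip"] not in reported_ips:
            continue
        hits.setdefault(m["user"].lower(), []).append((m["ts"], m["ip"]))
    return hits


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for row in rows:
        print(row["username"], "prefix", row["password_sha1_prefix"],
              "matches 'password':", prefix_matches(row, "password"))
    for user, logins in successful_logins_from_reported_ips(rows, SAMPLE_LOG.splitlines()).items():
        print("successful login from reported IP:", user, logins)
```

In the constructed data, alice's reported prefix `5BAA6` is the SHA-1 prefix of `password`, and bob's `A9993` is that of `abc`; both have two successful logins from reported IPs in the log (alice from her own reported IP, carol from the IP reported for bob), while the failed SMTP-AUTH attempt is ignored. Any account that shows up here should be treated as compromised and have its password changed.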