MBF Knowledge Base

How To Prevent/Handle Compromised Email Accounts In SmarterMail and IMail

THE PROBLEM

We have all seen it. All of a sudden you start to receive several complaints from your customers that their email is being bounced when trying to send to certain domains or that they are receiving bounces from messages that they never sent out. You start to panic while researching the cause only to further discover your mail server IP is on several real-time blacklists. You check your mail logs and see that one or more of the email accounts that you host has been compromised and is sending out massive amounts of spam messages.

Still in a panic, you wonder how to stop the immediate damage, how this could have happened, and what you could have done to prevent it. That is what we are going to explain in this article.

THE CAUSE

We have found that 9 out of 10 times it is NOT your server that has been compromised, but rather your customer’s computer that is the point of breach. As we all know, it is impossible to control what your customers will do, but it is a good idea to start educating them about this problem. The good news is it gives you a reason to communicate with your customers through a newsletter or an update.

THE SOLUTION

There are several ways in which one can approach this problem. We have settled on the following approach:

  1. Educate your Customer about keeping the computer clean of malware or viruses.

  2. Educate your Customer on strong and secure passwords.

  3. Use your server’s built in functionality to help reduce the mayhem.

  4. Use software to contain compromised accounts.

  5. Determine the next step now that you've been Hijacked.

Keep it Clean

Stress to your customers the importance of keeping their computers free of malware and viruses. We personally instruct our customers to download, install and update the following three free programs, then run live scans at least once per week to keep their computers clean:

  1. Spybot Search & Destroy - http://download.cnet.com/Spybot-Search-Destroy/3000-8022_4-10122137.html?tag=mncol;1

  2. Malwarebytes Anti-Malware - http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

  3. AVG AntiVirus Free 2013 - http://download.cnet.com/AVG-AntiVirus-Free-2013/3000-2239_4-10320142.html?tag=mncol;1

These 3 programs will remove just about anything that can cause a computer to be compromised by a virus or malware. Yes, it will take a bit of effort to help your customers install, update and use these programs, but the time you spend will be well worth it, because you won’t have to spend your time and money dealing with customer complaints, non-delivery of your email, damage to your server’s reputation and the overall loss of business that compromised accounts cause.

Keep it Strong

Most often, email accounts are compromised because users have weak passwords. Creating strong passwords for all of your online accounts is not merely something that should be done; it is an imperative. In brief, these are the important things to note:

  • Length. Make your passwords at least eight (8) characters long.

  • Complexity. Include a combination of at least three (3) upper and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.

  • Variation. Change your passwords often. Set an automatic reminder to update passwords on your email, banking, and credit card websites every three months.

  • Variety. Don't use the same password for everything. Cyber criminals can steal passwords from websites that have poor security, and then use those same passwords to target more secure environments, such as banking websites.

For more information on password security, see http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Keep it Slow

If your server has the ability to throttle outbound email, this is another way to help reduce the effects of a hijacked account.

Throttling allows system administrators to limit the number of messages, amount of bandwidth, and/or the number of bounced messages that will be allowed to or from a domain, user, or mailing list in a given amount of time to prevent system abuse. Actions can be automated based upon the throttling parameters to prevent abuse in real-time.

To find out how to set up SmarterMail throttling, see:

http://portal.smartertools.com/KB/search.aspx?categoryid=2&search=Setup+Hard+Limit+Throttling&type=0

Keep it Contained

Most of you probably already know this, but there is a product called Declude Hijack which will prevent mass emails from being sent out of your server if an account does become compromised. It will also alert you when an account is compromised and is trying to send out spam. Declude Hijack is a free product that we offer here at Mail’s Best Friend as part of the free Declude Security Suite.

You can download the Hijack manual and read more about how it works at the following link: http://mailsbestfriend.com/downloads/docs/Declude_Hijack_Manual.pdf

We have personally found this to be the best method in preventing SmarterMail and IMail servers from ending up on blacklists in the case of a compromise.

Again, this is a free product. You can download the Declude Security Suite from the following link and configure and install it yourself: http://mailsbestfriend.com/downloads/

If you prefer that we do this for you, there is a one-time $75 fee for install and configuration. We also offer support packages that you can purchase to have us continue to support Declude Security Suite and help in the event of a compromise.

Keep it Simple

Here we discuss how to handle the situation when an account becomes compromised:

  1. Once you check your mail logs and discover which account is sending out mass spam, the first action is to change the account’s password on your mail server. This will immediately stop the flow of spam from the compromised account, since the malware/virus or bot will be using your customer’s mail client to send out the spam.

  2. Call your customer and have them download, install and scan their computer with the 3 programs listed above. Be sure to have them update their programs after install to ensure that they have the latest definition files. DO NOT GIVE YOUR CUSTOMER THE NEW PASSWORD TO THEIR ACCOUNT UNTIL YOU HAVE VERIFIED THAT THEY HAVE RUN THE 3 PROGRAMS AND REMOVED THE THREATS. This is very important, because if you give them the password without verifying, you will end up in the same boat as you were before.

  3. Now that you have the problem under control on the customer’s end, you will need to contact the administrators of all of the blacklists that your server ended up on, explain the issue, explain what you did to fix the problem and request removal from their lists. To see which blacklists your server is listed on, you can use tools from our Tools directory: http://mailsbestfriend.com/tools/index.shtml
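The two server-side pieces described above, the per-account outbound throttle from "Keep it Slow" and the "check your mail logs and find the account sending mass spam" step of this procedure, are the same counting problem seen from two angles. The script below is an added example, not code from Mail's Best Friend, SmarterMail, IMail or Declude Hijack. It replays a constructed log of authenticated submissions (the line format, account names and IP addresses are all invented for the example, so adapt parse_line() to your own server's SMTP log) through a sliding-window recipient limit, blocks an account that exceeds the limit, and reports every client IP that account logged in from. The block is sticky until release() is called, which mirrors the procedure in this article: the account is freed only after the password has been changed and the customer's computer verified clean.

```python
"""Sliding-window outbound throttle and log triage for a hijacked account.

Added example, not code from Mail's Best Friend, SmarterMail, IMail or
Declude Hijack. The log format, account names and IPs below are constructed
for the example; adapt parse_line() to your server's SMTP/delivery log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authenticated submissions: one line per message,
# with the sending account, recipient count and the client IP that logged in.
SAMPLE_LOG = """\
2013-04-02 09:00:01 AUTH user=alice@example.com rcpt=1 ip=198.51.100.7
2013-04-02 09:05:10 AUTH user=bob@example.com rcpt=1 ip=198.51.100.9
2013-04-02 09:05:11 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
2013-04-02 09:05:12 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
2013-04-02 09:05:13 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
2013-04-02 09:05:14 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
2013-04-02 09:05:15 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
2013-04-02 09:20:00 AUTH user=alice@example.com rcpt=2 ip=198.51.100.7
2013-04-02 10:30:00 AUTH user=bob@example.com rcpt=25 ip=203.0.113.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) AUTH "
    r"user=(?P<user>\S+) rcpt=(?P<rcpt>\d+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, recipient_count, client_ip) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], int(m["rcpt"]), m["ip"]


class OutboundThrottle:
    """Per-account recipient limit over a sliding time window.

    Once an account exceeds the limit it stays blocked until release() is
    called, mirroring the article's procedure: the block is lifted only after
    the password has been changed and the customer's PC has been cleaned.
    """

    def __init__(self, window=timedelta(hours=1), max_recipients=100):
        self.window = window
        self.max_recipients = max_recipients
        self._events = defaultdict(deque)   # user -> deque of (ts, rcpt)
        self._totals = defaultdict(int)     # user -> recipients inside window
        self.blocked = set()

    def record(self, ts, user, rcpt):
        """Count one submission; return ("allow"|"block", recipients_in_window)."""
        q = self._events[user]
        while q and ts - q[0][0] > self.window:   # expire submissions outside the window
            _, old = q.popleft()
            self._totals[user] -= old
        q.append((ts, rcpt))
        self._totals[user] += rcpt
        if self._totals[user] > self.max_recipients:
            self.blocked.add(user)
        action = "block" if user in self.blocked else "allow"
        return action, self._totals[user]

    def release(self, user):
        """Admin has reset the password and verified the customer's PC is clean."""
        self.blocked.discard(user)
        self._events.pop(user, None)
        self._totals.pop(user, None)


def triage(log_text, window=timedelta(hours=1), max_recipients=100):
    """Replay a log through the throttle.

    Returns the per-line decisions and, for every account that tripped the
    limit, its peak recipients-per-window and every client IP it logged in
    from (a second IP next to the customer's usual one is a strong sign the
    credentials are in use somewhere other than the customer's own machine).
    """
    throttle = OutboundThrottle(window, max_recipients)
    decisions, peak, ips = [], defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, rcpt, ip = parsed
        action, total = throttle.record(ts, user, rcpt)
        decisions.append((user, action))
        peak[user] = max(peak[user], total)
        ips[user].add(ip)
    report = {u: {"peak_recipients": peak[u], "ips": sorted(ips[u])}
              for u in sorted(throttle.blocked)}
    return decisions, report


if __name__ == "__main__":
    _, flagged = triage(SAMPLE_LOG)
    for user, info in flagged.items():
        print(f"{user}: {info['peak_recipients']} recipients/hour from {info['ips']}")
```

On the sample log, bob@example.com crosses the 100-recipient limit on its fifth burst message and is reported with two client IPs, while alice@example.com is never touched. The limit and window are deliberately parameters: a newsletter sender needs a higher ceiling than a personal mailbox, which is exactly the per-domain and per-user tuning the throttling feature exists for.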

You are probably asking, “What could I have done to prevent this compromise in the first place, since I don’t have control over my customers’ computers?” The honest answer is that there is really no way to 100% prevent malware and viruses from ending up on a customer’s computer. Even with the preventive measures, there is still a chance of a compromise. Since this is the case, the best thing you can do is minimize the fallout from the compromise.

We hope you have found this article informative and helpful. If you have any questions about what you have read above, please send us an email at support@mailsbestfriend.com. We would love to hear your feedback.