Monitoring Kerio Connect for suspicious activity


2013/07/09

Kerio's knowledge base article "How to detect that Kerio Connect has been compromised and used for spamming" covers some of the things you could check if you suspect a compromised account. There is more you can do, however.

First off, they suggest looking at your mail queue. That's fine, but once a message has been delivered it is no longer in the queue, so unless there is a delivery problem you might not find anything there. The same information is recorded in mail.log, so why not look there instead? This Perl script picks out lines where the "From:" address does not match the authenticated mail user who actually submitted the message, which is exactly what a spammer using a stolen password tends to produce.



#!/usr/bin/perl
use strict;
use warnings;

my $domain = "aplawrence.com";
my $log    = "/opt/kerio/mailserver/store/logs/mail.log";
open(my $in, '<', $log) or die "Log files?? Cannot open $log: $!";

while (my $m = <$in>) {
    my ($from, $user) = ("", "");
    # Fields are comma separated: "From: <addr>", "User: addr", ...
    # Keep only the first From:/User: seen, so that a Subject: containing
    # ", From: ..." cannot overwrite the real values.
    foreach my $field (split /,/, $m) {
        $from = $field if $from eq "" and $field =~ /^\s*From:/;
        $user = $field if $user eq "" and $field =~ /^\s*User:/;
    }
    next unless $user =~ /\Q$domain\E/;      # only our own authenticated users
    (my $account = $user) =~ s/^\s*User:\s*//;
    $account =~ s/\s+$//;
    # \Q...\E so the dots in the address match literally, not "any character"
    print "$from $user\n$m\n" if $from !~ /\Q$account\E/;
}
close $in;
 

That's a bare-bones script. If I run it on my system right now, I see this:

 From: <[email protected]>  User: [email protected]
[03/Jul/2013 09:43:41] Recv: Queue-ID: 51d42a8d-000017d2, Service: Kerio Connect client, From: <[email protected]>, To: <[email protected]>, Size: 801, Sender-Host: 192.168.24.38, User: [email protected], SSL: yes, Subject: From Kerio, Msg-Id: <[email protected]>

 From: <[email protected]>  User: [email protected]
[03/Jul/2013 11:07:08] Recv: Queue-ID: 51d43e1c-000017f1, Service: Kerio Connect client, From: <[email protected]>, To: <[email protected]>, Size: 799, Sender-Host: 217.36.238.98, User: [email protected], SSL: yes, Subject: Helpless, Msg-Id: <[email protected]>

However, both "[email protected]" and "[email protected]" are aliases that I can use (that's how I sent these messages, in fact). If that were something I did often, I might want to alter the script to not bother when it sees one of my common "From:" addresses.

I also might want to look at "Sender-Host". If I and other users typically come from the same LAN as the server, that "Sender-Host: 217.36.238.98" might be a big red flag.

The time stamps also might be worth looking at. Mail sent by me at 2:00 A.M. would generally be very suspicious. In some companies, anything sent out of office hours might be worth a second look.

The "Service:" field could indicate something odd if I don't ordinarily use the Kerio Connect client: a message submitted over a service the user never touches (plain SMTP from a script, say) deserves a look. I've mentioned before that if a user will never use specific services, those should be disallowed in their access profile, which turns this from a detection into a prevention.

In some cases, the "To:" address might signal an oddity. For example, if the normal activity of an account is replying to people who have previously sent mail, a "To:" that wasn't in a recent "From:" may be worth a deeper look.

Another thing a script like that might do is count how many messages each user has sent in some period of time. Obviously the "suspicious" number will vary by user and probably by time of day, but a little sophistication can ferret these out: a compromised account typically sends more in one night than its owner sends in a week.

Getting even more sophisticated, you might keep a database of normal activity levels per user (messages per day, usual sender hosts, usual services) and spit out warnings when those patterns change.
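The checks discussed above, from the From/User mismatch (with an allow-list for known aliases) through Sender-Host, Service, time of day and per-user volume against a baseline, combined in one added example. This is not the post's own code and it is written in Python rather than the author's Perl; the domain, LAN range, aliases, expected services, office hours, baselines and every log line below are constructed for the example, and the log lines follow the "Recv:" layout shown above.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# All names below are assumptions for this example, not Kerio settings.
DOMAIN = "example.com"                          # domain whose users we audit
LAN_NETWORKS = [ip_network("192.168.24.0/24")]  # where users normally submit from
ALLOWED_ALIASES = {"tony@example.com": {"support@example.com"}}
EXPECTED_SERVICES = {"tony@example.com": {"Kerio Connect client"}}
OFFICE_HOURS = range(7, 20)                     # 07:00-19:59 is normal
BASELINE_PER_DAY = {"tony@example.com": 40, "bob@example.com": 1}
DEFAULT_BASELINE = 20
BURST_FACTOR = 3                                # flag when count > baseline * factor

# Constructed sample lines in the Recv: format; not real traffic.
SAMPLE_LOG = "\n".join([
    "[03/Jul/2013 09:43:41] Recv: Queue-ID: 51d42a8d-000017d2, Service: Kerio Connect client, "
    "From: <tony@example.com>, To: <pal@example.org>, Size: 801, "
    "Sender-Host: 192.168.24.38, User: tony@example.com, SSL: yes, Subject: From Kerio",
    "[03/Jul/2013 10:15:02] Recv: Queue-ID: 51d43e1c-000017f1, Service: Kerio Connect client, "
    "From: <support@example.com>, To: <pal@example.org>, Size: 799, "
    "Sender-Host: 192.168.24.38, User: tony@example.com, SSL: yes, Subject: Re: ticket, 2nd try",
    "[03/Jul/2013 11:07:08] Recv: Queue-ID: 51d43e1c-000017f2, Service: Kerio Connect client, "
    "From: <sales@example.com>, To: <pal@example.org>, Size: 799, "
    "Sender-Host: 203.0.113.45, User: tony@example.com, SSL: yes, Subject: Helpless",
    "[04/Jul/2013 02:14:09] Recv: Queue-ID: 51d4a1b0-00001805, Service: Kerio Connect client, "
    "From: <tony@example.com>, To: <pal@example.org>, Size: 640, "
    "Sender-Host: 192.168.24.38, User: tony@example.com, SSL: yes, Subject: late night",
] + [
    # four messages from bob in one night, well above his baseline of 1/day
    f"[04/Jul/2013 03:1{i}:00] Recv: Queue-ID: 51d5000{i}-00001800, Service: SMTP, "
    f"From: <bob@example.com>, To: <victim{i}@example.org>, Size: 2100, "
    f"Sender-Host: 198.51.100.{i}, User: bob@example.com, SSL: no, Subject: Cheap pills"
    for i in range(4)
])

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Recv: (?P<rest>.*)$")
KNOWN_KEYS = {"Queue-ID", "Service", "From", "To", "Size", "Sender-Host",
              "User", "SSL", "Subject", "Msg-Id"}


def parse_line(line):
    """Parse one Recv: line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")}
    # Fields are ", "-separated "Key: value" pairs.  Keep only the FIRST
    # occurrence of each key so a Subject such as "x, From: <victim>" cannot
    # overwrite the real From: or User: (a subject containing ", " just loses
    # its tail, which these checks do not need).
    for field in m.group("rest").split(", "):
        key, sep, val = field.partition(": ")
        if sep and key in KNOWN_KEYS and key not in rec:
            rec[key] = val.strip().strip("<>")
    return rec


def check_record(rec, per_user_day):
    """Return the reasons a record looks suspicious (empty list if none)."""
    reasons = []
    user = rec.get("User", "")
    if not user.endswith("@" + DOMAIN):
        return reasons            # not one of our authenticated users
    sender = rec.get("From", "")
    if sender != user and sender not in ALLOWED_ALIASES.get(user, set()):
        reasons.append("from_mismatch")
    try:
        host = ip_address(rec.get("Sender-Host", ""))
        if not any(host in net for net in LAN_NETWORKS):
            reasons.append("external_host")
    except ValueError:            # missing or unparsable Sender-Host
        reasons.append("unparsable_host")
    expected = EXPECTED_SERVICES.get(user)
    if expected is not None and rec.get("Service") not in expected:
        reasons.append("unexpected_service")
    if rec["ts"].hour not in OFFICE_HOURS:
        reasons.append("off_hours")
    baseline = BASELINE_PER_DAY.get(user, DEFAULT_BASELINE)
    if per_user_day[(user, rec["ts"].date())] > baseline * BURST_FACTOR:
        reasons.append("burst")
    return reasons


def analyze(log_text):
    """Map Queue-ID -> reasons for every suspicious Recv: line in log_text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_user_day = Counter((r.get("User"), r["ts"].date()) for r in records)
    findings = {}
    for r in records:
        reasons = check_record(r, per_user_day)
        if reasons:
            findings[r.get("Queue-ID", "?")] = reasons
    return findings


if __name__ == "__main__":
    for qid, why in analyze(SAMPLE_LOG).items():
        print(qid, ", ".join(why))
```

Run against a real mail.log by passing its contents to analyze(); the per-user counts are computed over the whole input, so feed it one day (or one rotation) at a time if you want the "burst" threshold to mean messages per day. The second sample line shows why the parser keeps only the first occurrence of each key: its Subject contains a comma, and a Subject crafted to contain ", From: <...>" would otherwise let the sender hide the mismatch.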

Users' machines

Don't neglect securing users' access to mail ports. In most cases, users' machines should not be able to reach mail-related ports (SMTP on 25, 465 and 587 in particular) anywhere except on your own mail server. If you don't have a firewall rule that enforces that, an infected machine can simply bypass your server and deliver spam directly to the Internet, and you'd have nothing in the mail server logs to look at!

© Anthony Lawrence