RANT: Spam and Sonic.net

General discussions and other topics.
148 posts Page 11 of 15
by tensigh » Tue Aug 12, 2014 3:17 pm
Ankh, as far as I understand, someone must have found out what your password is and managed to send email as you.

This happened to me and my parents, and now you. I'm beginning to wonder if there was a password breach at Sonic. I choose complicated passwords so it seems kind of odd that somebody just "guessed" it.
by kgc » Tue Aug 12, 2014 3:44 pm
It is very unlikely that it was just guessed. The two most likely reasons for a user & password combination to be exploited (in particular by a SPAM botnet) are that your computer(s) is infected with malware or that the email/user & password combination was in use at another service that has had a data breach.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by tensigh » Tue Aug 12, 2014 3:50 pm
Sure, I thought about that as well.

The thing is no other password for myself or my parents' computer got breached, only our Sonic passwords. Second, I'm pretty vigilant on malware. My parents' computer didn't appear to be infected either (I scanned it and they always ask me about suspicious links, emails, etc). The only other place where we access our Sonic accounts from is on our iPhones. I never use open Wifi networks (specifically for this reason) and I think my parents' iPhones have WiFi turned off.
by ankh » Tue Aug 12, 2014 4:37 pm
Same here -- nobody has answered the question:

Should sent mail contain the spam sent by the account, assuming the account was in fact compromised -- anyone?

I'm wondering if some other sort of spoof is possible that would have triggered suspicion.

I have no problem with Sonic locking the account on suspicion (and phoning me).
I just want to know why they told me that "a computer might be compromised" but can't say anything else.

There's nothing in the sent mail folders where they told me to look.
I'm hoping someone at support will have taken my emailed permission to look at anything and get back to me about what triggered their suspicion and what the evidence is so I can look further.

I know some malware isn't detected -- if they're sure this happened, I'll be asking how to get help with the home computers if that's still suspect, or do whatever else.

I don't reuse passwords, don't use anything short or simple or possible to remember.

I've run multiple malware/virus scans (as we do routinely) on the computers here -- nothing found.

Hearing it's happened to someone else recently makes me wonder a bit harder what actually happened and how to check.

(If staff doesn't want to answer this in public -- which might be the right approach -- email or phone me)
by kgc » Tue Aug 12, 2014 5:48 pm
It may be a little extreme but I think the only reliable A/V scan at this point is removing the hard drives and then scanning them from a "known clean" machine. You cannot assume that your A/V software has been able to thwart and detect all of the sophisticated malware that are currently out in the wild. This is one of the reasons that we've chosen to filter our DNS responses using an RPZ feed from a security vendor in hopes that it will interfere with malware and bots C&C mechanisms.

http://www.pcworld.com/article/2150743/ ... virus.html

Many users that have their passwords stolen end up being repeat offenders. While I don't have any hard evidence to back it up, I think this suggests their computers are the source of the compromise.

For the record, our passwords are currently stored using SHA512 with 16 chars of random salt and are only present on our authentication servers. We'd use bcrypt if it was readily available using linux crypt().
Kelsey Cummings
System Architect, Sonic.net, Inc.
by kgc » Tue Aug 12, 2014 5:51 pm
> ankh wrote: Same here -- nobody has answered the question:
> Should sent mail contain the spam sent by the account, assuming the account was in fact compromised -- anyone?
No, it would be odd for them to use IMAP to store a copy of their spam. Occasionally we see hand delivered spam through webmail but this tends to be limited to 419 scams.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by ankh » Tue Aug 12, 2014 6:29 pm
> postby kgc » Tue Aug 12, 2014 5:48 pm
> ... removing the hard drives and then scanning them from a "known clean" machine.

I can remove the hard drives (from the Macs) and get the support guy who supports the one Windows user in our household to do that for the Windows machine.

As to finding a "known clean" machine --- does Sonic have one?
This is the "trusting trust" problem.
I'd gladly drive to Santa Rosa with a box of hard drives.

Another query then, since we have to assume at least one of the machines is now compromised:

Would it be of any use to put each machine on a different IP address?

Our account has spare fixed IPs and is using the Sonic rental modem. Would that help you identify the source if there is a repeat of the problem?

(again if this shouldn't be discussed in public feel free to email or phone. You know how to find me)
by ankh » Tue Aug 12, 2014 7:36 pm
PS -- about removing the hard drives --
That's the first time I've heard that -- I'm guessing this means that booting from a CD or from an external Firewire drive (or booting a Mac as a firewire drive, operated from another machine) is no longer good enough. So something in the hardware is apt to be infested -- is this just Windows, or also Unix/Linux and Mac computers?

Right?
by kgc » Tue Aug 12, 2014 8:05 pm
I should be clear that I'm not an expert on viruses or malware but I think all of the roads lead back to system security. I don't know what is going on these days for Macs or if any of the router exploits have been used to glean passwords from users behind them. If the passwords were only ever used for Sonic then you should be suspicious of your devices until you find something.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by virtualmike » Tue Aug 12, 2014 10:46 pm
First thing: change the password on the account that was used to send spam.

Next: ask Sonic.net support how the spam mail was sent. Was it via webmail? or did someone send through the SMTP server?

Sonic.net's system requires authentication to send email. When sending via webmail, logging into that authenticates you. If you use a mail program (e.g., Thunderbird, Outlook, Eudora, iOS Mail, Android Mail, etc.), then your user ID/password must be entered into the program so it can authenticate you before sending.

If the mail was sent by your account, Sonic.net will have logs that show it.

Sonic.net is too advanced to assume that you sent the mail simply because your name/address is shown as the sender. That's the second oldest spammer trick for diverting investigation.