RANT: Spam and Sonic.net

General discussions and other topics.
148 posts Page 12 of 15
by tensigh » Wed Aug 13, 2014 2:40 am
I know that when something like this happens, the first instinct is to assume someone's computer has been infected with malware, but more and more I find this less often to be the case. Even casual users these days are less gullible to virus-attached emails, and later editions of Windows are better protected against malware. In short, this isn't 2001 and no one's running Windows 98 anymore.

Where users are more vulnerable would probably be wifi hotspots since unencrypted wifi packets can be easily intercepted. Similarly, WEP encrypted routers can be pretty vulnerable, too. But these days most wifi routers come with encryption turned on and again, even casual users are becoming more adept at turning on encryption (my mother changed out her wifi router a year ago and managed to turn on encryption on the new one, and she was 67 at the time!)

It sounds like Sonic didn't have any kind of breach and they're very adept at security issues, so I'm guessing it was something that we as users did that managed to get our passwords mugged somehow. I do find it a little odd that both my account and my parents' accounts got our passwords hacked despite not using our computers to download lots of files or using any public wifi services. Mind you, I'm not trying to point the finger at Sonic, I'm just trying to find a common link. Either way, I hadn't changed my Sonic password in a l-o-o-o-o-o-o-ong time so that part is definitely my bad.
by tensigh » Wed Aug 13, 2014 2:44 am
ankh wrote:
Same here -- nobody has answered the question:

Should sent mail contain the spam sent by the account, assuming the account was in fact compromised -- anyone?
Do you mean the sent folder on an email client on your own computer, or the web mail page?

Most likely once a spammer can access an SMTP mail server, they will probably run a script using a language like Perl or Python to send email to multiple addresses as that user. Sonic's SMTP server requires user authentication to send email (to prevent spam), so once they have a user's login credentials then all they need to do is create a list of target recipients, run their program (which logs in to Sonic's email server as the hijacked user) and spam away.

Does this answer your question?
by tensigh » Wed Aug 13, 2014 2:50 am
ankh wrote:
As to finding a "known clean" machine --- does Sonic have one?
This is the "trusting trust" problem.
I'd gladly drive to Santa Rosa with a box of hard drives.
Actually, a "clean" computer can be any computer that boots to a medium other than a hard drive. If you make a bootable USB flash drive with Linux, you can boot to the USB drive instead of your system's hard drive and scan for malware. I've done this many times (these days it's pretty easy).

This can be overkill though since in my experience the issue tends to be viruses infecting computers less and less. 10 or 15 years ago when most people were first experiencing the Internet, people clicked on every attachment that landed in their inbox. I worked helpdesk back then and had to deal with call after call of virus infections. Around 2006/7, I realized that when I sent emails to users warning about suspicious emails going around, even the least skilled tech person already knew what emails looked fake.
by ankh » Wed Aug 13, 2014 8:58 am
Virtualmike, of course I did all that.
I've been asking for that exact information.
I'm not getting it. I've pointed the phone/mail support people to this thread.

Staff reading here, it's Sonic #2789070, user ankh -- please look. There must be more info than I'm getting.

I'd like, as I've been asking, to know how and exactly when the mail was sent, what the logs say, and whatever.

Support told me to look in the Sent Mail folder. Staff here said that's not expected to be useful, and it wasn't.

I've sent you logs from another email provider showing an IP address in the US East Coast making failing login attempts on my email at that provider, and asked if Sonic has logs showing failed logins that I can compare, with the times and the single fixed IP address we use.

WiFi has not been on here. No portable access devices. Meanwhile of course I'm trying to find malware on the home machines, presuming that's how it happened -- come up with nothing yet.

When I had my own modem, I collected the log files daily and checked them at least weekly -- it was common to have 20 or 30 port scans and failed attempts to get in every day. I don't know what logs the rental Sonic modem provides -- I've been asking if I can look at those myself without messing up the Sonic modem.
by Guest » Wed Aug 13, 2014 10:16 am
ankh,

Do you have and use a Sonic shell account? (The reason I ask is that Sonic's shell server runs an old back-level version of Linux, which raises the possibility of unpatched security holes that could allow accounts to be compromised.)
by ankh » Wed Aug 13, 2014 10:55 am
I've used the FTP access, not for a few years, so yes, that's possible.
That's among the logs the Support folks would be looking into, I trust.
Thanks for mentioning it, I didn't know that might be an issue.

Not much there now:

Primary Account
          MB   # Files
FTP     0.00         1
by ankh » Wed Aug 13, 2014 1:02 pm
P.S. re shell -- I'm a fossil; shell was all Sonic offered when I started here, dialup modem, text terminal, Usenet and email. So some old vulnerability might be there that dates from before today's staff were born. Something to check.

Hm, also found a hosted blog that claims to be able to auto-update, and that informed me a while back it had auto-updated, is actually still at WordPress v3.7.1 -- should be 3.9.something -- and is giving a "server error ... contact support" message when I try to get it to manually update. I did contact support on that.

No idea if that's another vulnerability to check, just mentioning it.

I'm going to stay with email on my specific problem(s) unless there's more to say that would be useful in public, but thank you all for the comments, I'll trust support is putting the various loose ends together and will email me further.

And if _anyone_ sees evidence of spam sent from 'ankh@sonic' please forward with full headers to me and Support here.
by tensigh » Wed Aug 13, 2014 3:41 pm
ankh wrote:
I've used the FTP access, not for a few years, so yes, that's possible.
That's among the logs the Support folks would be looking into, I trust.
Thanks for mentioning it, I didn't know that might be an issue.
FTP sends passwords in plain text, so unless you're using SFTP or SCP then it's possible someone could get your password that way.

Second, your username is "ankh" which is only 4 letters and a dictionary word. I wouldn't be surprised if someone ran a script trying to log in to Sonic's servers and came across your user name. Once they have your user name, trying to log in as you using a dictionary attack is likely.

As far as getting logs from Sonic, usually an ISP won't turn that over unless there's a major crime involved. There could be tens of thousands of lines in their log files of this attacker from the East Coast so I can understand Sonic not turning over all of the information they have when seemingly little harm has been done. If your account was used in a hack attack against say, the White House, I can see them getting more involved. But if your account is being used just for spam, I can see where Sonic would basically just have you change your password and then go about their business.

My real question is that has this been happening consistently or has there been a recent spike in attacks? I've been a Sonic customer for over 10 years so it strikes me as odd that suddenly a large number of customers get attacked and there's nothing going on at Sonic. To assume the fault is with the users would only make sense if the rate of attacks is consistent. If there's a spike (say, for the past 3-4 months) and a large number of customers have to change their passwords then something at Sonic seems like it's vulnerable. Just a guess.
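Several posters above ask the same thing of support: how and when the stolen password was used, whether the failed logins from one East Coast address show up in Sonic's logs, and how to tell a dictionary run against a short username like "ankh" from ordinary traffic. The script below is an added example written for this thread; it is not Sonic's tooling and not code any poster shared. It assumes a simple one-line-per-event log format (invented here) and runs over a handful of constructed sample lines using documentation IP ranges, where 203.0.113.5 stands in for the account holder's known fixed home IP and 198.51.100.7 for an unknown remote address. It reports three things a mail operator would want to see: source IPs with a burst of failed logins, successful logins for the account from an address the owner does not use, and SMTP AUTH sessions that relayed an unusual volume of mail.

```python
"""
Added example (not from the forum thread or from Sonic.net): a small
analyzer for a mail-server authentication log. The log format below is an
assumption made for this example, and every line in SAMPLE_LOG is
constructed, with documentation IP addresses.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Constructed sample lines. Assumed format (not a real server's format):
#   "<ISO timestamp> <event> user=<name> ip=<addr> [n=<messages relayed>]"
# 203.0.113.5 plays the account holder's fixed home IP; 198.51.100.7 is an
# unknown remote address that guesses the password and then sends in bulk.
SAMPLE_LOG = """\
2014-08-12T03:10:01 auth-fail user=ankh ip=198.51.100.7
2014-08-12T03:10:02 auth-fail user=ankh ip=198.51.100.7
2014-08-12T03:10:03 auth-fail user=ankh ip=198.51.100.7
2014-08-12T03:10:04 auth-fail user=ankh ip=198.51.100.7
2014-08-12T03:10:05 auth-fail user=ankh ip=198.51.100.7
2014-08-12T03:10:06 auth-ok user=ankh ip=198.51.100.7
2014-08-12T03:10:07 smtp-send user=ankh ip=198.51.100.7 n=250
2014-08-12T08:30:00 auth-ok user=ankh ip=203.0.113.5
2014-08-12T08:30:10 smtp-send user=ankh ip=203.0.113.5 n=2
2014-08-12T09:00:00 auth-fail user=toast0 ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(\S+) (auth-ok|auth-fail|smtp-send) user=(\S+) ip=(\S+)(?: n=(\d+))?$"
)


def parse_log(text):
    """Turn log text into a list of records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, ip, n = m.groups()
        try:
            ipaddress.ip_address(ip)          # reject junk in the ip field
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "event": event, "user": user,
                        "ip": ip, "n": int(n) if n else 0})
    return records


def failed_logins_by_ip(records, threshold=5):
    """Source IPs with at least `threshold` failed logins: the footprint of a
    password-guessing run against a short, guessable username."""
    counts = Counter(r["ip"] for r in records if r["event"] == "auth-fail")
    return {ip: c for ip, c in counts.items() if c >= threshold}


def unexpected_successful_logins(records, user, known_ips):
    """Successful logins for `user` from an address outside the set the
    account holder says they use (the "single fixed IP address" above)."""
    return [(r["when"].isoformat(), r["ip"]) for r in records
            if r["event"] == "auth-ok" and r["user"] == user
            and r["ip"] not in known_ips]


def send_bursts(records, user, threshold=100):
    """SMTP AUTH sessions for `user` that relayed at least `threshold`
    messages; a hijacked account driven by a bulk-send script looks like this."""
    return [r for r in records
            if r["event"] == "smtp-send" and r["user"] == user
            and r["n"] >= threshold]


def analyze(text, user, known_ips):
    """Summary an account holder could compare against their own records."""
    recs = parse_log(text)
    return {
        "guessing_sources": failed_logins_by_ip(recs),
        "logins_from_unknown_ips": unexpected_successful_logins(recs, user, known_ips),
        "send_bursts": [(r["when"].isoformat(), r["ip"], r["n"])
                        for r in send_bursts(recs, user)],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "ankh", {"203.0.113.5"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report names 198.51.100.7 as a guessing source, shows the one successful login for "ankh" that did not come from the home address, and lists the 250-message session right after it; that is exactly the pairing (failed attempts, then a success, then volume) that would settle whether an account was used from outside, which no amount of looking in the Sent folder can show. The thresholds are deliberately parameters, because what counts as a burst depends on the server's normal traffic.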
by toast0 » Wed Aug 13, 2014 4:10 pm
My account was also flagged for this today (#2799314). :( It would be great to have more details about how the password was used, but phone support wasn't able to provide any information. There's some chance of a false positive because I run a server on my DSL that forwards mail (to my yahoo.com account) via the Sonic mail infrastructure, so it would be nice to rule that out.

I did not use this password for anything else, and I recall asking phone support to generate the password for me when I last reset it (based on the mtime of the file I stored it in, that was Oct 30, 2007). Maybe the password was weak: !9KwRD*)
by tensigh » Wed Aug 13, 2014 5:49 pm
toast0, that looks like a good password to me! The more I hear about hacked passwords from Sonic, the more curious I am how frequently this is happening. Again, if this happens regularly then it's just par for the course. But if they've seen a spike of hacked passwords this year then it leads me to believe that something in their infrastructure is vulnerable.

Sonic is aces when it comes to security so I'm sure whatever hole there might be they'll figure it out (if any). But I am curious if there has been a spike of hacked passwords this year.