John Dalbec | 6 Mar 2012 21:19

Compromised account detection

We'd like to improve our ability to detect when an end user account has 
been compromised.  We thought it would help if we could trigger some 
kind of real-time alert when a single account has sent a large number of 
messages.  Is there any way to do this from the iMS configuration?  Has 
anyone written an external program that can monitor mail server activity 
in real time and generate alerts?
Thanks,
John Dalbec
Datatel + SunGard HE Luminis system administrator
Youngstown State University

Chad Cordero | 6 Mar 2012 22:20

Re: Compromised account detection

We use metermaid to throttle connections and monitor its log file.  I run the following script every 10 minutes from cron on our proxy (Sun Java(tm) System Messaging Server 6.3-8.03).  You will want to modify it for your needs.

#!/bin/sh
# Run from cron every 10 minutes: pull the metermaid "Current status" lines that
# sit at the 70/80/90-messages-per-hour marks, drop those already reported in an
# earlier run, and mail one alert per newly affected account.

METERMAID_LOG=metermaid
MONITOR_LOG=/tmp/metermaid_monitor.tmp   # status lines already reported
MONITOR_LCK=/tmp/metermaid_monitor.lck   # status lines new in this run
MONITOR_EMAIL=you-9IKiO1iGCm/QT0dZR+AlfA@public.gmane.org

cd /var/opt/SUNWmsgsr/log || exit 1

# Turn lines of the form
#   [<timestamp> -<n>] ... Current status for "<user@domain>" in <table>: 70 / 100
# into "<timestamp> <user@domain> <count> / <limit>", keeping only counts of 70, 80 or 90.
EXTRACT='s/\[\(.*\) -[0-9]*\] .* Current status for \"\(.*@.*\)\" in .*: \([789]0 \/ [0-9]*\)/\1 \2 \3/p'

if [ -f "$MONITOR_LOG" ]
  then
    # Leave out status lines that an earlier run has already reported.
    sed -n "$EXTRACT" "$METERMAID_LOG" | fgrep -v -f "$MONITOR_LOG" > "$MONITOR_LCK"
  else
    sed -n "$EXTRACT" "$METERMAID_LOG" > "$MONITOR_LCK"
fi

# Keep the list of already-reported lines from growing without bound.
if [ -f "$MONITOR_LOG" ]; then
  LINES=`wc -l < "$MONITOR_LOG"`
  test "$LINES" -gt 1000 && rm "$MONITOR_LOG"
fi

cat "$MONITOR_LCK" >> "$MONITOR_LOG"

# One alert per account per run, at the highest threshold it has crossed.
for i in `awk '{ print $2 }' "$MONITOR_LCK" | sort -u`
do
  if /usr/xpg4/bin/grep -q "$i 90 / 100" "$MONITOR_LCK"; then
     echo "Account $i exceeds 90 messages per hour" | mailx -s "Alert: metermaid" "$MONITOR_EMAIL"
  elif /usr/xpg4/bin/grep -q "$i [78]0 / 100" "$MONITOR_LCK"; then
     echo "Account $i exceeds 70 messages per hour" | mailx -s "Alert: metermaid" "$MONITOR_EMAIL"
  fi
done


-- 
Chad Cordero
Telecommunications & Network Services
5500 University Pkwy
San Bernardino, CA 92407
Tel: 909-537-7281
Email: ccordero-Xl20FafJj6SHXe+LvDLADg@public.gmane.org
Kelly Caudill | 6 Mar 2012 22:25

Re: Compromised account detection

See
https://wikis.oracle.com/display/CommSuite/Triggering+Effects+From+Transaction+Logging.+The+LOG_ACTION+Mapping+Table

The idea is to use the LOG_ACTION table to specify what types of log
messages you want to count, i.e., call metermaid about, and then you can do
lots of things based on those counts in metermaid.

Kelly


-- 
Oracle <http://www.oracle.com>
Kelly Caudill | Principal Technical Support Engineer
Phone: +17814422056
Oracle Software Support : Sun Comms Suite

Jesse Thompson | 7 Mar 2012 00:01

Email Hates the Living

I just stumbled across a decent quality video of Ricardo's presentation 
and remembered that I mentioned it here a long time ago.

https://www.youtube.com/watch?v=JENdgiAPD6c&lr=1

Jesse

Jesse Thompson | 7 Mar 2012 00:30

Re: Compromised account detection

There's also info about this topic here

https://wikis.oracle.com/display/CommSuite/Protecting+Against+Spammers+who+Compromise+Messaging+Server+User+Accounts


Rich Bishop | 7 Mar 2012 16:19

Re: Compromised account detection

We have postfix on our smtp machines, so this may not be too useful. 
http://osdir.com/ml/mail.ims.general/2008-02/msg00030.html suggests that 
much of this is also possible with Oracle Messaging.

We have convergence sending through a postfix / policyd setup which 
throttles the number of messages users can send per hour. I've also 
written a script to monitor our postfix logs for excessive numbers of 
smtp auths.

I'm interested to hear how other folks deal with this problem.

Rich
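An added example of the kind of check Rich describes, not his script or any code from this thread: it parses constructed Postfix smtpd SASL-login lines (the log format and the year are assumptions), counts each account's SMTP AUTH logins in a sliding one-hour window, and flags accounts over a limit, also reporting how many distinct client addresses the logins came from, which goes slightly beyond the plain per-hour count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd SASL-login log format (assumed; not real traffic).
SAMPLE_LOG = """\
Mar  7 10:00:01 mx1 postfix/smtpd[2101]: 7A1B2C3D4E: client=host1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  7 10:02:10 mx1 postfix/smtpd[2102]: 7A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Mar  7 10:02:41 mx1 postfix/smtpd[2103]: 7A1B2C3D50: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Mar  7 10:03:15 mx1 postfix/smtpd[2104]: 7A1B2C3D51: client=unknown[203.0.113.44], sasl_method=LOGIN, sasl_username=bob
Mar  7 10:03:59 mx1 postfix/smtpd[2105]: 7A1B2C3D52: client=unknown[203.0.113.44], sasl_method=LOGIN, sasl_username=bob
Mar  7 10:04:30 mx1 postfix/smtpd[2106]: 7A1B2C3D53: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob
Mar  7 10:05:02 mx1 postfix/smtpd[2107]: 7A1B2C3D54: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob
Mar  7 11:30:00 mx1 postfix/smtpd[2108]: 7A1B2C3D55: client=host1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def auth_events(log_text, year=2012):
    """Yield (timestamp, username, client_ip) for each SASL login line."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not a SASL login line
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        yield ts, m["user"], m["ip"]

def find_excessive_auths(log_text, limit, window=timedelta(hours=1), year=2012):
    """Return {user: (peak_count, distinct_client_ips)} for accounts whose
    number of SMTP AUTH logins inside any sliding window exceeds limit."""
    recent = defaultdict(deque)  # user -> login times still inside the window
    ips = defaultdict(set)       # user -> client IPs seen so far
    flagged = {}
    for ts, user, ip in auth_events(log_text, year):
        q = recent[user]
        q.append(ts)
        ips[user].add(ip)
        while ts - q[0] > window:  # expire logins older than the window
            q.popleft()
        if len(q) > limit:
            peak = max(flagged.get(user, (0, 0))[0], len(q))
            flagged[user] = (peak, len(ips[user]))
    return flagged

if __name__ == "__main__":
    for user, (n, n_ips) in find_excessive_auths(SAMPLE_LOG, limit=5).items():
        print(f"Alert: {user} logged in {n} times within an hour from {n_ips} client IPs")
```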

Victor Shum | 8 Mar 2012 00:27

mapping entries patterns help

We are on MS 7u4.

We are trying to craft a filter mapping (called by sieve filter) to get the first 5 words of a subject.  We
created something like this in the mappings file:

FILTER_parsesubject

   first5words|$S*$T*$S*$T*$S*$T*$S*$T*$S**        $0$ $2$ $4$ $6$ $8$Y$E

We thought this works, until we came across characters like ":" in the subject line that apparently won't
match by $S*.  Is there any metacharacter that represents more character sets than $S*, something like NOT
$T* to cover everything that is not space or tab?

Victor

Kristin Hubner | 8 Mar 2012 03:14

Re: mapping entries patterns help

Here are two possible approaches.

(1) If the characters you want to allow are those in some range, use a "glob" match.
For instance, $[!-~]% will match any character in the US-ASCII range between ! and ~, 
while $[!-~]* will match any number of any such characters.

(2) Use $T% to ensure that at least one space/htab/vtab character is present, with
subsequent $T* to get any additional spaces, and then take advantage of "minimal" 
matching, indicated via $_, to have your * wildcards match as little as possible 
between such "forced" $T%$T* matches.  That is, by including a $T% to ensure that 
your space matches "get" at least one space, then using "minimal" matching "between" 
such spaces gets you everything-up-to-but-not-including-the-space.  

Either one of these approaches, but perhaps especially (2), needs some more work
(probably some additional mapping table entries) if you also need to handle cases
of fewer than five space-separated words.  (Also, what do you want to do about
possible leading spaces?)  So take these as starting points...

For example, here are two mapping tables:

X-5WORDS-GLOB

  $[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$@* \
$0$1_$2$3_$4$5_$6$7_$8$9$Y

X-5WORDS-MINIMAL

  %$_*$@T%$@T*%$_*$@T%$@T*%$_*$@T%$@T*%$_*$@T%$@T*%$_*$@T%$@T*$@* \
$0$1_$2$3_$4$5_$6$7_$8$9$Y

each of which expects at least five space separated (terminated) words in the input 
string, and which will output <word1>_<word2>_<word3>_<word4>_<word5>, discarding any
additional text.  Note the use of the "$@" prefix on the $T matches, to "turn off
saving" of that wildcard -- that's so that the matches that we want to save
to reuse in a substitution on the right hand side (the matches to the first five words, 
split into first character, rest of word) only count up to substitution $9.

# imsimta test -mapping -table=X-5WORDS-GLOB
Input string: one two three four five more text
Output string: one_two_three_four_five
Output flags: [0, 'Y' (89)]

or

# imsimta test -mapping -table=X-5WORDS-MINIMAL
Input string: one two three four five more text
Output string: one_two_three_four_five
Output flags: [0, 'Y' (89)]

One more note: When coming up with these sorts of more complex matching 
templates, keep in mind that imsimta test -match can be your friend!  I find 
it really helpful for refining such templates.  E.g.,

# imsimta test -match
Pattern: $[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$[!-~]%$[!-~]*$@T*$@*
  [  1S] cchar [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  2S] cglob [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  3] cglob []
  [  4S] cchar [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  5S] cglob [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  6] cglob []
  [  7S] cchar [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  8S] cglob [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [  9] cglob []
  [ 10S] cchar [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [ 11S] cglob [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [ 12] cglob []
  [ 13S] cchar [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [ 14S] cglob [!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
  [ 15] cglob []
  [ 16] glob, req -1, reps 0
Target: one two three four five more text
Match.
0 - o
1 - ne
2 - t
3 - wo
4 - t
5 - hree
6 - f
7 - our
8 - f
9 - ive

Regards,

Kristin


Marko Jauhiainen | 8 Mar 2012 12:28

Migration advice

Hi,

We are in the process of moving from an Oracle-only mail system (MES MTA 
+ store) to a hybrid system (MES MTA + Microsoft Exchange store, i.e., 
the MTA will be communicating with an Exchange Hub). Before the actual 
migration, we will pilot the new system by moving some of our users to 
the new system. In our current production environment, mail addresses 
are in the form firstname.lastname@[sub.]domain.com, but the pilot group 
will also have an internal address 
firstname.lastname@[sub.]pilot.domain.com to enable mail delivery 
between MES and EX. The question is, is there a recommended way to 
configure mail routing for the pilot group?

So far we have tried various approaches. For example, we can set 
mailDeliveryOption = forward and mailForwardingAddress = 
firstname.lastname@[sub.]pilot.domain.com for our pilot group, and mail 
will flow nicely between the two systems. (We can also use address 
rewriting to make sure internal addresses stay internal and/or there 
won't be too many traces of internal addresses left in the archived 
messages once the migration is over.)

The problem with the forwarding arrangement is that the pilot group will 
still have access to the old webmail (Convergence) and can theoretically 
change the forwarding settings there (rather than in the new Exchange 
environment).

We have also toyed with other approaches, but they all tend to be more 
complicated than this and/or have unwanted side-effects - so we welcome 
input as to what might be both a neat and a safe solution :)

Marko

Rolf E. Sonneveld | 8 Mar 2012 14:24

Re: Adding a headerline with Date/Time value

On 2/22/12 5:35 PM, Rolf E. Sonneveld wrote:
> On 2/21/12 11:00 PM, Ned Freed wrote:

[...]

>>
>> Off topic, but a couple of comments on Sieve style are in order:
>>
>> (1) Using header tests on fields containing addresses is dangerous because
>>    of the high degree of variability allowed in address syntax. All of
>>    these are valid, equivalent addresses under RFC 822 rules:
>>
>>    postmaster@...
>>    postmaster @ example.com
>>    postmaster(foo)@(bar)example.com
>>    postmaster (foo) @ (bar) example.com
>>
>>    But only the first will match the tests you're using. Additionally,
>>    there can be problems with stuff like this matching when it shouldn't:
>>
>>    other.postmaster@...
>>    postmaster@...
>>    "postmaster@..." <aliasexpansionaddress@...>
>>
>>    All of this is why the address test exists - it parses and canonicalizes
>>    addresses and eliminates all of these issues:
>>
>>    if address "To" "postmaster@..."
>>
>>    And it makes the script simpler and the intent clearer. A win all around.

[...]

Unfortunately, after having enabled MM_DEBUG=10 in option.dat and 
testing again, I have not been able to reproduce the problem :-( So I 
have no useful logfiles to share. Anyway, using the information you 
provided me with, I created the following script:

application.filter:

require ["editheader", "envelope", "variables", "date"];

if envelope :all :is "to" ["mailbox1@...", "mailbox2@..."] {
    deleteheader "X-Example-Received";
    if currentdate :matches "std11" "*" {
        addheader "X-Example-Received" "${0}";
    }
}

and that works in all 60+ tests I performed. I have chosen to test the 
envelope recipient address in the sieve script, as the 5321.RcptTo 
address has a one-to-one relation with the destination mailbox for which 
we want this filter to apply. This is important, as we have no control over 
what senders will use in the header To (5322.To): for the application of 
this customer, in 99% of all cases the 5322.To and 5321.RcptTo will be 
equal, but the remaining 1% is important as well.

Thanks for your help,

/rolf

