How/where to check for a possible intrusion on the ME server?


Post by rgomez » Fri Nov 06, 2020 1:37 am
Today we had a big scare: suddenly, for some accounts, we started getting emails about passwords being changed/reset on different services/sites.

The mailboxes that received these were using strong and unique passwords, so the problem was not that. The passwords are maintained and managed with 1Password, so I tend to think the problem was elsewhere.

The server has the temporary ban for failed logins enabled, but I can't see any evidence in the logs that these mailboxes were even tried. In one case, a mailbox that was quite probably using an easy password, I can see that they connected to the webmail page (they sent a couple of emails from there, and I can see in the headers that it was via webmail). But those mailboxes are actually only redirecting ones, in a domain that is not one of those where the big problem occurred, and those users have only USER privileges, not ADMIN or SYSADMIN.

The ADMIN and the one SYSADMIN accounts that existed (I downgraded it to ADMIN) were using strong passwords, and I can't find the IPs reported by the different services/websites that had the passwords reset in the logs.

I had version 9.84 installed. I upgraded a few moments ago to the latest, 10.31, but I can't find any entry in the change logs that looks security-related.

My question then is: how can I try to find the attack vector? Is it possible it was some security hole in the webmail site, or the webadmin one?

I changed the passwords of the compromised accounts, enabled the country restrictions in the ME settings (our users are all in the same country), and enabled OTP for my own accounts whenever a new IP is used, but the reality is that without knowing how they broke in I'm just shooting blindly.

The server is Windows 2016 with all the updates as of today installed.

Any ideas?

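Since the post asks where to look for evidence of webmail or webadmin logins without knowing the attacker's IP, here is an added example of the first triage step a responder would usually take on a Windows/IIS mail server. It is not from the original post and not MailEnable's own code: it parses IIS W3C logs (the default field set IIS writes), tallies login POSTs per client IP, treats a 302 on a login POST as a probable successful forms login (a heuristic, not a certainty), and flags IPs outside the address ranges you trust. The login URL paths, the trusted ranges and the log lines below are all constructed placeholders; point the script at the real log directory for the webmail/webadmin sites (by default under C:\inetpub\logs\LogFiles\W3SVC<siteid>) and at the real login paths.

```powershell
# Added example (not from the original post or from MailEnable).
# Assumed: default IIS W3C fields; login paths and trusted CIDRs are placeholders;
# the sample log below is constructed for illustration.

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The #Fields: header defines the column order for the records that follow
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed records
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Test-IPv4InCidr {
    # IPv4-only membership test; anything else (IPv6, garbage) is reported as not trusted
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or $addr.AddressFamily -ne 'InterNetwork') { return $false }
    $toInt64 = { param($a) $b = $a.GetAddressBytes(); [Array]::Reverse($b); [int64][BitConverter]::ToUInt32($b, 0) }
    $ipInt  = & $toInt64 $addr
    $netInt = & $toInt64 ([System.Net.IPAddress]::Parse($network))
    $full   = [int64]4294967295                      # 0xFFFFFFFF (hex literal would parse as -1)
    $mask   = ($full -shl (32 - [int]$prefix)) -band $full
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-LoginActivity {
    param([string[]]$Lines, [string[]]$LoginPaths, [string[]]$TrustedCidrs)
    $logins = ConvertFrom-IisW3cLog -Lines $Lines | Where-Object {
        $_.'cs-method' -eq 'POST' -and ($LoginPaths -contains $_.'cs-uri-stem')
    }
    $logins | Group-Object -Property 'c-ip' | ForEach-Object {
        $grp = $_
        $trusted = $false
        foreach ($cidr in $TrustedCidrs) { if (Test-IPv4InCidr -Ip $grp.Name -Cidr $cidr) { $trusted = $true; break } }
        $stamps = $grp.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object
        [pscustomobject]@{
            ClientIP   = $grp.Name
            Attempts   = $grp.Count
            Redirects  = @($grp.Group | Where-Object { $_.'sc-status' -eq '302' }).Count  # heuristic: successful forms login
            FirstSeen  = $stamps[0]
            LastSeen   = $stamps[-1]
            Trusted    = $trusted
            UserAgents = ($grp.Group.'cs(User-Agent)' | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object @{Expression='Trusted'; Descending=$false}, @{Expression='Attempts'; Descending=$true}
}

# Constructed sample: a browser login from an unknown IP, a scripted burst against webadmin,
# and one login from the office LAN. IIS replaces spaces in the user agent with '+'.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-11-05 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-11-05 02:14:07 10.0.0.5 GET /webmail/login.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2020-11-05 02:14:19 10.0.0.5 POST /webmail/login.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/webmail/login.aspx 200 0 0 31
2020-11-05 02:14:33 10.0.0.5 POST /webmail/login.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/webmail/login.aspx 302 0 0 28
2020-11-05 02:15:02 10.0.0.5 GET /webmail/inbox.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/webmail/login.aspx 200 0 0 55
2020-11-05 09:01:10 10.0.0.5 POST /webmail/login.aspx - 443 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/webmail/login.aspx 302 0 0 30
2020-11-05 11:42:51 10.0.0.5 POST /webadmin/login.aspx - 443 - 198.51.100.9 python-requests/2.24.0 - 200 0 0 21
2020-11-05 11:42:52 10.0.0.5 POST /webadmin/login.aspx - 443 - 198.51.100.9 python-requests/2.24.0 - 200 0 0 19
2020-11-05 11:42:53 10.0.0.5 POST /webadmin/login.aspx - 443 - 198.51.100.9 python-requests/2.24.0 - 302 0 0 22
'@

$lines = $SampleLog -split '\r?\n'
# For a real server: $lines = Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex201105.log'
Get-LoginActivity -Lines $lines `
    -LoginPaths '/webmail/login.aspx', '/webadmin/login.aspx' `
    -TrustedCidrs '192.168.1.0/24', '10.0.0.0/8' | Format-Table -AutoSize
```

On the constructed sample this lists 198.51.100.9 (3 attempts, 1 redirect, scripted user agent) and 203.0.113.45 (2 attempts, 1 redirect) as untrusted, and 192.168.1.20 as trusted. Two caveats a responder needs: IIS logs use UTC timestamps by default, so align them with the timezone of the password-reset emails before comparing; and because the webmail login is form-based, the cs-username column stays "-", so the IIS log gives you IPs and times but not which mailbox was used. To attribute an IP to a mailbox, correlate those timestamps with the application's own activity logs (MailEnable keeps per-service logs under its Logging directory) and with the message headers already noted in the post, and then search the same IPs in the SMTP/IMAP/POP logs, since an attacker who has a password rarely uses only the web interface.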