Is someone able to sniff our corporate emails?
To make a long story short: we discovered someone is able to access some of the "secret" links we send to our clients over email. The links are highly secured with hashes and extremely difficult to guess.
We suspect someone is able to sniff our emails sent out from a postfix server. Is this possible? If so, what should we check on our Ubuntu 16.04 / 18.04 servers in order to find out more?
ubuntu security postfix firewall smtp
asked Feb 15 at 10:51 by Milos
Comments:

Depends on your configuration and whether or not the emails are sent in an encrypted way or not.
– Tommiie, Feb 15 at 10:55

The question itself is stupid. To put it simply: Nothing is 100% secure on the internet and everything can be cracked, hijacked. I've written you some scenarios and an idea what to do, but the most important thing: you should take some IT Security Lessons.
– Bert, Feb 15 at 11:06

If the links are hashes (MD5, SHA etc.) but the input to the hash function is not random data but, for instance, a customer number, transaction number etc. (without a random salt) or other predictable data, then the hash values will be completely predictable too.
– HBruijn, Feb 15 at 11:06

@Bert, thanks. Usually, no question is stupid, there are only stupid answers :). This is what one of my professors was saying and I do support his opinion. The question was more on where to start digging.
– Milos, Feb 15 at 11:38

@HBruijn, thanks. As said, the links are almost impossible to guess. There are also completely custom links the attacker is able to find and access.
– Milos, Feb 15 at 11:39
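
HBruijn's point about predictable hash inputs, as an added example that is not part of the original thread: an audit helper that checks whether a link token is merely a hash of a known field, next to a token scheme built on random data with a server-side expiry. The function names, the `LinkStore` class, the customer numbers and the expiry policy are all assumptions made for illustration.

```python
import hashlib
import secrets
import time


def legacy_token(customer_id):
    """The weak pattern from the comment: unsalted hash of a guessable field."""
    return hashlib.md5(str(customer_id).encode()).hexdigest()


def derivable_from(token, known_values, algos=("md5", "sha1", "sha256")):
    """Audit check for your own links.

    Returns (algorithm, value) if the token equals a plain hash of one of
    the values an outsider could enumerate (customer or transaction
    numbers), otherwise None.
    """
    for value in known_values:
        data = str(value).encode()
        for algo in algos:
            if hashlib.new(algo, data).hexdigest() == token:
                return algo, value
    return None


class LinkStore:
    """Hypothetical server-side store for secret links.

    Tokens come from the OS CSPRNG, carry no customer data, and only their
    SHA-256 digest is kept, so a leaked table does not reveal usable links.
    """

    def __init__(self, ttl_seconds=86400):
        self.ttl = ttl_seconds
        self._by_digest = {}  # digest -> (customer_id, expires_at)

    def issue(self, customer_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe text
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_digest[digest] = (customer_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the customer id for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._by_digest.get(digest)
        if record is None or now > record[1]:
            return None
        return record[0]


if __name__ == "__main__":
    # Constructed sample: customer numbers 1000..1009 are the "known fields".
    known = range(1000, 1010)
    print("legacy:", derivable_from(legacy_token(1001), known))
    store = LinkStore(ttl_seconds=60)
    token = store.issue(1001, now=0)
    print("random:", derivable_from(token, known))
    print("redeem in time:", store.redeem(token, now=30))
    print("redeem expired:", store.redeem(token, now=61))
```

An expiry does not stop interception, but it limits how long an intercepted link stays useful.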
2 Answers
Nothing is 100% secure on the internet, I've learned that working with the local NSA Cyber Defence team. :) To put it straight: OFC someone can.

Option 1: The email got caught
In this scenario, one of the many gateways simply got interfered with and was told to send a copy of your email to the possible attacker.

Option 2: Your server is insecure
This is simple. Your server got penetrated and somebody is simply sending all the email to himself as well. I would check maillog, secure log, messages log from the time when a possibly "hacked" email was sent. Also enhance your security. If you do not use SMTP, you only use sendmail, then hide every IP you have open and make special firewall rules. Also use fail2ban to kick off all the SSH attackers. Use SSH key pairs to access your server, etc.... ok, I'll stop here otherwise I'll have to send you the bill. :D

Option 3: The client mailbox is hacked
This is, in my mind, the most obvious. The mailbox of the client you send your sensitive data to got hacked and somebody else can simply read all the messages. Change password, use 2 step verification, etc, and see if your information is still getting leaked out.

Bonus: Use encrypted emails
You can always use encrypted emails, however I don't know how to use that with sendmail. For Thunderbird and a dozen Android apps there is a plugin that uses https://www.openpgp.org/ and you can encrypt your email and the receiver can only read it if he has the other pair of your encryption key. Otherwise, even if an attacker hijacks your email and reads it, all he could see is random bullsh*t and good luck decrypting that.
answered Feb 15 at 11:04 by Bert
Comments:

Thanks @Bert. The 3 options look like potential fields I can dig more in: Option 1: For this option, I need to check the Postfix mail logs, count the number of received emails by recipient and check if an unknown email address comes to the top. Checked and all looks ok on this side; Option 2: This will require more time to investigate, will follow up with some findings; Option 3: Not possible: There is no single client, there are tens of thousands of clients, and while checking, no connection was made between compromised URLs, the clients are totally different, the compromised URLs also.
– Milos, Feb 15 at 12:50

Option 4: Something like an antivirus/malware/spam scanner is automatically accessing the links as part of its normal functionality.
– ceejayoz, Feb 15 at 13:59

@ceejayoz, thanks. Your idea is that this might be running on server or client (recipient) side?
– Milos, Feb 15 at 15:01

Could be either. Depends on the nature of the clicks you're seeing. Log accesses to those URLs and take a look at the IPs and user agents.
– ceejayoz, Feb 15 at 16:10

No, we do not have this installed on the server side. When checking the IP, it looks like an already bad reputation IP registered in Canada.
– Milos, Feb 18 at 9:46
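
ceejayoz's advice to log accesses to the links and look at the IPs and user agents, as an added example that is not part of the original thread: a triage script that joins web access-log hits on the secret links with the time each link was mailed and flags the patterns that separate an automated scanner from a party reading many recipients' mail. The `/s/<token>` URL layout, the send-time table, the thresholds, the user-agent strings and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Combined Log Format, the default access-log layout of Apache and nginx.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: token -> (recipient, time the mail was queued).
# In practice this comes from the application or the Postfix mail log.
SENT = {
    "tok-alice": ("alice@example.com", "15/Feb/2019:09:00:00 +0000"),
    "tok-bob": ("bob@example.org", "15/Feb/2019:09:05:00 +0000"),
    "tok-carol": ("carol@example.net", "15/Feb/2019:09:10:00 +0000"),
    "tok-dave": ("dave@example.com", "15/Feb/2019:09:15:00 +0000"),
}

# Constructed access-log lines (documentation IP ranges, made-up agents).
ACCESS_LOG = """\
198.51.100.20 - - [15/Feb/2019:10:32:10 +0000] "GET /s/tok-alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2019:09:05:03 +0000] "HEAD /s/tok-bob HTTP/1.1" 200 0 "-" "mail-link-scanner/1.0"
192.0.2.99 - - [15/Feb/2019:13:00:00 +0000] "GET /s/tok-alice HTTP/1.1" 200 5120 "-" "curl/7.58.0"
192.0.2.99 - - [15/Feb/2019:13:00:02 +0000] "GET /s/tok-carol HTTP/1.1" 200 5120 "-" "curl/7.58.0"
192.0.2.99 - - [15/Feb/2019:13:00:05 +0000] "GET /s/tok-dave HTTP/1.1" 200 5120 "-" "curl/7.58.0"
198.51.100.20 - - [15/Feb/2019:10:33:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_hits(log_text, prefix="/s/"):
    """Return one dict per request that targets a secret link."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        token = m["path"][len(prefix):].split("?", 1)[0]
        hits.append({
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "token": token,
            "ua": m["ua"],
        })
    return hits


def triage(sent, hits, fast=timedelta(seconds=30), fanout=3):
    """Map each suspicious client IP to the sorted list of flags it raised.

    fast-fetch      link fetched within `fast` of the mail being queued,
                    which is typical of a scanner in the delivery path
    non-get         HEAD or other probing method instead of a browser GET
    multi-recipient one IP opened links mailed to >= `fanout` recipients,
                    so the common factor is not a single client mailbox
    unknown-token   request for a token that was never issued
    """
    flags = defaultdict(set)
    recipients = defaultdict(set)
    for h in hits:
        entry = sent.get(h["token"])
        if entry is None:
            flags[h["ip"]].add("unknown-token")
            continue
        rcpt, queued = entry
        recipients[h["ip"]].add(rcpt)
        if h["when"] - datetime.strptime(queued, TS_FMT) < fast:
            flags[h["ip"]].add("fast-fetch")
        if h["method"] != "GET":
            flags[h["ip"]].add("non-get")
    for ip, rcpts in recipients.items():
        if len(rcpts) >= fanout:
            flags[ip].add("multi-recipient")
    return {ip: sorted(f) for ip, f in flags.items()}


if __name__ == "__main__":
    for ip, found in triage(SENT, parse_hits(ACCESS_LOG)).items():
        print(ip, found)
```

A `multi-recipient` hit with no `fast-fetch` points the investigation at something the sender controls (mail server, web server, application), which matches Milos's observation that the affected clients are unrelated.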
As already described, it is possible that e-mails may fall into the hands of an attacker during transmission.
The cases mentioned by Bert also seem plausible. However, I think it is more likely that the web server or an application that works with these links is misconfigured. For example, indexing is enabled or a vulnerability is exploited that allows these secret links to be found on the server. I can't say much more about this with the current information.
It would be helpful to know how valuable these links could be for an attacker.
Social engineering and co-employees are additional factors.
answered 2 mins ago by robusto