Navigating Phishing Attacks on My Mail Server: Lessons Learned and Effective Security Strategies

What to do if your mail server is targeted by phishing?

One of the users of my mail server entered their credentials into a phishing form sent via email. It was disguised as a commercial document and looked like this:

fishing-attack

After that, for about a day (yes, it’s my oversight), my server was used to send out similar forms. Interestingly and amusingly, my colleague denies entering the data into the form – but they always do that (we know that everything breaks on its own, especially computer equipment and information systems) LMAO

So, first of all, I changed the password for the compromised user. He started receiving replies about nonexistent accounts from various servers – the variety of them shocked me. The attacker used an email address generator with mail lists, it seems to me.

See also  How to set Timezone and Region to all computers of Active Directory

About 30,000 responses came in within 3 days, and I also deleted the EXIM queue to send 40,000 messages with this command:

cd /var/spool/exim4/input #Mail queue directory

exim -bp #Show messages

ls -l | wc -l #Show quantity

exiqgrep -i | xargs exim -Mrm #delete messages

 

I should consider security issues:
1) Limit the price of sending messages by time and quantity with account blocking and notification.
2) Password policies should be tightened.
3) Connect an antivirus gateway that would check emails before reaching the server to preliminarily exclude the delivery of phishing to my inexperienced users.
4) Conduct explanatory work among users.

Author: admin

Leave a Reply

Your email address will not be published. Required fields are marked *