Vulnerabilities of Kolab 3.4

Johannes Ranke jranke at uni-bremen.de
Mon Apr 29 16:17:14 CEST 2019


Homer,

I was hoping someone more knowledgeable would reply. As this is not the case 
so far, I'll give my best (which is not very much I am afraid):

a) The content of emails (e-mail addresses of real contacts, as well as 
message content) will generally travel unencrypted and can therefore 
potentially be harvested if systems along the way are compromised. Therefore, 
if you find e-mail contents in spam messages, this may mean that your server is 
compromised, but not necessarily so.

b) In addition, e-mail addresses can be spoofed, i.e. an e-mail can have a 
sender address in the From: header that is not in the domain of the server 
from which it is sent.

I have personally experienced: a) The name of a person that I have 
corresponded with used as "Real name" in a spam message (like Real Name 
<something.cryptic at xyz.org>), but no other contents of a legitimate e-mail in 
spam and b) e-mail addresses that are in use on my kolab domain occurring in 
the From: header of Spam messages that I received.

In order to avoid b), I have started to use DKIM to sign messages originating 
from my kolab server, so receivers (including myself) can check if a message 
was signed on my server. I am still receiving spoofed messages, but they do 
not contain any DKIM signature. Therefore I assume that my server is OK.

Kind regards,

Johannes



On Thursday, 25 April 2019, 12:40:13 CEST, Homer Dokes wrote:
> Greetings all,
> 
> Recently we have been experiencing a tremendous number of spam/malware
> emails with origination addresses from our own Kolab server members. 
> Our Kolab server sits behind a firewall allowing only ports 587, 25,
> 8585 (for the gui interface) and 993 for through traffic.
> 
> What kind of vulnerabilities, if any, exist for a would be attacker to
> extract email information from the server under these conditions.  In a
> few instances we have actually had 'threaded' email exchanges shown in
> the body of the malware email making it look legit.  What is accessible
> on the Kolab server that would allow anyone to retrieve that information
> through those ports? Our concern is that the damage is already done and
> we are compromised.
> 
> Thank you,
> 
> hdokes


-- 
PD Dr. Johannes Ranke
Grenzach-Wyhlen
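The triage Johannes describes above (sign outbound mail with DKIM, then treat mail that claims your domain but carries no signature aligned with it as spoofed) as an added Python example; this is not code from the thread or from Kolab. It parses the From: domain and the d= tag of any DKIM-Signature header and classifies the message. The sample messages and `example.org` are constructed, and it checks only header alignment: cryptographic verification of the signature is left to the receiving MTA's DKIM milter.

```python
import email
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Relaxed DMARC-style alignment on the last two labels.
    Simplification: no Public Suffix List, so co.uk-style domains mismatch."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def classify(raw: str, own_domain: str) -> str:
    """Return 'not-ours', 'signed-aligned', 'signed-unaligned' or 'unsigned'."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if org_domain(from_domain) != org_domain(own_domain):
        return "not-ours"            # does not claim our domain; out of scope here
    sigs = msg.get_all("DKIM-Signature") or []
    for sig in sigs:
        signing_domain = dkim_tags(sig).get("d", "")
        if signing_domain and org_domain(signing_domain) == org_domain(own_domain):
            return "signed-aligned"  # signed by our domain: verify cryptographically next
    return "signed-unaligned" if sigs else "unsigned"  # claims our domain, not our signature

# Constructed sample messages (signature values are placeholders, not real hashes).
SIGNED = ("From: Alice <alice@example.org>\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=mail;\n"
          " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
          "Subject: hi\n\nbody\n")
SPOOFED = "From: Alice <alice@example.org>\nSubject: invoice\n\nbody\n"
UNALIGNED = ("From: Alice <alice@example.org>\n"
             "DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.test; s=x; b=CONSTRUCTED\n"
             "Subject: hi\n\nbody\n")
FOREIGN = "From: Bob <bob@other.test>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, m in [("SIGNED", SIGNED), ("SPOOFED", SPOOFED), ("UNALIGNED", UNALIGNED)]:
        print(name, classify(m, "example.org"))
```

Run over a mailbox of suspected spoofs, the "unsigned" and "signed-unaligned" counts versus "signed-aligned" give the same evidence Johannes relies on: mail that impersonates the domain without the server's signature did not originate there.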

