A group of hackers and spammers, possibly the ChaosCC Hacking Group, hijacked the STDCarriers.com email server and used it to send tens of thousands of spam emails with the subject line "Attention Funds Beneficiary." The messages claimed to be from a John Wagner at STD Carriers, but no such person exists. In one sample email the Reply-To header was "sprinig12@163.com" and the IP address was 197.255.167.137, which is in Nigeria.
There are striking similarities between this attack and previously received emails that included an ancient password, a monetary demand, and a claim to have explicit footage of the recipient. Those emails were claimed by a group calling itself the ChaosCC Hacking Group. The spam also immediately followed an announcement titled "STDCarriers.com is back" that was sent to registered members of the website. Within 24 hours of that announcement someone had a bot send tens of thousands of messages through the STDCarriers.com server with spoofed headers claiming to be from the webmaster. STDCarriers.com suspects that the person responsible has an STDCarriers.com account and was doing two things with this attack. First, of course, they hoped to scam the people who received the message. Second, they wanted to get STDCarriers.com blacklisted by mainstream email service providers so that STDCarriers.com cannot let users know that the site is back up.
How was this possible? A vulnerability in hMailServer allowed these messages to be sent through the system without authentication. That problem has been fixed, and the server will no longer send messages without a password. Part of the problem was that the STDCarriers.com administrator was not aware that hMailServer only considers "external" mail to be mail from another domain; it does not mean mail from an external computer. Another issue was that the webmaster was not aware that an email claiming to be from the webmaster, sent from an external machine without a password, would not be blocked by the setting prohibiting external-to-external mail. Because the spoofed sender address made the message look internal, it was not classified as external, so the server sent it as internal email, for which authentication was not required. That hole has been plugged by going to the IP Ranges section of the hMailServer Administrator and, for both the computer and internet ranges, making sure the settings are as follows:
- Require authentication for internal to external emails
- Require authentication for internal to internal emails
- Disable external to external addresses
STDCarriers.com already had external to external disabled, but never realized that, because the server accepted external emails and did not require authentication for internal-to-internal or internal-to-external mail, an external email spoofed to look like it came from an internal account could be sent both internally and to other external locations.
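The decision logic described above is easiest to see in a small model. The following is an added example, not code from this post or from hMailServer: it reproduces the rule that a delivery is classified internal/external by the sender's and recipient's domains, while the connecting IP only selects which IP-range policy applies, and then runs the same spoofed message against the weak settings and the corrected ones. The hosted domain, the 192.0.2.x client address (a documentation range, not the address from the incident) and the SMTP reply texts are all constructed for the example.

```python
"""Toy model of hMailServer-style IP-range relay rules (added example).

A sender who spoofs an internal address from an internet IP is judged
"internal to external" and relayed unless the matching IP range requires
SMTP authentication for internal-to-* deliveries.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple

# Constructed: the domain(s) this server hosts. Anything else is "external".
LOCAL_DOMAINS = frozenset({"stdcarriers.com"})

# The four delivery classes the post refers to ("internal" is what the
# hMailServer UI calls "local").
INT_INT, INT_EXT, EXT_INT, EXT_EXT = (
    "internal_to_internal", "internal_to_external",
    "external_to_internal", "external_to_external",
)


@dataclass(frozen=True)
class RangePolicy:
    """One IP range: which delivery classes are allowed at all, and which of
    those additionally require SMTP AUTH."""
    network: object
    allow: FrozenSet[str]
    require_auth: FrozenSet[str]


@dataclass(frozen=True)
class Session:
    client_ip: str
    mail_from: str   # envelope sender (MAIL FROM): trivially spoofable
    rcpt_to: str
    authenticated: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify(mail_from: str, rcpt_to: str) -> str:
    """Classification depends only on the addresses, never on the client IP."""
    def side(addr: str) -> str:
        return "internal" if domain_of(addr) in LOCAL_DOMAINS else "external"
    return f"{side(mail_from)}_to_{side(rcpt_to)}"


def select_range(ip: str, ranges) -> RangePolicy:
    """First range whose network contains the client IP (most specific first)."""
    addr = ip_address(ip)
    for policy in ranges:
        if addr in policy.network:
            return policy
    raise LookupError(f"no IP range covers {ip}")


def decide(ranges, s: Session) -> Tuple[bool, str]:
    """Return (relayed?, SMTP-style reply). Reply texts are constructed."""
    cls = classify(s.mail_from, s.rcpt_to)
    policy = select_range(s.client_ip, ranges)
    if cls not in policy.allow:
        return False, f"550 Delivery not allowed ({cls})"
    if cls in policy.require_auth and not s.authenticated:
        return False, f"530 SMTP authentication is required ({cls})"
    return True, f"250 OK ({cls})"


LOCALHOST = ip_network("127.0.0.1/32")   # the "computer" range
ANYWHERE = ip_network("0.0.0.0/0")       # the catch-all "internet" range
DELIVERIES = frozenset({INT_INT, INT_EXT, EXT_INT})  # external-to-external disabled

# Weak: external-to-external already disabled, but no authentication demanded
# for internal-to-* deliveries, even from the internet range.
WEAK = (
    RangePolicy(LOCALHOST, DELIVERIES, frozenset()),
    RangePolicy(ANYWHERE, DELIVERIES, frozenset()),
)

# Hardened: the three settings from the post applied to both ranges.
HARDENED = (
    RangePolicy(LOCALHOST, DELIVERIES, frozenset({INT_INT, INT_EXT})),
    RangePolicy(ANYWHERE, DELIVERIES, frozenset({INT_INT, INT_EXT})),
)

# Constructed sample sessions, all from an internet address.
SPOOFED = Session("192.0.2.10", "webmaster@stdcarriers.com", "victim@example.net")
LEGIT_USER = Session("192.0.2.10", "webmaster@stdcarriers.com", "victim@example.net", authenticated=True)
INBOUND = Session("192.0.2.10", "someone@example.org", "member@stdcarriers.com")
OPEN_RELAY_TRY = Session("192.0.2.10", "someone@example.org", "victim@example.net")

if __name__ == "__main__":
    for name, ranges in (("weak", WEAK), ("hardened", HARDENED)):
        for label, s in (("spoofed", SPOOFED), ("authenticated", LEGIT_USER),
                         ("inbound", INBOUND), ("ext->ext", OPEN_RELAY_TRY)):
            print(f"{name:8} {label:13} {decide(ranges, s)[1]}")
```

Under the weak settings the spoofed session is accepted as "internal to external" even though nothing about the connection is internal; under the hardened settings the same session gets a 530 while the authenticated user and ordinary inbound mail still work, and the external-to-external attempt is refused by both. That is the whole mechanism: disabling external-to-external relay never enters the picture once the sender domain is spoofed, only the authentication requirement on internal-to-* deliveries does.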
LESSON LEARNED:
When setting up your mail server, make sure that you require authentication for all outgoing email. That way only emails sent by someone with a password will be sent out from the server. If you don't do that, spoofers can make hMailServer think that their mail is internal.