Email Account under attack (really) - anything I can do?When secure email, is not really secureSpam Mail -...
Manga about a female worker who got dragged into another world together with this high school girl and she was just told she's not needed anymore
If a centaur druid Wild Shapes into a Giant Elk, do their Charge features stack?
How to make payment on the internet without leaving a money trail?
Is "plugging out" electronic devices an American expression?
How to move the player while also allowing forces to affect it
Creating a loop after a break using Markov Chain in Tikz
Can a planet have a different gravitational pull depending on its location in orbit around its sun?
How to deal with fear of taking dependencies
New order #4: World
Why do UK politicians seemingly ignore opinion polls on Brexit?
Filling an area between two curves
Find the positive root of a 4-th degree polynomial equation
Doomsday-clock for my fantasy planet
What do you call something that goes against the spirit of the law, but is legal when interpreting the law to the letter?
"listening to me about as much as you're listening to this pole here"
What is the command to reset a PC without deleting any files
What is it called when one voice type sings a 'solo'?
How to manage monthly salary
Why do we use polarized capacitors?
Why is my log file so massive? 22gb. I am running log backups
When blogging recipes, how can I support both readers who want the narrative/journey and ones who want the printer-friendly recipe?
I see my dog run
Why was the "bread communication" in the arena of Catching Fire left out in the movie?
Patience, young "Padovan"
Email Account under attack (really) - anything I can do?
When secure email, is not really secureSpam Mail - have someone broke in to my shared hosting account?Could someone stop another from accessing their own online account?Can/do botnets brute force “high value” users of services like Gmail?Hijacked Aol Email Account - Lack of security?Sending password reset links in emailIs there more of a security risk by providing an email when creating a new account?How viable is MITM interception of email, really?Email really sent or not?A safer way to read emails on Android devices
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.
My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.
Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?
email botnet
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 2 more comments
Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.
My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.
Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?
email botnet
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
36
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
7
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
23
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
16
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
33
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday
|
show 2 more comments
Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.
My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.
Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?
email botnet
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.
My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.
Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?
email botnet
email botnet
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
clemdiaclemdia
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
clemdiaclemdia
42125
asked 2 days ago
clemdiaclemdia
42125
42125
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
36
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
7
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
23
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
16
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
33
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday
|
show 2 more comments
36
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
7
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
23
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
16
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
33
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday
36
36
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
7
7
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
23
23
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
16
16
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
33
33
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday
|
show 2 more comments
5 Answers
5
active
oldest
votes
A few thoughts:
- Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.
- If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.
- If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)
- Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.
- Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.
answered 2 days ago
AndersAnders
50.3k22144166
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
|
show 3 more comments
No. That's pretty much the background noise of being on the internet.
From a random server I have with e-mail:
$ sudo grep -c "auth failed" /var/log/mail.log
1109
That's today. It's with fail2ban blocking more than five attempts from the same IP.
answered 2 days ago
vidarlovidarlo
3,764823
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
add a comment |
Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.
From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com
Or something like that.
Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.
As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.
Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.
answered 2 days ago
HarperHarper
2,190414
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
add a comment |
tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.
You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:
However as a result of the authentication failures, my hosting
provider keeps locking the email account.
In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.
In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.
Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).
answered yesterday
Conor ManconeConor Mancone
10.5k32152
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
|
show 1 more comment
Maybe buy a Titan Security Key. Last resort, though.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
clemdia is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206923%2femail-account-under-attack-really-anything-i-can-do%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
A few thoughts:
- Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.
- If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.
- If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)
- Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.
- Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.
answered 2 days ago
AndersAnders
50.3k22144166
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
|
show 3 more comments
A few thoughts:
- Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.
- If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.
- If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)
- Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.
- Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.
answered 2 days ago
AndersAnders
50.3k22144166
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
|
show 3 more comments
A few thoughts:
- Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.
- If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.
- If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)
- Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.
- Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.
answered 2 days ago
AndersAnders
50.3k22144166
A few thoughts:
- Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.
- If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.
- If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)
- Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.
- Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.
answered 2 days ago
AndersAnders
50.3k22144166
answered 2 days ago
AndersAnders
50.3k22144166
answered 2 days ago
AndersAnders
50.3k22144166
answered 2 days ago
AndersAnders
50.3k22144166
50.3k22144166
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
|
show 3 more comments
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
15
15
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.
– Barmar
2 days ago
2
2
What makes you think he's not already using IMAP?
– Barmar
2 days ago
What makes you think he's not already using IMAP?
– Barmar
2 days ago
2
2
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
@Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.
– jpmc26
2 days ago
6
6
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.
– Barmar
2 days ago
9
9
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
@Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.
– Anders
yesterday
|
show 3 more comments
No. That's pretty much the background noise of being on the internet.
From a random server I have with e-mail:
$ sudo grep -c "auth failed" /var/log/mail.log
1109
That's today. It's with fail2ban blocking more than five attempts from the same IP.
answered 2 days ago
vidarlovidarlo
3,764823
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
add a comment |
No. That's pretty much the background noise of being on the internet.
From a random server I have with e-mail:
$ sudo grep -c "auth failed" /var/log/mail.log
1109
That's today. It's with fail2ban blocking more than five attempts from the same IP.
answered 2 days ago
vidarlovidarlo
3,764823
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
add a comment |
No. That's pretty much the background noise of being on the internet.
From a random server I have with e-mail:
$ sudo grep -c "auth failed" /var/log/mail.log
1109
That's today. It's with fail2ban blocking more than five attempts from the same IP.
answered 2 days ago
vidarlovidarlo
3,764823
No. That's pretty much the background noise of being on the internet.
From a random server I have with e-mail:
$ sudo grep -c "auth failed" /var/log/mail.log
1109
That's today. It's with fail2ban blocking more than five attempts from the same IP.
answered 2 days ago
vidarlovidarlo
3,764823
answered 2 days ago
vidarlovidarlo
3,764823
answered 2 days ago
vidarlovidarlo
3,764823
answered 2 days ago
vidarlovidarlo
3,764823
3,764823
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
add a comment |
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
24
24
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.
– John Keates
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...
– clemdia
2 days ago
2
2
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.
– aaaaaa
15 hours ago
add a comment |
Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.
From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com
Or something like that.
Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.
As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.
Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.
answered 2 days ago
HarperHarper
2,190414
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
add a comment |
Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.
From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com
Or something like that.
Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.
As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.
Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.
answered 2 days ago
HarperHarper
2,190414
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
add a comment |
Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.
From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com
Or something like that.
Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.
As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.
Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.
answered 2 days ago
HarperHarper
2,190414
Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.
From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com
Or something like that.
Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.
As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.
Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.
answered 2 days ago
HarperHarper
2,190414
answered 2 days ago
HarperHarper
2,190414
answered 2 days ago
HarperHarper
2,190414
answered 2 days ago
HarperHarper
2,190414
2,190414
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
add a comment |
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
2
2
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.
– Esa Jokinen
2 days ago
4
4
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.
– clemdia
2 days ago
1
1
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain
– sudo rm -rf slash
yesterday
add a comment |
tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.
You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:
However as a result of the authentication failures, my hosting
provider keeps locking the email account.
In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.
In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.
Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).
answered yesterday
Conor ManconeConor Mancone
10.5k32152
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
|
show 1 more comment
tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.
You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:
However as a result of the authentication failures, my hosting
provider keeps locking the email account.
In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.
In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.
Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).
answered yesterday
Conor ManconeConor Mancone
10.5k32152
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
|
show 1 more comment
tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.
You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:
However as a result of the authentication failures, my hosting
provider keeps locking the email account.
In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.
In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.
Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).
answered yesterday
Conor ManconeConor Mancone
10.5k32152
tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.
You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:
However as a result of the authentication failures, my hosting
provider keeps locking the email account.
In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.
In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.
Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).
answered yesterday
Conor ManconeConor Mancone
10.5k32152
edited 11 hours ago
answered yesterday
Conor ManconeConor Mancone
10.5k32152
answered yesterday
Conor ManconeConor Mancone
10.5k32152
answered yesterday
Conor ManconeConor Mancone
10.5k32152
10.5k32152
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
|
show 1 more comment
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
5
5
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...
– Steve Shipway
yesterday
2
2
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...
– clemdia
yesterday
2
2
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
@clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.
– Conor Mancone
yesterday
2
2
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
@clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.
– Conor Mancone
yesterday
1
1
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...
– Conor Mancone
yesterday
|
show 1 more comment
Maybe buy a Titan Security Key. Last resort, though.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Maybe buy a Titan Security Key. Last resort, though.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Maybe buy a Titan Security Key. Last resort, though.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Maybe buy a Titan Security Key. Last resort, though.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 6 hours ago
metlemmetlem
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 6 hours ago
metlemmetlem
1
answered 6 hours ago
metlemmetlem
1
1
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
metlem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
clemdia is a new contributor. Be nice, and check out our Code of Conduct.
clemdia is a new contributor. Be nice, and check out our Code of Conduct.
clemdia is a new contributor. Be nice, and check out our Code of Conduct.
clemdia is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206923%2femail-account-under-attack-really-anything-i-can-do%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
36
Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?
– schroeder♦
2 days ago
7
Are you using one of the big email providers (Gmail, etc) or something smaller?
– Anders
2 days ago
23
Get a better provider that isn't so vulnerable to this kind of trivial DoS?
– Nate Eldredge
2 days ago
16
Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.
– jww
2 days ago
33
I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.
– pat3d3r
yesterday