Both of these account compromises were caused by weak password reset questions. And although Palin certainly was/is a high profile account, the Twitter compromise was caused by a low-profile IT Administrator who happened to store sensitive company documents in their Google Docs folder. This goes to show that everyone, from the CEO of a large company, to a low-level system administrator, is accountable for the security of their accounts.

Sample (bad) Password Reset Questions:

Many e-mail accounts use a typical range of password reset questions:

• What is your mother’s maiden name?
• What was your first pet’s name?
• What is your favorite sport?
• What is your oldest daughter’s name?
• More Questions

Even questions regarded as “Good” on this list are easily guessable if you have access to the social networks of an individual. For example: What is the middle name of your youngest child? What is your oldest sibling’s middle name? Answers to these questions often appear on Facebook or other social media websites.

After coming up with the idea to write this article, I took a look at my own email account password reset question. It was set to my Father’s middle name. I had probably set this when I first signed up for a  beta account back in 2005 or so – I was not in the mindset that it would become my primary account and also be the gateway to a bevy of information. As with many folks, when I sign up for a new account on a website, it will often e-mail me my account information (including my password, boo!) to my e-mail account. And, as I suspect with most people, I do not follow best practices and use a different password for each account. Not to mention that many other accounts will send an email to your account on file in order to reset their passwords. Therefore, since not only the main account password at risk, there is a lot riding on the security of your email account. If someone can gain access to your email account, they also gain access to a lot of frequently used passwords and accounts. Domain hijacking has occurred using this method.

The Solution

The first step is that password reset questions must not be answerable by information available via social networking sites. For someone who is very active in social networking, this might be hard to come up with at first, but really is not hard.

A good password reset question is:
Not easily guessable from online or offline sources (secure)
Stays the same over a long period of time (stable)
Is readily recallable by authoritative person (obtainable)
Has only one answer (definitive)

My source for questions that satisfy these metrics is my wallet. I look for cards that have information that will stay the same for a long period of time, for example, a driver’s license, library card or other membership card.

You can then reset your password question to a value on those cards. If the site does not let you ask your own password reset question, you might try to replace a common one, such as “mother’s maiden name” with this. Just be careful you don’t get too tricky, or you might forget the correct question/response to the answer and lose access to your account for good.

For a sample answer, you might use the first 5 digits of your driver’s license ID, plus the last 6 of your gym membership card. Really you can use any information that you want that you do not share on social media websites.  Just make sure they follow the four guidelines above.

Do you have any tips for a good password reset question?

To get Postini to white list an IP address, you need to go into the Batch editing mode and issue this command:

addallowedip organization name,domain.com:10.0.0.0

Full Postini Batch Reference

See page 30 for ‘addallowedip’ syntax and more information.

Fortunately there is a way around this, because by the default way it is set up, you would have to enter your password every time you open up Outlook.

First step is to change the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Change lmcompatibilitylevel to “2″

Here is the meanings of these numbers (source):

0 – Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
1 – Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
2 – Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.
3 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
4 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.
5 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

I’ve uploaded a registry file which will automatically make the change here.

You then need to access the advanced user dialog properties (see my previous article on this if you do not see a tab in Control Panel -> Users & Accounts dialog). Click “Manage Passwords” and then add a new entry. This entry should be the Exchange server’s real name – the name that pops up in your password prompt windows. In my example, in is MAILXXX.mail.lan.

Finally, make sure that the Exchange server’s local name, MAILXXX.mail.lan, is in your hosts file. For most Windows XP folks, this is C:\WINDOWS\system32\drivers\etc\hosts.

The format is:

69.x.x.x MAILXXX.mail.lan

where the real accessible IP address is the first part, and the real Exchange server name is the section part. This allows your PC to locate the “Real” Exchange server name over the internet, even though it is not a real exchange server’s hostname on the internet.

Of course this is not supported by Lyris and if you have problems with it after making your changes, don’t expect them to support it. Make backup of your files – in Linux this is /usr/local/lm

For this example, I’m going to add the Full Name field to survey results. By default, it shows the email address but not the name of the responding user.

Step 1:

Backup!

cp -R /usr/local/lm /usr/local/lm.bak

Step 2:

Open the file which holds the routine for the “Survey Details” page. This is in /htdocs/reports/surveys/.tml

vi /usr/local/lm/htdocs/reports/surveys/.tml

Step 3:

Modify the code to add in FullName:

In the routine surveyreports::page_all_answers

Change
set sql "SELECT lyrSurveyResponse.WebDocID, lyrSurveyResponseAnswers.ResponseID as ResponseID, lyrSurveyQuestions.UserQuestionNumber, lyrSurveyResponse.ResponseTime, lyrSurveyResponse.MemberID, lyrSurveyResponse.RespondingIP, lyrSurveyResponse.MailingID, lyrSurveyQuestions.QuestionText, lyrSurveyAnswers.AnswerText, lyrSurveyResponseAnswers.FreeFormAnswer, [dbinfo::members_name].[dbinfo::members_emailaddr]

set sql "SELECT lyrSurveyResponse.WebDocID, lyrSurveyResponseAnswers.ResponseID as ResponseID, lyrSurveyQuestions.UserQuestionNumber, lyrSurveyResponse.ResponseTime, lyrSurveyResponse.MemberID, lyrSurveyResponse.RespondingIP, lyrSurveyResponse.MailingID, lyrSurveyQuestions.QuestionText, lyrSurveyAnswers.AnswerText, lyrSurveyResponseAnswers.FreeFormAnswer, [dbinfo::members_name].[dbinfo::members_emailaddr] as EmailAddr, members_.fullname_ as FullName


Change

array set heading_labels "AnswerText {Answer} ResponseTime {Date} QuestionText {Question} EmailAddr {Email Address}"

array set heading_labels "AnswerText {Answer} ResponseTime {Date} QuestionText {Question} FullName {Full Name} EmailAddr {Email Address}"

Change

array set column_width "ResponseTime 15 QuestionText 25 AnswerText 25 EmailAddr 25 Action_ 10"

array set column_width "ResponseTime 15 QuestionText 25 AnswerText 10 FullName 15 EmailAddr 25 Action_ 10"

Change

set sortable {QuestionText AnswerText ResponseTime EmailAddr RespondingIP}

set sortable {QuestionText AnswerText ResponseTime FullName EmailAddr RespondingIP}

Save this file and that is it! You will now have full names in your survey responses.

However, after Thunderbird 2.0 was released, this old plugin was not compatible. Eyalroz re-released the plugin under GPL and with updates for Thunderbird 2.0. If you have a need to remove duplicate emails – this is the plugin you need! Get it:

1. If your system is acting as a spam / antivirus / relay server for secondary internal servers, and your destination mail server is down, postfix will queue your messages to resend at a later time. In order for postfix to instantly re-queue these messages you use:

postqueue -f

2. The mailq equivilant specific to postfix is

postqueue -p

3. If you want to delete specific messages in your queue, use an ncurses based open source software called pfqueue. It will give you a menu that shows mail currently queued, and allows you to delete specific emails.

This worked fine for months. However, I was then “joe jobbed” – which means that some spammer used my domain name as the “from” or “reply to” address on their e-mails. This causes a flood of e-mails from mail servers, which messages such as, no user exists, this account has been deleted, etc. These e-mails are completely valid and authentic responses from e-mail servers.

Now – it is my personal opinion that mail servers should reject connections to users who are not real – not generate more messages and bandwidth sending out their rejection response. But I understand why some e-mail providers wish to keep this option on, and I think Exchange has it on by default. So trying to change peoples minds is not going to work – we need to deal with these rejection messages responsibly.

Here is where my server configuration showed its flaws. Here is the official definition of the 450 and 550 error messages:

450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy)
550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)

The difference between the two error codes is not really apparent at first glance. However, 400 level commands tells the remote servers that there is a temporary error, and it should try again later. How much later depends on each server’s settings. The 500 level commands tell the remote server that it is a permanent failure, and it should not try again later.

In the case of a joe job – you have thousands of servers responding to your server that addresses can’t be found (or any other error). When you have each of those servers “retrying” their e-mail connects every 10 minutes or so, your server will quickly find itself rejecting a whole lot of messages.

Fortunately, the fix is easy. Fix your server to respond with a 550 instead of 450. Look at the change in the graph below – almost immediately after I switched to the 550 message:

You can see the benefits of keeping the 550 message. In postfix, the change is simple, change the soft_bounce line to:

soft_bounce = no

You can also customize your rejection codes for particular errors as below.

unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

For more codes: Postconf manual

Step #1: The first thing is to try to compact the folder. This should help if you have a large inbox. If you can’t even get to this step, or if it is just too slow, try step #2.

Step #2: The .msf “index” file is corrupted. If this file gets corrupted, you could see a slow initial loading of your inbox, messages will not open, you can not delete messages, etc. You may also see a message in the status windows when you open Thunderbird that says something about rebuilting index. The solution to this is to first close out of Thunderbird, then delete the inbox.msf file. If this is for a different folder name, you will see “folder name.msf” file corresponding to that folder. This file is located in your profile directory. For me this was: “C:\Documents and Settings\Dave\Application Data\Thunderbird\Profiles\default\svxnp81c.slt\Mail\systembash.com”
But this varies because of the random profile string and your account profile name.
Delete this file. Make sure you leave the real inbox file alone – this is a file that is named “inbox” (or your folder name) without a file extension.

Re-open Thunderbird – the index will automatically be rebuilt and you should now have normal access to your inbox!

In order to break this vicious cycle, you just need to clear out the bayesian tokens. It’s very easy to do. As root user, type:
sa-learn --clear
This starts you fresh. By default, Spamassassin won’t use the bayes filter until it has 200 spam and ham messages, so until you get to that level it will continue to learn based the other Spamassassin detection settings.

Ideally, I would have sa-learn train using these spam messages. But since I use Outlook, and there is no “easy” way to have it interface with sa-learn, I find it easier to clean out the bayes tokens every once in a while. SpamAssassin Coach is a plugin for outlook which should connect to your spamd server and “learn” a message as ham or spam. But in practice, it did not work for me. It looks like the project has a lot of potential.

For more information on how Bayesian filtering works, check out this wikipedia article.

Anyway, once you have this system set up (there are some great instructions here, maybe I will cover this more another day), you may wish to sync up your Exchange users with your postfix “relay users” in order to trash messages coming in who are not addressed to anyone on the Exchange server. This will free up CPU cycles on the exchange server postfix server, and also reduce some bandwidth. Fortunately, Exchange 2000 and beyond use LDAP to publish this information. You can use Perl’s Net::LDAP module to grab this information. Chris Covington put together this nice script to grab the Exchange users and post to a file, which can then be postmapped and used in relay_recipient_maps. I hope you find it as useful as I did! [Local Mirror of the Script]