<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs? in Archive</title>
    <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38375#M18126</link>
    <description>&lt;P&gt;OK, after BT fixed this account on the btconnect.com SMTP relays it looks as though the spam has stopped.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have found that you can still authenticate using Base64 encoding via telnet, so it is still possible to relay. But I don't think the spammers are using that technique.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Either way there are multiple security holes on the mail.btconnect.com mail servers, as a result of the move to Office365.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Apparently someone from the mail team is contacting me later so I can show them how I can spam through their servers.&lt;/P&gt;</description>
    <pubDate>Tue, 24 Apr 2012 12:21:50 GMT</pubDate>
    <dc:creator>bobdonkey</dc:creator>
    <dc:date>2012-04-24T12:21:50Z</dc:date>
    <item>
      <title>Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38183#M18119</link>
      <description>&lt;P&gt;I am posting this here as support have so far been absolutely no use in resolving my issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My client has an account on btconnect.com which is receiving hundreds of non-delivery reports. I can see in the email header that they are authenticating using the account. But changing the password for the account makes no difference.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So I set up the account in Outlook and tried other passwords.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Guess what? The old password was a simple word, but still works to authenticate. But even worse, anything added at the end of the password also works. So, say the old password was hello. Even though I changed that ages ago on btconnect.com, I can still send email using that account. But I can use hello1, hello99, hello1234812304 and so on.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Top notch security BT. And thanks for ignoring this issue for several weeks.&lt;/P&gt;</description>
      <pubDate>Sat, 21 Apr 2012 17:27:51 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38183#M18119</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-21T17:27:51Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38195#M18120</link>
      <description>&lt;P&gt;Wow! First time I heard this so far. Can anyone else confirm this?&lt;/P&gt;</description>
      <pubDate>Sat, 21 Apr 2012 18:42:36 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38195#M18120</guid>
      <dc:creator>kuerten</dc:creator>
      <dc:date>2012-04-21T18:42:36Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38275#M18121</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are two separate problems here:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. The password? No idea.&amp;nbsp; Could be a server error, or something else.&amp;nbsp; Try the Helpdesk again, and see if they can escalate it.&amp;nbsp; They're more email platforms anyway, so it may be a moot point in the end.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. The Non-Delivery Reports?&amp;nbsp; Email spoofing, which I posted up about the other day elsewhere.&amp;nbsp; If your own system is clean of malware then someone else who has your email address and a virus, or someone who has harvested your address online, is sending email as if it were you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Clean your system, and let everyone that you know has your email address know that they may have a malware infection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's about the best you can do to be honest.&amp;nbsp; Email spoofing is a horrible thing and difficult to track the source of.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dave A&lt;/P&gt;</description>
      <pubDate>Mon, 23 Apr 2012 07:24:00 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38275#M18121</guid>
      <dc:creator>OldWolf</dc:creator>
      <dc:date>2012-04-23T07:24:00Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38281#M18122</link>
      <description>&lt;P&gt;Yes someone is sending as my client, I can see in the email headers from various IPs in China. It is not from our machine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But it is the password issue that is the problem - you update on btconnect.com and it hasn't removed the old password, and worse than that, a variety of passwords work so it would be easy to guess as you have more chances.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Apr 2012 08:25:48 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38281#M18122</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-23T08:25:48Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38291#M18123</link>
      <description>&lt;P&gt;Trying to contact the security team is virtually impossible. I have called them several times, they always promise to call me back and never do. BT support said to just email them, they never respond. One guy said that there are only 8 guys on the team and they get thousands of emails per day.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was just waiting on hold for 10 mins and then was cut off, so now waiting again. The joke is that the on hold message says to email the abuse email address, but if you do that they never respond.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is shocking customer service, I would not recommend BT to any of my business customers, their attitude to security is a joke.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Apr 2012 10:12:51 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38291#M18123</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-23T10:12:51Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38295#M18124</link>
      <description>&lt;P&gt;Well they finally fixed this. It was as I suspected to do with the Office365 migration. Since the migration obviously there are different servers to use, but the old account on btconnect.com somehow got out of sync and unsecure and was allowing all sorts of passwords. Took me an hour on the phone to explain and then they fixed it, now I can only send through mail.btconnect.com using the correct password and none others.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So they do indeed have a security issue.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Apr 2012 11:09:36 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38295#M18124</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-23T11:09:36Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38339#M18125</link>
      <description>&lt;P&gt;OK I spoke too soon.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They did manage to change the password and I can no longer send using the old password using Outlook. But...I can log in as the user using telnet and the password in Base64, and the old password works and not the new one! This is messed up. I can also use the old password with any character after it. Why Outlook doesn't work I don't know.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Time for another call to the abuse team...&lt;/P&gt;</description>
      <pubDate>Mon, 23 Apr 2012 15:08:32 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38339#M18125</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-23T15:08:32Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38375#M18126</link>
      <description>&lt;P&gt;OK, after BT fixed this account on the btconnect.com SMTP relays it looks as though the spam has stopped.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have found that you can still authenticate using Base64 encoding via telnet, so it is still possible to relay. But I don't think the spammers are using that technique.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Either way there are multiple security holes on the mail.btconnect.com mail servers, as a result of the move to Office365.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Apparently someone from the mail team is contacting me later so I can show them how I can spam through their servers.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Apr 2012 12:21:50 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38375#M18126</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-24T12:21:50Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38429#M18127</link>
      <description>&lt;P&gt;Firstly, I'm surprised that you were using mail.btconnect.com to send E-Mail despite using mail relay. Office 365 platform aside, I would have expected smtp.btconnect.com in use with authentication here. With regard to the mail.btconnect.com mailserver, it doesn't usually require authentication as it usually authenticates via the DSL line; if the line is with BT, it leaves it at that. If users are able to authenticate with it and it accepts it, that may indeed be something BT would be interested in.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Secondly, are you running a mailserver from site using the BT Mailservers? If so, I'd imagine that you're using a static IP. Had you set up reverse DNS? If not, other spam filters may realise that E-Mail flagged as coming from mailserver@mydomain.com was actually coming from 123456.ukcore.bt.net, or something along those lines.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Apr 2012 22:11:50 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38429#M18127</guid>
      <dc:creator>DanSmith87</dc:creator>
      <dc:date>2012-04-24T22:11:50Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38485#M18128</link>
      <description>&lt;P&gt;I am not using mail.btconnect.com, that is irrelevant. The spammers are using that to relay mail.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am not running a mailserver.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The spam has actually started again due to this security issue, BT security team have promised several times to call me and never have, they don't care.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can log in to BT mail servers and send mail on behalf of a user without knowing their password, and I am not on the BT network. This is a serious issue.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Apr 2012 19:52:13 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38485#M18128</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-25T19:52:13Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38491#M18129</link>
      <description>&lt;P&gt;Bob; if you truly believe you have exhausted the routine BT support routes and feel you need to get the attention at the highest level in BT then message me and I'll give you the email address of BT top level management and the Executive Level Support Team.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Two other options:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you are on "LinkedIn" then you can find BT Managers on there whom you can contact/lobby.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Or get in touch with the Guardian (newspaper) Technical Reporting Team and talk to them! LOL&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edit: take a look at this link: found it whilst looking for BT Data Protection Officer. Whilst it's BT Compliance at least it gives personal email&amp;nbsp; addresses:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.btplc.com/Thegroup/RegulatoryandPublicaffairs/Regulatorycompliancepolicy/Regulatorycompliancepolicy.htm" target="_blank"&gt;http://www.btplc.com/Thegroup/RegulatoryandPublicaffairs/Regulatorycompliancepolicy/Regulatorycompliancepolicy.htm&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Bob!&amp;nbsp;&amp;nbsp;&amp;nbsp; Fill this form in and shake 'em up!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="http://globalservices.bt.com/Feedback.do?method=VIEW&amp;amp;recordId=Managed_Security_Services_solutions_uk_en-gb&amp;amp;recordName=Managed%20Security%20Services&amp;amp;primDimName=solutions&amp;amp;Context=Solutions&amp;amp;webRefNum=30026" target="_blank"&gt;http://globalservices.bt.com/Feedback.do?method=VIEW&amp;amp;recordId=Managed_Security_Services_solutions_uk_en-gb&amp;amp;recordName=Managed%20Security%20Services&amp;amp;primDimName=solutions&amp;amp;Context=Solutions&amp;amp;webRefNum=30026&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Apr 2012 08:01:45 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38491#M18129</guid>
      <dc:creator>Seraphsailor</dc:creator>
      <dc:date>2012-04-26T08:01:45Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38505#M18130</link>
      <description>&lt;P&gt;Actually I am thinking of submitting mail.btconnect.com to some SMTP blacklists, that should get them to fix it pretty quickly.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'll also give details to The Register or someone if this doesn't get sorted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Apr 2012 09:15:10 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38505#M18130</guid>
      <dc:creator>bobdonkey</dc:creator>
      <dc:date>2012-04-26T09:15:10Z</dc:date>
    </item>
    <item>
      <title>Re: Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?</title>
      <link>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38615#M18131</link>
      <description>&lt;P&gt;An SMTP blacklist like Spamhaus would automatically block an SMTP server. They will also assess if it really needs to be blocked. At this point, I don't think they will be able to do that since all the mail traffic from their end would come up clean.&lt;/P&gt;</description>
      <pubDate>Sun, 29 Apr 2012 15:13:18 GMT</pubDate>
      <guid>https://business.forums.bt.com/t5/Archive/Serious-security-flaw-in-mail-btconnect-com-mail-relay-Are-you/m-p/38615#M18131</guid>
      <dc:creator>gugaguga</dc:creator>
      <dc:date>2012-04-29T15:13:18Z</dc:date>
    </item>
  </channel>
</rss>

