Serious security flaw in mail.btconnect.com mail relay. Are you receiving multiple NDRs?

bobdonkey
Member

I am posting this here as support have so far been absolutely no use in resolving my issue.

 

My client has an account on btconnect.com which is receiving hundreds of non delivery reports. I can see in the email header that they are authenticating using the account. But changing the password for the account makes no difference.

 

So I setup the account in Outlook and tried other passwords.

 

Guess what? The old password was a simple word, but it still works to authenticate. But even worse, anything added at the end of the password also works. So, say the old password was hello. Even though I changed that ages ago on btconnect.com, I can still send email using that account. But I can also use hello1, hello99, hello1234812304 and so on.

 

Top notch security BT. And thanks for ignoring this issue for several weeks.


kuerten
Super User

Wow! First time I heard this so far. Can anyone else confirm this?

OldWolf
Guru

Hi,

 

There are two separate problems here:

 

1. The password? No idea. Could be a server error, or something else. Try the Helpdesk again, and see if they can escalate it. They're moving email platforms anyway, so it may be a moot point in the end.

 

2. The Non-Delivery Reports? Email spoofing, which I posted up about the other day elsewhere. If your own system is clean of malware, then someone else who has your email address and a virus, or someone who has harvested your address online, is sending email as if it were you.

 

Clean your system, and let everyone that you know has your email address know that they may have a malware infection.

 

That's about the best you can do, to be honest. Email spoofing is a horrible thing and difficult to track the source of.

 

Hope that helps.

 

Cheers.

 

Dave A

bobdonkey
Member

Yes, someone is sending as my client; I can see in the email headers that it comes from various IPs in China. It is not from our machine.

 

But it is the password issue that is the problem - you update on btconnect.com and it hasn't removed the old password, and worse than that, a variety of passwords work, so it would be easy to guess as you have more chances.
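The poster identifies the abuse by reading the headers of the bounced messages. The following Python script is an added example, not code from the thread or from BT: it parses a constructed NDR (the addresses, hostnames and IPs in it are made up), pulls the original message out of the delivery report, and reports which client IP handed the message to the relay, which is the first thing to collect before reporting the abuse.

```python
import re
from email import message_from_string

# Constructed sample bounce: a multipart/report NDR carrying the original
# message as a message/rfc822 part. Hosts and IPs are illustrative only.
SAMPLE_NDR = """From: Mail Delivery System <MAILER-DAEMON@example.net>
To: user@client.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.net.

--B1
Content-Type: message/rfc822

Received: from mail.btconnect.com (mail.btconnect.com [203.0.113.10])
 by mx.example.net with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mail.btconnect.com with ESMTPA; Mon, 1 Jan 2024 09:59:58 +0000
From: user@client.example
To: victim@example.net
Subject: hello

body
--B1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_message(ndr):
    """Return the bounced original message embedded in the NDR, or None."""
    for part in message_from_string(ndr).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def received_ips(msg):
    """Relay IPs from Received headers, oldest hop first (headers are prepended newest-first)."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def injecting_ip(ndr, relay_host):
    """IP of the client that handed the message to relay_host (the hop 'by relay_host')."""
    msg = original_message(ndr)
    if msg is None:
        return None
    for hdr in msg.get_all("Received", []):
        if f"by {relay_host}" in hdr:
            m = IP_RE.search(hdr)
            return m.group(1) if m else None
    return None
```

Collecting `injecting_ip(...)` across every bounce received gives the list of submitting clients to include in an abuse report, and `ESMTPA` in that hop shows the relay accepted the message as authenticated.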

bobdonkey
Member

Trying to contact the security team is virtually impossible. I have called them several times; they always promise to call me back and never do. BT support said to just email them; they never respond. One guy said that there are only 8 guys on the team and they get thousands of emails per day.

 

I just waited on hold for 10 mins and then was cut off, so now I'm waiting again. The joke is that the on-hold message says to email the abuse email address, but if you do that they never respond.

 

This is shocking customer service. I would not recommend BT to any of my business customers; their attitude to security is a joke.

bobdonkey
Member

Well, they finally fixed this. It was, as I suspected, to do with the Office365 migration. Since the migration, obviously there are different servers to use, but the old account on btconnect.com somehow got out of sync and insecure and was allowing all sorts of passwords. Took me an hour on the phone to explain and then they fixed it; now I can only send through mail.btconnect.com using the correct password and none others.

 

So they do indeed have a security issue.

bobdonkey
Member

OK I spoke too soon.

 

They did manage to change the password and I can no longer send using the old password using Outlook. But... I can log in as the user using telnet and the password in Base64, and the old password works and not the new one! This is messed up. I can also use the old password with any character after it. Why Outlook doesn't work I don't know.

 

time for another call to the abuse team...

bobdonkey
Member

OK, after BT fixed this account on the btconnect.com SMTP relays it looks as though the spam has stopped.

 

I have found that you can still authenticate using Base64 encoding via telnet, so it is still possible to relay. But I don't think the spammers are using that technique.

 

Either way, there are multiple security holes on the mail.btconnect.com mail servers as a result of the move to Office365.

 

Apparently someone from the mail team is contacting me later so I can show them how I can spam through their servers.

DanSmith87
Member

Firstly, I'm surprised that you were using mail.btconnect.com to send E-Mail despite using mail relay. Office 365 platform aside, I would have expected smtp.btconnect.com in use with authentication here. With regard to the mail.btconnect.com mailserver, it doesn't usually require authentication as it usually authenticates via the DSL line; if the line is with BT, it leaves it at that. If users are able to authenticate with it and it accepts it, that may indeed be something BT would be interested in.

 

Secondly, are you running a mailserver from site using the BT Mailservers? If so, I'd imagine that you're using a static IP. Had you set up reverse DNS? If not, other spam filters may realise that E-Mail flagged as coming from mailserver@mydomain.com was actually coming from 123456.ukcore.bt.net, or something along those lines.

bobdonkey
Member

I am not using mail.btconnect.com, that is irrelevant. The spammers are using that to relay mail.

 

I am not running a mailserver.

 

The spam has actually started again due to this security issue. The BT security team have promised several times to call me and never have; they don't care.

 

I can log in to BT mail servers and send mail on behalf of a user without knowing their password, and I am not on the BT network. This is a serious issue.