EmailDiscussions.com  

Old 29 Apr 2017, 10:10 PM   #1
RickNY
Member
 
Join Date: Jul 2005
Location: Long Island, NY
Posts: 52
Old server name notifications from hacking attempts

There has always been a handful of failed login attempts to my FM account in the logs due to hackers trying to gain access.. I've never gone out of my way to check them - I just know they do happen.. But now, there are hackers doing it and trying to do it by accessing Fastmail's old server names (mail.messagingengine.com) -- which in turn is generating automated emails being sent from FM to me informing me that I need to use the new names.. I'm getting several of these a day.. The account is secure -- I'm using 2FA, and all of my clients are utilizing app passwords.. I'm not concerned in any way that the account is compromised -- it's not. (They are failed login attempts, and all of my successful ones are from known locations)

The emails say "You have just tried to log in to our IMAP service using an old server name such as mail.messagingengine.com, caldav.messagingengine.com or carddav.messagingengine.com.
These servers names no longer work and have been replaced by our new server names:
". When I check access logs, they are always attempted logins, usually from Ukraine or Russia.

Is anyone else receiving these? I'm inclined to create a specific Sieve rule to start filtering them because FM said they cannot turn off the notifications for the old server name usage.

Rick

Old 29 Apr 2017, 10:27 PM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,625
I have not seen attacks such as you mention, but (assuming the attackers are using a dictionary attack) that is unsurprising as none of the account names used by my customers are short and simple.

Rather than creating a Rule to discard the messages from FastMail, maybe you could eliminate the issue with an account rename. I appreciate that this means settings changes in the clients. However, I would personally be wary of discarding warning emails coming from FastMail.
Old 29 Apr 2017, 10:29 PM   #3
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 311
I began receiving those messages this week. I thought they were related to an old smartphone I have plugged in that hasn't been updated in a long time. Now you make me want to double check that all is well, but the message appears to be legitimate to me.
Quote:
You have just tried to log in to our IMAP service using an old server name such as mail.messagingengine.com, caldav.messagingengine.com or carddav.messagingengine.com.

These servers names no longer work and have been replaced by our new server names:

IMAP - imap.fastmail.com, port=993, SSL/TLS enabled
POP - pop.fastmail.com, port=995, SSL/TLS enabled
SMTP - smtp.fastmail.com, port=465, SSL/TLS enabled
CalDAV - https://caldav.fastmail.com/
CardDAV - https://carddav.fastmail.com/
WebDAV - https://webdav.fastmail.com/
Please update your settings to use the correct server name.
Old 29 Apr 2017, 10:37 PM   #4
RickNY
Member
 
Join Date: Jul 2005
Location: Long Island, NY
Posts: 52
Of course, the other solution is to just wait until the hackers start using the correct server names.. LOL. Then it will just stick a failed login in the login log without an email notification.
Old 30 Apr 2017, 07:50 AM   #5
glass
Member
 
Join Date: Dec 2013
Posts: 54
I started getting these yesterday. My login name is at my own domain so I doubt they're guessing usernames from a dictionary.

My guess is they're not really trying to get access, just scare/annoy people by triggering the notifications. Well, it's working.
Old 30 Apr 2017, 11:21 AM   #6
joe_devore
Essential Contributor
 
Join Date: Dec 2003
Location: Dover, NH, USA
Posts: 294
me too, I opened a support ticket to alert FM, but they apparently don't block excessive FAILS from a single IP...

I'm not really worried either... more or less lol
Old 30 Apr 2017, 07:02 PM   #7
moulles
Junior Member
 
Join Date: Jan 2015
Posts: 1
For about a month, I've been seeing them from IPs all over the world. They hit every 7-12 hours for a day. Then disappear for a number of days.

Just a very patient botnet looking for users with bad passwords.
Old 30 Apr 2017, 09:27 PM   #8
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 311
Hopefully it isn't creating a traffic problem for FM, and hopefully they are working on blocking the traffic.
Old 30 Apr 2017, 09:33 PM   #9
joe_devore
Essential Contributor
 
Join Date: Dec 2003
Location: Dover, NH, USA
Posts: 294
Quote:
Originally Posted by TenFour View Post
Hopefully it isn't creating a traffic problem for FM, and hopefully they are working on blocking the traffic.
The reply I got from a support ticket on this matter...
Quote:
Originally Posted by Anto
> also... do you guys block an IP if it fails too many attempts? like if a hacker is attempting to BRUTE CRACK a password?

I am afraid we do not block a particular IP from accessing the account if that fails multiple times. Too many failed logins from a single IP address are normal because if a user has forgotten his password or incorrectly configured the IMAP client, too many failed logins usually follow. Normally, if there are too many login attempts to an account from different IP addresses or locations that are suspicious, we would lock out the account itself. The user will have to get in touch with us with verification details in order to get the account unlocked.

Hope that clarifies your questions. Let me know if there is anything else that I can help you with.
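The distinction drawn in the support reply above (repeated failures from one IP versus failures against one account from many IPs), sketched as an added example that is not part of the thread and not FastMail's code. The log format, window and thresholds are assumptions, and the sample events are constructed using documentation IP ranges.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real FastMail logs): time, account, source IP, result.
SAMPLE_EVENTS = [
    ("2017-04-28 01:00", "alice@example.com", "192.0.2.10", "fail"),
    ("2017-04-28 09:30", "alice@example.com", "198.51.100.7", "fail"),
    ("2017-04-28 20:15", "alice@example.com", "203.0.113.44", "fail"),
    ("2017-04-29 06:40", "alice@example.com", "192.0.2.99", "fail"),
    ("2017-04-29 07:00", "alice@example.com", "198.51.100.200", "ok"),
    ("2017-04-29 10:00", "bob@example.com", "203.0.113.5", "fail"),
    ("2017-04-29 10:01", "bob@example.com", "203.0.113.5", "fail"),
    ("2017-04-29 10:02", "bob@example.com", "203.0.113.5", "fail"),
    ("2017-04-29 10:03", "bob@example.com", "203.0.113.5", "fail"),
    ("2017-04-29 10:04", "bob@example.com", "203.0.113.5", "fail"),
    ("2017-04-29 12:00", "carol@example.com", "192.0.2.77", "fail"),
]

def classify_failures(events, window=timedelta(days=2), min_sources=4, min_repeats=5):
    """Return {account: verdict} for accounts with failed logins.

    "distributed"   - many distinct source IPs inside one time window
    "single-source" - one IP failing repeatedly (forgotten password, bad client config)
    "noise"         - neither threshold reached
    The thresholds are illustrative assumptions, not any provider's real policy.
    """
    failures = defaultdict(list)
    for stamp, account, ip, result in events:
        if result == "fail":
            failures[account].append((datetime.strptime(stamp, "%Y-%m-%d %H:%M"), ip))
    verdicts = {}
    for account, rows in failures.items():
        rows.sort()
        peak_sources, start = 0, 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak_sources = max(peak_sources, len({ip for _, ip in rows[start:end + 1]}))
        top_repeats = max(Counter(ip for _, ip in rows).values())
        if peak_sources >= min_sources:
            verdicts[account] = "distributed"
        elif top_repeats >= min_repeats:
            verdicts[account] = "single-source"
        else:
            verdicts[account] = "noise"
    return verdicts
```

A slow pattern like the one described in post #7 only shows up when the window is long enough to span several attempts; with a one-hour window the same events fall below both thresholds.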
Old 30 Apr 2017, 10:21 PM   #10
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 347
Quote:
Normally, if there are too many login attempts to an account from different IP addresses or locations that are suspicious, we would lock out the account itself. The user will have to get in touch with us with verification details in order to get the account unlocked.
That would be a very asinine way to handle the problem.

How can one run a business that depends on E-Mail under threat that Fastmail may lock out the account?

Should Fastmail lock out my account, how am I supposed to get in touch with FM?

I went through this a couple of times a long time ago with Speakeasy. However, SE was in Seattle and did offer telephone support. FM is in Australia and doesn't offer telephone support.

Hopefully, no one on this Forum will have her or his account locked out by Fastmail.

--
Jacinto
Old 30 Apr 2017, 10:34 PM   #11
joe_devore
Essential Contributor
 
Join Date: Dec 2003
Location: Dover, NH, USA
Posts: 294
Quote:
Originally Posted by Jacinto View Post
FM is in Australia and doesn't offer telephone support.

Hopefully, no one on this Forum will have her or his account locked out by Fastmail.

--
Jacinto
me too they have a landline # but... I can't call international
Company
I've been with FM since 2003 and have not had any issues... so I wouldn't worry too much I HOPE lol...
Old 1 May 2017, 12:04 AM   #12
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 347
Quote:
Originally Posted by joe_devore View Post
me too they have a landline # but... I can't call international
Company
It wouldn't matter even if you could.

This is from the web page you referred to:

Quote:
Phone

+61 2 9475 0859

Please note, we do not provide customer or sales support over the phone. Please contact our support team using our ticket system or email address above.
I wonder why they're bothering publishing the phone number in the first place?

Quote:
Originally Posted by joe_devore View Post
I've been with FM since 2003 and have not had any issues... so I wouldn't worry too much I HOPE lol...
I, too, have been a subscriber for many years. Nevertheless, not having been aware until today of FM's unenlightened trade practice of locking-out accounts without notice to the subscriber, I am concerned about the possibility of losing access to E-Mail because of it.

Before I set-up a back-up mirror account with another provider, I would like to know whether or not a rule to forward a copy of all incoming messages to an outside account would be honored by FM while an account is locked out.

Perhaps, someone on this Forum knows the answer?

--
Jacinto

Last edited by Jacinto : 1 May 2017 at 03:30 AM.
Old 1 May 2017, 12:45 AM   #13
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 311
Quote:
I wonder why they're bothering publishing the phone number in the first place?
It makes things work better for all sorts of contacts who aren't customers. For example, a potential investor is having problems finding your office or the door to the building is locked. They look on the website, can't find a phone number, and leave. You may laugh, but it happens all the time. I also suspect some vendors lose a fair bit of business by not having any sort of phone service. Many of us have been burnt by filing tickets and support requests through online automated forms that seem to be instead a funnel into a black hole.
Old 1 May 2017, 09:13 AM   #14
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,563
The phone number is a fake one as it's a Sydney phone number and Fastmail are in Melbourne which starts with +61 3
Old 1 May 2017, 09:21 AM   #15
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 311
Quote:
The phone number is a fake one as it's a Sydney phone number and Fastmail are in Melbourne
Seems unlikely they would post a fake number. More likely it is a Sydney office or an answering service. In any case, they don't take customer service calls.

All times are GMT +9.