Old server name notifications from hacking attempts

[RickNY]

There has always been a handful of failed login attempts to my FM account in the logs due to hackers trying to gain access.. Ive never gone out of my way to check them - I just know they do happen.. But now, there are hackers doing it and trying to do it by accessing Fastmail's old server names (mail.messagingengine.com) -- which in turn is generating automated emails being sent from FM to me informing me that I need to use the new names.. I'm getting several of these a day.. The account is secure -- I'm using 2FA, and all of my clients are utilizing app passwords.. I'm not concerned in any way that the account is compromised -- its not. (They are failed login attempts, and all of my successful ones are from known locations)

The emails say "You have just tried to log in to our IMAP service using an old server name such as mail.messagingengine.com, caldav.messagingengine.com or carddav.messagingengine.com.
These servers names no longer work and have been replaced by our new server names:
". When I check access logs, they are always attempted logins, usually from Ukraine or Russia.

Is anyone else receiving these? I'm inclined to create a specific Sieve rule to start filtering them because FM said they cannot turn off the notifications for the old server name usage.

Rick

[BritTim]

I have not seen attacks such as you mention, but (assuming the attackers are using a dictionary attack) that is unsurprising as none of the account names used by my customers are short and simple.

Rather than creating a Rule to discard the messages from FastMail, maybe you could eliminate the issue with an account rename. I appreciate that this means settings changes in the clients. However, I would personally be wary of discarding warning emails coming from FastMail.

[TenFour]

I began receiving those messages this week. I thought they were related to an old smartphone I have plugged in that hasn't been updated in a long time. Now you make me want to double check that all is well, but the message appears to be legitimate to me.

Quote:

You have just tried to log in to our IMAP service using an old server name such as mail.messagingengine.com, caldav.messagingengine.com or carddav.messagingengine.com.

These servers names no longer work and have been replaced by our new server names:

IMAP - imap.fastmail.com, port=993, SSL/TLS enabled
POP - pop.fastmail.com, port=995, SSL/TLS enabled
SMTP - smtp.fastmail.com, port=465, SSL/TLS enabled
CalDAV - https://caldav.fastmail.com/
CardDAV - https://carddav.fastmail.com/
WebDAV - https://webdav.fastmail.com/
Please update your settings to use the correct server name.

[RickNY]

Of course, the other solution is just wait until the hackers start using the correct server names.. LOL. Then it will just stick a failed login in the login log without an email notification.

[glass]

I started getting these yesterday. My login name is at my own domain so I doubt they're guessing usernames from a dictionary.

My guess is they're not really trying to get access, just scare/annoy people by triggering the notifications. Well, it's working.

[joe_devore]

me too, I opened a support ticket to alert FM, but they apparently don't block excessive FAILS from a single IP...

I'm not really worried either... more or less lol

[moulles]

For about a month, I'm seeing them from IPs all over the world. They hit every 7-12 hours for a day. Then disappear for a number of days.

Just a very patient botnet looking for users with bad passwords.

[TenFour]

Hopefully it isn't creating a traffic problem for FM, and hopefully they are working on blocking the traffic.

[joe_devore]

Quote:

Originally Posted by TenFour

Hopefully it isn't creating a traffic problem for FM, and hopefully they are working on blocking the traffic.

The reply I got from a support ticket on this matter...

Quote:

Originally Posted by Anto

>also... do you guys block an IP if it fails to many attempts? like if a hacker is attempting to >BRUTE CRACK a password?

I am afraid we do not block a particular IP from accessing the account if that fails multiple times. Too many failed logins from single IP address is normal because if a user has forgotten his password or incorrectly configure the IMAP client, too many failed logins are usually followed. Normally, if there are too many login attempts to an account from different IP addresses or locations that are suspicious, we would lock out the account itself. The user will have to get in touch with us with verification details in order to get the account unlocked.

Hope that clarifies your questions. Let me know if there is anything else that I can help you with.

[Jacinto]

Quote:

Normally, if there are too many login attempts to an account from different IP addresses or locations that are suspicious, we would lock out the account itself. The user will have to get in touch with us with verification details in order to get the account unlocked.

That would be a very asinine way to handle the problem.

How can one run a business that depends on E-Mail under threat that Fastmail may lock out the account?

Should Fastmail lock out my account, how am I supposed to get in touch with FM?

I went through this a couple of times a long time ago with Speakeasy. However, SE was in Seattle and did offer telephone support. FM is in Australia and doesn't offer telephone support.

Hopefully, no one on this Forum will have her or his account locked out by Fastmail.

--
Jacinto

[joe_devore]

Quote:

Originally Posted by Jacinto

FM is in Australia and doesn't offer telephone support.

Hopefully, no one on this Forum will have her or his account locked out by Fastmail.

--
Jacinto

me too they have a landline # but... I can't call international
Company
I've been with FM since 2003 and have not had any issues... so I wouldn't worry too much I HOPE lol...

[Jacinto]

Quote:

Originally Posted by joe_devore

me too they have a landline # but... I can't call international
Company

It wouldn't matter even if you could.

This is from the web page you referred to:

Quote:

Phone

+61 2 9475 0859

Please note, we do not provide customer or sales support over the phone. Please contact our support team using our ticket system or email address above.

I wonder why they're bothering publishing the phone number in the first place?

Quote:

Originally Posted by joe_devore

I've been with FM since 2003 and have not had any issues... so I wouldn't worry too much I HOPE lol...

I, too, have been a subscriber for many years. Nevertheless, not having been aware until today of FM's unenlightened trade practice of locking-out accounts without notice to the subscriber, I am concerned about the possibility of losing access to E-Mail because of it.

Before I set-up a back-up mirror account with another provider, I would like to know whether or not a rule to forward a copy of all incoming messages to an outside account would be honored by FM while an account is locked out.

Perhaps, someone on this Forum knows the answer?

--
Jacinto

[TenFour]

Quote:

I wonder why they bothering publishing the phone number in the first place?

It makes things work better for all sorts of contacts who aren't customers. For example, a potential investor is having problems finding your office or the door to the building is locked. They look on the website, can't find a phone number, and leave. You may laugh, but it happens all the time. I also suspect some vendors lose a fair bit of business by not having any sort of phone service. Many of us have been burnt by filing tickets and support requests through online automated forms that seem to be instead a funnel into a black hole.

[Terry]

The phone number is a fake one as its a Sydney phone number and Fastmail are in Melbourne which starts with +61 3

[TenFour]

Quote:

The phone number is a fake one as its a Sydney phone number and Fastmail are in Melbourne

Seems unlikely they would post a fake number. More likely it is a Sydney office or an answering service. In any case, they don't take customer service calls.