UPDATE: In response to the question about how the URLs are modified and probed.
It's an ASP.NET application suite written entirely in C#. UPDATE: In response to the question about PHP/WordPress: Neither. And since the probing attacks are coming consistently from two specific subnets inside data centers, even though the emails were sent to completely different customer companies, we think that points to something inside those data centers.Īnyway, we'll follow up with AboveNet and see if they can offer advice. We also don't believe it's in the user's specific email client because it happens even when their machine isn't turned on. Because of that, we believe that the emails are being scanned after they've left our network, somewhere along the SMTP chain. Our server sends out large numbers of email each day to many different customers, and this behavior only occurs with two specific sites. Once it finds a target URL, in this case our web application, it modifies the URL before using it to contact our application. We believe something is just searching the emails for URLs to attempt an attack. With regards to your suggestion, the e-mail is actually successfully delivered to the customer unchanged. Thanks ahead of time for any suggestions, and let us know if there's any additional information we can provide that would help.
ONLINE EMAIL OBFUSCATOR ROT13 HOW TO
We've looked but haven't found any reports of similar behavior, and we're hoping that the StackExchange community might be able to give us some suggestions on where to look, or how to proceed with our investigation. Here are the datacenter IP addresses we're seeing the attacks from:
However, we just took a new customer live, and we're seeing it happen for a lot of their users, and with the same behavior: probing "attacks" on our servers from one of two datacenters within seconds of sending an email to those users. The "attacks" would come from one of two datacenters (one in New York and one in the UK), even though the user wasn't in either of those locations, and would rotate through a variety of IPs on specific subnets. There's no apparent danger from this behavior, and at first we thought it might be some kind of anti-malware agent deployed inside one of our customer's environments. This usually happens within seconds of the email being sent, and independent of whether or not the user's email client is active, indicating that it's being intercepted and processed somewhere in between. Then it takes the response page (usually a sign-in or error page) extracts the page contents, constructs a postback URL with those contents included as parameters, and sends it to the server. We've recently started seeing probes in the web server logs that indicate something is taking one of the URLs from those emails, partially obfuscating the parameters using a ROT-13 approach, and sending it to our server.
ONLINE EMAIL OBFUSCATOR ROT13 SOFTWARE
The software sends emails to users when they have new tasks in the system, or reminder emails when those tasks become overdue.
Our company develops web-based process management software and hosts it for our customers. We're looking for help/advice from website security experts.
0 kommentar(er)
