Dec 19, 2008

Prevention of unauthorized access to customer mailboxes

As part of our security and abuse prevention plan, today we automatically changed the passwords of all mailboxes on our servers that we found to be insecure. The weak passwords were detected with automated tools that use swaks (Swiss Army Knife for SMTP) and simple brute-force attempts, performed on our side against each mailbox.

Weak passwords may allow malicious users to authenticate successfully, which leads to spam being transmitted from our servers through the hacked mailboxes. To prevent this, we will continue to perform such security tests in the future. This will help us fight outgoing spam from our servers and will also improve the security of our customers' mailboxes by preventing unauthorized access to them and their content.

We consider the following to be weak passwords: the most popular words; keyboard combinations such as "qwerty", "asdf", "qaz", etc.; and combinations such as "1234", "abcdef", "aaaa", "11111" and all similar. There are also other patterns of weak passwords and hack attempts, such as a password that is the same as the mailbox username, the mailbox user@domain.com with the password "user1", and password strings such as "password", "passw0rd", "changeme", etc.

We recommend that all customers be careful when choosing passwords for their mailboxes. A strong password is considered to be a string of at least 8 symbols that contains both letters and numbers. Using both upper and lower case also increases password security, as passwords are case sensitive.
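
The weak-password patterns and the strength recommendation above can be enforced when a customer sets a mailbox password. The following is an added example, not the tool used for the tests described in this announcement; the function name is hypothetical and the word lists are constructed from the examples named above.

```python
import re

# Constructed sample lists built from the examples in the announcement;
# a real deployment would load a much larger dictionary of popular words.
COMMON_WORDS = {"password", "passw0rd", "changeme"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsx")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "01234567890")


def weak_password_reasons(address, password):
    """Return the reasons a mailbox password is weak (empty list = acceptable)."""
    reasons = []
    user = address.split("@", 1)[0].lower()
    pw = password.lower()

    # Recommendation: at least 8 symbols, containing letters and numbers.
    if len(password) < 8:
        reasons.append("shorter than 8 symbols")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append("does not mix letters and numbers")

    # Patterns that stay weak even when length and character mix look fine.
    if pw in COMMON_WORDS:
        reasons.append("popular word")
    if len(pw) >= 3 and any(pw in run for run in KEYBOARD_RUNS + SEQUENCES):
        reasons.append("keyboard or sequential combination")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    # Same as the username, or the username plus a few digits ("user1").
    if user and re.fullmatch(re.escape(user) + r"\d{0,4}", pw):
        reasons.append("derived from the mailbox username")
    return reasons


if __name__ == "__main__":
    # Constructed sample input: (mailbox address, candidate password).
    samples = [("user@domain.com", "user1"), ("user@domain.com", "qwerty"),
               ("user@domain.com", "passw0rd"), ("info@example.com", "Info2008"),
               ("user@domain.com", "Tr4ilMap7Kite")]
    for address, candidate in samples:
        print(address, repr(candidate), weak_password_reasons(address, candidate) or "ok")
```

Note that "passw0rd" and "Info2008" satisfy the length and letters-plus-numbers recommendation and are rejected only by the pattern checks.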