well....
this exact circumstance happened to us today, from an infected computer.
i now understand why adding the 'from' ip into all the deny settings AND
iptables didn't work.
changing the account password and restarting did work, BUT if i give the
user the new password and the machine is still infected, back to square one.
meanwhile, we've set the account in readonly mode. this is unfortunate
for the user, but until the machine is once again pristine, there's
nothing else we can do.
david camm
advanced web systems
keller, tx
ps - anyone know the name of the virus?
d
On 9/28/2012 8:22 AM, Frank Bulk wrote:
> Chris:
>
> You’re right, if there’s not an open connection then changing the
> password is effective.
>
> I’m sure SM’s feature request list is longer than my bucket list, but if
> you could embed the closing of any active SMTP/POP3/IMAP connections on
> a password change, or at least after the singular message in process has
> been sent/retrieved/pulled, that would be appreciated.
>
> Frank
>
> *From:* Support [mailto:surgemailHIDDEN@t@netwinsite.com]
> *Sent:* Thursday, September 27, 2012 5:50 PM
> *To:* surgemailHIDDEN@etwinsite.com
> *Subject:* re: [SurgeMail List] RE: Halting a spammer
>
> Indeed if the spammer has an open smtp connection then changing the
> password won't stop them until the connection is closed... and there is
> no command to do that currently, a restart is the best option.
>
> If they don't have an open connection, then changing the password should
> be sufficient. But there is a cache in surgemail which must be cleared
> too...
>
> tellmail clear_cache
>
> That is automatic in some instances, but it depends how you change the
> account details (specifically doing it via surgemail should make it
> clear the cache)
>
> personally I would do a restart too ;-)
>
> And of course deleting any queued messages for their account is essential.
>
> ChrisP.
>
> FYI, had the issue again today and the only solution was to restart
> SM on both servers.
>
> Does SM cache the SMTP AUTH credentials? If we change the password
> and flush the messages from the queues, why can spammers continue to
> use the account?
>
> Frank
>
> -----Original Message-----
>
> From: Frank Bulk
>
> Sent: Wednesday, December 14, 2011 8:43 PM
>
> To: surgemailHIDDEN@etwinsite.com
>
> Subject: RE: Halting a spammer
>
> We had the issue again today, another account. We ended up disabling
> the account to stop the problem.
>
> Could someone from Surgemail support suggest how we can kill
> existing sessions (after we've changed the subscriber's password)?
>
> Frank
>
> -----Original Message-----
>
> From: Frank Bulk [mailtoHIDDEN@mypremieronline.com]
>
> Sent: Wednesday, December 07, 2011 9:27 PM
>
> To: surgemailHIDDEN@etwinsite.com
>
> Subject: [SurgeMail List] RE: Halting a spammer
>
> Chris, anyone else from tech support want to chime in?
>
> Frank
>
> -----Original Message-----
>
> From: Frank Bulk [mailtoHIDDEN@mypremieronline.com]
>
> Sent: Tuesday, December 06, 2011 12:34 PM
>
> To: 'surgemailHIDDEN@etwinsite.com'
>
> Subject: [SurgeMail List] Halting a spammer
>
> We had a spamming incident that began around 2:30 am that leveraged
> a compromised Surgemail account. Our monitoring system caught the
> issue at 3:17 am, so when our help desk person started his day at 6
> am he was able to identify the compromised account that the spammer
> was using for smtpauth. But changing the Surgemail account's
> password did not stop the spamming from continuing. Assuming that
> Surgemail maintained the initial SMTP authentication (which the
> Surgemail logs support), we restarted Surgemail on both nodes
> (surgemail stop; wait until the process disappears; surgemail
> start). But the spamming continued. We ended up removing the email
> account to halt the spamming.
>
> How should we have addressed this issue? Is there a command that
> will clear any and all existing SMTP AUTH session for a particular
> username?
>
> Frank
>
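As an added example (not code from this thread or from SurgeMail), the kind of monitoring check Frank mentions catching the incident: a Python script that flags an account whose authenticated SMTP submissions inside a short sliding window exceed a recipient-count or distinct-source-IP threshold, so the help desk gets the compromised account name early. The log line layout, thresholds and sample lines are constructed assumptions, not SurgeMail's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed layout, not SurgeMail's real log format):
# one line per authenticated submission with account, source IP, recipient count.
SAMPLE_LOG = """\
2011-12-06 02:30:11 AUTH user=alice@example.net ip=203.0.113.7 rcpts=40
2011-12-06 02:30:40 AUTH user=alice@example.net ip=203.0.113.7 rcpts=50
2011-12-06 02:31:05 AUTH user=alice@example.net ip=198.51.100.9 rcpts=45
2011-12-06 02:31:30 AUTH user=alice@example.net ip=203.0.113.7 rcpts=50
2011-12-06 02:32:02 AUTH user=bob@example.net ip=192.0.2.44 rcpts=1
2011-12-06 02:55:10 AUTH user=bob@example.net ip=192.0.2.44 rcpts=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTH user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, user, ip, recipient_count) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["ip"], int(m["rcpts"]))

def flag_accounts(log_text, window=timedelta(minutes=10), max_rcpts=100, max_ips=1):
    """Return {user: [reasons]} for accounts whose activity inside any
    sliding window exceeds the recipient or distinct-source-IP thresholds."""
    events = defaultdict(list)
    for ts, user, ip, rcpts in parse(log_text):
        events[user].append((ts, ip, rcpts))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            inwin = [e for e in evs[i:] if e[0] - start <= window]
            total = sum(e[2] for e in inwin)
            ips = {e[1] for e in inwin}
            reasons = []
            if total > max_rcpts:
                reasons.append(f"{total} recipients within {window}")
            if len(ips) > max_ips:
                reasons.append(f"{len(ips)} source IPs within {window}")
            if reasons:
                flagged[user] = reasons
                break  # first offending window is enough to alert on
    return flagged

if __name__ == "__main__":
    for user, why in flag_accounts(SAMPLE_LOG).items():
        print(user, "->", "; ".join(why))
```

Once an account is flagged, the remediation steps in the thread still apply: the password change alone does not end an already-authenticated session, so the cache clear, restart and queue cleanup follow.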