SurgeMail Archive: Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay

Subject:	Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay
From:	dward@nccumc.org
Date:	25-Nov-2010
Thanks for this information! �Listed below are some of the entries from today's msg101124.rec file: 24 19:15:47 [140563] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com> 693 <q183611$$4o06$2$v4ii-aHIDDEN@jkxdv> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" 24 19:50:47 [140567] Received 59.112.81.3 <peter@gmail.com> < z2007tw@yahoo.com.tw> <gk49fawn@yahoo.com.tw> 706 <b1l54k5mb-6$92--r1ep7$4u258HIDDEN@obg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 10:36 PM, Support ChrisP <surgemailHIDDEN@t@netwinsite.com> wrote: The msg*.rec log entry always contains the account name used to authenticate an email just find the 'Received' entry for the outgoing spam and then look for the 'relay=' string... `Received 60.234.149.210 .... "Body has arrived, Relay=smtpauth=USER@DOMAIN.NAME,` `��ChrisP.` On Thursday 25/11/2010 at 4:16 pm, surgemailHIDDEN@etwinsite.com wrote: I've looked at this as well.� Nothing in the status advanced view shows me which user accounts are authenticating when these spam messages are slipping through.� The only thing I can think to do now is to manually reset the passwords for all of the accounts on this box.� It's a few hundred addresses across about 40-50 domains... Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 9:28 PM, Lyle Giese <lyle@lcrcomputer.info> wrote: The headers should show the orginating IP address.� Use that to track down connections under the advanced view in Status.� Should help narrow it down. Lyle Giese dward@nccumc.org wrote: Additional information: After finding a legitimate e-mail in the queue I found an X-Authenticated-User field in the message header.� The spam messages do not have this field in their header records.� Any thoughts on how I can track this down? Douglas Ward IT Director NC Methodist Conference ---------- Forwarded message ---------- From: dward@nccumc.org> Date: Wed, Nov 24, 2010 at 4:54 PM Subject: Compromised mailbox allowing spam relay To: surgemailHIDDEN@etwinsite.com Happy Thanksgiving! I have discovered today that one of the accounts on my surgemail server has been compromised. �It appears that a spammer has brute forced a password to relay authenticated mail through our mail server. �Unfortunately, I cannot find any trace within the surgemail logs which account is compromised. �I have checked all of the log files and all I see is the spoofed to/from fields. �The account used to authenticate to the surgemail server is nowhere to be found. �How can I find this? �Once I change this password all is well and I can go back to my vacation. �Any help you might offer would be most appreciated. �Thank you in advance! Douglas Ward IT Director NC Methodist Conference

Last Message | Next Message


Search website: