Did you blacklist any of the offensive IPs?
"dward@nccumc.org" <dward@nccumc.org> wrote:
>Thanks for this information! Listed below are some of the entries from
>today's msg101124.rec file:
>
>24 19:15:47 [140563] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com>
>693 <q183611$$4o06$2$v4ii-a$f7@je0jkxdv> "Body has arrived,
>Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"
>
>24 19:50:47 [140567] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com>
>679 <2tv64j$j$2-j--$se4h$v74@kz1e.r0wrxg> "Body has arrived,
>Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"
>
>24 19:59:58 [140568] Received 114.36.46.72 <z2007tw@yahoo.com.tw> <
>gk49fawn@yahoo.com.tw> 706 <b1l54k5mb-6$92--r1ep7$4u258$0b@j2oobg> "Body has
>arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"
>
>Douglas Ward
>IT Director
>NC Methodist Conference
>
>
>On Wed, Nov 24, 2010 at 10:36 PM, Support ChrisP <
>surgemail-support@netwinsite.com> wrote:
>
>> The msg*.rec log entry always contains the account name used to
>> authenticate an email; just find the 'Received' entry for the outgoing spam
>> and then look for the 'Relay=' string...
>>
>> Received 60.234.149.210 .... "Body has arrived, Relay=smtpauth=USER@DOMAIN.NAME,
>>
>>
>> ChrisP.
>>
>>
>>
>> On Thursday 25/11/2010 at 4:16 pm, surgemail-list@netwinsite.com wrote:
>>
>> I've looked at this as well. Nothing in the status advanced view shows me
>> which user accounts are authenticating when these spam messages are slipping
>> through. The only thing I can think to do now is to manually reset the
>> passwords for all of the accounts on this box. It's a few hundred addresses
>> across about 40-50 domains...
>>
>> Douglas Ward
>> IT Director
>> NC Methodist Conference
>>
>>
>> On Wed, Nov 24, 2010 at 9:28 PM, Lyle Giese <lyle@lcrcomputer.info> wrote:
>>
>>> The headers should show the originating IP address. Use that to track down
>>> connections under the advanced view in Status. Should help narrow it down.
>>>
>>> Lyle Giese
>>>
>>>
>>> dward@nccumc.org wrote:
>>>
>>> Additional information: After finding a legitimate e-mail in the queue I
>>> found an X-Authenticated-User field in the message header. The spam
>>> messages do not have this field in their header records. Any thoughts on
>>> how I can track this down?
>>>
>>> Douglas Ward
>>> IT Director
>>> NC Methodist Conference
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: dward@nccumc.org <dward@nccumc.org>
>>> Date: Wed, Nov 24, 2010 at 4:54 PM
>>> Subject: Compromised mailbox allowing spam relay
>>> To: surgemail-list@netwinsite.com
>>>
>>>
>>> Happy Thanksgiving!
>>>
>>> I have discovered today that one of the accounts on my surgemail server
>>> has been compromised. It appears that a spammer has brute forced a password
>>> to relay authenticated mail through our mail server. Unfortunately, I
>>> cannot find any trace within the surgemail logs which account is
>>> compromised. I have checked all of the log files and all I see is the
>>> spoofed to/from fields. The account used to authenticate to the surgemail
>>> server is nowhere to be found. How can I find this? Once I change this
>>> password all is well and I can go back to my vacation. Any help you might
>>> offer would be most appreciated. Thank you in advance!
>>>
>>> Douglas Ward
>>> IT Director
>>> NC Methodist Conference
>>>
>>>
>>>
>>
>>
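The log check ChrisP describes (find the 'Received' entry and read the 'Relay=' field) as an added example, not code from the thread or from SurgeMail. The line layout is inferred from the msg*.rec entries quoted above; the sample lines, the documentation-range IPs and the example.org account names are constructed for the demo. The script parses each entry, groups authenticated submissions by the account in Relay=smtpauth=..., flags accounts that submit from several source IPs (the pattern one would expect from a guessed password), and separately counts the source IPs of entries that, like the ones Douglas quoted, carry no authenticated user at all.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the msg*.rec layout seen in the thread.
# IPs are documentation-range or copied from the quoted entries; the
# smtpauth account names are made up for the example.
SAMPLE_REC_LINES = [
    '24 19:15:47 [140563] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com> 693 <q1@je0jkxdv> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"',
    '24 19:50:47 [140567] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com> 679 <2t@kz1e.r0wrxg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"',
    '24 19:59:58 [140568] Received 114.36.46.72 <z2007tw@yahoo.com.tw> <gk49fawn@yahoo.com.tw> 706 <b1@j2oobg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]"',
    '24 20:03:11 [140570] Received 60.234.149.210 <peter@gmail.com> <x9@ymail.com> 701 <c2@abc> "Body has arrived, Relay=smtpauth=user1@example.org, nrcpt=1, s=[BC_12.54.6.101]"',
    '24 20:05:40 [140571] Received 198.51.100.7 <peter@gmail.com> <x10@ymail.com> 690 <c3@abc> "Body has arrived, Relay=smtpauth=user1@example.org, nrcpt=1, s=[BC_12.54.6.101]"',
    '24 20:07:02 [140572] Received 192.0.2.10 <alice@example.org> <bob@example.net> 512 <c4@abc> "Body has arrived, Relay=smtpauth=alice@example.org, nrcpt=1, s=[BC_12.54.6.101]"',
]

# day time [id] Received <ip> <from> <to> <size> <msgid> "<detail>"
REC_RE = re.compile(
    r'^(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \[(?P<id>\d+)\] Received '
    r'(?P<ip>\S+) <(?P<from>[^>]*)> <(?P<to>[^>]*)> (?P<size>\d+) <(?P<msgid>[^>]*)> '
    r'"(?P<detail>.*)"$'
)


def parse_rec_line(line):
    """Parse one 'Received' entry; return a dict or None if the line does not match."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The quoted detail is a comma-separated list of key=value items.
    fields = {}
    for part in rec['detail'].split(', '):
        if '=' in part:
            key, value = part.split('=', 1)
            fields[key] = value
    rec['relay'] = fields.get('Relay', '')
    # Relay=smtpauth=USER@DOMAIN names the account that authenticated.
    if rec['relay'].startswith('smtpauth='):
        rec['auth_user'] = rec['relay'][len('smtpauth='):]
    else:
        rec['auth_user'] = None
    rec['nrcpt'] = int(fields.get('nrcpt', '0'))
    return rec


def summarize(lines):
    """Group authenticated submissions per account; collect the rest separately."""
    per_user = defaultdict(lambda: {'messages': 0, 'source_ips': set()})
    unauthenticated = []
    for line in lines:
        rec = parse_rec_line(line)
        if rec is None:
            continue
        if rec['auth_user']:
            entry = per_user[rec['auth_user']]
            entry['messages'] += 1
            entry['source_ips'].add(rec['ip'])
        else:
            unauthenticated.append(rec)
    return per_user, unauthenticated


def suspicious_users(per_user, min_ips=2):
    """Accounts submitting from at least min_ips distinct source addresses."""
    return sorted(user for user, e in per_user.items() if len(e['source_ips']) >= min_ips)


def unauthenticated_source_ips(unauthenticated):
    """Source IPs of entries with no smtpauth account, for blocking decisions."""
    return Counter(rec['ip'] for rec in unauthenticated)


if __name__ == '__main__':
    users, unauth = summarize(SAMPLE_REC_LINES)
    for user in suspicious_users(users):
        print(f"reset password: {user} from {sorted(users[user]['source_ips'])}")
    for ip, n in unauthenticated_source_ips(unauth).most_common():
        print(f"no smtpauth account: {ip} ({n} messages)")
```

Run it against a real msg*.rec file by replacing SAMPLE_REC_LINES with the file's lines; the threshold in suspicious_users is deliberately low because a single compromised account is usually the only one submitting from multiple unrelated addresses, and the second report gives the source IPs to review when, as in Douglas's entries, the spam carries no smtpauth account at all.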