Additional information: After finding a legitimate
e-mail in the queue I found an X-Authenticated-User field in the
message header. The spam messages do not have this field in their
header records. Any thoughts on how I can track this down?
---------- Forwarded message
----------
From:
dward@nccumc.org
<dward@nccumc.org>
Date: Wed, Nov 24, 2010 at 4:54 PM
Subject: Compromised mailbox allowing spam relay
To:
surgemail-list@netwinsite.com
Happy Thanksgiving!
I have discovered today that one of the accounts on my
surge
mail server has been compromised. It appears that a spammer has
brute forced a password to relay authenticated mail through our mail
server. Unfortunately, I cannot find any trace within the surgemail
logs which account is compromised. I have checked all of the log files
and all I see is the spoofed to/from fields. The account used to
authenticate to the surge
mail server is nowhere to be found. How can I
find this? Once I change this password all is well and I can go back
to my vacation. Any help you might offer would be most appreciated.
Thank you in advance!
Douglas Ward
IT Director
NC Methodist Conference