SurgeMail Archive: Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay

Subject:	Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay
From:	dward@nccumc.org
Date:	25-Nov-2010
My system does not have an sws.rec file. �The only files that I have in the /usr/local/surgemail/rec1011/ directory is msg.rec and stat.dat. �Neither of these files show the authentication. �Where else could surgemail be storing this? �Any information you could provide would be most helpful. �We are a few hours away from the third full day that this system has been affected. �My next plan would be to dump the server completely and start over but I don't know which user account is authenticating. �I would likely migrate the same problem to the new installation. If surgemail is just not going to record this authentication information is there a way for me to quickly enforce a system wide password reset? �Can I disable all of the domains and turn them back on selectively to test which domain user is causing the issue? �If I could at least do that then I could narrow it down to a segment of accounts. Douglas Ward IT Director NC Methodist Conference On Thu, Nov 25, 2010 at 9:38 AM, Lyle Giese <lyle@lcrcomputer.info> wrote: On my system, the msg.rec file has the from and to fields and not the authenication.� The sws.rec file has the auth information. Lyle Giese LCR Computer Services, Inc. dward@nccumc.org wrote: Thanks for this information! �Listed below are some of the entries from today's msg101124.rec file: 24 19:15:47 [140563] Received 59.112.81.3 < peter@gmail.com> <w852@ymail.com> 679 <2tv64j$j$2-j--$se4hHIDDEN@1e.r0wrxg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" 24 19:59:58 [140568] Received 114.36.46.72 <z2007tw@yahoo.com.tw> <gk49fawn@yahoo.com.tw> 706 <b1l54k5mb-6$92--r1ep7$4u258HIDDEN@obg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 10:36 PM, Support ChrisP <surgemailHIDDEN@t@netwinsite.com> wrote: The msg.rec log entry always contains the account name used to authenticate an email just find the 'Received' entry for the outgoing spam and then look for the 'relay=' string... `Received 60.234.149.210 .... "Body has arrived, Relay=smtpauth=,` surgemailHIDDEN@etwinsite.com wrote: I've looked at this as well.� Nothing in the status advanced view shows me which user accounts are authenticating when these spam messages are slipping through.� The only thing I can think to do now is to manually reset the passwords for all of the accounts on this box.� It's a few hundred addresses across about 40-50 domains... Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 9:28 PM, Lyle Giese <HIDDEN@rcomputer.info> wrote: The headers should show the orginating IP address.� Use that to track down connections under the advanced view in Status.� Should help narrow it down. Lyle Giese dward@nccumc.org wrote: Additional information: After finding a legitimate e-mail in the queue I found an X-Authenticated-User field in the message header.� The spam messages do not have this field in their header records.� Any thoughts on how I can track this down? Douglas Ward IT Director NC Methodist Conference ---------- Forwarded message ---------- From: dHIDDEN@cumc.org> Date: Wed, Nov 24, 2010 at 4:54 PM Subject: Compromised mailbox allowing spam relay To: surgemailHIDDEN@etwinsite.com Happy Thanksgiving! I have discovered today that one of the accounts on my surgemail server has been compromised. �It appears that a spammer has brute forced a password to relay authenticated mail through our mail server. �Unfortunately, I cannot find any trace within the surgemail logs which account is compromised. �I have checked all of the log files and all I see is the spoofed to/from fields. �The account used to authenticate to the surgemail server is nowhere to be found. �How can I find this? �Once I change this password all is well and I can go back to my vacation. �Any help you might offer would be most appreciated. �Thank you in advance! Douglas Ward IT Director NC Methodist Conference

Last Message | Next Message


Search website: