Recurring attempt sending SPAM mail MailEnable Professional 10.9

Jose Hicks
Posts: 1
Joined: Wed Oct 31, 2018 7:15 pm
Location: Torreon Coahuila Mexico

Post by Jose Hicks » Wed Oct 31, 2018 7:35 pm

Hello, I have a serious problem on my mail server: apparently they seeded a script for mass mailing. It is not possible to find the "sender".

The SMTP sending mode is controlled by smart host in all my domains. The CPU consumption is regularly at the maximum. He apparently cannot send mail. The destinations are random and do not exist in mailboxes.

I already installed the last licensed version of MailEnable, 10.19, and reinstalled, and the same problem remains.

Please HELP

Part of debug file

10/31/18 13:19:19 ME-I0074: [1656] (Debug) End of conversation
10/31/18 13:19:23 ME-I0135: Authenticating User:majordom@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:24 ME-I0101: [1656] Local Delivery: Address ([SMTP:compras@clinicaandalucia.com.mx]) is local.
10/31/18 13:19:25 ME-I0074: [1756] (Debug) End of conversation
10/31/18 13:19:27 ME-I0135: Authenticating User:maui@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:27 ME-I0135: Authenticating User:creative@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:27 ME-I0135: Authenticating User:alex@3tic.com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:28 ME-I0149: [1656] BD2202FF238A47C7B148689EEE8A6A3F.MAI was received successfully and delivery thread was initiated
10/31/18 13:19:29 ME-I0074: [1588] (Debug) End of conversation
10/31/18 13:19:29 ME-I0074: [1644] (Debug) End of conversation
10/31/18 13:19:29 ME-I0074: [1980] (Debug) End of conversation
10/31/18 13:19:29 ME-E0072: [1656] (send) could not send response to client (10054)
10/31/18 13:19:29 ME-I0074: [1656] (Debug) End of conversation
10/31/18 13:19:32 ME-I0135: Authenticating User:rick@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:33 ME-I0135: Authenticating User:maximus@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:33 ME-I0074: [1800] (Debug) End of conversation
10/31/18 13:19:34 ME-I0074: [1764] (Debug) End of conversation
10/31/18 13:19:36 ME-I0135: Authenticating User:machine@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:41 ME-I0074: [1412] (Debug) End of conversation
10/31/18 13:19:41 ME-I0135: Authenticating User:membership@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:43 ME-I0074: [1808] (Debug) End of conversation
10/31/18 13:19:44 ME-E0070: (recv) socket [1740] error during [EHLO] command from host 194.53.142.2. Socket was disconnected - Error: (10060)
10/31/18 13:19:44 ME-I0074: [1740] (Debug) End of conversation
10/31/18 13:19:47 ME-I0135: Authenticating User:jon@3tic.com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:48 ME-I0074: [1692] (Debug) End of conversation
10/31/18 13:19:48 ME-I0135: Authenticating User:menu@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:49 ME-I0135: Authenticating User:auditor@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:50 ME-I0074: [1604] (Debug) End of conversation
10/31/18 13:19:51 ME-I0135: Authenticating User:modifications@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:51 ME-I0074: [1980] (Debug) End of conversation
10/31/18 13:19:52 ME-I0074: [1596] (Debug) End of conversation
10/31/18 13:19:54 ME-I0135: Authenticating User:hunter@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:55 ME-I0074: [1620] (Debug) End of conversation
10/31/18 13:19:57 ME-I0135: Authenticating User:mouse@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:19:59 ME-I0074: [2020] (Debug) End of conversation
10/31/18 13:20:03 ME-I0135: Authenticating User:movie@com.mx using Authentication Provider Credentials failed (unknown user)
10/31/18 13:20:04 ME-I0074: [1604] (Debug) End of conversation


activity log

10/31/18 13:33:01 SMTP-OU 647AA7DC7D6044A7806F453F2649AF62.MAI 1804 45.33.53.153 DATE . 250 OK id=1gHwEe-rlZGN8-P8 30367 28 esmeralda.medina@clinicaandalucia.com.mx ULTIMO PAGO LIC. FRANCISCO GALINDO EDIFICIO ABASOLO
10/31/18 13:33:01 SMTP-OU 647AA7DC7D6044A7806F453F2649AF62.MAI 1804 45.33.53.153 QUIT QUIT 221 mail.smtp2go.com closing connection 6 41 esmeralda.medina@clinicaandalucia.com.mx ULTIMO PAGO LIC. FRANCISCO GALINDO EDIFICIO ABASOLO
10/31/18 13:33:01 SMTP-IN 9F9381C3EAA54DCF94C466DDA8BD8843.MAI 1400 208.91.199.207 220 webmail.3tic.com.mx ESMTP MailEnable Service, Version: 10.19-10.19- ready at 10/31/18 13:33:01 100 0
10/31/18 13:33:01 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 220 webmail.3tic.com.mx ESMTP MailEnable Service, Version: 10.19-10.19- ready at 10/31/18 13:33:01 100 0
10/31/18 13:33:01 SMTP-IN 9F9381C3EAA54DCF94C466DDA8BD8843.MAI 1400 208.91.199.207 EHLO EHLO us2-ob2-6.mailhostbox.com 250-franco.com [208.91.199.207], this server offers 4 extensions 227 32
10/31/18 13:33:01 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/31/18 13:33:01 SMTP-IN 9F9381C3EAA54DCF94C466DDA8BD8843.MAI 1400 208.91.199.207 MAIL MAIL FROM:<alejandra.salas@switchpublicidad.com> 250 Requested mail action okay, completed 43 50
10/31/18 13:33:01 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 EHLO EHLO User 250-franco.com [194.53.142.2], this server offers 4 extensions 225 11
10/31/18 13:33:02 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 EHLO EHLO User 250-franco.com [194.53.142.42], this server offers 4 extensions 226 11
10/31/18 13:33:02 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 AUTH {blank} 334 UGFzc3dvcmQ6 18 26 shane@3tic.com.mx
10/31/18 13:33:02 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 RSET RSET 250 Requested mail action okay, completed 43 6
10/31/18 13:33:03 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 RSET RSET 250 Requested mail action okay, completed 43 6
10/31/18 13:33:03 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 AUTH cGFzc3dvcmQ= 535 Invalid Username or Password 34 14 shane@3tic.com.mx
10/31/18 13:33:04 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/31/18 13:33:04 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/31/18 13:33:04 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 QUIT QUIT 221 Service closing transmission channel 42 6 shane@3tic.com.mx
10/31/18 13:33:05 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 wanglx@com.mx
10/31/18 13:33:05 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 AUTH {blank} 334 UGFzc3dvcmQ6 18 22 sports@com.mx
10/31/18 13:33:05 SMTP-IN 6A2AF9DD7DBF4C6080578E9E010F1A56.MAI 856 194.53.142.2 220 webmail.3tic.com.mx ESMTP MailEnable Service, Version: 10.19-10.19- ready at 10/31/18 13:33:05 100 0
10/31/18 13:33:06 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 AUTH MTM1Nzk= 535 Invalid Username or Password 34 10 wanglx@com.mx
10/31/18 13:33:06 SMTP-IN 6A2AF9DD7DBF4C6080578E9E010F1A56.MAI 856 194.53.142.2 EHLO EHLO User 250-franco.com [194.53.142.2], this server offers 4 extensions 225 11
10/31/18 13:33:06 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 AUTH MTIzNDU= 535 Invalid Username or Password 34 10 sports@com.mx
Jose Hicks
Redireccion De Servicios Operativos
TRC COAH MX
tic@3tic.com.mx

MailEnable-Ian
Site Admin
Posts: 9028
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Recurring attempt sending SPAM mail MailEnable Professional 10.9

Post by MailEnable-Ian » Thu Nov 08, 2018 1:59 am

Hi,

In your log snippets there is only evidence of inbound connections trying to authenticate and failing. In your SMTP Debug log file there is no evidence of relays being granted to send outbound. Check the outbound queue for the spam message ID and then double click the message and check the search history to see where it's originating from and which mailbox was used to authenticate.
Regards,

Ian Margarone
MailEnable Support
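
The observation in this reply (only rejected inbound logins, no accepted one) can be checked across a whole SMTP activity log with a short script. This is an added example, not part of the original thread or MailEnable's own tooling: it tallies 535 replies per source /24 and lists any 235 reply (the RFC 4954 success code). It assumes the whitespace-flattened column layout seen in the post; the last sample line is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# First five lines are copied from the activity log in the post above.
# The last line is CONSTRUCTED (documentation IP, made-up reply text) to
# show how an accepted login would surface.
SAMPLE = """\
10/31/18 13:33:01 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/31/18 13:33:01 SMTP-IN 9F9381C3EAA54DCF94C466DDA8BD8843.MAI 1400 208.91.199.207 MAIL MAIL FROM:<alejandra.salas@switchpublicidad.com> 250 Requested mail action okay, completed 43 50
10/31/18 13:33:03 SMTP-IN FA91DFC2B1D240C19F626B1B1CC15BE2.MAI 876 194.53.142.231 AUTH cGFzc3dvcmQ= 535 Invalid Username or Password 34 14 shane@3tic.com.mx
10/31/18 13:33:06 SMTP-IN 45D5E3A36DBE4B0398B0CE2692D7FB61.MAI 1808 194.53.142.42 AUTH MTM1Nzk= 535 Invalid Username or Password 34 10 wanglx@com.mx
10/31/18 13:33:06 SMTP-IN C552854D2D324BAC8D601ADB3B88EB03.MAI 1800 194.53.142.2 AUTH MTIzNDU= 535 Invalid Username or Password 34 10 sports@com.mx
10/31/18 13:40:00 SMTP-IN 00000000000000000000000000000000.MAI 900 203.0.113.5 AUTH ZXhhbXBsZQ== 235 Authenticated 20 14 user@example.com
"""

def parse_auth(line):
    """Return (source_ip, reply_code, user) for a final AUTH reply, else None."""
    t = line.split()
    if len(t) < 9 or t[2] != "SMTP-IN" or t[6] != "AUTH":
        return None
    # The first three-digit token after the command is the SMTP reply code.
    code = next((x for x in t[7:] if len(x) == 3 and x.isdigit()), None)
    if code not in ("235", "535"):
        return None  # 334 challenge steps carry no verdict
    user = t[-1] if "@" in t[-1] else None
    return t[5], code, user

def summarise(log_text):
    failures = Counter()        # rejected logins per source /24
    users = defaultdict(set)    # usernames tried per source /24
    accepted = []               # (ip, user) for every accepted login
    for line in log_text.splitlines():
        hit = parse_auth(line)
        if hit is None:
            continue
        ip, code, user = hit
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        if code == "535":
            failures[net] += 1
            if user:
                users[net].add(user)
        else:
            accepted.append((ip, user))
    return failures, users, accepted

if __name__ == "__main__":
    failures, users, accepted = summarise(SAMPLE)
    for net, n in failures.most_common():
        print(f"{net}: {n} rejected logins, users tried: {sorted(users[net])}")
    print("accepted logins to investigate:", accepted or "none")
```

An empty accepted list matches what the reply describes; any entry in it names the mailbox and source address to look into first.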
