ME exploit?

Discussion forum for Enterprise Edition.
dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

ME exploit?

Post by dunc » Sat Apr 18, 2015 8:58 pm

I have begun receiving a few of these each day using ME Ent 8.58. Two examples seen. They are routed to my personal inbox, yet appear to have neither sender nor receiver. No content.

I can't find the sending IP (like 95.159.144.33) in any ME log files, either. Obviously an attack. I use McAfee SAAS as a pre-filter, and no trace found there either.

Suggestions?

Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 06:20:50 -0600
Received: from h095159144033.ys.dsl.sakhalin.ru ([95.159.144.33]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 06:20:48 -0600
Message-ID: <9[10
X-ME-Bayesian: 40.000000
Return-Path: <Allred_Stacy30@cpame.com>

Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 05:08:31 -0600
Received: from 198.143.133.86 ([178.68.229.92]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 05:08:30 -0600
Message-ID: <5[10
X-ME-Bayesian: 40.000000
Return-Path: <Mccabe_Wesley30@caovilla.com>

MailEnable-Ian
Site Admin
Posts: 9227
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME exploit?

Post by MailEnable-Ian » Mon Apr 20, 2015 6:12 am

Hi,

"Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 06:20:50 -0600" means that the message originated from the postoffice connector. Most likely the message is a mailbox redirection.

Regards,

Ian Margarone
MailEnable Support

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: ME exploit?

Post by dunc » Mon Apr 20, 2015 3:53 pm

Thanks Ian. I have several mailboxes with redirects to my personal account. Is there any way to determine which of these mailboxes was used? What would I search for, and in what log file?

MailEnable-Ian
Site Admin
Posts: 9227
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME exploit?

Post by MailEnable-Ian » Tue Apr 21, 2015 6:46 am

Hi,

Search for Mccabe_Wesley30@caovilla.com within the SMTP logs as a start to see if there are any entries relating to that envelope sender address and to whom the message was sent.

Regards,

Ian Margarone
MailEnable Support

dunc
Posts: 94
Joined: Mon Oct 24, 2005 11:05 pm
Location: Colorado, USA

Re: ME exploit?

Post by dunc » Tue Apr 21, 2015 2:35 pm

That was a big help. Thanks Ian. I had done a similar grep before, but perhaps I misspelled what I was looking for. Apparently hackers were testing that the mailbox exists. Later I see numerous attempts to log into that account using brute force (guessing passwords) and using other IPs. Per ME http://forum.mailenable.com/viewtopic.php?t=27976, I guess it is time to try something like pfsense or ScrollOutF1.

Do you have any other suggestions?
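Ian's two pointers in this thread, reading the Received chain top-down and searching the SMTP log for the envelope sender, as an added Python example that is not from the thread or from MailEnable. It parses the headers quoted in the first post and walks constructed, simplified SMTP log lines (not MailEnable's real log layout) to map a sender back to the mailboxes it was tried against and which were rejected.

```python
import re

# Headers quoted in the first post (Message-ID truncated exactly as it appeared there).
SAMPLE_HEADERS = """\
Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 06:20:50 -0600
Received: from h095159144033.ys.dsl.sakhalin.ru ([95.159.144.33]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 06:20:48 -0600
Message-ID: <9[10
X-ME-Bayesian: 40.000000
Return-Path: <Allred_Stacy30@cpame.com>
"""

# Constructed SMTP log lines in a simplified layout: date time direction client-ip command reply.
SAMPLE_SMTP_LOG = [
    "04/18/15 05:08:29 SMTP-IN 178.68.229.92 MAIL FROM:<Mccabe_Wesley30@caovilla.com> 250 ok",
    "04/18/15 05:08:29 SMTP-IN 178.68.229.92 RCPT TO:<sales@airbase1.com> 250 ok",
    "04/18/15 05:08:30 SMTP-IN 178.68.229.92 RCPT TO:<nobody@airbase1.com> 550 no such user",
    "04/18/15 06:20:47 SMTP-IN 95.159.144.33 MAIL FROM:<Allred_Stacy30@cpame.com> 250 ok",
    "04/18/15 06:20:48 SMTP-IN 95.159.144.33 RCPT TO:<sales@airbase1.com> 250 ok",
]

# The bracketed address is the connecting IP the server saw, not the name the client claimed.
RECEIVED_IP = re.compile(r"^Received: from \S+ \(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def analyze_headers(raw):
    """Received lines are prepended, so the top one is the last hop and the bottom one the origin."""
    received = [l for l in raw.splitlines() if l.startswith("Received:")]
    origin_ip = None
    for line in reversed(received):  # oldest hop first
        m = RECEIVED_IP.match(line)
        if m:
            origin_ip = m.group(1)
            break
    rp = re.search(r"^Return-Path: <([^>]*)>", raw, re.M)
    return {
        # A top hop from the Postoffice Connector means local delivery/redirect, as Ian explains.
        "redirected_locally": bool(received) and "Postoffice Connector" in received[0],
        "origin_ip": origin_ip,
        "envelope_sender": rp.group(1) if rp else None,
    }

def recipients_for_sender(lines, sender):
    """Return (client_ip, recipient, reply_code) for every RCPT TO in a transaction opened by `sender`."""
    hits, active = [], set()  # active: client IPs whose current transaction used `sender`
    for line in lines:
        ip = line.split()[3]
        if "MAIL FROM:" in line:  # a new transaction starts; track or drop this client
            (active.add if f"MAIL FROM:<{sender}>" in line else active.discard)(ip)
        elif ip in active:
            m = re.search(r"RCPT TO:<([^>]*)> (\d{3})", line)
            if m:
                hits.append((ip, m.group(1), int(m.group(2))))
    return hits
```

A run of 550 replies against many different local names from one client is the mailbox-existence probing dunc describes, and is worth alerting on separately from the spam score.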

MailEnable-Ian
Site Admin
Posts: 9227
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME exploit?

Post by MailEnable-Ian » Wed Apr 22, 2015 3:26 am

Hi,

Yeah, either attempt to configure the open source ones or invest in a spam gateway (Barracuda).

Regards,

Ian Margarone
MailEnable Support
