I have begun receiving a few of these each day using ME Ent 8.58. Two examples seen. They are routed to my personal inbox, yet appear to have no sender nor receiver. No content.
I can't find the sending IP (like 95.159.144.33) in any ME log files, either. Obviously an attack. I use McAfee SAAS as a pre-filter, and no trace found there either.
Suggestions?
Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 06:20:50 -0600
Received: from h095159144033.ys.dsl.sakhalin.ru ([95.159.144.33]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 06:20:48 -0600
Message-ID: <9[10
X-ME-Bayesian: 40.000000
Return-Path: <Allred_Stacy30@cpame.com>
Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 05:08:31 -0600
Received: from 198.143.133.86 ([178.68.229.92]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 05:08:30 -0600
Message-ID: <5[10
X-ME-Bayesian: 40.000000
Return-Path: <Mccabe_Wesley30@caovilla.com>
ME exploit?
Re: ME exploit?
Hi,
Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 06:20:50 -0600 means that the message originated from the postoffice connector. Most likely the message is a mailbox redirection.
Regards,
Ian Margarone
MailEnable Support
Re: ME exploit?
Thanks Ian. I have several mailboxes with redirects to my personal account. Is there any way to determine which of these mailboxes was used? What would I search for, and in what log file?
Re: ME exploit?
Hi,
Search for Mccabe_Wesley30@caovilla.com within the SMTP logs as a start to see if there are any entries relating to that envelope sender address and who the message was sent to.
Regards,
Ian Margarone
MailEnable Support
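An added example, not part of the original thread: it parses the headers quoted in the first post and returns the values worth searching the SMTP logs for. It assumes the bracketed address in a "Received: from" line is the connecting IP recorded by the receiving server and the name before it is what the client announced; `log_pivots` and `helo_mismatch` are hypothetical names.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers copied from the second sample in the first post
# (the truncated Message-ID line is left out).
SAMPLE = """\
Received: with MailEnable Postoffice Connector; Sat, 18 Apr 2015 05:08:31 -0600
Received: from 198.143.133.86 ([178.68.229.92]) by mail.airbase1.com with MailEnable ESMTP; Sat, 18 Apr 2015 05:08:30 -0600
X-ME-Bayesian: 40.000000
Return-Path: <Mccabe_Wesley30@caovilla.com>

"""

# Assumed layout: "from <HELO name> ([<connecting IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def helo_mismatch(helo, ip):
    """True when the client announced an IP literal that is not its real address."""
    try:
        return ipaddress.ip_address(helo.strip("[]")) != ipaddress.ip_address(ip)
    except ValueError:
        return False  # HELO was a hostname; nothing to compare without DNS

def log_pivots(raw_headers):
    """Return (envelope sender, list of network hops) for searching SMTP logs."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        clause, _, stamp = value.rpartition(";")
        m = HOP.search(clause)
        if not m:
            continue  # local hop such as the Postoffice Connector: no peer address
        hops.append({
            "helo": m["helo"], "ip": m["ip"], "by": m["by"],
            "when": parsedate_to_datetime(stamp.strip()),
            "helo_mismatch": helo_mismatch(m["helo"], m["ip"]),
        })
    sender = msg.get("Return-Path", "").strip("<> ")
    return sender, hops

if __name__ == "__main__":
    sender, hops = log_pivots(SAMPLE)
    print("search logs for sender:", sender)
    for h in hops:
        flag = " (HELO does not match connecting IP)" if h["helo_mismatch"] else ""
        print(f"search logs for IP: {h['ip']} at {h['when'].isoformat()}{flag}")
```

For the second sample the address to look for in the logs is 178.68.229.92, not the 198.143.133.86 the client announced.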
Re: ME exploit?
That was a big help. Thanks Ian. I had done a similar grep before, but perhaps I misspelled what I was looking for. Apparently hackers were testing that the mailbox exists. Later I see numerous attempts to log into that account using brute force - guessing passwords, and using other IPs. Per ME http://forum.mailenable.com/viewtopic.php?t=27976, I guess it is time to try something like pfsense or ScrollOutF1.
Do you have any other suggestions?
Re: ME exploit?
Hi,
Yeah, either attempt to configure the open source ones or invest in a spam gateway (Barracuda).
Regards,
Ian Margarone
MailEnable Support