ME020339 - INF: How to determine the source of server abuse


SUMMARY

This article outlines ways to determine the source of spammers abusing the server.

DETAIL

If someone abuses the server by relaying spam through it, whether because they have guessed a user's password or because the relay configuration allows it, the following symptoms usually indicate this:

  • SMTP and MTA log files are much larger than usual
  • The SMTP outbound queue is full of messages waiting for delivery
  • Legitimate emails are delayed
  • Legitimate emails to remote domains are being blocked

In the majority of cases where the server has been relayed through, you can identify the sender from the SMTP logs. These show whether the sender authenticated or was permitted to relay by the server's configuration policies. If the sender authenticated, the mailbox name appears in the SMTP Activity log as the last item on each log line. Open the earliest log file whose size has suddenly increased and look for lines containing the string SMTP-IN. If there is a large number of SMTP-IN lines, check the last item on each of those lines, as it is the mailbox name used to authenticate; a single mailbox appearing on most of them is the compromised account. You can also check the SMTP Debug log for a large number of lines indicating that a user has authenticated.

If the SMTP service is allowing a client to relay without authentication, the SMTP Debug log will contain many lines reading "relay granted". Once the source IP address or the mailbox has been determined, you can block it appropriately.
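As an added example (not part of this article and not MailEnable's own tooling), the following Python script performs the log triage described above on a constructed sample: it counts SMTP-IN lines per mailbox and per client IP in an Activity-log-style extract, records how many distinct client IPs each mailbox authenticated from, and counts "relay granted" lines per IP in a Debug-log-style extract. The field layout of the sample lines (date, time, direction, session id, thread id, client IP, command, response, byte counts, and the mailbox as the last field, with "-" when the session did not authenticate) is an assumption chosen to match the article's description, not MailEnable's documented format; the log lines, addresses and mailbox names are constructed.

```python
import re
from collections import Counter

# Constructed sample of an SMTP Activity log extract. Field layout is an
# ASSUMPTION made for this example: date, time, direction (SMTP-IN/SMTP-OUT),
# session id, thread id, client IP, command, server response, bytes out,
# bytes in, and the authenticated mailbox as the LAST field ("-" when the
# session did not authenticate). Addresses and names are made up.
ACTIVITY_LOG = """\
05/04/16 09:00:01 SMTP-IN 1A01 1188 198.51.100.7 MAIL FROM:<bob@example.com> 250 Requested mail action okay 48 0 bob@example.com
05/04/16 09:00:02 SMTP-IN 1A01 1188 198.51.100.7 RCPT TO:<carol@example.org> 250 Requested mail action okay 41 0 bob@example.com
05/04/16 09:00:02 SMTP-OUT 1A02 1190 192.0.2.25 RCPT TO:<carol@example.org> 250 OK 41 0 -
05/04/16 09:01:10 SMTP-IN 1A03 1191 203.0.113.45 AUTH LOGIN 235 Authenticated 19 0 alice@example.com
05/04/16 09:01:11 SMTP-IN 1A03 1191 203.0.113.45 MAIL FROM:<promo@bulk.invalid> 250 Requested mail action okay 44 0 alice@example.com
05/04/16 09:01:11 SMTP-IN 1A03 1191 203.0.113.45 RCPT TO:<victim1@example.net> 250 Requested mail action okay 43 0 alice@example.com
05/04/16 09:01:12 SMTP-IN 1A03 1191 203.0.113.45 RCPT TO:<victim2@example.net> 250 Requested mail action okay 43 0 alice@example.com
05/04/16 09:01:30 SMTP-IN 1A04 1192 203.0.113.99 AUTH LOGIN 235 Authenticated 19 0 alice@example.com
05/04/16 09:01:31 SMTP-IN 1A04 1192 203.0.113.99 RCPT TO:<victim3@example.net> 250 Requested mail action okay 43 0 alice@example.com
05/04/16 09:01:31 SMTP-IN 1A04 1192 203.0.113.99 RCPT TO:<victim4@example.net> 250 Requested mail action okay 43 0 alice@example.com
05/04/16 09:02:05 SMTP-IN 1A05 1193 192.0.2.80 MAIL FROM:<spam@bulk.invalid> 250 Requested mail action okay 40 0 -
05/04/16 09:02:05 SMTP-IN 1A05 1193 192.0.2.80 RCPT TO:<victim5@example.net> 250 Requested mail action okay 43 0 -
"""

# Constructed sample of an SMTP Debug log extract (same assumed prefix layout).
DEBUG_LOG = """\
05/04/16 09:00:01 SMTP-IN 1A01 1188 198.51.100.7 Connection from 198.51.100.7
05/04/16 09:01:10 SMTP-IN 1A03 1191 203.0.113.45 Authenticated alice@example.com
05/04/16 09:01:30 SMTP-IN 1A04 1192 203.0.113.99 Authenticated alice@example.com
05/04/16 09:02:05 SMTP-IN 1A05 1193 192.0.2.80 Relay granted (policy: allowed relay list)
05/04/16 09:02:05 SMTP-IN 1A05 1193 192.0.2.80 Relay granted (policy: allowed relay list)
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_activity_line(line):
    """Return (direction, client_ip, mailbox) for one Activity log line, or None."""
    fields = line.split()
    if len(fields) < 7 or fields[2] not in ("SMTP-IN", "SMTP-OUT"):
        return None
    # Commands such as "MAIL FROM:<...>" contain spaces, so only fixed
    # positions are indexed: the mailbox is always the last item on the line.
    return fields[2], fields[5], fields[-1]


def summarize_inbound(log_text):
    """Tally SMTP-IN activity by mailbox and by client IP."""
    per_mailbox, per_ip = Counter(), Counter()
    ips_per_mailbox = {}
    unauthenticated = 0
    for line in log_text.splitlines():
        parsed = parse_activity_line(line)
        if parsed is None or parsed[0] != "SMTP-IN":
            continue                      # skip SMTP-OUT and malformed lines
        _, client_ip, mailbox = parsed
        per_ip[client_ip] += 1
        if mailbox == "-":
            unauthenticated += 1          # session relayed without authenticating
        else:
            per_mailbox[mailbox] += 1
            ips_per_mailbox.setdefault(mailbox, set()).add(client_ip)
    return {"per_mailbox": per_mailbox, "per_ip": per_ip,
            "ips_per_mailbox": ips_per_mailbox, "unauthenticated": unauthenticated}


def relay_granted_by_ip(debug_text):
    """Count Debug log lines that say 'relay granted', keyed by client IP."""
    counts = Counter()
    for line in debug_text.splitlines():
        if "relay granted" in line.lower():
            match = IP_RE.search(line)
            if match:
                counts[match.group(1)] += 1
    return counts


def suspects(summary, threshold):
    """Mailboxes and client IPs with at least `threshold` SMTP-IN lines, busiest first.
    On a real server the threshold would be in the thousands; 3 suits the sample."""
    mailboxes = [m for m, n in summary["per_mailbox"].most_common() if n >= threshold]
    ips = [ip for ip, n in summary["per_ip"].most_common() if n >= threshold]
    return mailboxes, ips


if __name__ == "__main__":
    summary = summarize_inbound(ACTIVITY_LOG)
    mailboxes, ips = suspects(summary, threshold=3)
    for mailbox in mailboxes:
        print(f"{mailbox}: {summary['per_mailbox'][mailbox]} SMTP-IN lines "
              f"from {len(summary['ips_per_mailbox'][mailbox])} client IP(s)")
    print("busy client IPs:", ips)
    print("unauthenticated SMTP-IN lines:", summary["unauthenticated"])
    print("relay granted per IP:", dict(relay_granted_by_ip(DEBUG_LOG)))
```

On the sample, the script singles out alice@example.com (seven SMTP-IN lines from two different client IPs) and reports two unauthenticated SMTP-IN lines that the Debug extract explains as "relay granted" for 192.0.2.80. On a real server you would point it at the Activity log file for the day the size jumped and raise the threshold; a single mailbox authenticating from many client IPs in a short window is the pattern to look for, since spammers rarely send from one source address.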

Another tool for diagnosing messages in the SMTP outbound queue is the "Message Information" window. To use it:

  • In the administration console, navigate to Servers > localhost > Services and Connectors > SMTP > Queues > Outbound. The right-hand pane lists the messages sitting in the queue being retried, each with an "Unsent" status.
  • Locate one of the spam messages and double-click it to open the "Message Information" window. It reports all the message envelope details (the message command file). The fields that help here are "Mailbox" and "Client IP".
  • "Mailbox" is the mailbox the spammer used to authenticate. Click the "Disable" button to disable the mailbox; this prevents any further authentication from it and so stops the spammer from being granted relay rights. (You will need to advise the mailbox owner of this and change their password before enabling the mailbox again.)
  • "Client IP" is the IP address of the inbound connection the spammer used. A button next to it automatically adds the address to the SMTP Access Control deny list. Most spammers do not send from a single IP address, but if the same client IP appears throughout most of the queued messages it can easily be blocked with this "Block" button.

To reduce the chance and impact of abuse, enable the SMTP Security options "Limit number of recipients per hour to" and "Authenticated senders must use valid sender address". It is also recommended that, under the localhost server policies, you enable the "Enforce password policy" option to require complex passwords; the "Check existing passwords" button reports mailboxes that already have weak passwords. To reduce the chance of a password being guessed through a dictionary attack, also enable the abuse prevention option, which is found under the same localhost server policies settings and is labelled "Enable abuse detection and prevention".

MORE INFORMATION

How to test if my server is secured from abuse (Open Relay Test)?: Article ME020168

How to determine whether spammers are relaying through the server?: Article ME020280

Spam FAQ: Article ME020391



Product: MailEnable (All Versions)
Module: General
Keywords: spammed open relay spammer compromised
Class: INF: Product Information
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable