Spam problem, need help ME 7.5

Duo
Posts: 4
Joined: Fri Jan 23, 2015 3:05 am

Spam problem, need help ME 7.5

Post by Duo »

I have MailEnable 7.5 running on a Plesk install on Windows Server 2012. My IP has been blacklisted due to thousands of spam emails being sent out through the server, but I cannot find how.

In the SMTP logs there is an IP, 118.98.66.56, sending all the emails, which I have blocked, but I can't see how they were relaying in the first place.

The mail server is used only to send email from locally hosted websites, which can relay through 127.0.0.1.

The server has only 2 email accounts set up on it; one is admin@thedomain.tdl.

Here is what is in the smtp activity log:
01/23/15 00:00:55 SMTP-IN DA76ABF38F0C404FB3621B1531ED1154.MAI 1012 118.98.66.56 AUTH {blank} 235 Authenticated 19 6 admin

And then followed by dozens of these:
01/23/15 00:00:56 SMTP-IN DA76ABF38F0C404FB3621B1531ED1154.MAI 1012 118.98.66.56 MAIL MAIL FROM: some@emailaddress.com 250 Requested mail action okay, completed 43 30 admin

So I thought from that they had hacked the admin@ email address above. I have reset the password for that account, but the spam continues.

In the SMTP debug log I get this:
01/23/15 00:00:55 ME-I0135: Authenticating User:admin using Authentication Provider Credentials
01/23/15 00:00:56 ME-I0108: [1012] Relay Granted: Sender has authenticated.
01/23/15 00:00:57 ME-I0108: [1012] Relay Granted: Sender has authenticated.
01/23/15 00:00:57 ME-I0108: [1012] Relay Granted: Sender has authenticated.
01/23/15 00:00:58 ME-I0108: [1012] Relay Granted: Sender has authenticated.
01/23/15 00:00:58 ME-I0108: [1012] Relay Granted: Sender has authenticated.
01/23/15 00:00:59 ME-I0108: [1012] Relay Granted: Sender has authenticated.
(continues like this then repeats)

Doesn't this mean they are authenticating without having to log in with correct credentials?

I'm really stuck as to how they are relaying. My relay settings are locked down as follows:
Allow relay for authenticated senders IS CHECKED
Authentication method MAILENABLE/INTEGRATED
Allow relay for privileged IP ranges IS CHECKED
This is set to DENY RELAY RIGHTS EXCEPT 120.0.0.1

So I thought this would mean that only local accounts would be able to send, such as my locally hosted websites. I only use the email server to relay the emails submitted from the websites hosted on the server and the Plesk panel. I don't actually need to host any email accounts.

If anyone can help shed some light on how this is happening, I'd be very grateful.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Spam problem, need help ME 7.5

Post by MailEnable-Ian »

Hi,

The spammer is definitely authenticating using the "Admin" account. Open up the AUTH.tab file within the MailEnable "BIN" folder in Windows Notepad and ensure there are no duplicate entries in there for the admin mailbox with old passwords that you have changed.

Regards,

Ian Margarone
MailEnable Support

Duo
Posts: 4
Joined: Fri Jan 23, 2015 3:05 am

Re: Spam problem, need help ME 7.5

Post by Duo »

Thanks for the reply; there are no old entries in the Auth.tab file. I notice there is a Post Office set up called "home" with a postmaster@home account set up in it. Is this a default account set up during install? That account has SYSADMIN rights and no password set?

If they are authenticating as admin, it's very strange they were still able to relay through even after a password reset.

As I only need to send email from the server MailEnable is installed on, I've blocked all computers except my own, so the logs are filled with access denied entries now, but at least they can no longer use it to send spam.

arijit
Posts: 2
Joined: Fri Apr 24, 2020 5:45 pm

Re: Spam problem, need help ME 7.5

Post by arijit »

I am using ME Standard 10.43 in 2023 and having the same problem.
How can someone authenticate even after I change passwords?

I have checked the auth.tab file in the bin folder; there are no issues.

01/27/23 22:26:58 SMTP-IN ABFC7583F3974666A55E58F881B28D8F.MAI 2796 3.137.160.82 AUTH {blank} 235 Authenticated 19 18 farhan@domain.com
01/27/23 22:26:58 SMTP-IN E66C5C88483841C0AC5708373C9EE740.MAI 2748 3.137.160.82 220 mail.xxserver.in.in ESMTP MailEnable Service, Version: 10.43-- ready at 01/27/23 22:26:58 91 0
01/27/23 22:26:58 SMTP-IN 360F758540F241D1ACF483359B1445B0.MAI 2920 3.137.160.82 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/27/23 22:26:58 SMTP-IN A6E163C3FDEE492A80EB9F76C45982FD.MAI 3032 3.137.160.82 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/27/23 22:26:58 SMTP-IN AFC2350B3A074760B57E418E19983FEA.MAI 2892 3.137.160.82 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Spam problem, need help ME 7.5

Post by Admin »

Hi,

The log entries don't show a complete authentication attempt, and each of those lines is a separate connection. You need to check the SMTP Debug log to see if they authenticate, or see whether the Activity log continues with the authentication and they have a sender/recipient.
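As an added, defender-side illustration (not code from the thread or from MailEnable): a small Python triage script that groups SMTP activity log lines by session file and connection ID, so that a 334 with no later 235 on the same connection is counted as an incomplete handshake, and only MAIL FROM commands accepted after a 235 count as authenticated relaying. The line shape is assumed from the lines quoted above, and the sample log, accounts and IPs (TEST-NET ranges) are constructed.

```python
import re
from collections import defaultdict

# Assumed line shape, inferred from the activity log lines quoted in this thread:
# <date> <time> SMTP-IN <session>.MAI <conn> <ip> [<CMD> <args>] <code> <text...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP-IN (?P<sess>\S+\.MAI) (?P<conn>\d+) (?P<ip>\S+) "
    r"(?:(?P<cmd>[A-Z]+) (?P<args>.*?) )?(?P<code>\d{3}) (?P<rest>.*)$"
)

# Constructed sample: one connection that completes AUTH and then relays two
# messages, and three separate connections from another host that never get
# past the 334 "Username:" challenge (the pattern Admin describes above).
SAMPLE_LOG = """\
01/27/23 22:26:58 SMTP-IN AAAA0001.MAI 1012 203.0.113.5 AUTH {blank} 235 Authenticated 19 6 admin
01/27/23 22:26:59 SMTP-IN AAAA0001.MAI 1012 203.0.113.5 MAIL MAIL FROM: a@example.net 250 Requested mail action okay, completed 43 30 admin
01/27/23 22:26:59 SMTP-IN AAAA0001.MAI 1012 203.0.113.5 MAIL MAIL FROM: b@example.net 250 Requested mail action okay, completed 43 30 admin
01/27/23 22:27:00 SMTP-IN AAAA0002.MAI 2748 198.51.100.9 220 mail.example.net ESMTP MailEnable Service, Version: 10.43-- ready at 01/27/23 22:27:00 91 0
01/27/23 22:27:00 SMTP-IN AAAA0003.MAI 2920 198.51.100.9 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/27/23 22:27:01 SMTP-IN AAAA0004.MAI 3032 198.51.100.9 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
""".splitlines()

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per source IP: accounts that completed AUTH (235) and how often, number of
    connections whose AUTH never completed, and MAIL FROMs accepted after AUTH."""
    per_conn = {}   # (session, conn) -> {"ip", "pending", "authed"}
    report = defaultdict(lambda: {"authenticated": defaultdict(int),
                                  "incomplete_auth": 0, "mail_after_auth": 0})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        st = per_conn.setdefault((f["sess"], f["conn"]),
                                 {"ip": f["ip"], "pending": 0, "authed": False})
        r = report[f["ip"]]
        if f["cmd"] == "AUTH" and f["code"] == "334":
            st["pending"] += 1                  # challenge sent, not yet answered
        elif f["cmd"] == "AUTH" and f["code"] == "235":
            r["authenticated"][f["rest"].split()[-1]] += 1   # trailing field: account
            st["authed"], st["pending"] = True, 0
        elif f["cmd"] == "MAIL" and f["code"] == "250" and st["authed"]:
            r["mail_after_auth"] += 1           # relay granted on an authed session
    for st in per_conn.values():
        if st["pending"] and not st["authed"]:
            report[st["ip"]]["incomplete_auth"] += 1
    return {ip: {"authenticated": dict(v["authenticated"]),
                 "incomplete_auth": v["incomplete_auth"],
                 "mail_after_auth": v["mail_after_auth"]} for ip, v in report.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over a real activity log (`triage(open(path).readlines())`): an IP with many `mail_after_auth` under one account is a compromised or reused credential, while many `incomplete_auth` connections with no 235 is guessing that has not succeeded.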
