Username and pass of sender

Discussions on webmail and the Professional version.
fcastro
Posts: 1
Joined: Thu Apr 29, 2010 2:20 pm

Username and pass of sender

Post by fcastro »

Hi,

A spammer used a mail server to send spam using valid username and password stolen from a customer.

Does someone know a way to see which user is sending these thousands of emails?

The server is closed to open relaying; I have deactivated the domain and the spam stops. But now I need to know the username that was compromised to change the password.

Thanks a lot for your help!

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Re: Username and pass of sender

Post by MailEnable-Ben »

If you check the SMTP activity logs at the time of the spammer authenticating to send, you will see the mailbox name used to authenticate at the end of the line. Here is an example where I sent a forged email with the address test@test.com but authenticated as the mailbox test2. You see the test2 at the end of each line:

04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 EHLO EHLO test 250-test.com [192.168.2.1], this server offers 4 extensions 121 14
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 test2
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 AUTH cGFzcw== 235 Authenticated 19 10 test2
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 MAIL MAIL FROM: <test@test.com> 250 Requested mail action okay, completed 43 28 test2
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 RCPT RCPT TO: <ben@me.com> 250 Requested mail action okay, completed 43 31 test2
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 test2
04/30/10 15:30:12 SMTP-IN 612287EB14824912844096F19B3CCC02.MAI 620 192.168.2.1 QUIT QUIT 221 Service closing transmission channel 42 6 test2 Test

Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.
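Added example, not code from MailEnable or from this thread: a small Python script that applies the observation above to a whole SMTP activity log, grouping lines by the trailing mailbox field and counting MAIL FROM commands, client IPs and sessions per mailbox so the compromised account stands out. The sample lines are constructed in the layout shown above (the IPs and session ids are made up); the field positions are assumed from that layout.

```python
from collections import defaultdict

# Constructed sample lines in the SMTP-IN activity layout shown above: date, time, direction,
# session id, a numeric field, client IP, command, request, response, two byte counts, then the
# mailbox once the session has authenticated. Not a real capture; IPs/session ids are invented.
SAMPLE_LOG = """\
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 EHLO EHLO test 250-test.com [192.168.2.1], this server offers 4 extensions 121 14
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 AUTH cGFzcw== 235 Authenticated 19 10 test2
04/30/10 15:30:10 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 MAIL MAIL FROM: <test@test.com> 250 Requested mail action okay, completed 43 28 test2
04/30/10 15:30:11 SMTP-IN 30B62F893D294CA3902E6D8031F12533.MAI 620 192.168.2.1 MAIL MAIL FROM: <test@test.com> 250 Requested mail action okay, completed 43 28 test2
04/30/10 15:30:12 SMTP-IN 7A1C0000000000000000000000000001.MAI 621 203.0.113.7 AUTH cGFzcw== 235 Authenticated 19 10 test2
04/30/10 15:30:12 SMTP-IN 7A1C0000000000000000000000000001.MAI 621 203.0.113.7 MAIL MAIL FROM: <promo@example.net> 250 Requested mail action okay, completed 43 28 test2
04/30/10 15:30:13 SMTP-IN 7A1C0000000000000000000000000002.MAI 622 198.51.100.9 AUTH cGFzcw== 235 Authenticated 19 10 test2
04/30/10 15:30:13 SMTP-IN 7A1C0000000000000000000000000002.MAI 622 198.51.100.9 MAIL MAIL FROM: <promo@example.net> 250 Requested mail action okay, completed 43 28 test2
04/30/10 15:31:00 SMTP-IN 7A1C0000000000000000000000000003.MAI 623 192.168.2.5 AUTH cGFzcw== 235 Authenticated 19 10 alice
04/30/10 15:31:00 SMTP-IN 7A1C0000000000000000000000000003.MAI 623 192.168.2.5 MAIL MAIL FROM: <alice@test.com> 250 Requested mail action okay, completed 43 28 alice
"""

def parse_line(line):
    """Split one SMTP-IN line; the mailbox is whatever follows the last two numeric byte counts."""
    t = line.split()
    if len(t) < 9 or t[2] != "SMTP-IN":
        return None
    j = len(t) - 1
    while j > 0 and not (t[j - 1].isdigit() and t[j].isdigit()):
        j -= 1
    mailbox = " ".join(t[j + 1:]) or None  # None before AUTH succeeded (line ends in the byte counts)
    return {"time": f"{t[0]} {t[1]}", "session": t[3], "ip": t[5], "command": t[6], "mailbox": mailbox}

def summarize(log_text):
    """Per authenticated mailbox: number of MAIL FROM commands, distinct client IPs and sessions."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "sessions": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mailbox"] is None:
            continue  # not an SMTP-IN line, or the unauthenticated part of a session
        s = stats[rec["mailbox"]]
        s["sessions"].add(rec["session"])
        s["ips"].add(rec["ip"])
        if rec["command"] == "MAIL":
            s["messages"] += 1
    return dict(stats)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for mailbox in sorted(stats, key=lambda m: stats[m]["messages"], reverse=True):
        s = stats[mailbox]
        print(f"{mailbox}: {s['messages']} messages from {len(s['ips'])} IPs over {len(s['sessions'])} sessions")
```

Run it against a real SMTP-Activity log file instead of SAMPLE_LOG; a mailbox with far more messages than usual, submitted from several unfamiliar client IPs, is the one whose password needs changing.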

trusnock
Posts: 132
Joined: Tue Jan 31, 2006 8:42 pm

Re: Username and pass of sender

Post by trusnock »

Is there a similar workaround for the POP logs? When a user authenticates with NTLM, the username does not appear in the pop-activity log. It does appear in the pop-debug log, but that entry doesn't have the IP address or session number, so it's impossible to correlate accurately.

This makes POP troubleshooting very difficult. As more and more users upgrade to newer versions of Outlook (which always try NTLM first), the pop-activity log is becoming less and less useful for user-specific troubleshooting.

Is there some trick or setting I'm not aware of, or would it be possible to add the (full) username in the pop-activity log along with the IP address and session ID in a future release?

-Tom R.
