Comprimised users sending large amount of spam mails

kevindata
Posts: 1
Joined: Mon Jan 16, 2017 2:55 pm

Comprimised users sending large amount of spam mails

Postby kevindata » Mon Jan 16, 2017 2:59 pm

Hi

We have had a problem with some users abusing our mailserver by sending out a large number of emails.

I found a configuration called "Limit number of recipients per hour to <limit> per hour" in SMTP Properties > Security tab.

But I am a little confused, does this limit the outgoing messages a user can send per hour, or does it limit how many emails that can be recieved by the server per hour?

Are there another feature that could help us limit the outgoing spam mails?

Thanks.

MailEnable-Ian
Site Admin
Posts: 8621
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Comprimised users sending large amount of spam mails

Postby MailEnable-Ian » Fri Jan 20, 2017 4:26 am

Hi,

The option is limiting the number of recipients that the server can send to per hour.
Regards,

Ian Margarone
MailEnable Support

stonecutter
Posts: 7
Joined: Mon Oct 06, 2008 2:09 pm

Re: Comprimised users sending large amount of spam mails

Postby stonecutter » Thu Apr 13, 2017 3:04 pm

I recently upgraded from version 6x to version 9.7 and after all these years just had the same problem occur twice. I'm in the midst of trying to solve the cause and really need some help.
Mailenable is sending out huge amounts of spam through one of my own accounts. I changed the password and the spam stopped for a day but it is doing it again. I use a POP3 client and checked my home machine for trojans & viruses and nothing has been detected. I ran multiple AV checks on the server using several different products, checked for rootkits, etc, and the server seems to be clean as well.
Late last month shortly after upgrading to version 9 this happened to another client. We disabled his account for a couple of days and eventually deleted the mailbox, then recreated it a few days later. His account no longer send spam but a week after getting off of the rbl blacklists, my account has started doing it and now we're blacklisted by all of the major lists.
Limiting the number of mails that can be sent is not so much the problem but I need to know why or how this is happening and how to fix it. It never happened before until the upgrade to version 9. If we keep getting listed by CBL they are going to end up banning us from being delisted so I can't request removal until the cause of this is identified and fixed. If we can't send mail I'm going to lose half of my clients if not everyone.

In checking the activity logs, all I see is my account sending and receiving mail but no indication of how my account is sending mail from the system. Another problem is that the log files are becoming HUGE and difficult to analyze. I suggest adding a feature to the log settings where a max size limit can be added to the log files to make them easier to review.

I am desperate now and will do a reinstall of software but don't think this will help for the long term. What I need are some suggestions in figuring out how the accounts are being compromised or used for sending unauthorized spam.

Specs:
The server is running Windows Server 2003 x86 but we will be upgrading to Server 2012 in a couple of months once we can migrate our Frontpage users and custom services to another machine.
I have SPF records for each domain. Relaying is turned off except for users who authenticate. Anti-Spoofing is enabled. Each mailbox requires authentication to send and receive mail.
HijackThis reports no unknown or suspicious processes running. TcpView shows the ME processes but no unknown or suspicious processes or programs using the mail ports.

If anyone can give some insight on this or had a similar problem and fixed it, I could sure use some guidance.
Thanks!

stonecutter
Posts: 7
Joined: Mon Oct 06, 2008 2:09 pm

Re: Comprimised users sending large amount of spam mails

Postby stonecutter » Fri Apr 14, 2017 5:03 pm

Update:
After disabling my mail account that was sending spam, it continued to do so. I deleted the account last night and the smtp log shows that it is still sending from localhost. What would cause MailEnable to send mail from mailboxes that no longer exist?

MailEnable-Ian
Site Admin
Posts: 8621
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Comprimised users sending large amount of spam mails

Postby MailEnable-Ian » Thu Apr 20, 2017 1:10 am

Hi,

If the messages are being relayed from the localhost address (127.0.0.1), you find that the IP is granted relay rights because its present within the SMTP relay option for "Allow relay for privileged IP ranges". Navigate to the SMTP properties "Relay" tab and check to check if the option for "Allow relay fro privileged IP ranges" is checked. If it is then click the button "Privileged IPs..." and remove the 127.0.0.1 IP address from the "Deny all except those in the list" option. Once you have removed the IP address you really need to determine what process is trying to relay spam from your server via the localhost address. Normally this points to a website or form under IIS that has been compromised.
Regards,

Ian Margarone
MailEnable Support

stonecutter
Posts: 7
Joined: Mon Oct 06, 2008 2:09 pm

Re: Comprimised users sending large amount of spam mails

Postby stonecutter » Thu Apr 20, 2017 3:20 pm

I managed to find and fix the problem. This is what I did.....
First, I did limit the number of outgoing emails per hour but it didn't stop the disabled & later deleted account from trying to send outgoing.

Since this was a local account the relaying setting did nothing, even after removing the couple of IP's I had on the list.

So I stopped the ME services and went digging into the config files for any and all references to the offending account. I found the account listed in one long-forgotten account as a redirection and removed it. I found that and other references to the address in the following folders:
Mail Enable/Config/Address-Map
/Config/Audit/Domain name
/Config/Connections/Whitelist
/Config/PostOffices/Domain

I also found tens of thousands of addresses listed in the Whitelist folder and deleted every damn one of them. I can't understand how so many addresses could be in the Whitelist when the Whitelist tab in the SMTP properties of the ME Management Console showed no addresses at all.

Lastly, the Diagnostic utility reported that we had an excessively large number of IP's listed in the Spam Denied list which could cause memory problems with the Auditing so I found the Denied list and deleted over 34k of .tabs that had been there since 2009 when I first started using ME. I only left the IP's which dated back to this time last year.

I admit that we had been hacked & botted but don't understand how the compromised account could still be actively sending outgoing after the account had its password changed, became disabled, and later deleted. That is something that you guys should probably look into.

One other thing I noticed is that even though I have many countries banned from ME, that spam from those countries is still getting through. I figure that maybe the IP's listed in ME's country filter might not be complete or isn't updated regularly. So I purchased a product called IP-Blocker firewall which does the same thing and more. It makes it very easy to add all sorts of blocked lists and stops them at the door, so it protects the entire server and takes a big load off of MailEnable. They charge $69 for a single machine license or $99 for 3 machines. I now have all of my servers protected with their software. Next month we're installing a physical Firewall box to the modem for additional server security.

Who is online

Users browsing this forum: No registered users and 3 guests