Server been used as spammed machine

Discussion forum for Enterprise Edition.
Post Reply
juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Server been used as spammed machine

Post by juniorelnino » Fri Oct 04, 2013 8:39 am

I think my mail server just send over 500K emails. I manage to see one of the email header
Received: from ([41.215.163.10]) by DOMAIN.asia with MailEnable WebMail; Fri, 4 Oct 2013 14:45:26 +0800
To: undisclosed-recipients
From: "gmeormanu1@yahoo.ca" <>
Subject: This is the last notice..please confirm receipt
Date: Thu, 3 Oct 2013 23:45:26 -0700
Message-ID: <9AC1B2467AFB4961844E823F2F032616.MAI@DOMAIN.asia>
MIME-Version: 1.0
X-Mailer: MailEnable WebMail.NET
X-MimeOLE: Produced By MailEnable WebMail.NET V6.83.0.0
X-Read: 0
Content-Type: multipart/mixed;
boundary="--=_Part_B9AF5025A521414D861F16020981C38D"
X-Priority: 3
X-MSMail-Priority: Medium
I am using MailEnable Enterprise Premium Edition (V6) on Server 2008 (6.83)

How do I block this spammer ?
I dont see him authenticating as one of my mailbox users.

Please help.

gxavier.bh
Posts: 138
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: Server been used as spammed machine

Post by gxavier.bh » Fri Oct 04, 2013 2:08 pm

Hi,

Go to SMTP properties, relay tab and check pop before SMTP. This will force user to check e-mail before send.
On security tab, select "Reject mail if sender address is from a invalid domain" and "Authenticated senders must use a valid sender address".

rfwilliams777
Posts: 1323
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 » Sun Oct 06, 2013 1:46 am

I agree with the recommendation. All users should authenticate. If they don't, then they cannot send e-mail through your server. Hopefully no blacklist damage has been done.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino » Wed Oct 09, 2013 5:37 am

Blacklist damage done, but I have alternate sendmail server.

I have followed all the above recommendations, in addition, I have also block this IP: 41.215.163.10 under [SMTP] -> [Inbound] -> [Access Control]

Am I doing it right?

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino » Mon Oct 28, 2013 5:33 pm

After doing all the necessary, my email server is still been used as spam machine, any idea how to get rid ?

Return-Path
Received from mail.mydomain.asia (xmail.mydomain.asia [000.000.000.000] (may be forged))by smtp7.mydomain.asia (8.13.8/8.13.8) with ESMTP id r9SCBhAp014826for <blossoms@alfalah.com>; Mon, 28 Oct 2013 20:11:44 +0800
Received from ([41.215.160.202]) by mydomain.asia with MailEnable WebMail; Mon, 28 Oct 2013 20:27:13 +0800
To undisclosed-recipients
From "James Blanco" <>
Subject Compliment of the day to you.
Date Mon, 28 Oct 2013 12:27:13 -0000
Message-ID <42D214A72F7E4725BF18980D92C183C7.MAI@appcogroup.asia>

rfwilliams777
Posts: 1323
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 » Mon Oct 28, 2013 7:42 pm

If you wish to pay for some troubleshooting, I will be happy to work on your server to help resolve the spamming issue. I can also provide you a number of recommendations and/or changes implemented so you will know how to respond to these issues. My rate is $65 USD/hr.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

gxavier.bh
Posts: 138
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: Server been used as spammed machine

Post by gxavier.bh » Tue Oct 29, 2013 2:31 pm

Have you discovery the account used for Spam to be blocked?
Take a look at relay options and block IP.
You can limit the amount of e-mail can be sent per hour by post office.
As last option, send e-mail to the post office saying that it will disable for few minutes.

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino » Mon Feb 17, 2014 4:45 am

Yes, I follow your suggestion and it works.

Go to SMTP properties, relay tab and check pop before SMTP. This will force user to check e-mail before send.
On security tab, select "Reject mail if sender address is from a invalid domain" and "Authenticated senders must use a valid sender address".

aram
Posts: 26
Joined: Mon Aug 01, 2011 4:43 pm

Re: Server been used as spammed machine

Post by aram » Thu Feb 20, 2014 9:45 pm

Does "check pop before SMTP" apply if the account does not use POP but only Webmail or Outlook with the Connector (IMAP)?

And does "Reject mail if sender address is from a invalid domain" mean not a configured domain within the ME server Postoffice ?

rfwilliams777
Posts: 1323
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 » Thu Feb 20, 2014 10:54 pm

The first option does not necessarily need to be checked. The second option is your mail server checks to make sure DNS, SPF, etc. is properly set up to accept messages from sender accounts. If sender does not pass, the message is spam.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

MailEnable-Ian
Site Admin
Posts: 9275
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Server been used as spammed machine

Post by MailEnable-Ian » Fri Feb 21, 2014 12:44 am

Hi,

You need to inspect the SMTP outbound queue for spam messages and then open up the SMTP activity log file and search for the message ID. You need to locate SMTP-IN conversations for the sender/recipient of that message. You will find that most likely the spammer is authenticating using valid mailbox details.

Example log snippet:

Code: Select all

SMTP-IN
10/22/13 15:07:15	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	AUTH	{blank}	334 PDY5MTYuMzQ4NTU4ODY4QElBTi1QQz4=	38	15		
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	AUTH	{blank}	235 Authenticated CRAM-MD5	28	66	test	
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	MAIL	MAIL FROM:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	43	36	test	
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	RCPT	RCPT TO:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	43	30	test	
10/22/13 15:07:17	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	46	6	test	
10/22/13 15:08:17	SMTP-IN	434AA6762FEC412E922381DD8D8DF017.MAI	184	*.*.*.*	QUIT	QUIT	221 Service closing transmission channel	42	6	test

SMTP-OU
10/22/13 15:07:19	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	CONN		220 mail.exampledomain.com ESMTP MailEnable Service, Version: 8.00--8.00 ready at 10/22/13 00:07:32	0	98	test	Test
10/22/13 15:07:19	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	EHLO	EHLO mail.exampledomain.com	250-mailenable.com [*.*.*.*], this server offers 5 extensions	24	158	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	MAIL	MAIL FROM:<test@mail.exampledomain.com> SIZE=484	250 Requested mail action okay, completed	45	43	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	RCPT	RCPT TO:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	30	43	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	6	46	test	Test
10/22/13 15:07:21	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	DATE		250 Requested mail action okay, completed	495	43	test	Test
10/22/13 15:07:22	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	QUIT	QUIT	221 Service closing transmission channel	6	42	test	Test
You might also want to run the Check passwords option within the "localhost" properties window under the "Policies" tab to check existing mailbox passwords to see which ones are using simple passwords and change them to something more complex.

Here is an article to help locate the source of server abuse:

http://www.mailenable.com/kb/viewarticl ... 020339.htm
Regards,

Ian Margarone
MailEnable Support

cfdynamics
Posts: 136
Joined: Mon May 24, 2010 2:27 pm

Re: Server been used as spammed machine

Post by cfdynamics » Fri Feb 21, 2014 12:53 pm

Possible the 8.x version has a security flaw? (Running version 8.02 Premium) Any way to decrypt the password being used from the log files? dozens of accounts being compromised... No evidence in logs of any password hurling attempts.
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.

Post Reply