Server used for sending spam ... again...

jglazer
Posts: 229
Joined: Thu Mar 17, 2005 5:48 pm

Server used for sending spam ... again...

Postby jglazer » Tue May 23, 2017 12:33 pm

Well somehow, one of my customer's accounts was hacked. I assume the brute-forced the password. Anyhow, I need help here.

Stopping the current blast

I've changed the user's password and reset the smtp service yet there are still hundreds of emails going out under her name. I don't see any attempt at login. My conclusion is that they are in the queue somewhere. I checked under queues/smtp and there's very little there. Where else can these be housed? MTA? Where's that queue?

Stopping it from happening in the future
This is a real problem. I have the option turned on to block the IP after 6 failed commands (assuming a password/login combination qualifies as a failed command) thinking that if they could not guess it in 6 tries it will block the IP for an hour. Maybe I did this wrong but it obviously didn't stop the guessing.

Is there any way to get notified if a user is sending out an unusually large amount of email so I could stop this when it starts? It appears this user sent out nearly 500,000 emails before I noticed it or she complained about the thousands of bounced email messages she was receiving.

Anything else anyone can offer would be greatly appreciated. Please be sure to include the exact path to get to whatever options you suggest as MailEnable has trillions of options and trying to blindly find one is becoming very difficult.

Thanks!

MailEnable-Ian
Site Admin
Posts: 8721
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Server used for sending spam ... again...

Postby MailEnable-Ian » Thu May 25, 2017 12:13 am

Hi,

Stopping the current blast

I've changed the user's password and reset the smtp service yet there are still hundreds of emails going out under her name. I don't see any attempt at login. My conclusion is that they are in the queue somewhere. I checked under queues/smtp and there's very little there. Where else can these be housed? MTA? Where's that queue?


Firstly are you certain that you have located the correct mailbox the spammer is using to authenticate to relay the spam in the SMTP log files? If you don't have the SMTP security option for "Sender email domain must be local or resolvable through DNS" then the spammer will be able to authenticate using a mailbox that is not associated with the senders address. Therefore you need to inspect the SMTP log files for something similar to this:

03/28/17 10:20:47 SMTP-IN 0F16217DFFA44384BF822F4B9EE87A6D.MAI 620 192.168.2.26 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
03/28/17 10:20:47 SMTP-IN 0F16217DFFA44384BF822F4B9EE87A6D.MAI 620 192.168.2.26 AUTH {blank} 334 Ugkfhddhfrew 18 34 test@mailenable.com.au
03/28/17 10:20:47 SMTP-IN 0F16217DFFA44384BF822F4B9EE87A6D.MAI 620 192.168.2.26 AUTH {blank} 235 Authenticated 19 10 test2222@mailenable.com.au
03/28/17 10:20:47 SMTP-IN 0F16217DFFA44384BF822F4B9EE87A6D.MAI 620 192.168.2.26 MAIL MAIL FROM: <test@mailenable.com.au> 250 Requested mail action okay, completed 43 37 test@mailenable.com.au
03/28/17 10:20:47 SMTP-IN 0F16217DFFA44384BF822F4B9EE87A6D.MAI 620 192.168.2.26 RCPT RCPT TO: <test@gmail.com> 250 Requested mail action okay, completed 43 35 test@gmail.com

Notice the mailbox ID that authenticated "test2222@mailenable.com.au" but the FROM was from test@mailenable.com.au

Once you are certain you have found the correct source of abuse you will most likely need to inspect all queues. The main queue where the messages will be spawning from are the "SMTP inbound" (Servers > Localhost > Services and connectors > SMTP > Queues > Inbound) and "Postoffice connector inbound/outbound" (Servers > Localhost > Services and connectors > Postoffice > Queues > Inbound and Servers > Localhost > Services and connectors > Postoffice > Queues > Outbound) Therefore check those and clear them. A good way to to do this is to review the following article: http://www.mailenable.com/kb/content/article.asp?ID=me020250

Stopping it from happening in the future
This is a real problem. I have the option turned on to block the IP after 6 failed commands (assuming a password/login combination qualifies as a failed command) thinking that if they could not guess it in 6 tries it will block the IP for an hour. Maybe I did this wrong but it obviously didn't stop the guessing.


I presume you are referring to the "Localhost > Policies" option for "Lock out user for one hour after". This option will only lockout user the and will not ban the IP address. The option you are looking for is the "Abuse detection and prevention" option under the same "Policies" tab. This will automatically ban the IP address for one hour after 10 invalid commands.

http://www.mailenable.com/documentation/9.0/Enterprise/Localhost_-_Policies.html

Is there any way to get notified if a user is sending out an unusually large amount of email so I could stop this when it starts? It appears this user sent out nearly 500,000 emails before I noticed it or she complained about the thousands of bounced email messages she was receiving.


You can enable the "Alerts" within the "Metray" utility located in the Windows task bar. Double click the Metray icon and navigate to the "Alerts" tab. It does not have the ability to alert for a specific mailbox though. What it will alert for, is if the services process large amounts of messages in their queues.

You order to prevent spammers from being able to send large amounts of messages if a mailbox is compromised you really need to enable the option under the SMTP security tab for "Limit number of recipients per hour to". This will limit the amount of messages that can be sent per hour by your server.

http://www.mailenable.com/documentation/9.0/Enterprise/SMTP_props_-Security.html

Anything else anyone can offer would be greatly appreciated. Please be sure to include the exact path to get to whatever options you suggest as MailEnable has trillions of options and trying to blindly find one is becoming very difficult.


Ensure your mailboxes all use complex passwords and not simple passwords to prevent brute force attacks. Enable password polices under the "Localhost > Policies" tab and then hit the button for "Check existing passwords" to see which mailboxes don't meet the policies and have them change their passwords via the web mail client.
Regards,

Ian Margarone
MailEnable Support

jglazer
Posts: 229
Joined: Thu Mar 17, 2005 5:48 pm

Re: Server used for sending spam ... again...

Postby jglazer » Thu May 25, 2017 12:10 pm

You order to prevent spammers from being able to send large amounts of messages if a mailbox is compromised you really need to enable the option under the SMTP security tab for "Limit number of recipients per hour to". This will limit the amount of messages that can be sent per hour by your server.


If I do this, I foresee issues if I get attacked I think. Say we typically send out 300-500 messages an hour. If I set this to, say, 750 and we get hit, the spam will fill up the queue and back it up pretty drastically. My customers won't be able to send out their email as it will all be mixed in with the spam. At that point I don't know how to differentiate the good email from the bad in a queue that contains, potentially, thousands of backed up emails. It would be nice if I could throttle a specific mailbox/domain. And also get warnings if a single user starts sending 300 messages an hour or something. The current alerts are ok but do not really cover this. Couldn't putting in a bit a mailbox-by-mailbox statistics be fairly easy?

It would be great to see that Tom is sending a ton of email between the hours of 2am and 6am and he has never done that before.

I suppose I could write my own log analyzer to generate these stats. Would there be any interest in this?

Jon

maxel91
Posts: 61
Joined: Sat Dec 10, 2016 1:10 am

Re: Server used for sending spam ... again...

Postby maxel91 » Thu May 25, 2017 1:39 pm

For Log you can use Samwill

jglazer
Posts: 229
Joined: Thu Mar 17, 2005 5:48 pm

Re: Server used for sending spam ... again...

Postby jglazer » Thu May 25, 2017 2:05 pm

Expensive. I'd rather make my own. Simple enough to do.

Who is online

Users browsing this forum: No registered users and 25 guests