Mails Outgoing from nonexisting accounts

Discussion forum for Enterprise Edition.
iokumus
Posts: 4
Joined: Mon Jun 29, 2015 8:28 am

Post by iokumus »

Recently our server was blacklisted on a couple of lists. Analysis of the SMTP activity log shows that connections are made from various IP addresses to some accounts. The provided credentials are denied with "504 Invalid Username or Password" messages. However, the attacker was able to continue with MAIL FROM:, RCPT TO: and DATA messages, and mails are sent from these accounts. One of the accounts that seems to be sending mail from our server does not exist on the server.
Part of the actual log (anonymized):
01/23/18 00:39:08 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/23/18 00:39:09 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH {blank} 334 UGFzc3dvcmQ6 18 30 user@ourdomain
01/23/18 00:39:09 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH Y2sxNQ== 504 Invalid Username or Password 34 10 user@ourdomain
01/23/18 00:39:10 SMTP-IN ***.MAI 1096 103.78.180.235 MAIL MAIL FROM:<user@ourdomain> SIZE=4926 250 Requested mail action okay, completed 43 44 user@ourdomain
01/23/18 00:39:10 SMTP-IN ***.MAI 1096 103.78.180.235 RCPT RCPT TO:<user@anotherdomain> 250 Requested mail action okay, completed 43 28 user@ourdomain
01/23/18 00:39:11 SMTP-IN ***.MAI 1096 103.78.180.235 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 user@ourdomain

What can we do to fix this problem? We need urgent help.
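
A way to find every session in an activity log that shows the pattern described in the post above (AUTH rejected, then MAIL/RCPT/DATA accepted on the same connection). This is an added example, not part of the original post and not MailEnable code. It assumes the numeric field before the client IP is a per-connection id and that the first standalone three-digit token after the command is the SMTP reply code; the sample lines, addresses and the 235 reply text are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the excerpt above (addresses are placeholders).
SAMPLE_LOG = """\
01/23/18 00:39:08 SMTP-IN SRV.MAI 1096 203.0.113.7 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/23/18 00:39:09 SMTP-IN SRV.MAI 1096 203.0.113.7 AUTH {blank} 504 Invalid Username or Password 34 10 user@example.test
01/23/18 00:39:10 SMTP-IN SRV.MAI 1096 203.0.113.7 MAIL MAIL FROM:<user@example.test> SIZE=4926 250 Requested mail action okay, completed 43 44 user@example.test
01/23/18 00:39:10 SMTP-IN SRV.MAI 1096 203.0.113.7 RCPT RCPT TO:<rcpt@example.net> 250 Requested mail action okay, completed 43 28 user@example.test
01/23/18 00:39:11 SMTP-IN SRV.MAI 1096 203.0.113.7 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 user@example.test
01/23/18 00:41:02 SMTP-IN SRV.MAI 1101 198.51.100.9 AUTH {blank} 235 Authenticated 20 30 staff@example.test
01/23/18 00:41:03 SMTP-IN SRV.MAI 1101 198.51.100.9 MAIL MAIL FROM:<staff@example.test> 250 Requested mail action okay, completed 43 30 staff@example.test
"""

# date+time, instance, connection id (assumed per-session), client IP, command, remainder
LINE_RE = re.compile(r"^(\S+ \S+) SMTP-IN (\S+) (\d+) (\S+) (\S+) (.*)$")
# Assumption: the first standalone 3-digit token in the remainder is the SMTP reply code.
CODE_RE = re.compile(r"(?<!\S)([2-5]\d\d)(?!\S)")


def find_unauthenticated_sends(log_text):
    """Return accepted MAIL/RCPT/DATA events that follow a rejected AUTH with no 235."""
    state = defaultdict(lambda: {"failed": False, "ok": False})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, instance, conn, ip, cmd, rest = m.groups()
        code_match = CODE_RE.search(rest)
        if not code_match:
            continue
        code = int(code_match.group(1))
        sess = state[(instance, conn, ip)]  # one state record per connection
        if cmd == "AUTH":
            if code == 235:
                sess["ok"] = True
            elif code >= 500:
                sess["failed"] = True
        elif cmd in ("MAIL", "RCPT", "DATA") and code < 400:
            if sess["failed"] and not sess["ok"]:
                findings.append({"time": when, "ip": ip, "conn": conn, "command": cmd, "code": code})
    return findings


if __name__ == "__main__":
    for hit in find_unauthenticated_sends(SAMPLE_LOG):
        print(hit)
```

Sessions it reports are the ones to compare against the server's relay settings, since each accepted command came from a client that never authenticated.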

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Mails Outgoing from nonexisting accounts

Post by MailEnable-Ian »

Hi,

What version of MailEnable Enterprise are you running? Would also need to see the associated extract from the SMTP debug log file.
Regards,

Ian Margarone
MailEnable Support
