Recently our server was blacklisted on a couple of lists. Analysis of the SMTP activity log shows that connections are made to some accounts from various IP addresses. The provided credentials are denied with "504 Invalid Username or Password" messages. However, the attacker was able to continue with MAIL FROM:, RCPT TO: and DATA messages, and mails are sent from these accounts. One of the accounts that seems to be sending mail from our server does not exist on the server.
Part of the actual log (anonymized):
01/23/18 00:39:08 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/23/18 00:39:09 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH {blank} 334 UGFzc3dvcmQ6 18 30 user@ourdomain
01/23/18 00:39:09 SMTP-IN ***.MAI 1096 103.78.180.235 AUTH Y2sxNQ== 504 Invalid Username or Password 34 10 user@ourdomain
01/23/18 00:39:10 SMTP-IN ***.MAI 1096 103.78.180.235 MAIL MAIL FROM:<user@ourdomain> SIZE=4926 250 Requested mail action okay, completed 43 44 user@ourdomain
01/23/18 00:39:10 SMTP-IN ***.MAI 1096 103.78.180.235 RCPT RCPT TO:<user@anotherdomain> 250 Requested mail action okay, completed 43 28 user@ourdomain
01/23/18 00:39:11 SMTP-IN ***.MAI 1096 103.78.180.235 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 user@ourdomain
What can we do to fix this problem?? We need urgent help.
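A way to find every session showing the pattern in the log above (a rejected AUTH followed by an accepted MAIL FROM on the same connection), as an added example that is not part of the original post or MailEnable's own tooling. It assumes the space-separated layout shown in the excerpt, treats the numeric field before the client IP as a session identifier, and assumes a successful login is logged with reply code 235; the sample lines are constructed.

```python
import re

# Layout assumed from the excerpt: date time SMTP-IN host id ip COMMAND detail...
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) SMTP-IN \S+ (?P<sid>\d+) (?P<ip>\S+) "
                     r"(?P<cmd>[A-Z]+) (?P<rest>.*)$")
CODE_RE = re.compile(r"(?<!\S)([2-5]\d{2})(?!\S)")   # first stand-alone SMTP reply code
SENDER_RE = re.compile(r"FROM:<([^>]*)>", re.I)

# Constructed sample: session 1096 fails AUTH and still sends; 2210 logs in first.
SAMPLE_LOG = """\
01/23/18 00:39:08 SMTP-IN HOST.MAI 1096 203.0.113.10 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/23/18 00:39:09 SMTP-IN HOST.MAI 1096 203.0.113.10 AUTH {blank} 334 UGFzc3dvcmQ6 18 30 user@example.test
01/23/18 00:39:09 SMTP-IN HOST.MAI 1096 203.0.113.10 AUTH PLACEHOLDER== 504 Invalid Username or Password 34 10 user@example.test
01/23/18 00:39:10 SMTP-IN HOST.MAI 1096 203.0.113.10 MAIL MAIL FROM:<user@example.test> SIZE=4926 250 Requested mail action okay, completed 43 44 user@example.test
01/23/18 00:39:10 SMTP-IN HOST.MAI 1096 203.0.113.10 RCPT RCPT TO:<rcpt@other.test> 250 Requested mail action okay, completed 43 28 user@example.test
01/23/18 00:41:00 SMTP-IN HOST.MAI 2210 198.51.100.7 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/23/18 00:41:01 SMTP-IN HOST.MAI 2210 198.51.100.7 AUTH {blank} 334 UGFzc3dvcmQ6 18 30 staff@example.test
01/23/18 00:41:01 SMTP-IN HOST.MAI 2210 198.51.100.7 AUTH PLACEHOLDER== 235 Authenticated 19 10 staff@example.test
01/23/18 00:41:02 SMTP-IN HOST.MAI 2210 198.51.100.7 MAIL MAIL FROM:<staff@example.test> SIZE=900 250 Requested mail action okay, completed 43 44 staff@example.test
"""

def find_unauthenticated_sends(log_text):
    """Return accepted MAIL FROM commands that follow a rejected AUTH in the same session."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        code = CODE_RE.search(m["rest"]) if m else None
        if not code:
            continue                      # not an SMTP-IN line, or no reply code found
        status = int(code.group(1))
        state = sessions.setdefault((m["sid"], m["ip"]), {"failed": False, "authed": False})
        if m["cmd"] == "AUTH":
            if status == 235:             # login accepted
                state["authed"] = True
            elif status >= 500:           # login rejected, e.g. the 504 in the excerpt
                state["failed"], state["authed"] = True, False
        elif m["cmd"] == "MAIL" and status == 250:
            if state["failed"] and not state["authed"]:
                sender = SENDER_RE.search(m["rest"])
                findings.append({"time": m["ts"], "ip": m["ip"], "session": m["sid"],
                                 "sender": sender.group(1) if sender else None})
    return findings

if __name__ == "__main__":
    for hit in find_unauthenticated_sends(SAMPLE_LOG):
        print(hit)
```

Running it over the full activity log gives the list of source IPs and sender addresses involved, which is also the extract a support engineer would want alongside the debug log.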
Mails Outgoing from nonexisting accounts
- Site Admin
Re: Mails Outgoing from nonexisting accounts
Hi,
What version of MailEnable Enterprise are you running? Would also need to see the associated extract from the SMTP debug log file.
Regards,
Ian Margarone
MailEnable Support