Server been used as spammed machine

Discussion forum for Enterprise Edition.
juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Server been used as spammed machine

Post by juniorelnino »

I think my mail server just sent over 500K emails. I managed to see one of the email headers:
Received: from ([41.215.163.10]) by DOMAIN.asia with MailEnable WebMail; Fri, 4 Oct 2013 14:45:26 +0800
To: undisclosed-recipients
From: "gmeormanu1@yahoo.ca" <>
Subject: This is the last notice..please confirm receipt
Date: Thu, 3 Oct 2013 23:45:26 -0700
Message-ID: <9AC1B2467AFB4961844E823F2F032616.MAI@DOMAIN.asia>
MIME-Version: 1.0
X-Mailer: MailEnable WebMail.NET
X-MimeOLE: Produced By MailEnable WebMail.NET V6.83.0.0
X-Read: 0
Content-Type: multipart/mixed;
boundary="--=_Part_B9AF5025A521414D861F16020981C38D"
X-Priority: 3
X-MSMail-Priority: Medium
I am using MailEnable Enterprise Premium Edition (V6) on Server 2008 (6.83)

How do I block this spammer?
I don't see him authenticating as one of my mailbox users.

Please help.

gxavier.bh
Posts: 140
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: Server been used as spammed machine

Post by gxavier.bh »

Hi,

Go to SMTP properties, relay tab and check POP before SMTP. This will force users to check e-mail before sending.
On security tab, select "Reject mail if sender address is from a invalid domain" and "Authenticated senders must use a valid sender address".

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 »

I agree with the recommendation. All users should authenticate. If they don't, then they cannot send e-mail through your server. Hopefully no blacklist damage has been done.
Robert Williams, Owner
www.WilliamsWebSolutions.com
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and we will migrate your accounts to us for FREE!
We can be hired to help you with your Mail Enable server, too!

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino »

Blacklist damage done, but I have alternate sendmail server.

I have followed all the above recommendations; in addition, I have also blocked this IP: 41.215.163.10 under [SMTP] -> [Inbound] -> [Access Control].

Am I doing it right?

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino »

After doing all the necessary, my email server is still being used as a spam machine. Any idea how to get rid of it?

Return-Path:
Received: from mail.mydomain.asia (xmail.mydomain.asia [000.000.000.000] (may be forged)) by smtp7.mydomain.asia (8.13.8/8.13.8) with ESMTP id r9SCBhAp014826 for <blossoms@alfalah.com>; Mon, 28 Oct 2013 20:11:44 +0800
Received: from ([41.215.160.202]) by mydomain.asia with MailEnable WebMail; Mon, 28 Oct 2013 20:27:13 +0800
To: undisclosed-recipients
From: "James Blanco" <>
Subject: Compliment of the day to you.
Date: Mon, 28 Oct 2013 12:27:13 -0000
Message-ID: <42D214A72F7E4725BF18980D92C183C7.MAI@appcogroup.asia>
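Both headers quoted in this thread carry the same tell-tale hop: a "Received: from ([ip]) by ... with MailEnable WebMail" line naming the client that injected the message, an empty From address and an undisclosed-recipients To. The script below is an added example (not part of the original posts and not MailEnable tooling) that pulls the injecting IP, the receiving host and the transport out of each Received header and lists the indicators; its sample input is the header text from the two posts, with Return-Path and Content-Type left out because their values were not reproduced in the thread.

```python
"""Triage raw message headers: find the hop that injected the message and
flag the spam indicators visible in the headers quoted in this thread.
Added example; the header text is taken from the two messages in the thread."""
import re
from email import message_from_string

HEADER_1 = """\
Received: from ([41.215.163.10]) by DOMAIN.asia with MailEnable WebMail; Fri, 4 Oct 2013 14:45:26 +0800
To: undisclosed-recipients
From: "gmeormanu1@yahoo.ca" <>
Subject: This is the last notice..please confirm receipt
Date: Thu, 3 Oct 2013 23:45:26 -0700
Message-ID: <9AC1B2467AFB4961844E823F2F032616.MAI@DOMAIN.asia>
MIME-Version: 1.0
X-Mailer: MailEnable WebMail.NET
"""

HEADER_2 = """\
Received: from mail.mydomain.asia (xmail.mydomain.asia [000.000.000.000] (may be forged)) by smtp7.mydomain.asia (8.13.8/8.13.8) with ESMTP id r9SCBhAp014826 for <blossoms@alfalah.com>; Mon, 28 Oct 2013 20:11:44 +0800
Received: from ([41.215.160.202]) by mydomain.asia with MailEnable WebMail; Mon, 28 Oct 2013 20:27:13 +0800
To: undisclosed-recipients
From: "James Blanco" <>
Subject: Compliment of the day to you.
Date: Mon, 28 Oct 2013 12:27:13 -0000
Message-ID: <42D214A72F7E4725BF18980D92C183C7.MAI@appcogroup.asia>
"""

# Bracketed IPv4 literal, the "by <host>" clause and the "with <transport>" clause
# (the transport ends at ";", at an "id"/"for" clause, or at end of header).
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(.+?)(?=\s+id\b|\s+for\b|;|$)", re.IGNORECASE)


def parse_received(value):
    """Unfold one Received header and pull out client IP, receiving host and transport."""
    value = " ".join(value.split())
    ip, by, via = IP_RE.search(value), BY_RE.search(value), WITH_RE.search(value)
    return {
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "via": via.group(1).strip() if via else None,
    }


def from_address(value):
    """Address part of a From header; empty for the '"name" <>' form seen in the thread."""
    m = re.search(r"<([^>]*)>", value)
    return (m.group(1) if m else value).strip()


def triage(raw_headers):
    """Return the injecting hop (the bottom-most Received line) plus a list of indicators."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {"ip": None, "by": None, "via": None}
    indicators = []
    if not from_address(msg.get("From", "")):
        indicators.append("empty From address")
    if "undisclosed-recipients" in (msg.get("To") or "").lower():
        indicators.append("undisclosed recipients")
    if origin["via"] and "webmail" in origin["via"].lower():
        indicators.append("injected via webmail, so a mailbox login should be checked")
    return {
        "origin_ip": origin["ip"],
        "origin_via": origin["via"],
        "hops": hops,
        "message_id": msg.get("Message-ID"),
        "indicators": indicators,
    }


def origin_ips(*raw_headers):
    """Distinct injecting IPs across several headers, the candidates for an inbound Access Control entry."""
    found = {triage(h)["origin_ip"] for h in raw_headers}
    return sorted(ip for ip in found if ip)


if __name__ == "__main__":
    for h in (HEADER_1, HEADER_2):
        r = triage(h)
        print(r["message_id"], r["origin_ip"], r["origin_via"], r["indicators"])
    print("IPs seen injecting mail:", origin_ips(HEADER_1, HEADER_2))
```

The bottom-most Received line is the one the local server wrote when it first accepted the message, so it is the hop to read; lines above it were added by later relays (in the second header, the sendmail box that received the copy). Note that the "Received: from ([ip]) ... with MailEnable WebMail" shape has no HELO name, so the script keys on the bracketed address rather than on the hostname.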

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 »

If you wish to pay for some troubleshooting, I will be happy to work on your server to help resolve the spamming issue. I can also provide you a number of recommendations and/or changes implemented so you will know how to respond to these issues. My rate is $65 USD/hr.
Robert Williams, Owner
www.WilliamsWebSolutions.com

gxavier.bh
Posts: 140
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: Server been used as spammed machine

Post by gxavier.bh »

Have you discovered the account used for spam, so it can be blocked?
Take a look at the relay options and block the IP.
You can limit the amount of e-mail that can be sent per hour by post office.
As a last option, send an e-mail to the post office saying that it will be disabled for a few minutes.

juniorelnino
Posts: 8
Joined: Sat Dec 29, 2012 5:29 pm

Re: Server been used as spammed machine

Post by juniorelnino »

Yes, I followed your suggestion and it works.

Go to SMTP properties, relay tab and check POP before SMTP. This will force users to check e-mail before sending.
On security tab, select "Reject mail if sender address is from a invalid domain" and "Authenticated senders must use a valid sender address".

aram
Posts: 26
Joined: Mon Aug 01, 2011 4:43 pm

Re: Server been used as spammed machine

Post by aram »

Does "check pop before SMTP" apply if the account does not use POP but only Webmail or Outlook with the Connector (IMAP)?

And does "Reject mail if sender address is from a invalid domain" mean not a configured domain within the ME server Postoffice?

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Server been used as spammed machine

Post by rfwilliams777 »

The first option does not necessarily need to be checked. The second option means your mail server checks to make sure DNS, SPF, etc. are properly set up to accept messages from sender accounts. If the sender does not pass, the message is spam.
Robert Williams, Owner
www.WilliamsWebSolutions.com

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Server been used as spammed machine

Post by MailEnable-Ian »

Hi,

You need to inspect the SMTP outbound queue for spam messages and then open up the SMTP activity log file and search for the message ID. You need to locate SMTP-IN conversations for the sender/recipient of that message. You will find that most likely the spammer is authenticating using valid mailbox details.

Example log snippet:


SMTP-IN
10/22/13 15:07:15	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	AUTH	{blank}	334 PDY5MTYuMzQ4NTU4ODY4QElBTi1QQz4=	38	15		
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	AUTH	{blank}	235 Authenticated CRAM-MD5	28	66	test	
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	MAIL	MAIL FROM:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	43	36	test	
10/22/13 15:07:16	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	RCPT	RCPT TO:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	43	30	test	
10/22/13 15:07:17	SMTP-IN	80A905DA0E6943B18C7BD0EC0D717F92.MAI	184	*.*.*.*	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	46	6	test	
10/22/13 15:08:17	SMTP-IN	434AA6762FEC412E922381DD8D8DF017.MAI	184	*.*.*.*	QUIT	QUIT	221 Service closing transmission channel	42	6	test

SMTP-OU
10/22/13 15:07:19	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	CONN		220 mail.exampledomain.com ESMTP MailEnable Service, Version: 8.00--8.00 ready at 10/22/13 00:07:32	0	98	test	Test
10/22/13 15:07:19	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	EHLO	EHLO mail.exampledomain.com	250-mailenable.com [*.*.*.*], this server offers 5 extensions	24	158	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	MAIL	MAIL FROM:<test@mail.exampledomain.com> SIZE=484	250 Requested mail action okay, completed	45	43	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	RCPT	RCPT TO:<test@mail.exampledomain.com>	250 Requested mail action okay, completed	30	43	test	Test
10/22/13 15:07:20	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	6	46	test	Test
10/22/13 15:07:21	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	DATE		250 Requested mail action okay, completed	495	43	test	Test
10/22/13 15:07:22	SMTP-OU	5282A96E351B4862B73B13BA3143223E.MAI	1796	*.*.*.*	QUIT	QUIT	221 Service closing transmission channel	6	42	test	Test
You might also want to run the Check passwords option within the "localhost" properties window under the "Policies" tab to check existing mailbox passwords to see which ones are using simple passwords and change them to something more complex.

Here is an article to help locate the source of server abuse:

http://www.mailenable.com/kb/viewarticl ... 020339.htm
Regards,

Ian Margarone
MailEnable Support
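The procedure above (take a message ID from the outbound queue, find the SMTP-IN conversation that carried it, read off the mailbox that authenticated) is mechanical enough to script over the activity log. The following is an added example, not MailEnable's own tooling: it groups SMTP-IN lines by the per-connection session number (the log snippet shows the message ID changing to a new value at QUIT while the session number stays the same, so the session number is the stable key), records whether AUTH succeeded and under which mailbox, counts accepted recipients, and then lists mailboxes that exceed a recipient budget or log in from more addresses than expected. The column layout is an assumption read off the snippet in the post (tab-separated; message ID in column 3, session number in column 4, client IP in column 5, verb in column 6, argument in column 7, response in column 8, mailbox name in column 11); the thresholds are illustrative, and sessions 301 and 302 in the sample are constructed with placeholder message IDs and test-net addresses.

```python
"""Correlate MailEnable SMTP-IN activity-log lines with the mailbox that authenticated.
Added example; column layout assumed from the snippet quoted in the thread."""
from collections import defaultdict

# Sample log: the first six lines are the SMTP-IN lines quoted in the post;
# sessions 301 and 302 are CONSTRUCTED (placeholder message IDs, test-net IPs)
# to show a second mailbox sending to several recipients from two addresses.
SAMPLE_LOG = "\n".join([
    "10/22/13 15:07:15\tSMTP-IN\t80A905DA0E6943B18C7BD0EC0D717F92.MAI\t184\t*.*.*.*\tAUTH\t{blank}\t334 PDY5MTYuMzQ4NTU4ODY4QElBTi1QQz4=\t38\t15\t\t",
    "10/22/13 15:07:16\tSMTP-IN\t80A905DA0E6943B18C7BD0EC0D717F92.MAI\t184\t*.*.*.*\tAUTH\t{blank}\t235 Authenticated CRAM-MD5\t28\t66\ttest\t",
    "10/22/13 15:07:16\tSMTP-IN\t80A905DA0E6943B18C7BD0EC0D717F92.MAI\t184\t*.*.*.*\tMAIL\tMAIL FROM:<test@mail.exampledomain.com>\t250 Requested mail action okay, completed\t43\t36\ttest\t",
    "10/22/13 15:07:16\tSMTP-IN\t80A905DA0E6943B18C7BD0EC0D717F92.MAI\t184\t*.*.*.*\tRCPT\tRCPT TO:<test@mail.exampledomain.com>\t250 Requested mail action okay, completed\t43\t30\ttest\t",
    "10/22/13 15:07:17\tSMTP-IN\t80A905DA0E6943B18C7BD0EC0D717F92.MAI\t184\t*.*.*.*\tDATA\tDATA\t354 Start mail input; end with <CRLF>.<CRLF>\t46\t6\ttest\t",
    "10/22/13 15:08:17\tSMTP-IN\t434AA6762FEC412E922381DD8D8DF017.MAI\t184\t*.*.*.*\tQUIT\tQUIT\t221 Service closing transmission channel\t42\t6\ttest",
    "10/22/13 15:09:01\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tAUTH\t{blank}\t235 Authenticated CRAM-MD5\t28\t66\tsales\t",
    "10/22/13 15:09:01\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tMAIL\tMAIL FROM:<sales@mail.exampledomain.com>\t250 Requested mail action okay, completed\t44\t37\tsales\t",
    "10/22/13 15:09:02\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tRCPT\tRCPT TO:<a@example.net>\t250 Requested mail action okay, completed\t43\t24\tsales\t",
    "10/22/13 15:09:02\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tRCPT\tRCPT TO:<b@example.net>\t250 Requested mail action okay, completed\t43\t24\tsales\t",
    "10/22/13 15:09:02\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tRCPT\tRCPT TO:<c@example.net>\t250 Requested mail action okay, completed\t43\t24\tsales\t",
    "10/22/13 15:09:03\tSMTP-IN\tCONSTRUCTED-301.MAI\t301\t203.0.113.7\tDATA\tDATA\t354 Start mail input; end with <CRLF>.<CRLF>\t46\t6\tsales\t",
    "10/22/13 15:12:40\tSMTP-IN\tCONSTRUCTED-302.MAI\t302\t198.51.100.9\tAUTH\t{blank}\t235 Authenticated CRAM-MD5\t28\t66\tsales\t",
    "10/22/13 15:12:40\tSMTP-IN\tCONSTRUCTED-302.MAI\t302\t198.51.100.9\tMAIL\tMAIL FROM:<sales@mail.exampledomain.com>\t250 Requested mail action okay, completed\t44\t37\tsales\t",
    "10/22/13 15:12:41\tSMTP-IN\tCONSTRUCTED-302.MAI\t302\t198.51.100.9\tRCPT\tRCPT TO:<d@example.net>\t250 Requested mail action okay, completed\t43\t24\tsales\t",
    "10/22/13 15:12:41\tSMTP-IN\tCONSTRUCTED-302.MAI\t302\t198.51.100.9\tRCPT\tRCPT TO:<e@example.net>\t250 Requested mail action okay, completed\t43\t24\tsales\t",
    "10/22/13 15:12:42\tSMTP-IN\tCONSTRUCTED-302.MAI\t302\t198.51.100.9\tDATA\tDATA\t354 Start mail input; end with <CRLF>.<CRLF>\t46\t6\tsales\t",
])


def parse_line(line):
    """Split one tab-separated activity-log line into named fields (None if too short)."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    return {"time": f[0], "direction": f[1], "message_id": f[2], "session": f[3],
            "ip": f[4], "command": f[5], "argument": f[6], "response": f[7],
            "user": f[10] if len(f) > 10 else ""}


def build_sessions(log_text):
    """Group SMTP-IN lines by session number and summarise what each session did."""
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["direction"] != "SMTP-IN":
            continue
        s = sessions.setdefault(rec["session"], {
            "ip": rec["ip"], "user": "", "auth_ok": False, "mail_from": None,
            "recipients": [], "message_ids": set(), "messages": 0})
        s["message_ids"].add(rec["message_id"])
        if rec["user"]:
            s["user"] = rec["user"]  # mailbox name appears once AUTH succeeded
        cmd, resp = rec["command"], rec["response"]
        if cmd == "AUTH" and resp.startswith("235"):
            s["auth_ok"] = True
        elif cmd == "MAIL" and resp.startswith("250"):
            s["mail_from"] = rec["argument"]
        elif cmd == "RCPT" and resp.startswith("250"):
            s["recipients"].append(rec["argument"])
        elif cmd == "DATA" and resp.startswith("354"):
            s["messages"] += 1  # message body submission started
    return sessions


def session_for_message(sessions, message_id):
    """The post's step: find the SMTP-IN session that carried a message ID taken from the queue."""
    for sid, s in sessions.items():
        if message_id in s["message_ids"]:
            return sid
    return None


def sender_report(sessions):
    """Per authenticated mailbox: sessions, accepted recipients and distinct client IPs."""
    report = defaultdict(lambda: {"sessions": 0, "recipients": 0, "ips": set()})
    for s in sessions.values():
        if s["auth_ok"]:
            r = report[s["user"]]
            r["sessions"] += 1
            r["recipients"] += len(s["recipients"])
            r["ips"].add(s["ip"])
    return dict(report)


def suspicious_mailboxes(sessions, max_recipients=50, max_ips=1):
    """Mailboxes over the recipient budget or logging in from too many addresses (thresholds illustrative)."""
    return sorted(u for u, r in sender_report(sessions).items()
                  if r["recipients"] > max_recipients or len(r["ips"]) > max_ips)


if __name__ == "__main__":
    S = build_sessions(SAMPLE_LOG)
    print("session for queued message:", session_for_message(S, "434AA6762FEC412E922381DD8D8DF017.MAI"))
    for user, r in sender_report(S).items():
        print(user, r["sessions"], "sessions", r["recipients"], "recipients", sorted(r["ips"]))
    print("flagged:", suspicious_mailboxes(S, max_recipients=3))
```

Run it against a real activity log by replacing SAMPLE_LOG with the file contents; if the column order on your version differs from the snippet, adjust the indices in parse_line first. A mailbox that is authenticating from several unrelated addresses and sending to large recipient lists is the one whose password needs changing, which ties in with the "Check passwords" suggestion above.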

cfdynamics
Posts: 154
Joined: Mon May 24, 2010 2:27 pm

Re: Server been used as spammed machine

Post by cfdynamics »

Is it possible the 8.x version has a security flaw? (Running version 8.02 Premium.) Is there any way to decrypt the password being used from the log files? Dozens of accounts are being compromised... No evidence in the logs of any password hurling attempts.
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.
