SurgeMail Archive: Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay

Subject:	Re: [SurgeMail List] Fwd: Compromised mailbox allowing spam relay
From:	Lyle Giese
Date:	25-Nov-2010
On my system, the msg.rec file has the from and to fields and not the authenication. The sws.rec file has the auth information. Lyle Giese LCR Computer Services, Inc. dward@nccumc.org wrote: Thanks for this information! Listed below are some of the entries from today's msg101124.rec file: 24 19:15:47 [140563] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com> 693 <q183611$$4o06$2$v4ii-aHIDDEN@jkxdv> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" 24 19:50:47 [140567] Received 59.112.81.3 <peter@gmail.com> <w852@ymail.com> 679 <2tv64j$j$2-j--$se4h$v74@kz1e.r0wrxg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" 24 19:59:58 [140568] Received 114.36.46.72 <z2007tw@yahoo.com.tw> <gk49fawn@yahoo.com.tw> 706 <b1l54k5mb-6$92--r1ep7$4u258HIDDEN@obg> "Body has arrived, Relay=forward_rcpt, nrcpt=1, s=[BC_12.54.6.101]" Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 10:36 PM, Support ChrisP <surgemail-support@netwinsite.com> wrote: The msg.rec log entry always contains the account name used to authenticate an email just find the 'Received' entry for the outgoing spam and then look for the 'relay=' string... `Received 60.234.149.210 .... "Body has arrived, Relay=smtpauth=USER@DOMAIN.NAME,` `ChrisP.` On Thursday 25/11/2010 at 4:16 pm, surgemail-list@netwinsite.com wrote: I've looked at this as well. Nothing in the status advanced view shows me which user accounts are authenticating when these spam messages are slipping through. The only thing I can think to do now is to manually reset the passwords for all of the accounts on this box. It's a few hundred addresses across about 40-50 domains... Douglas Ward IT Director NC Methodist Conference On Wed, Nov 24, 2010 at 9:28 PM, Lyle Giese <lyle@lcrcomputer.info> wrote: The headers should show the orginating IP address. Use that to track down connections under the advanced view in Status. Should help narrow it down. Lyle Giese dward@nccumc.org* <dward@nccumc.org> Date: Wed, Nov 24, 2010 at 4:54 PM Subject: Compromised mailbox allowing spam relay To: surgemail-list@netwinsite.com Happy Thanksgiving! I have discovered today that one of the accounts on my surgemail server has been compromised. It appears that a spammer has brute forced a password to relay authenticated mail through our mail server. Unfortunately, I cannot find any trace within the surgemail logs which account is compromised. I have checked all of the log files and all I see is the spoofed to/from fields. The account used to authenticate to the surgemail server is nowhere to be found. How can I find this? Once I change this password all is well and I can go back to my vacation. Any help you might offer would be most appreciated. Thank you in advance! Douglas Ward IT Director NC Methodist Conference

archive-list@netwin_co_nz mailing list Archive Index

Previous Message | Next Message


Search website: