Find a Compromised Account

When an account has been compromised, the spammer will try to send as much spam as possible through the server. This can cause a number of issues, including getting a domain or IP address blacklisted. Accounts can be compromised in a number of ways, the most common of which is when the account is using a weak, insecure password.
 
Administrators can become aware that an account has been compromised in a few ways, one of which is noticing the mail server spool filling up, which delays both incoming and outgoing messages. When this happens, administrators can review the Spool Dashboard or the traffic reports in order to find the compromised domain and the account being used to send the large amount of email.

 

Applies to SmarterMail 15.x

Follow these steps to find the compromised account by reviewing the Spool Dashboard:
 
  1. Log into SmarterMail as a system administrator.
  2. Click on the Manage icon.
  3. Expand the Spool folder in the navigation pane and click Spool Dashboard.
  4. Look at the Top Outbound Senders section to find any anomalies in outbound deliveries. If an account has been compromised, it will likely be the first in the list with the most deliveries. (The spool dashboard updates every 20 seconds for a real-time look at the spool.)
  5. Determine whether the messages are valid emails or spam. This can be done in two ways:
     a. Click on All Messages in the navigation pane to view the messages currently in the spool. Use the search bar to find messages sent by the suspected user account.
     b. Click on the Actions menu in the spool dashboard to Move Messages sent by the user (that are currently held in the spool) to their own folder on the server. Review the messages.
  6. If the messages are found to be spam, use the Delete Messages action to delete the remaining messages in the spool sent by that user. 
  7. If the account is determined to be compromised, you can also temporarily disable the account, preventing future email from being sent out. Use the Disable User action to disable the user's account but still allow it to receive mail. Alternatively, you can use the Manage User option to navigate to the user's settings to change the User Status to 'Disable and don't allow mail'.
  8. Look at the Top Outbound IP Addresses section to find any anomalies in outbound deliveries. Spammers may send messages through just one user account; however, they may authenticate using various IP addresses. 
  9. Repeat steps 5 and 6 to determine the legitimacy of the messages and take actions against them, if necessary.
  10. If an IP address is in violation, use the Blacklist IP action to add the IP address to the SMTP Blocked list. (The IP will be blocked on SMTP only.)
 
Follow these steps to find the compromised account by reviewing reports:
 
  1. Log in to SmarterMail as the system administrator.
  2. Click on Reports.
  3. Expand System Summary Report and then Traffic Reports, and click on Message Traffic.
  4. This report will list all domains on the server and display the number of incoming and outgoing messages for each. The domain with the compromised account will generally be the one with the most outgoing messages.
  5. Clicking on the domain will display its users. From here, the system administrator can narrow down the one (or more) users sending the largest amount of email.
The next steps are generally up to the administrator. They can either Manage the domain and change the user's password, disable the user, or delete the account entirely to stop the spammer from relaying through the server.
 

Applies to SmarterMail 8.x-14.x

Follow these steps to determine the compromised account by reviewing reports:
 
  1. Log in to SmarterMail as the system administrator.
  2. Click on Reports.
  3. Expand System Summary Report and then Traffic Reports, and click on Message Traffic.
  4. This report will list all domains on the server and display the number of incoming and outgoing messages for each. The domain with the compromised account will generally be the one with the most outgoing messages.
  5. Clicking on the domain will display its users. From here, the system administrator can narrow down the one (or more) users sending the largest amount of email.

The next steps are generally up to the administrator. They can either Manage the domain and change the user's password, disable the user, or delete the account entirely to stop the spammer from relaying through the server.
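The Spool Dashboard steps (Top Outbound Senders, Top Outbound IP Addresses) and the Message Traffic report steps above are all the same triage performed in the SmarterMail interface: rank outbound deliveries by account, by authenticating IP and by domain, and look for the outlier. The script below is an added example, not SmarterMail's own code, that performs the same ranking over SMTP delivery log lines. The log line layout (`auth=... ip=... rcpt=...`) is a simplified, hypothetical format assumed for the example, not SmarterMail's actual log format, and the sample lines and the flagging thresholds are constructed for illustration.

```python
"""Rank outbound senders, source IPs and domains from SMTP delivery log lines.

Added example; the log layout below is a simplified, hypothetical format
assumed for illustration, not SmarterMail's actual SMTP log format.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# One outbound delivery per line: timestamp, authenticated account,
# source IP that authenticated, and the recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"auth=(?P<account>[^ ]+) ip=(?P<ip>[^ ]+) rcpt=(?P<rcpt>[^ ]+)$"
)

# Constructed sample log: three normal accounts, one non-record line, and
# one account producing the kind of burst a hijacked mailbox generates.
SAMPLE_LOG = [
    "2014-09-22 08:01:13 auth=alice@example.com ip=198.51.100.10 rcpt=bob@example.net",
    "2014-09-22 08:02:40 auth=alice@example.com ip=198.51.100.10 rcpt=carol@example.net",
    "2014-09-22 08:05:02 auth=alice@example.com ip=198.51.100.10 rcpt=dan@example.net",
    "2014-09-22 08:06:55 auth=bob@example.org ip=198.51.100.20 rcpt=erin@example.net",
    "2014-09-22 08:07:31 auth=bob@example.org ip=198.51.100.20 rcpt=frank@example.net",
    "2014-09-22 08:09:10 auth=carol@example.org ip=198.51.100.30 rcpt=grace@example.net",
    "this line is not a delivery record and is skipped by the parser",
]
# Forty deliveries for one account, rotating across four source addresses
# (step 8 above: one account, several authenticating IPs).
SAMPLE_LOG += [
    f"2014-09-22 08:1{i // 10}:{i % 10:02d} auth=dave@example.com "
    f"ip=203.0.113.{(i % 4) + 1} rcpt=user{i}@example.net"
    for i in range(40)
]


def parse_line(line):
    """Return a dict for one outbound delivery, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["account"] = rec["account"].lower()
    rec["domain"] = rec["account"].rpartition("@")[2]
    return rec


def parse_log(lines):
    """Parse every matching line, silently dropping lines that are not deliveries."""
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


def top_outbound_senders(records, n=5):
    """Equivalent of the Top Outbound Senders panel: accounts by delivery count."""
    return Counter(r["account"] for r in records).most_common(n)


def source_ips_per_account(records):
    """Equivalent of Top Outbound IP Addresses, grouped by the authenticating account."""
    ips = defaultdict(Counter)
    for r in records:
        ips[r["account"]][r["ip"]] += 1
    return ips


def outbound_by_domain(records):
    """Equivalent of the Message Traffic report's outgoing column, per domain."""
    return Counter(r["domain"] for r in records).most_common()


def flag_suspects(records, volume_factor=5, ip_threshold=3):
    """Flag accounts whose delivery count is far above the per-account median,
    or that authenticated from many distinct IPs. Both thresholds are
    illustrative assumptions, not SmarterMail settings."""
    counts = Counter(r["account"] for r in records)
    if not counts:
        return []
    baseline = median(counts.values())
    ips = source_ips_per_account(records)
    flagged = []
    for account, n in counts.most_common():
        reasons = []
        if n >= volume_factor * baseline:
            reasons.append(f"{n} deliveries vs median {baseline:g}")
        if len(ips[account]) >= ip_threshold:
            reasons.append(f"{len(ips[account])} distinct source IPs")
        if reasons:
            flagged.append((account, reasons))
    return flagged


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("Top outbound senders:", top_outbound_senders(records))
    print("Outgoing by domain:", outbound_by_domain(records))
    for account, reasons in flag_suspects(records):
        ips = source_ips_per_account(records)[account]
        print(f"SUSPECT {account}: {'; '.join(reasons)}; IPs={sorted(ips)}")
```

The median-based volume check is deliberately relative rather than a fixed message count, so a busy but legitimate mailing-list account on one server is not flagged by the same rule that catches a single hijacked mailbox on another; the distinct-IP check mirrors step 8, where one compromised account is driven from several source addresses. Once an account is flagged, the follow-up is the same as in the steps above: review the held messages, then disable the account or change its password.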

 


Feedback

This article seems incomplete because it doesn't mention checking the SMTP logs (for authenticated user) nor checking the actual messages in the spool. Thanks!
Brett Garrett (September 22, 2014 at 8:01 AM)
