Smartermail does not block a spammer when disabling it.

Problem reported by Jaime - 9/10/2015 at 4:50 AM

Submitted

I guess there is a bug with Smartermail 14.x

I did notice this issue a few versions ago.

In the past, if an external spammer "guessed" a local user's password, they started sending email from our server, authenticating with that specific user account.

So we did a couple of things:

- An alert that was triggered if spool levels went above the "normal" load.

- A throttling of every user in the system so even when the spammer was trying to send thousands of mails in minutes, they were "throttled" and therefore, the negative impact was minimum

- The email in the From has to be the same email when authenticating, so its easier to block a spammer when knowing what accout to block.

With these in place, whenever we spotted a spammer:

- Searched for its local domain, found the email account and selected "Disable and do not allow mail" and then changed the password to a secure one.

- Went to spool, searched for that email account and deleted the thousands of mails

- And it worked great!!!!

NOW... Smartermail DOES NOT WORK AT ALL.

We have the same config, but when we try to stop the spammer, it doesnt get stopped. We have tried a lot of things, but at the end, we have to restart Smartermail service, which is annoying and should not be the case.

- We disable the account, as before

- Change the password

- Go to spool, delete the mails coming from that account...

AND

- The mails keep appearing in the spool over and over and over.

- We tried blacklisting the IPs listed in SMTP connections from where the messages are coming, but they are too many and its a never ending process

- We went to the email account config, deselected all accesses (POP, IMAP, SMTP, etc.)

- Spam keeps coming

- Reloaded the domain where the spammer account is located

- Same story... spam keeps coming

- Disabled SMTP

And now it stopped, but we dont want to have SMTP disabled.

- A few minutes later we started SMTP service again and it seems to have stopped.

Anyway, ST people, please look into this... Blocking a spammer should be a simple task.

Oh, and if I am doing anything wrong or there is another easier process, please let me know.

Thanks.

15 Replies

Reply to Thread

Bruce Barnes Replied

9/10/2015 at 5:34 AM

That probably means they are not using the user's account, but that your SmarterMail server has been compromised in some other manner. You will need to open a support ticket or engaged a,tech to get in and look at you server to resolve this because it's impossible to troubleshoot your issue with the information you have provided.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Jaime Replied

9/10/2015 at 6:27 AM

Hi Bruce. Thanks for the reply. I believe it IS the user's account, because if I disable the account (as I had always done) and then restart Smartemail mail service, it works and blocks all other incoming mail from that user and spamming stops... The issue is that a few versions back (I think 12.x and below) it didnt need a restart....

Bruce Barnes Replied

9/10/2015 at 8:16 AM

There are many reasons a message could appear to be coming from someone's e-mail address when, in fact, the message is being sent through your SmarterMail server via some other method.

Do you have any IP ADDRESSES which are whitelisted? - very dangerous.
Do you have any DOMAINS which are whitelisted? - very dangerous.
Do you have anything listed in SMTP BYPASS? - very dangerous.
Do you enforce SMTP AUTHENTICATION for every domain?
Is ALLOW RELAY in SMTP IN set to NOBODY? That's the ONLY safe setting.
What do the SMTP LOGS say?

Check for the both the user's e-mail address and the address to which the message is being sent and see what account is authenticating.

Unless an MX server is fully locked down, spammers will, not might, but will, find a way to send e-mail through the server.

Jaime Replied

9/10/2015 at 8:59 AM

Thanks Bruce... reponses below:

Do you have any IP ADDRESSES which are whitelisted? - very dangerous.
No.

Do you have any DOMAINS which are whitelisted? - very dangerous.
No.

Do you have anything listed in SMTP BYPASS? - very dangerous.
No

Do you enforce SMTP AUTHENTICATION for every domain?
Yes, and we do it as every email account has to authenticate with the same user:
Require Auth Match = Email address
In this way it would seem that it is imperative for someone to send emails to authenticate with the account that we see in the spool, right?

Is ALLOW RELAY in SMTP IN set to NOBODY? That's the ONLY safe setting.
YES it is.
(We actually have used your document to secure the server and configure antispam) :)

What do the SMTP LOGS say?

Here are a few:

Part of the initial spamming attack logs...
[2015.09.10] 06:27:19 [179.197.223.19][24492664] cmd: MAIL FROM: <email@localdomain.com>
[2015.09.10] 06:27:19 [179.197.223.19][24492664] rsp: 250 OK <email@localdomain.com> Sender ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nonstopgetit@yahoo.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nonstopgetit@yahoo.com> Recipient ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nonstp247@yahoo.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nonstp247@yahoo.com> Recipient ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nont21@hotmail.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nont21@hotmail.com> Recipient ok
[2015.09.10] 06:27:22 [179.197.223.19][24492664] cmd: DATA
[2015.09.10] 06:27:22 [179.197.223.19][24492664] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.10] 06:27:22 [179.197.223.19][24492664] rsp: 250 OK
[2015.09.10] 06:27:22 [179.197.223.19][24492664] Data transfer succeeded, writing mail to 336217250886.eml
[2015.09.10] 06:27:23 [179.197.223.19][24492664] cmd: MAIL FROM: <email@localdomain.com>
[2015.09.10] 06:27:23 [179.197.223.19][24492664] rsp: 250 OK <email@localdomain.com> Sender ok

[2015.09.10] 06:27:27 [78.177.103.215][1008352] rsp: 220 mail.ourserver Thu, 10 Sep 2015 11:27:27 +0000 UTC - Smartermail
[2015.09.10] 06:27:27 [78.177.103.215][1008352] connected at 9/10/2015 6:27:27 AM
[2015.09.10] 06:27:28 [78.177.103.215][1008352] cmd: EHLO [10.0.1.171]
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 250-mail.ourserver Hello [78.177.103.215]250-SIZE 36700160250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.09.10] 06:27:28 [78.177.103.215][1008352] cmd: AUTH LOGIN
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 334 VXNlcm5hbWU6
[2015.09.10] 06:27:28 [78.177.103.215][1008352] Authenticating as email@localdomain.com
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 334 UGFzc3dvcmQ6

Disabled it and Changed password

Seems that it still logs but fails authentication, but mails kept appearing on spool
[2015.09.10] 06:32:30 [123.25.77.254][38879811] rsp: 220 mail.ourserver Thu, 10 Sep 2015 11:32:30 +0000 UTC - Smartermail
[2015.09.10] 06:32:30 [123.25.77.254][38879811] connected at 9/10/2015 6:32:30 AM
[2015.09.10] 06:32:31 [123.25.77.254][38879811] cmd: EHLO kulupyl
[2015.09.10] 06:32:31 [123.25.77.254][38879811] rsp: 250-mail.ourserver Hello [123.25.77.254]250-SIZE 36700160250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.09.10] 06:32:31 [123.25.77.254][38879811] cmd: AUTH LOGIN
[2015.09.10] 06:32:31 [123.25.77.254][38879811] rsp: 334 VXNlcm5hbWU6
[2015.09.10] 06:32:32 [123.25.77.254][38879811] Authenticating as email@localdomain.com
[2015.09.10] 06:32:32 [123.25.77.254][38879811] rsp: 334 UGFzc3dvcmQ6
[2015.09.10] 06:32:33 [123.25.77.254][38879811] rsp: 535 Authentication failed
[2015.09.10] 06:32:33 [123.25.77.254][38879811] disconnected at 9/10/2015 6:32:33 AM

Blocked SMTP service for that account
Mails kept appearing on spool

[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol-campbell-58@my56k.net has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carolcamrn@aol.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carolcannon_2@dslextreme.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol@carolmarah.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol@carolprobyn.orangehome.co.uk has completed (Bounced)
[2015.09.10] 06:30:57 [51319] Delivery finished for email@localdomain.com at 6:30:57 AM [id:336217251319]
[2015.09.10] 06:30:57 [51318] Delivery finished for email@localdomain.com at 6:30:57 AM [id:336217251318]
[2015.09.10] 06:30:57 [51331] Skipping spam checks: No local recipients
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargochest@hotmail.com has completed (Bounced)
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargochi@yahoo.com.mx has completed (Bounced)
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargo.club@wanadoo.fr has completed (Bounced)
[2015.09.10] 06:30:57 [51314] Sending remote mail for email@localdomain.com
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargod@cwie.net has completed (Bounced)
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed

I had to stop SMTP service for the whole server and then restart and it finally made all the emails from that account to stop... :(

Any suggestions?

Jaime Replied

9/10/2015 at 9:01 AM

Bruce, I just noticed a new option in SMTP in...

Max Messages Per Session

(at least new for me)

This might also help to minimize the problem... Wonder what a good value should be

Paul Blank Replied

9/10/2015 at 9:11 AM

It might be that the spammer stays logged in, and that login survives the password change, until they are logged off OR the service is stopped/restarted at the server. Is that possible?

Jaime Replied

9/10/2015 at 10:35 AM

I think that might be the case Paul... but it didnt happen in previous SM versions. I guess the spammer keeps many open connections and even when disabling user / changing password, the open sessions keep sending emails... I am going to begin using "max messages per session" option to see if it helps.

Paul Blank Replied

9/10/2015 at 10:49 AM

The next question along that line is - can you kill a particular session, maybe by IP address? Would be at the IIS level if it's a web session, no?

Jaime Replied

9/10/2015 at 11:08 AM

It was not at IIS level... It was SMTP sessions, I did blacklisted all the IPs that I saw that were sending those emails, but there were like 20 different ones... I guess the best solution would be to completeley block the user and its sessions as soon as we select the Disable account option. :) Hopefully ST will solve it.

Scott Hendrickson Replied

2/17/2016 at 5:12 PM

Hi Guys!

Occasionally I have the same problem as Jorge, just today in fact. All precautions in place, yet spam keeps appearing in the spool even after the user is completely disabled and password changed. Seems like it would have to be the session(s) persisting through the disabling and password change.

Hey SmarterTools, if you're listening, you could terminate all sessions for the user as soon as they're disabled, could you not???

Scott Hendrickson SOS4Net, Inc. Centennial, CO. U.S.A.

Brett Garrett Replied

2/24/2016 at 12:50 AM

Confirmed as of SmarterMail 14, an existing HTTP session is NOT terminated when the account password is changed. But it should be, since I have seen spam incidents via HTTP. (I didn't test SMTP sessions, but they need to be terminated as well.)

How I tested: used MSIE to log in as email user, used Chrome to log in as admin and change user's password, then used MSIE to send message to an outside email address. Message was received.

Scarab Replied

2/24/2016 at 3:47 PM

Until this is fixed by SmarterTools, here are some simple work-around for the interim:

Go to SECURITY > ADVANCED SETTINGS > SMTP BLOCKING and add the compromised email address. That will prevent any outgoing email immediately even though their session is still active. Obviously the legitimate user won't be able to send either until the spammer's session has expired and you've removed them from this list.

Although a better option might be going to MANAGE > USER ACTIVITY > ONLINE USERS and end the session(s) of that account after the password had been changed.

Jaime Alvarez Replied

2/24/2016 at 4:05 PM

This issue has been out there for 6 months... no real solution yet :(

Jaime Alvarez Replied

2/24/2016 at 4:05 PM

This issue has been out there for 6 months... no real solution yet :(

Brett Garrett Replied

2/26/2016 at 8:26 AM

And today I confirmed related issue: As Jorge and Scott both described above, mail that has been deleted (using SmarterMail interface) keeps reappearing in spool list. In the case I observed, it was the SAME messages that I had already deleted, not a lingering session issue. My delivery log filled with "Could not find file" exceptions. This is a BUG and I have submitted a ticket.

Back to Community Threads

Please leave this box unchecked

15 Replies

Reply to Thread

Tags

Related Knowledge Base Articles