Smartermail does not block a spammer when disabling it.
Problem reported by Jorge Euran Graham - September 10, 2015 at 4:50 AM
Submitted
I guess there is a bug with Smartermail 14.x   
I did notice this issue a few versions ago.
 
In the past, if an external spammer "guessed" a local user's password, they started sending email from our server, authenticating with that specific user account.
 
So we did a couple of things:
- An alert that was triggered if spool levels went above the "normal" load.
- A throttling of every user in the system so even when the spammer was trying to send thousands of mails in minutes, they were "throttled" and therefore, the negative impact was minimum
- The email in the From has to be the same email when authenticating, so its easier to block a spammer when knowing what accout to block.
 
With these in place, whenever we spotted a spammer:
- Searched for its local domain, found the email account and selected "Disable and do not allow mail" and then changed the password to a secure one.
- Went to spool, searched for that email account and deleted the thousands of mails
- And it worked great!!!!
 
NOW... Smartermail DOES NOT WORK AT ALL.
 
We have the same config, but when we try to stop the spammer, it doesnt get stopped. We have tried a lot of things, but at the end, we have to restart Smartermail service, which is annoying and should not be the case.
 
- We disable the account, as before
- Change the password
- Go to spool, delete the mails coming from that account... 
AND
- The mails keep appearing in the spool over and over and over.
- We tried blacklisting the IPs listed in SMTP connections from where the messages are coming, but they are too many and its a never ending process
- We went to the email account config, deselected all accesses (POP, IMAP, SMTP, etc.)
- Spam keeps coming
- Reloaded the domain where the spammer account is located
- Same story... spam keeps coming
- Disabled SMTP 
And now it stopped, but we dont want to have SMTP disabled.
- A few minutes later we started SMTP service again and it seems to have stopped.
 
Anyway, ST people, please look into this... Blocking a spammer should be a simple task.
 
Oh, and if I am doing anything wrong or there is another easier process, please let me know.
 
Thanks.
 

8 Replies

Reply to Thread
0
That probably means they are not using the user's account, but that your SmarterMail server has been compromised in some other manner. You will need to open a support ticket or engaged a,tech to get in and look at you server to resolve this because it's impossible to troubleshoot your issue with the information you have provided.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
There are many reasons a message could appear to be coming from someone's e-mail address when, in fact, the message is being sent through your SmarterMail server via some other method.
 
  • Do you have any IP ADDRESSES which are whitelisted? - very dangerous.
     
  • Do you have any DOMAINS which are whitelisted? - very dangerous.
     
  • Do you have anything listed in SMTP BYPASS? - very dangerous.
     
  • Do you enforce SMTP AUTHENTICATION for every domain?
     
  • Is ALLOW RELAY in SMTP IN set to NOBODY?  That's the ONLY safe setting.
     
  • What do the SMTP LOGS say?
 
Check for the both the user's e-mail address and the address to which the message is being sent and see what account is authenticating.
 
Unless an MX server is fully locked down, spammers will, not might, but will, find a way to send e-mail through the server.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Thanks Bruce... reponses below:
Do you have any IP ADDRESSES which are whitelisted? - very dangerous.
No.
 
Do you have any DOMAINS which are whitelisted? - very dangerous.
No.
 
Do you have anything listed in SMTP BYPASS? - very dangerous.
No
 
Do you enforce SMTP AUTHENTICATION for every domain?
Yes, and we do it as every email account has to authenticate with the same user:
Require Auth Match = Email address
In this way it would seem that it is imperative for someone to send emails to authenticate with the account that we see in the spool, right?
 
Is ALLOW RELAY in SMTP IN set to NOBODY?  That's the ONLY safe setting.
YES it is. 
(We actually have used your document to secure the server and configure antispam)  :)
 
What do the SMTP LOGS say?
 
Here are a few:
 
 
Part of the initial spamming attack logs... 
[2015.09.10] 06:27:19 [179.197.223.19][24492664] cmd: MAIL FROM: <email@localdomain.com>
[2015.09.10] 06:27:19 [179.197.223.19][24492664] rsp: 250 OK <email@localdomain.com> Sender ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nonstopgetit@yahoo.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nonstopgetit@yahoo.com> Recipient ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nonstp247@yahoo.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nonstp247@yahoo.com> Recipient ok
[2015.09.10] 06:27:20 [179.197.223.19][24492664] cmd: RCPT TO: <nont21@hotmail.com>
[2015.09.10] 06:27:20 [179.197.223.19][24492664] rsp: 250 OK <nont21@hotmail.com> Recipient ok
[2015.09.10] 06:27:22 [179.197.223.19][24492664] cmd: DATA
[2015.09.10] 06:27:22 [179.197.223.19][24492664] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.10] 06:27:22 [179.197.223.19][24492664] rsp: 250 OK
[2015.09.10] 06:27:22 [179.197.223.19][24492664] Data transfer succeeded, writing mail to 336217250886.eml
[2015.09.10] 06:27:23 [179.197.223.19][24492664] cmd: MAIL FROM: <email@localdomain.com>
[2015.09.10] 06:27:23 [179.197.223.19][24492664] rsp: 250 OK <email@localdomain.com> Sender ok

[2015.09.10] 06:27:27 [78.177.103.215][1008352] rsp: 220 mail.ourserver Thu, 10 Sep 2015 11:27:27 +0000 UTC - Smartermail
[2015.09.10] 06:27:27 [78.177.103.215][1008352] connected at 9/10/2015 6:27:27 AM
[2015.09.10] 06:27:28 [78.177.103.215][1008352] cmd: EHLO [10.0.1.171]
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 250-mail.ourserver Hello [78.177.103.215]250-SIZE 36700160250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.09.10] 06:27:28 [78.177.103.215][1008352] cmd: AUTH LOGIN
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 334 VXNlcm5hbWU6
[2015.09.10] 06:27:28 [78.177.103.215][1008352] Authenticating as email@localdomain.com
[2015.09.10] 06:27:28 [78.177.103.215][1008352] rsp: 334 UGFzc3dvcmQ6
 
 
Disabled it and Changed password
Seems that it still logs but fails authentication, but mails kept appearing on spool
[2015.09.10] 06:32:30 [123.25.77.254][38879811] rsp: 220 mail.ourserver Thu, 10 Sep 2015 11:32:30 +0000 UTC - Smartermail
[2015.09.10] 06:32:30 [123.25.77.254][38879811] connected at 9/10/2015 6:32:30 AM
[2015.09.10] 06:32:31 [123.25.77.254][38879811] cmd: EHLO kulupyl
[2015.09.10] 06:32:31 [123.25.77.254][38879811] rsp: 250-mail.ourserver Hello [123.25.77.254]250-SIZE 36700160250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.09.10] 06:32:31 [123.25.77.254][38879811] cmd: AUTH LOGIN
[2015.09.10] 06:32:31 [123.25.77.254][38879811] rsp: 334 VXNlcm5hbWU6
[2015.09.10] 06:32:32 [123.25.77.254][38879811] Authenticating as email@localdomain.com
[2015.09.10] 06:32:32 [123.25.77.254][38879811] rsp: 334 UGFzc3dvcmQ6
[2015.09.10] 06:32:33 [123.25.77.254][38879811] rsp: 535 Authentication failed
[2015.09.10] 06:32:33 [123.25.77.254][38879811] disconnected at 9/10/2015 6:32:33 AM
 
 
Blocked SMTP service for that account
Mails kept appearing on spool
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol-campbell-58@my56k.net has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carolcamrn@aol.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carolcannon_2@dslextreme.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol@carolmarah.com has completed (Bounced)
[2015.09.10] 06:30:57 [51326] Delivery for email@localdomain.com to carol@carolprobyn.orangehome.co.uk has completed (Bounced)
[2015.09.10] 06:30:57 [51319] Delivery finished for email@localdomain.com at 6:30:57 AM    [id:336217251319]
[2015.09.10] 06:30:57 [51318] Delivery finished for email@localdomain.com at 6:30:57 AM    [id:336217251318]
[2015.09.10] 06:30:57 [51331] Skipping spam checks: No local recipients
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargochest@hotmail.com has completed (Bounced)
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargochi@yahoo.com.mx has completed (Bounced)
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargo.club@wanadoo.fr has completed (Bounced)
[2015.09.10] 06:30:57 [51314] Sending remote mail for email@localdomain.com
[2015.09.10] 06:30:57 [51321] Delivery for email@localdomain.com to cargod@cwie.net has completed (Bounced)
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed
[2015.09.10] 06:30:57 [51314] Outgoing SMTP is not allowed
 
I had to stop SMTP service for the whole server and then restart and it finally made all the emails from that account to stop... :(
 
Any suggestions?
0
Bruce, I just noticed a new option in SMTP in... 
 
Max Messages Per Session
 
(at least new for me)
 
This might also help to minimize the problem... Wonder what a good value should be
0
It might be that the spammer stays logged in, and that login survives the password change, until they are logged off OR the service is stopped/restarted at the server.  Is that possible?
 
 
4
Hi Guys! 
 
Occasionally I have the same problem as Jorge, just today in fact.  All precautions in place, yet spam keeps appearing in the spool even after the user is completely disabled and password changed.  Seems like it would have to be the session(s) persisting through the disabling and password change. 
 
Hey SmarterTools, if you're listening, you could terminate all sessions for the user as soon as they're disabled, could you not??? 
 
Scott Hendrickson
SOS4Net, Inc.
Centennial, CO. U.S.A.
2
Confirmed as of SmarterMail 14, an existing HTTP session is NOT terminated when the account password is changed. But it should be, since I have seen spam incidents via HTTP. (I didn't test SMTP sessions, but they need to be terminated as well.)
 
How I tested: used MSIE to log in as email user, used Chrome to log in as admin and change user's password, then used MSIE to send message to an outside email address. Message was received.
1
Until this is fixed by SmarterTools, here are some simple work-around for the interim:
 
Go to SECURITY > ADVANCED SETTINGS > SMTP BLOCKING and add the compromised email address. That will prevent any outgoing email immediately even though their session is still active. Obviously the legitimate user won't be able to send either until the spammer's session has expired and you've removed them from this list.
 
Although a better option might be going to MANAGE > USER ACTIVITY > ONLINE USERS and end the session(s) of that account after the password had been changed.

Reply to Thread