Seems like Solicited Spam
Problem reported by devang - April 9, 2016 at 12:11 AM
Submitted
Hello,
 
All of a sudden many users on our server have started getting marketing mail from one SNEHA sending all sorts of CITIBANK offers, it uses diff IP address with every mail
 
Sender ID's first part "sneha@srv1".[domain changes.com]  remains same but suffix / second part keep changes with every mail, i can't seem to find which ID is compromised to send such mails , my all logs are set on detailed, i've given my SMTP log output of few deliveries  
 

00:28:15 [188.166.14.169][13823647] rsp: 220 mail.ourhostname.com
00:28:15 [188.166.14.169][13823647] connected at 4/9/2016 12:28:15 AM
00:28:15 [188.166.14.169][13823647] cmd: EHLO srv1.biggestsale.in
00:28:15 [188.166.14.169][13823647] rsp: 250-mail.ourhostname.com Hello [188.166.14.169]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:28:15 [188.166.14.169][13823647] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:15 [188.166.14.169][13823647] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:15 [188.166.14.169][13823647] cmd: RCPT TO:<user1@custdomain.com>
00:28:15 [188.166.14.169][13823647] rsp: 452 <user1@custdomain.com> Mailbox size limit exceeded
00:28:15 [188.166.14.169][13823647] cmd: QUIT
00:28:15 [188.166.14.169][13823647] rsp: 221 Service closing transmission channel
00:28:15 [188.166.14.169][13823647] disconnected at 4/9/2016 12:28:15 AM
00:28:20 [107.170.3.199][37206595] rsp: 220 mail.ourhostname.com
00:28:20 [107.170.3.199][37206595] connected at 4/9/2016 12:28:20 AM
00:28:20 [107.170.3.199][37206595] cmd: EHLO srv9.biggestsale.in
00:28:20 [107.170.3.199][37206595] rsp: 250-mail.ourhostname.com Hello [107.170.3.199]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:28:20 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:20 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:21 [107.170.3.199][37206595] cmd: RCPT TO:<user2@custdomain.com>
00:28:21 [107.170.3.199][37206595] rsp: 452 <user2@custdomain.com> Mailbox size limit exceeded
00:28:21 [107.170.3.199][37206595] cmd: RSET
00:28:21 [107.170.3.199][37206595] rsp: 250 OK
00:28:21 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:21 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:21 [107.170.3.199][37206595] cmd: RCPT TO:<user5@custdomain.com>
00:28:21 [107.170.3.199][37206595] rsp: 452 <user5@custdomain.com> Mailbox size limit exceeded
00:28:21 [107.170.3.199][37206595] cmd: RSET
00:28:21 [107.170.3.199][37206595] rsp: 250 OK
00:28:22 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:22 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:22 [107.170.3.199][37206595] cmd: RCPT TO:<jyoti@custdomain.com>
00:28:22 [107.170.3.199][37206595] rsp: 452 <jyoti@custdomain.com> Mailbox size limit exceeded
00:28:22 [107.170.3.199][37206595] cmd: RSET
00:28:22 [107.170.3.199][37206595] rsp: 250 OK
00:28:22 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:22 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:22 [107.170.3.199][37206595] cmd: RCPT TO:<jyoti@custdomain.com>
00:28:22 [107.170.3.199][37206595] rsp: 452 <jyoti@custdomain.com> Mailbox size limit exceeded
00:28:23 [107.170.3.199][37206595] cmd: QUIT
00:28:23 [107.170.3.199][37206595] rsp: 221 Service closing transmission channel
00:28:23 [107.170.3.199][37206595] disconnected at 4/9/2016 12:28:23 AM

00:33:44 [45.55.35.15][57848855] rsp: 220 mail.ourhostname.com
00:33:44 [45.55.35.15][57848855] connected at 4/9/2016 12:33:44 AM
00:33:44 [45.55.35.15][57848855] cmd: EHLO srv5.biggestsale.in
00:33:44 [45.55.35.15][57848855] rsp: 250-mail.ourhostname.com Hello [45.55.35.15]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:33:44 [45.55.35.15][57848855] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:33:44 [45.55.35.15][57848855] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:33:44 [45.55.35.15][57848855] cmd: RCPT TO:<user3@custdomain2.com>
00:33:44 [45.55.35.15][57848855] rsp: 452 <user3@custdomain2.com> Mailbox size limit exceeded
00:33:45 [45.55.35.15][57848855] cmd: QUIT
00:33:45 [45.55.35.15][57848855] rsp: 221 Service closing transmission channel
00:33:45 [45.55.35.15][57848855] disconnected at 4/9/2016 12:33:45 AM

00:49:52 [104.37.184.125][32089619] rsp: 220 mail.ourhostname.com
00:49:52 [104.37.184.125][32089619] connected at 4/9/2016 12:49:52 AM
00:49:52 [104.37.184.125][32089619] cmd: EHLO mta125.vconnectbox.in
00:49:52 [104.37.184.125][32089619] rsp: 250-mail.ourhostname.com Hello [104.37.184.125]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:49:52 [104.37.184.125][32089619] cmd: MAIL FROM:<sneha@srv4.vconnectbox.in>
00:49:52 [104.37.184.125][32089619] rsp: 250 OK <sneha@srv4.vconnectbox.in> Sender ok
00:49:52 [104.37.184.125][32089619] cmd: RCPT TO:<smwrwest@custdomain2.com>
00:49:52 [104.37.184.125][32089619] rsp: 452 <smwrwest@custdomain2.com> Mailbox size limit exceeded
00:49:55 [104.37.184.125][32089619] cmd: RSET
00:49:55 [104.37.184.125][32089619] rsp: 250 OK
00:49:56 [104.37.184.125][32089619] cmd: MAIL FROM:<sneha@srv4.vconnectbox.in>
00:49:56 [104.37.184.125][32089619] rsp: 250 OK <sneha@srv4.vconnectbox.in> Sender ok
00:49:56 [104.37.184.125][32089619] cmd: RCPT TO:<user5@custdomain2.com>
00:49:56 [104.37.184.125][32089619] rsp: 452 <user5@custdomain2.com> Mailbox size limit exceeded
00:49:58 [104.37.184.125][32089619] cmd: QUIT
00:49:58 [104.37.184.125][32089619] rsp: 221 Service closing transmission channel
00:49:58 [104.37.184.125][32089619] disconnected at 4/9/2016 12:49:58 AM

00:50:37 [107.170.3.199][7177866] rsp: 220 mail.ourhostname.com
00:50:37 [107.170.3.199][7177866] connected at 4/9/2016 12:50:37 AM
00:50:37 [107.170.3.199][7177866] cmd: EHLO srv9.biggestsale.in
00:50:37 [107.170.3.199][7177866] rsp: 250-mail.ourhostname.com Hello [107.170.3.199]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:50:38 [107.170.3.199][7177866] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:50:38 [107.170.3.199][7177866] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:50:38 [107.170.3.199][7177866] cmd: RCPT TO:<delhi@custdomain3.com>
00:50:38 [107.170.3.199][7177866] rsp: 452 <delhi@custdomain3.com> Mailbox size limit exceeded
00:50:38 [107.170.3.199][7177866] cmd: RSET
00:50:38 [107.170.3.199][7177866] rsp: 250 OK
00:50:38 [107.170.3.199][7177866] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:50:38 [107.170.3.199][7177866] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:50:38 [107.170.3.199][7177866] cmd: RCPT TO:<delhi@custdomain3.com>
00:50:38 [107.170.3.199][7177866] rsp: 452 <delhi@custdomain3.com> Mailbox size limit exceeded
00:50:39 [107.170.3.199][7177866] cmd: QUIT
00:50:39 [107.170.3.199][7177866] rsp: 221 Service closing transmission channel
00:50:39 [107.170.3.199][7177866] disconnected at 4/9/2016 12:50:39 AM

00:51:22 [159.203.64.23][2063564] rsp: 220 mail.ourhostname.com
00:51:22 [159.203.64.23][2063564] connected at 4/9/2016 12:51:22 AM
00:51:22 [159.203.64.23][2063564] cmd: EHLO srv6.biggestsale.in
00:51:22 [159.203.64.23][2063564] rsp: 250-mail.ourhostname.com Hello [159.203.64.23]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:51:22 [159.203.64.23][2063564] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:51:22 [159.203.64.23][2063564] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:51:22 [159.203.64.23][2063564] cmd: RCPT TO:<user4@custdomain2.com>
00:51:22 [159.203.64.23][2063564] rsp: 452 <user4@custdomain2.com> Mailbox size limit exceeded
00:51:23 [159.203.64.23][2063564] cmd: QUIT
00:51:23 [159.203.64.23][2063564] rsp: 221 Service closing transmission channel
00:51:23 [159.203.64.23][2063564] disconnected at 4/9/2016 12:51:23 AM

00:52:54 [188.166.73.178][28278292] rsp: 220 mail.ourhostname.com
00:52:54 [188.166.73.178][28278292] connected at 4/9/2016 12:52:54 AM
00:52:55 [188.166.73.178][28278292] cmd: EHLO srv4.biggestsale.in
00:52:55 [188.166.73.178][28278292] rsp: 250-mail.ourhostname.com Hello [188.166.73.178]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:52:55 [188.166.73.178][28278292] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:52:55 [188.166.73.178][28278292] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:52:55 [188.166.73.178][28278292] cmd: RCPT TO:<user6@custdomain2.com>
00:52:55 [188.166.73.178][28278292] rsp: 452 <user6@custdomain2.com> Mailbox size limit exceeded
00:52:55 [188.166.73.178][28278292] cmd: QUIT
00:52:55 [188.166.73.178][28278292] rsp: 221 Service closing transmission channel
00:52:55 [188.166.73.178][28278292] disconnected at 4/9/2016 12:52:55 AM
 
 
 

3 Replies

Reply to Thread
0
Lucidio Arruda Neto Replied
Do a SMTP Block on sneha@srv*
 
>Security>Advanced Settings > SMTP Blocking > New >Blocked Address > sneha@srv*
or sneha@*
0
devang Replied
Super, i have blocked as your mentioned & will wait for results 
 
I have still not managed to find compromised account used for sending such mails, what if the sender changes complete address everytime instead of just suffix domain name !
0
Linda Pagillo Replied
Hi Devang. If you feel this is a compromised account that is sending out these emails, we have a free program that can help. It's called Declude Hijack. You can find it and our user's manual on our website at the following link: http://mailsbestfriend.com/downloads . If you have any questions about the program, please ask.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 

Reply to Thread