Seems like Solicited Spam
Problem reported by devang - 4/9/2016 at 12:11 AM
Hello,

All of a sudden, many users on our server have started getting marketing mail from one SNEHA sending all sorts of CITIBANK offers; it uses a different IP address with every mail.

The sender ID's first part "sneha@srv1".[domain changes.com] remains the same, but the suffix / second part keeps changing with every mail. I can't seem to find which ID is compromised to send such mails. All my logs are set to detailed; I've given my SMTP log output of a few deliveries:

00:28:15 [188.166.14.169][13823647] rsp: 220 mail.ourhostname.com
00:28:15 [188.166.14.169][13823647] connected at 4/9/2016 12:28:15 AM
00:28:15 [188.166.14.169][13823647] cmd: EHLO srv1.biggestsale.in
00:28:15 [188.166.14.169][13823647] rsp: 250-mail.ourhostname.com Hello [188.166.14.169]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:28:15 [188.166.14.169][13823647] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:15 [188.166.14.169][13823647] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:15 [188.166.14.169][13823647] cmd: RCPT TO:<user1@custdomain.com>
00:28:15 [188.166.14.169][13823647] rsp: 452 <user1@custdomain.com> Mailbox size limit exceeded
00:28:15 [188.166.14.169][13823647] cmd: QUIT
00:28:15 [188.166.14.169][13823647] rsp: 221 Service closing transmission channel
00:28:15 [188.166.14.169][13823647] disconnected at 4/9/2016 12:28:15 AM
00:28:20 [107.170.3.199][37206595] rsp: 220 mail.ourhostname.com
00:28:20 [107.170.3.199][37206595] connected at 4/9/2016 12:28:20 AM
00:28:20 [107.170.3.199][37206595] cmd: EHLO srv9.biggestsale.in
00:28:20 [107.170.3.199][37206595] rsp: 250-mail.ourhostname.com Hello [107.170.3.199]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:28:20 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:20 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:21 [107.170.3.199][37206595] cmd: RCPT TO:<user2@custdomain.com>
00:28:21 [107.170.3.199][37206595] rsp: 452 <user2@custdomain.com> Mailbox size limit exceeded
00:28:21 [107.170.3.199][37206595] cmd: RSET
00:28:21 [107.170.3.199][37206595] rsp: 250 OK
00:28:21 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:21 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:21 [107.170.3.199][37206595] cmd: RCPT TO:<user5@custdomain.com>
00:28:21 [107.170.3.199][37206595] rsp: 452 <user5@custdomain.com> Mailbox size limit exceeded
00:28:21 [107.170.3.199][37206595] cmd: RSET
00:28:21 [107.170.3.199][37206595] rsp: 250 OK
00:28:22 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:22 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:22 [107.170.3.199][37206595] cmd: RCPT TO:<jyoti@custdomain.com>
00:28:22 [107.170.3.199][37206595] rsp: 452 <jyoti@custdomain.com> Mailbox size limit exceeded
00:28:22 [107.170.3.199][37206595] cmd: RSET
00:28:22 [107.170.3.199][37206595] rsp: 250 OK
00:28:22 [107.170.3.199][37206595] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:28:22 [107.170.3.199][37206595] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:28:22 [107.170.3.199][37206595] cmd: RCPT TO:<jyoti@custdomain.com>
00:28:22 [107.170.3.199][37206595] rsp: 452 <jyoti@custdomain.com> Mailbox size limit exceeded
00:28:23 [107.170.3.199][37206595] cmd: QUIT
00:28:23 [107.170.3.199][37206595] rsp: 221 Service closing transmission channel
00:28:23 [107.170.3.199][37206595] disconnected at 4/9/2016 12:28:23 AM

00:33:44 [45.55.35.15][57848855] rsp: 220 mail.ourhostname.com
00:33:44 [45.55.35.15][57848855] connected at 4/9/2016 12:33:44 AM
00:33:44 [45.55.35.15][57848855] cmd: EHLO srv5.biggestsale.in
00:33:44 [45.55.35.15][57848855] rsp: 250-mail.ourhostname.com Hello [45.55.35.15]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:33:44 [45.55.35.15][57848855] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:33:44 [45.55.35.15][57848855] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:33:44 [45.55.35.15][57848855] cmd: RCPT TO:<user3@custdomain2.com>
00:33:44 [45.55.35.15][57848855] rsp: 452 <user3@custdomain2.com> Mailbox size limit exceeded
00:33:45 [45.55.35.15][57848855] cmd: QUIT
00:33:45 [45.55.35.15][57848855] rsp: 221 Service closing transmission channel
00:33:45 [45.55.35.15][57848855] disconnected at 4/9/2016 12:33:45 AM

00:49:52 [104.37.184.125][32089619] rsp: 220 mail.ourhostname.com
00:49:52 [104.37.184.125][32089619] connected at 4/9/2016 12:49:52 AM
00:49:52 [104.37.184.125][32089619] cmd: EHLO mta125.vconnectbox.in
00:49:52 [104.37.184.125][32089619] rsp: 250-mail.ourhostname.com Hello [104.37.184.125]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:49:52 [104.37.184.125][32089619] cmd: MAIL FROM:<sneha@srv4.vconnectbox.in>
00:49:52 [104.37.184.125][32089619] rsp: 250 OK <sneha@srv4.vconnectbox.in> Sender ok
00:49:52 [104.37.184.125][32089619] cmd: RCPT TO:<smwrwest@custdomain2.com>
00:49:52 [104.37.184.125][32089619] rsp: 452 <smwrwest@custdomain2.com> Mailbox size limit exceeded
00:49:55 [104.37.184.125][32089619] cmd: RSET
00:49:55 [104.37.184.125][32089619] rsp: 250 OK
00:49:56 [104.37.184.125][32089619] cmd: MAIL FROM:<sneha@srv4.vconnectbox.in>
00:49:56 [104.37.184.125][32089619] rsp: 250 OK <sneha@srv4.vconnectbox.in> Sender ok
00:49:56 [104.37.184.125][32089619] cmd: RCPT TO:<user5@custdomain2.com>
00:49:56 [104.37.184.125][32089619] rsp: 452 <user5@custdomain2.com> Mailbox size limit exceeded
00:49:58 [104.37.184.125][32089619] cmd: QUIT
00:49:58 [104.37.184.125][32089619] rsp: 221 Service closing transmission channel
00:49:58 [104.37.184.125][32089619] disconnected at 4/9/2016 12:49:58 AM

00:50:37 [107.170.3.199][7177866] rsp: 220 mail.ourhostname.com
00:50:37 [107.170.3.199][7177866] connected at 4/9/2016 12:50:37 AM
00:50:37 [107.170.3.199][7177866] cmd: EHLO srv9.biggestsale.in
00:50:37 [107.170.3.199][7177866] rsp: 250-mail.ourhostname.com Hello [107.170.3.199]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:50:38 [107.170.3.199][7177866] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:50:38 [107.170.3.199][7177866] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:50:38 [107.170.3.199][7177866] cmd: RCPT TO:<delhi@custdomain3.com>
00:50:38 [107.170.3.199][7177866] rsp: 452 <delhi@custdomain3.com> Mailbox size limit exceeded
00:50:38 [107.170.3.199][7177866] cmd: RSET
00:50:38 [107.170.3.199][7177866] rsp: 250 OK
00:50:38 [107.170.3.199][7177866] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:50:38 [107.170.3.199][7177866] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:50:38 [107.170.3.199][7177866] cmd: RCPT TO:<delhi@custdomain3.com>
00:50:38 [107.170.3.199][7177866] rsp: 452 <delhi@custdomain3.com> Mailbox size limit exceeded
00:50:39 [107.170.3.199][7177866] cmd: QUIT
00:50:39 [107.170.3.199][7177866] rsp: 221 Service closing transmission channel
00:50:39 [107.170.3.199][7177866] disconnected at 4/9/2016 12:50:39 AM

00:51:22 [159.203.64.23][2063564] rsp: 220 mail.ourhostname.com
00:51:22 [159.203.64.23][2063564] connected at 4/9/2016 12:51:22 AM
00:51:22 [159.203.64.23][2063564] cmd: EHLO srv6.biggestsale.in
00:51:22 [159.203.64.23][2063564] rsp: 250-mail.ourhostname.com Hello [159.203.64.23]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:51:22 [159.203.64.23][2063564] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:51:22 [159.203.64.23][2063564] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:51:22 [159.203.64.23][2063564] cmd: RCPT TO:<user4@custdomain2.com>
00:51:22 [159.203.64.23][2063564] rsp: 452 <user4@custdomain2.com> Mailbox size limit exceeded
00:51:23 [159.203.64.23][2063564] cmd: QUIT
00:51:23 [159.203.64.23][2063564] rsp: 221 Service closing transmission channel
00:51:23 [159.203.64.23][2063564] disconnected at 4/9/2016 12:51:23 AM

00:52:54 [188.166.73.178][28278292] rsp: 220 mail.ourhostname.com
00:52:54 [188.166.73.178][28278292] connected at 4/9/2016 12:52:54 AM
00:52:55 [188.166.73.178][28278292] cmd: EHLO srv4.biggestsale.in
00:52:55 [188.166.73.178][28278292] rsp: 250-mail.ourhostname.com Hello [188.166.73.178]250-SIZE 14680064250-AUTH LOGIN CRAM-MD5250 OK
00:52:55 [188.166.73.178][28278292] cmd: MAIL FROM:<sneha@srv1.biggestsale.in>
00:52:55 [188.166.73.178][28278292] rsp: 250 OK <sneha@srv1.biggestsale.in> Sender ok
00:52:55 [188.166.73.178][28278292] cmd: RCPT TO:<user6@custdomain2.com>
00:52:55 [188.166.73.178][28278292] rsp: 452 <user6@custdomain2.com> Mailbox size limit exceeded
00:52:55 [188.166.73.178][28278292] cmd: QUIT
00:52:55 [188.166.73.178][28278292] rsp: 221 Service closing transmission channel
00:52:55 [188.166.73.178][28278292] disconnected at 4/9/2016 12:52:55 AM
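An added example, not part of the thread: a small parser for log lines in the layout shown above that groups them by client IP and session id, records whether the session completed an AUTH exchange (server reply 235), and lists which envelope senders arrive unauthenticated from several distinct IPs. In the sessions quoted above no AUTH command appears at all, so the repeated MAIL FROM is inbound mail from outside rather than a local account relaying; the sample lines, IPs and domains below are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# SmarterMail-style layout from the thread: "HH:MM:SS [client-ip][session-id] cmd:/rsp: ..."
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d \[([^\]]+)\]\[(\d+)\] (.*)$")
MAIL_FROM_RE = re.compile(r"^cmd: MAIL FROM:<([^>]*)>", re.I)

# Constructed sample (not the poster's data): two IPs reuse one sender with no AUTH, one local user AUTHs.
SAMPLE_LOG = """\
00:28:15 [198.51.100.10][1001] cmd: MAIL FROM:<sneha@srv1.bulk.example>
00:28:15 [198.51.100.10][1001] rsp: 452 <user1@custdomain.com> Mailbox size limit exceeded
00:28:20 [198.51.100.20][1002] cmd: MAIL FROM:<sneha@srv1.bulk.example>
00:30:00 [203.0.113.5][1003] cmd: AUTH LOGIN
00:30:00 [203.0.113.5][1003] rsp: 235 Authentication successful
00:30:01 [203.0.113.5][1003] cmd: MAIL FROM:<staff@custdomain.com>
"""
@dataclass
class Session:
    ip: str
    authenticated: bool = False           # server answered 235 to an AUTH exchange
    senders: set = field(default_factory=set)

def parse_sessions(log_text):
    """Group lines by (client IP, session id); record AUTH success and every MAIL FROM."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, sid, rest = m.groups()
        s = sessions.setdefault((ip, sid), Session(ip=ip))
        if rest.startswith("rsp: 235"):   # 235 is only ever "Authentication successful"
            s.authenticated = True
        elif mf := MAIL_FROM_RE.match(rest):
            s.senders.add(mf.group(1).lower())
    return sessions

def unauthenticated_sender_fanout(sessions):
    """Senders used WITHOUT AUTH -> sorted distinct client IPs. One sender arriving from
    many IPs with no AUTH is inbound mail from outside, not a local account relaying."""
    fanout = defaultdict(set)
    for s in sessions.values():
        if not s.authenticated:
            for addr in s.senders:
                fanout[addr].add(s.ip)
    return {addr: sorted(ips) for addr, ips in fanout.items()}

def authenticated_senders(sessions):
    """Senders that did AUTH first: the sessions to review for a hijacked local mailbox."""
    return sorted(a for s in sessions.values() if s.authenticated for a in s.senders)
```

Run it over a real log export and an empty result from `authenticated_senders` means no local credential was used for the traffic in question.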
3 Replies

Lucidio Arruda Neto Replied
Do an SMTP Block on sneha@srv*

Security > Advanced Settings > SMTP Blocking > New > Blocked Address > sneha@srv*
or sneha@*
devang Replied
Super, I have blocked as you mentioned and will wait for results.

I have still not managed to find the compromised account used for sending such mails. What if the sender changes the complete address every time instead of just the suffix domain name?
Linda Pagillo Replied
Hi Devang. If you feel this is a compromised account that is sending out these emails, we have a free program that can help. It's called Declude Hijack. You can find it and our user's manual on our website at the following link: http://mailsbestfriend.com/downloads . If you have any questions about the program, please ask.
Linda Pagillo | Mail's Best Friend | Email: linda.pagillo@mailsbestfriend.com | Web: www.mailsbestfriend.com | Authorized SmarterTools Reseller | Authorized Message Sniffer Reseller