Compromised user able to circumvent domain limits and send 200K emails in 24 hours
Problem reported by josh levine - March 2, 2017 at 8:51 AM
Woke up this morning to thousands of abuse reports. A user account had been compromised and had been sending emails at full blast all night. The total number of remote deliveries for this user was more than 200,000.
 
I disabled the user, but the spool kept filling with emails from the account even several minutes after it was disabled. It took a server restart to stop the flow. 
 
After the restart these outbound emails are not showing up at all in the Dashboard...
 
Compare this to the Traffic Report for the last 12 hours...
 
I also verified in the logs that these emails were in fact delivered to remote hosts over SMTP.
 
Why are these messages not reflected in the Dashboard? 
 
Is there anything that I can do to ensure that the Dashboard reflects *all* emails in the future so I can see problems like this?
 
Thank you.
 
-josh
 

16 Replies
Matt Petty Replied
Employee Post
The dashboard loses its data on server restart. Could this be the reason it's not showing that number? Did you restart before checking the dashboard? If so then unfortunately that data gets lost. 
 
If this is what occurred I can see us possibly dumping this data to a file that can be read back in when the server gets restarted, persisting this information.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Matthew Leyda Replied
I've seen the data being lost on server restart. It happens with IDS Blocks. Now we unplug the Network Cable first and do a restart as a last resort.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
josh levine Replied
Yes, the server was restarted so this would make sense. It would probably be better to show "NA"s in, say, the "Last 24 Hours" row when data only represents the past 5 minutes. Might also be good to add a "This data only reflects traffic for the past X:XX;XX since last restart." when the server has been restarted in the past 24 hours.
That works if you are standing in front of the server. Ours is 5 miles away in a data center.

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

Matthew Leyda Replied
Curtis,
That's a good point. Years ago, in a place far far away ... We used imail and you could force it to drop all SMTP connections without a reboot.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
User Replied
Hi Josh. Have you considered using Declude Hijack to prevent mass amounts of email from being sent out of your server in the case of a compromise like this? Declude Hijack is very easy to set up and implement into SM. If you are interested, we offer Declude 100% free from our website. I know a lot of SM users are using it, including myself. If you would like to check it out, visit our downloads page at http://mailsbestfriend.com/downloads. There is also a user manual there which explains how it works. If you have any question on how to set up and implement, please feel free to ask. I will be happy to help. Again, Declude is 100% FREE. We only charge for support which you probably won't need if you are only going to use the Hijack component. I hope this is helpful. Thanks.
Paul Blank Replied
SM already has throttling built-in, but it should have a Declude-like 2nd threshold as well that stops ALL outgoing email if desired.
josh levine Replied
Agreed. It looks like the built-in throttling changed at some point during version upgrades and did not port the previous settings conservatively? Previously, I had everything set to "reject" when limits reached, but under the new settings everything was set to "alert". Argh, very bad failure mode. Sadly now many of my server's emails are getting rejected due to bad reputation after !5 years without a single issue. :(

There should be a 2nd safety net like "Max server-wide outbound messages per hour" and it should be preconfigured to a reasonable level.
Paul Blank Replied
Alas, sounds like a good time to implement Declude.  Will take some work, but you can probably clear all or most of those bad RBL reports.
Paul Blank Replied
Linda, where can I find the installation instructions for Declude Hijack with SM? We are currently using Ultimate Spool Manager from mightyblue.com (for other filtering-redirect purposes). Will Declude Hijack interfere with that product (as far as you know)? Thanks!
User Replied
Hi Paul. I don't think we have instructions available on our site. I will create a set of instructions this week. It is very easy to install. Download the Declude 4.12.11 new install for SmarterMail from our website. Run the installer as admin on your server and Declude will install in the correct place. Once installed, if you only want to use the Hijack component of Declude, go to the Declude directory which will be located at SmarterMail\Declude and rename the global.cfg to global.cfg.off and rename the virus.cfg to virus.cfg.off. Next, open up the hijack.cfg and configure the two thresholds how you would like them. The definitions of each threshold are in the hijack.cfg file so you will understand what happens when each threshold is exceeded. Next, open the HijackNotify.eml and set the TO address to an address where you would like to be notified when outbound mail is held permanently by Hijack. Lastly, log into your SM admin interface and enable Declude there. It's a simple checkbox. That's all you need to do to make it work. As for Ultimate Spool Manager, I do not think you will have any conflicts. Thanks.
Matthew Leyda Replied
linda,
how are mailing lists handled/exempted?
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Paul Blank Replied
Looks like Declude may be able to replace the filtering that ultimate spool manager is doing for me as well.
 
Declude's features are disabled upon installation, until you enable them yourself, according to your response. Works for me.
User Replied
Hi Matthew. If you need Hijack to bypass an IP address or an authenticated email address, open the Hijack.cfg file and add the following lines:

ALLOWIP xxx.xxx.xxx.xxx

or

ALLOWADDR authenticateduser@domain.com
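As an added illustration (not SmarterMail, Declude or any poster's code) of the two ideas raised in this thread, josh's server-wide outbound safety net and the ALLOWADDR-style exemption for mailing-list senders, the script below runs a sliding one-hour window over a constructed delivery log and reports which senders exceeded a per-user limit and whether the server-wide limit was hit. The log format, addresses and limits are all assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not SmarterMail's format): "<ISO timestamp> <sender> <remote host>"
SAMPLE_LOG = """\
2017-03-02T01:00:05 alice@example.org mx.partner.test
2017-03-02T01:00:09 bob@example.org mx.other.test
2017-03-02T01:00:12 bob@example.org mx.other.test
2017-03-02T01:00:15 bob@example.org mx.victim.test
2017-03-02T01:00:20 bob@example.org mx.victim.test
2017-03-02T01:00:25 list@example.org mx.member.test
2017-03-02T01:00:26 list@example.org mx.member.test
2017-03-02T01:00:27 list@example.org mx.member.test
2017-03-02T01:00:28 list@example.org mx.member.test
2017-03-02T01:00:29 list@example.org mx.member.test
2017-03-02T02:30:00 alice@example.org mx.partner.test
"""

def parse_line(line):
    ts, sender, host = line.split()
    return datetime.fromisoformat(ts), sender, host

def check_outbound_rates(log_text, per_user_limit, server_limit,
                         exempt=frozenset(), window=timedelta(hours=1)):
    """Sliding-window count of remote deliveries per sender and server-wide.

    Returns (offending_senders, server_limit_exceeded). Exempt senders (the
    ALLOWADDR idea, e.g. a mailing-list address) never trip the per-user
    limit but still count toward the server-wide total, so a compromised
    exempt account cannot bypass the second safety net.
    """
    per_user = defaultdict(deque)
    server = deque()
    offenders = set()
    server_exceeded = False
    for line in log_text.splitlines():
        ts, sender, _ = parse_line(line)
        cutoff = ts - window
        server.append(ts)
        while server[0] < cutoff:        # drop deliveries older than the window
            server.popleft()
        if len(server) > server_limit:
            server_exceeded = True
        if sender in exempt:
            continue
        q = per_user[sender]
        q.append(ts)
        while q[0] < cutoff:
            q.popleft()
        if len(q) > per_user_limit:
            offenders.add(sender)
    return sorted(offenders), server_exceeded
```

Whatever the rate check reports, the action taken on it matters as much as the threshold: an "alert" that nobody reads overnight lets the mail out, a "reject" stops it.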
User Replied
Please let me know if you have any questions or problems getting it set up. Thanks.