Account compromised, Senderbase reputation
Question asked by Alexander Weinandt - 7/7/2017 at 9:09 AM
Hi all
I recently had an account that was compromised from an outside hack somewhere.
A lot of servers started authenticating successfully and would send out a lot of messages.
Then another IP would log in and do the same.
This happened over the 4th, when I, like most people, was not near my office.
The server stayed up and tried to process all 3 million messages.
I turned off the account on the morning of the 5th, and removed all the messages from the spool.
But now I have had to deal with removing the server's IP address from all the RBL's.
I seem to be only having a problem with one company, Senderbase.
It show my IP as having a poor reputation for the one day.
Citrix is not allowing mail to be received from my server because of said reputation.
Also, how could I have prevented this from happening? I have the message limit set, but hundreds of IPs were accessing this account to send out mail.
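Added example, not code from the thread or from SmarterMail: a small Python check over constructed SMTP auth/send log lines (hypothetical format) that flags an account authenticating from more distinct source IPs, or sending to more recipients, within an hour than policy allows. This is the signal a per-message limit alone misses in the situation described above: many IPs each staying under the limit while the account as a whole floods the queue.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "AUTH OK" / "SEND" format.
# Four different IPs use one account within minutes; a normal user sends once.
SAMPLE_LOG = """\
2017-07-04 02:01:10 AUTH OK user=sales@example.com ip=198.51.100.7
2017-07-04 02:01:11 SEND user=sales@example.com ip=198.51.100.7 rcpts=50
2017-07-04 02:03:40 AUTH OK user=sales@example.com ip=203.0.113.19
2017-07-04 02:03:41 SEND user=sales@example.com ip=203.0.113.19 rcpts=50
2017-07-04 02:05:02 AUTH OK user=sales@example.com ip=192.0.2.88
2017-07-04 02:05:03 SEND user=sales@example.com ip=192.0.2.88 rcpts=50
2017-07-04 02:07:30 AUTH OK user=sales@example.com ip=198.51.100.200
2017-07-04 02:07:31 SEND user=sales@example.com ip=198.51.100.200 rcpts=50
2017-07-04 02:09:00 AUTH OK user=bob@example.com ip=192.0.2.10
2017-07-04 02:09:01 SEND user=bob@example.com ip=192.0.2.10 rcpts=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ev>AUTH OK|SEND) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+)(?: rcpts=(?P<rcpts>\d+))?$"
)

def find_hijacked_accounts(log_text, window=timedelta(hours=1),
                           max_ips=3, max_rcpts=100):
    """Return {user: reason} for accounts that, in any sliding window,
    authenticate from more than max_ips distinct IPs or address more
    than max_rcpts recipients (hypothetical thresholds)."""
    events = defaultdict(list)  # user -> [(timestamp, ip, rcpts)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["user"]].append((ts, m["ip"], int(m["rcpts"] or 0)))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            ips = {e[1] for e in in_win}
            rcpts = sum(e[2] for e in in_win)
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} distinct source IPs within {window}"
                break
            if rcpts > max_rcpts:
                flagged[user] = f"{rcpts} recipients within {window}"
                break
    return flagged
```

Feeding this into an alert or an automatic "disable account and purge its spool entries" action is what stops the 3-million-message pile-up before the RBL listings follow.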

3 Replies

Roman Buzinov Replied
While it will not solve your immediate issue, Declude's Hijack is great at preventing said issue from occurring; I would highly recommend it.
Ron Raley Replied
When an account gets compromised, things get messy quickly.
Passwords should be STRONG. Also, you can use IDS rules to prevent this from occurring in the future.
Linda Pagillo Replied
Hi Alexander. There is nothing you can manually do to improve your server's reputation on Senderbase.
In general, once all issues have been addressed (fixed), reputation recovery can take anywhere from a few hours to just over one week to improve, depending on the specifics of the situation, and how much email volume the IP sends. Complaint ratios determine the amount of risk for receiving mail from an IP, so logically, reputation improves as the ratio of legitimate mails increases with respect to the number of complaints. Speeding up the process is not really possible. SenderBase Reputation is an automated system in which the Senderbase support team has very little manual influence.
In the meantime, if there are recipients whom you cannot contact, I would recommend contacting the ISP involved to request temporary whitelisting or you can always arrange to contact the recipient via alternative means.
Going forward to prevent compromised accounts from sending spam out of your server, you should set up throttling in SmarterMail and also, like Roman suggested above, use Declude Hijack. It is a free program which we offer on our website at the following link: http://mailsbestfriend.com/downloads. If you have any questions about how to set it up, you can ask here or feel free to contact me directly at the email address in my signature. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606

Authorized Reseller of SmarterTools Products
Authorized Reseller of Message Sniffer
