SM 15.7.6508 - Compromised User / Outbound Spam

Question asked by Tim DeMeza - 5/24/2018 at 7:00 AM

Unanswered

I had an interesting problem over night. I was notified via email by the system indicating "Auto Spam Notification."

This is fine and the rule worked as expected. The user was throttled and I began remediation.

The first thing I did is go into the user and change the password. The user was still connected and sending spam at a high rate. I then went in and turned off SMTP and IMAP access under the specific user. Again, I saved that and went back to the logs. I was still getting emails coming through.

It took an hour or so to see Authentication Failed in the log files. This should have been immediate. And how, if I disabled SMTP and IMAP access for the user, were emails being accepted by the mail server? It seems something is wrong there. The only thing I found to work 100% and almost immediately was blacklisting the IP addresses.

Anyway, I just wanted to see if any others have seen similar issues and if I have done something wrong in order to keep the spam flowing.

On another note, I think we should be able to have a rule that automatically changes a users password, temporarily blacklists IP addresses, or temporarily blocks a user if they make multiple connections within 1 minute from greater than 2 countries or something like that. Once an account is compromised, the credentials are rapidly shared.

Thank you.

4 Replies

Reply to Thread

echoDreamz Replied

5/24/2018 at 8:01 AM

We've had this same issue with SM 16. Disable the account or Disable outgoing SMTP on the account and emails keep on going.

Linda Pagillo Replied

5/24/2018 at 8:01 AM

Hi Tim. I'm sorry to hear that this happened. We see compromised accounts every day. Our process for dealing with them is to first change the password on the offending account and then restart the SM service on our servers to knock the offending user off. It's strange because sometimes simply changing the password is enough to stop them, but other times, we have to restart the SM service, so we have made it a rule to restart the service every time after changing the password. Also, I'm not sure if you are aware, but we offer a free program called Declude Hijack which prevents mass amounts of spam from leaving the server in the event of a compromised account. You can download Declude here: http://mailsbestfriend.com/downloads/ Also, we wrote a very helpful article which will give you an idea of how to handle compromised accounts. Please check it out here if you wish: http://know.mailsbestfriend.com/papers/Handling-Compromised-Accounts.shtml. If you would like to read about how Hijack works, please check out our manual: http://mailsbestfriend.com/downloads/docs/Declude_Hijack_Manual.pdf. Please let me know if you have any questions or need help setting up Declude Hijack if you choose to do that. I hope this info helps. Thanks!

Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller

Tim DeMeza Replied

5/24/2018 at 8:52 AM

echoDreamz and Linda, I appreciate your information. I think this is a serious problem that needs to be dealt with by the folks at SmarterTools. When you change a password or stop SMTP for a user, that should be immediate. No service restarts, etc. The problem is that we have many active users, I cannot afford to take down services at will just because of a single compromised account. Completely unreasonable in the server management / hosting space. Hopefully ST will see this and provide some insight on what is going on here.

Ujjaval Patel Replied

5/29/2018 at 7:27 AM

I agree Tim. I have had to restart the SM service which is the only way the outbound spam stops. Restarting is not ideal and takes everyone down for 2-3 minutes. Would like to see a better solution.

Back to Community Threads

Please leave this box unchecked

4 Replies

Reply to Thread

Tags

Related Knowledge Base Articles