SM 15.7.6508 - Compromised User / Outbound Spam
Question asked by Tim DeMeza - 5/24/2018 at 7:00 AM
I had an interesting problem overnight. I was notified via email by the system indicating "Auto Spam Notification."
This is fine and the rule worked as expected. The user was throttled and I began remediation.
The first thing I did was go into the user and change the password. The user was still connected and sending spam at a high rate. I then went in and turned off SMTP and IMAP access under the specific user. Again, I saved that and went back to the logs. I was still getting emails coming through.
It took an hour or so to see Authentication Failed in the log files. This should have been immediate. And how, if I disabled SMTP and IMAP access for the user, were emails being accepted by the mail server? It seems something is wrong there. The only thing I found to work 100% and almost immediately was blacklisting the IP addresses.
Anyway, I just wanted to see if any others have seen similar issues and if I have done something wrong in order to keep the spam flowing.
On another note, I think we should be able to have a rule that automatically changes a user's password, temporarily blacklists IP addresses, or temporarily blocks a user if they make multiple connections within 1 minute from greater than 2 countries or something like that. Once an account is compromised, the credentials are rapidly shared.
Thank you.
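The rule Tim proposes (flag an account that authenticates from more than two countries inside one minute, then block the source IPs) can be prototyped against the authentication log. The script below is an added example written for this thread; it is not SmarterMail code, and SmarterMail's real log format, its GeoIP support and its blacklist API are not used here. The log lines and the IP-to-country table are constructed stand-ins (documentation address ranges), and the output is the IP list an operator would paste into a blacklist, the step the original post found to be the only reliable one.

```python
"""Sliding-window detection of a compromised mail account.

Flags a user whose successful SMTP/IMAP authentications come from more
than `max_countries` distinct countries within `window`, then emits the
source IPs to blacklist. Log format and GeoIP table are constructed for
the example (assumption: not SmarterMail's actual formats).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> AUTH OK user=<addr> ip=<ip>".
SAMPLE_LOG = """\
2018-05-24 03:00:01 AUTH OK user=tim@example.com ip=203.0.113.10
2018-05-24 03:00:05 AUTH OK user=tim@example.com ip=198.51.100.7
2018-05-24 03:00:20 AUTH OK user=tim@example.com ip=192.0.2.44
2018-05-24 03:00:50 AUTH OK user=tim@example.com ip=203.0.113.10
2018-05-24 03:01:10 AUTH OK user=bob@example.com ip=203.0.113.99
2018-05-24 03:05:00 AUTH OK user=bob@example.com ip=203.0.113.99
"""

# Constructed stand-in for a GeoIP lookup; a real deployment would query
# a GeoIP database instead of a dict.
GEO = {
    "203.0.113.10": "US",
    "198.51.100.7": "BR",
    "192.0.2.44": "NG",
    "203.0.113.99": "US",
}

LINE_RE = re.compile(r"^(\S+ \S+) AUTH OK user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Return a time-sorted list of (timestamp, user, ip) from the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    events.sort()
    return events


def find_compromised(events, window=timedelta(minutes=1),
                     max_countries=2, lookup=GEO):
    """Per-user sliding window over successful logins.

    A user is flagged the first time the logins inside the trailing
    `window` span more than `max_countries` distinct countries. IPs with
    no GeoIP answer are kept in the IP set but do not count as a country,
    so a lookup failure cannot by itself trip the rule.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, user, ip in events:
        q = windows[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop logins older than the window
        countries = {lookup[i] for _, i in q if i in lookup}
        if len(countries) > max_countries and user not in flagged:
            flagged[user] = {
                "first_seen": ts,
                "ips": {i for _, i in q},
                "countries": countries,
            }
    return flagged


def block_list(flagged):
    """Sorted, de-duplicated IPs to blacklist for all flagged users."""
    ips = set()
    for info in flagged.values():
        ips |= info["ips"]
    return sorted(ips)


if __name__ == "__main__":
    hits = find_compromised(parse(SAMPLE_LOG))
    for user, info in hits.items():
        print(f"{user}: {sorted(info['countries'])} at {info['first_seen']}")
    print("blacklist:", block_list(hits))
```

With the constructed data, tim@example.com trips the rule at 03:00:20 (US, BR and NG inside 19 seconds) while bob@example.com, logging in from one country, does not. Raising `max_countries` to 3 silences the alert, which is the knob to tune against travelling users who legitimately roam through VPN exits.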

4 Replies

echoDreamz Replied
We've had this same issue with SM 16. Disable the account or Disable outgoing SMTP on the account and emails keep on going.
Linda Pagillo Replied
Hi Tim. I'm sorry to hear that this happened. We see compromised accounts every day. Our process for dealing with them is to first change the password on the offending account and then restart the SM service on our servers to knock the offending user off. It's strange because sometimes simply changing the password is enough to stop them, but other times, we have to restart the SM service, so we have made it a rule to restart the service every time after changing the password.

Also, I'm not sure if you are aware, but we offer a free program called Declude Hijack which prevents mass amounts of spam from leaving the server in the event of a compromised account. You can download Declude here: http://mailsbestfriend.com/downloads/

Also, we wrote a very helpful article which will give you an idea of how to handle compromised accounts. Please check it out here if you wish: http://know.mailsbestfriend.com/papers/Handling-Compromised-Accounts.shtml. If you would like to read about how Hijack works, please check out our manual: http://mailsbestfriend.com/downloads/docs/Declude_Hijack_Manual.pdf.

Please let me know if you have any questions or need help setting up Declude Hijack if you choose to do that. I hope this info helps. Thanks!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
Ujjaval Patel Replied
I agree Tim. I have had to restart the SM service which is the only way the outbound spam stops. Restarting is not ideal and takes everyone down for 2-3 minutes. Would like to see a better solution.
