We recently had 2 accounts compromised on our server. Each account was from a different client.
We received IDS notification that one of the users had received too many bounces in a given time. While researching that account we discovered another account dropping hundreds of emails in the spool.
Upon further review we discovered their accounts were being used by foreign actors to send spam. The only connection they were making to the server was an authenticated SMTP connection.
We disabled the users' accounts, dropped the connections, changed their passwords, then enabled their accounts. Immediately we saw foreign actors authenticating as these users. But how? We had just changed their passwords.
So we went through the process again, using the server itself this time, just to eliminate the possibility of a middle man in the SSL stream. Sure enough, we changed the users' passwords, and as soon as the accounts were enabled we saw foreign actors authenticating.
Can anyone here explain how this is possible? When the accounts are disabled we see authentication failures, and as soon as an account is enabled, even after changing the password and not using it anywhere, the attackers are able to authenticate.
Is it possible the attackers discovered a universal hash or anything like that? All of our communications are protected with SSL. We haven't deprecated TLS 1.0 yet, but we do have our system restricted to secure ciphers. Our server is not an open relay; the attackers are authenticating with the server.
This must be an advanced operation, because we are importing IP ranges into Windows Firewall to block entire countries. As these ranges are imported, we immediately see the attackers moving the attack to other countries almost instantly.
All help and input is appreciated.