2
7125: Issues with virus related mass emails and handling
Problem reported by Neal Culiner - 7/29/2019 at 7:19 AM
Submitted
Yesterday morning I started getting a mail blast going out and 24 hours later I still don't know the source. Tens of thousands are going out. The top outbound IP's show the IP and I blacklisted it but that doesn't seem to do anything, they are still going out. I use the option on the right side of the top outbound IP's for this single IP address to delete the messages, that also does nothing. 

I go to the waiting to deliver and use the search box at the top right and use a wildcard such as *@if.com and that doesn't filter them, it clears the results. I'm not sure what column it's searching on or even if that search box works.

I remote into the windows server and restart the service. I end up with two MailService instances running and that causes problems trying to stop the service a second time. I have to kill both in the task manager. Often stopping the service or restarting is not actually killing the process.

There is no tool to clean the spool of unwanted email by various options such as IP, from address etc. Handling outbreaks like this is tremendously lacking.

When the spool hits about 30K the entire UI just gets sluggish.

7 Replies

Reply to Thread
0
Linda Pagillo Replied
Hi Neal. Are you using Throttling in SM along with the Internal Spammer Notification? Throttling will help to stop mass emails from leaving your server in the event of a compromise. Also, I'm not sure if you are using Declude, but it has an anti-hijack component which will help with this as well.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Neal Culiner Replied
Hi Linda, I thought Declude didn't work with the latest, I'll look into it. I am using internal spammer notification but not throttling, I'll look at that as well. 

By the way I noticed after restarting the MailService at times CLAMAV is not starting. 

I still don't know the source of this spammer, the IP is blacklisted in SM, at the firewall, etc. so it must be something internal. It also shows it using auth of one of my email accounts of which I changed the passwords on this one and several others. The emails continue to generate. Servers all use Symantec Endpoint Protection and have all been full scanned with nothing found. The sender is "unitednat@if.com" but I can't find anything online related.
0
Neal Culiner Replied
Where do I find Declude, how to install it, how to configure it? Any info would be appreciated. Thanks
0
Linda Pagillo Replied
Neal, if you upgraded from a version prior to SM 17x, Declude will still work if you follow the steps in our KB article... http://know.mailsbestfriend.com/declude_will_not_run_with_smartermail_17x--16718783.shtml

As for restarting the MailService, I have noticed in all versions of SM that sometimes the MailService process does not die completely before restarting so what I always do is pop open the Task Manager on the server, stop the MailService and watch the Task Manager until I see it die then I start up the MailService again. Please give that a try and see if ClamAV starts up with the MailService as it should.

As for the source of the spammer, are you able to use Hijack? If yes, I will show you how to turn it on and it will tell you who the authenticated sender is. Please let me know. Thanks!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Neal Culiner Replied
No, I don't see that file for whatever reason. I've been using SM for years but recently moved it to a different server and I also do uninstalls/reinstalls with each update released per ST's guidance. 

ClamAV seems to be shutdown again, not listed in the processes, must be failing with the high volume of nonsense going on which I still can't track down. Guess I'll need to write an app to find the eml and hdr files with @if.com in them and delete them. Had to do this once before. Sure would be nice if SM had some type of cleaner tool.
0
Linda Pagillo Replied
You know what else you may want to try? Search your SMTP log for "authenticated as" and look to see an excessive amount of authentications by any certain address. Most of the time you can clearly see something fishy.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Neal Culiner Replied
Hopefully the issue is now mitigated. Had to stop the service for about an hour and delete the affected files from the spool folders. I forgot I had a utility https://www.funduc.com/replace_studio_pro.htm  so I didn't have to write my own. Good search/replace product that you can then delete files that are found. No reason SM can't have some type of spool search and cleanup utility to handle this crisis, it's not the first.

Anyhoo, I'll keep an eye on it. As always, you get better from these things, more things locked down, better firewall rules, etc.

Lessons Learned:

1) SM needs a tool to cleanup the spool
2) Blacklist IP and drop down actions don't seem to work from top outbound IP list
3) Stopping the SM service is not killing the process and in some cases you can have two MailService processes running - bad!
4) CLAMAV is super flaky/unstable
5) UI is very sluggish at around 30K+ messages in the spool
6) I need to learn more about "service access" for each email address so only some accounts that are not used by people have better control over what those accounts can do. 
7) Hackers are smart people, they should put their talent to better use, this cost me 7 hours of my day so far.

Reply to Thread