Hi Neal. Are you using Throttling in SM along with the Internal Spammer Notification? Throttling will help to stop mass emails from leaving your server in the event of a compromise. Also, I'm not sure if you are using Declude, but it has an anti-hijack component which will help with this as well.

Hi Linda, I thought Declude didn't work with the latest, I'll look into it. I am using internal spammer notification but not throttling, I'll look at that as well. 

By the way I noticed after restarting the MailService at times CLAMAV is not starting. 

I still don't know the source of this spammer, the IP is blacklisted in SM, at the firewall, etc. so it must be something internal. It also shows it using auth of one of my email accounts of which I changed the passwords on this one and several others. The emails continue to generate. Servers all use Symantec Endpoint Protection and have all been full scanned with nothing found. The sender is "unitednat@if.com" but I can't find anything online related.

Where do I find Declude, how to install it, how to configure it? Any info would be appreciated. Thanks

Neal, if you upgraded from a version prior to SM 17x, Declude will still work if you follow the steps in our KB article... http://know.mailsbestfriend.com/declude_will_not_run_with_smartermail_17x--16718783.shtml

As for restarting the MailService, I have noticed in all versions of SM that sometimes the MailService process does not die completely before restarting so what I always do is pop open the Task Manager on the server, stop the MailService and watch the Task Manager until I see it die then I start up the MailService again. Please give that a try and see if ClamAV starts up with the MailService as it should.

As for the source of the spammer, are you able to use Hijack? If yes, I will show you how to turn it on and it will tell you who the authenticated sender is. Please let me know. Thanks!

No, I don't see that file for whatever reason. I've been using SM for years but recently moved it to a different server and I also do uninstalls/reinstalls with each update released per ST's guidance. 

ClamAV seems to be shutdown again, not listed in the processes, must be failing with the high volume of nonsense going on which I still can't track down. Guess I'll need to write an app to find the eml and hdr files with @if.com in them and delete them. Had to do this once before. Sure would be nice if SM had some type of cleaner tool.

You know what else you may want to try? Search your SMTP log for "authenticated as" and look to see an excessive amount of authentications by any certain address. Most of the time you can clearly see something fishy.

Hopefully the issue is now mitigated. Had to stop the service for about an hour and delete the affected files from the spool folders. I forgot I had a utility https://www.funduc.com/replace_studio_pro.htm  so I didn't have to write my own. Good search/replace product that you can then delete files that are found. No reason SM can't have some type of spool search and cleanup utility to handle this crisis, it's not the first.

Anyhoo, I'll keep an eye on it. As always, you get better from these things, more things locked down, better firewall rules, etc.

Lessons Learned:

1) SM needs a tool to cleanup the spool

2) Blacklist IP and drop down actions don't seem to work from top outbound IP list

3) Stopping the SM service is not killing the process and in some cases you can have two MailService processes running - bad!

4) CLAMAV is super flaky/unstable

5) UI is very sluggish at around 30K+ messages in the spool

6) I need to learn more about "service access" for each email address so only some accounts that are not used by people have better control over what those accounts can do. 

7) Hackers are smart people, they should put their talent to better use, this cost me 7 hours of my day so far.