Some kind of botnet? The same IP address is sending SPAM from email accounts of totally different and not related clients.
Question asked by Webio - 12/1/2014 at 5:46 AM
Unanswered
Hello,
 
I recently had very weird situations where, at the same time, more than one email account (on the same server) was used as a mailbox for sending SPAM. Today I had the same situation, and it was very interesting because the same IP address (there were a lot of other IP addresses; this is just one of them) which was connecting to the mail server was sending spam from email accounts of totally unrelated customers. Have you experienced a similar issue? Is this some kind of botnet which collects (how?) info about email accounts and then uses this data some time later?
 
Regards
 
Log:
 
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 220 MAILSERVERNAME
[2014.12.01] 05:15:37 [50.62.176.33][42837426] connected at 2014-12-01 05:15:37
[2014.12.01] 05:15:37 [50.62.176.33][42837426] cmd: EHLO MAILDOMAIN1
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 250-MAILSERVERNAME Hello [50.62.176.33]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.12.01] 05:15:37 [50.62.176.33][42837426] cmd: AUTH LOGIN
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 334 VXNlcm5hbWU6
[2014.12.01] 05:15:37 [50.62.176.33][42837426] Authenticating as MAILACCOUNT1
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 334 UGFzc3dvcmQ6
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 235 Authentication successful
[2014.12.01] 05:15:37 [50.62.176.33][42837426] Authenticated as MAILACCOUNT1
[2014.12.01] 05:15:37 [50.62.176.33][42837426] cmd: MAIL FROM:<MAILACCOUNT1> SIZE=458
[2014.12.01] 05:15:37 [50.62.176.33][42837426] rsp: 250 OK <MAILACCOUNT1> Sender ok
[2014.12.01] 05:15:38 [50.62.176.33][42837426] cmd: RCPT TO:<pablov38@hotmail.com>
[2014.12.01] 05:15:38 [50.62.176.33][42837426] rsp: 250 OK <pablov38@hotmail.com> Recipient ok
[2014.12.01] 05:15:38 [50.62.176.33][42837426] cmd: DATA
[2014.12.01] 05:15:38 [50.62.176.33][42837426] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.12.01] 05:15:38 [50.62.176.33][42837426] rsp: 250 OK
[2014.12.01] 05:15:38 [50.62.176.33][42837426] Data transfer succeeded, writing mail to 332689780379.eml
[2014.12.01] 05:15:38 [50.62.176.33][42837426] cmd: QUIT
[2014.12.01] 05:15:38 [50.62.176.33][42837426] rsp: 221 Service closing transmission channel
[2014.12.01] 05:15:38 [50.62.176.33][42837426] disconnected at 2014-12-01 05:15:38
[2014.12.01] 05:16:03 [50.62.176.33][4236059] rsp: 220 MAILSERVERNAME
[2014.12.01] 05:16:03 [50.62.176.33][4236059] connected at 2014-12-01 05:16:03
[2014.12.01] 05:16:03 [50.62.176.33][4236059] cmd: EHLO MAILDOMAIN2
[2014.12.01] 05:16:03 [50.62.176.33][4236059] rsp: 250-MAILSERVERNAME Hello [50.62.176.33]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.12.01] 05:16:03 [50.62.176.33][4236059] cmd: AUTH LOGIN
[2014.12.01] 05:16:03 [50.62.176.33][4236059] rsp: 334 VXNlcm5hbWU6
[2014.12.01] 05:16:03 [50.62.176.33][4236059] Authenticating as MAILACCOUNT2
[2014.12.01] 05:16:03 [50.62.176.33][4236059] rsp: 334 UGFzc3dvcmQ6
[2014.12.01] 05:16:03 [50.62.176.33][4236059] rsp: 235 Authentication successful
[2014.12.01] 05:16:03 [50.62.176.33][4236059] Authenticated as MAILACCOUNT2
[2014.12.01] 05:16:04 [50.62.176.33][4236059] cmd: MAIL FROM:<MAILACCOUNT2> SIZE=444
[2014.12.01] 05:16:04 [50.62.176.33][4236059] rsp: 250 OK <MAILACCOUNT2> Sender ok
[2014.12.01] 05:16:04 [50.62.176.33][4236059] cmd: RCPT TO:<thar331@yahoo.com>
[2014.12.01] 05:16:04 [50.62.176.33][4236059] rsp: 250 OK <thar331@yahoo.com> Recipient ok
[2014.12.01] 05:16:04 [50.62.176.33][4236059] cmd: DATA
[2014.12.01] 05:16:04 [50.62.176.33][4236059] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.12.01] 05:16:04 [50.62.176.33][4236059] rsp: 250 OK
[2014.12.01] 05:16:04 [50.62.176.33][4236059] Data transfer succeeded, writing mail to 332689780399.eml
[2014.12.01] 05:16:04 [50.62.176.33][4236059] cmd: QUIT
[2014.12.01] 05:16:04 [50.62.176.33][4236059] rsp: 221 Service closing transmission channel
[2014.12.01] 05:16:04 [50.62.176.33][4236059] disconnected at 2014-12-01 05:16:04
 

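A detection sketch for the pattern described in the question, added here and not part of the original post: it parses log lines in the layout shown above and reports client IPs that authenticated successfully as two or more distinct accounts within an hour. The function names, thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[([^\]]+)\]\[(\d+)\] (.*)$")

# Constructed sample in the post's line layout; IPs and accounts are made up.
SAMPLE_LOG = """\
[2014.12.01] 05:15:37 [203.0.113.10][1001] Authenticated as info@client-a.example
[2014.12.01] 05:15:38 [203.0.113.10][1001] Data transfer succeeded, writing mail to 1.eml
[2014.12.01] 05:16:03 [203.0.113.10][1002] Authenticated as sales@client-b.example
[2014.12.01] 05:16:04 [203.0.113.10][1002] Data transfer succeeded, writing mail to 2.eml
[2014.12.01] 05:20:00 [198.51.100.7][1003] Authenticating as bob@client-c.example
[2014.12.01] 06:00:00 [198.51.100.8][1004] Authenticated as bob@client-c.example
[2014.12.01] 09:30:00 [198.51.100.8][1005] Authenticated as carol@client-d.example
"""

def parse(log_text):
    """Yield (timestamp, ip, session, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, ip, session, msg = m.groups()
            yield datetime.strptime(f"{date} {time}", "%Y.%m.%d %H:%M:%S"), ip, session, msg

def multi_account_ips(log_text, min_accounts=2, window=timedelta(hours=1)):
    """Report IPs that logged in as >= min_accounts distinct accounts within window."""
    logins = defaultdict(list)    # ip -> [(timestamp, account)], successful logins only
    authed = set()                # (ip, session) pairs that authenticated
    accepted = defaultdict(int)   # ip -> messages accepted in authenticated sessions
    for ts, ip, session, msg in parse(log_text):
        if msg.startswith("Authenticated as "):
            # Lower-case so the same mailbox typed in different case counts once.
            logins[ip].append((ts, msg.split(" as ", 1)[1].strip().lower()))
            authed.add((ip, session))
        elif msg.startswith("Data transfer succeeded") and (ip, session) in authed:
            accepted[ip] += 1
    report = {}
    for ip, events in logins.items():
        events.sort()
        flagged = set()
        for i, (start, _) in enumerate(events):
            in_window = {a for ts, a in events[i:] if ts - start <= window}
            if len(in_window) >= min_accounts:
                flagged |= in_window
        if flagged:
            report[ip] = {"accounts": sorted(flagged), "messages": accepted[ip]}
    return report
```

Every account a flagged IP reaches should be treated as having a compromised password: reset it and review how the credentials could have leaked (reused passwords, phishing, malware on the client machines).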