Internal Mass Messaging - Spam
Question asked by Alard Thiery - 12/24/2019 at 8:20 AM

I have a problem with a user's mailbox, it's sending huge amounts of spam messages.

In the past it was some kind of malware that would be installed on the user's computer, and with cleaning the machine, and changing the password the problem would be fixed.

This time it's different, I have changed the password and I had not even given it to the user, and in a couple of hours the mailbox sent more than 200 000 messages!

There must be a way in which the spammer is getting the new password, or it does not even need the password to send mass mail.

Any recommendations on what to do are more than welcome, at the moment the user's mailbox is disabled, but I don't want this spreading to other users and I need to re-activate the account.

Thank you,


1 Reply

Douglas Foster Replied
Presumably the attack is not coming from webmail, so I would hope that the logs would indicate which IP address is being used to submit the messages.

Given that the problem occurred after the password was changed, it seems likely that the attack is coming from a source that is exempt from authentication.

Assuming that the attack is continuing while the account is disabled, there should be evidence of the connection attempts in a log file.

But if you know of a PC that was the source of the original attack, I would proceed on the assumption that the malware was not successfully removed and the PC is still the source of the infection. I recommend removing that PC from your network and replacing it with other hardware.

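The reply's suggestion is to let the submission log show which client IP is injecting the mail and whether that client authenticated at all. The script below is an added example (not from this thread or any particular mail server): the log line format and the sample lines are constructed, so the regex must be adapted to the real server's submission log, but the aggregation logic is the same: count submissions for the affected mailbox per client IP and per authentication result, and single out clients that were accepted without authenticating, which is exactly the "exempt from authentication" case described above.

```python
import re
from collections import Counter

# Constructed sample submission log (hypothetical format, not any real server's):
# timestamp, submitting client IP, SMTP AUTH identity or "none", envelope sender.
SAMPLE_LOG = """\
2019-12-24 07:01:02 client=203.0.113.5 auth=user@example.com from=user@example.com
2019-12-24 07:01:03 client=203.0.113.5 auth=user@example.com from=user@example.com
2019-12-24 07:01:04 client=192.0.2.77 auth=none from=user@example.com
2019-12-24 07:01:05 client=192.0.2.77 auth=none from=user@example.com
2019-12-24 07:01:06 client=192.0.2.77 auth=none from=user@example.com
2019-12-24 07:02:10 client=198.51.100.9 auth=other@example.com from=other@example.com
"""

# Assumed field layout; change this to match the actual log format.
LINE_RE = re.compile(r"client=(?P<ip>[\d.]+)\s+auth=(?P<auth>\S+)\s+from=(?P<sender>\S+)")


def summarize(log_text, mailbox):
    """Count submissions whose envelope sender is `mailbox`, keyed by (client IP, auth).

    auth == "none" marks a message the server accepted without SMTP authentication,
    e.g. from an IP on a relay/whitelist, which a password change cannot stop.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("sender").lower() != mailbox.lower():
            continue
        counts[(m.group("ip"), m.group("auth"))] += 1
    return dict(counts)


def unauthenticated_sources(summary):
    """Client IPs that submitted mail for the mailbox with no authentication."""
    return sorted({ip for (ip, auth) in summary if auth == "none"})


def heavy_sources(summary, threshold):
    """Client IPs whose total submissions for the mailbox reach `threshold`."""
    per_ip = Counter()
    for (ip, _auth), n in summary.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "user@example.com")
    for (ip, auth), n in sorted(s.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} auth={auth:<20} messages={n}")
    print("unauthenticated sources:", unauthenticated_sources(s))
    print("sources at/over 3 messages:", heavy_sources(s, 3))
```

On a real incident the threshold would be far higher and the window bounded to the hours after the password change, so that only sources still submitting after the reset stand out.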