Infected accounts where spam content filtering rules were created
Question asked by Webio - 5/29/2023 at 11:02 AM
Unanswered
Hello,

Today I had a few support tickets saying that customer emails were not being delivered to their accounts. After some investigation I discovered that those accounts had content filtering rules which were forwarding messages to some spammish Gmail account, with message deletion.

Examples:

Has anyone of you encountered a similar situation, maybe in the past? The most interesting thing here is that these issues were reported today (after I upgraded SmarterMail over the weekend from build 8251 (or similar) to 8545). Just to be clear: I'm not reporting anything wrong with the latest version in this matter, BUT maybe something has been fixed in forwarding which made those forwarding rules operational, or MAYBE during some upgrade action that checks the settings.json file those forwardings were fixed and started to be operational.

So, bottom line: has anyone encountered similar issues? Most of the time when an account gets corrupted, some SMTP connections are made to send spam, but this is something new (or old?).

Of the affected email accounts, only for one was I able to find an entry in the administrative logs:

2023.05.22 08:46:35.596 [156.146.62.201] User EMAILADDRESSAFFECTED calling set content filters
2023.05.22 08:47:23.185 [156.146.62.201] User EMAILADDRESSAFFECTED calling set content filters
For the other accounts I didn't find anything in the logs I have (1 year back).

Thanks

EDIT: I was able to find those accounts using a Total Commander search for settings.json files with this regex content search:

"argument":"[a-z]+@gmail.com

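An added example (not code from the thread or from SmarterTools) that automates the two checks the post describes: the settings.json regex search for filter rules pointing at a Gmail address, and pulling "calling set content filters" events out of administrative log text so each user's filter changes can be grouped by source IP. The settings.json layout is assumed only from the quoted regex, the log format only from the two quoted lines, and the sample data is constructed.

```python
import os
import re
from collections import Counter

# Pattern from the post, widened to any local part: matches
# "argument":"someone@gmail.com" inside a settings.json (assumed layout).
FORWARD_RE = re.compile(r'"argument"\s*:\s*"([A-Za-z0-9._%+-]+@gmail\.com)"', re.I)

# Matches the administrative log lines quoted in the post (assumed format).
FILTER_EVENT_RE = re.compile(
    r'^(\S+ \S+) \[([^\]]+)\] User (\S+) calling set content filters')


def find_forward_targets(settings_text):
    """Return the Gmail addresses used as content-filter arguments in one settings.json."""
    return FORWARD_RE.findall(settings_text)


def scan_tree(root):
    """Walk a mail store and map each settings.json path to its suspicious targets."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if "settings.json" in files:
            path = os.path.join(dirpath, "settings.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                targets = find_forward_targets(fh.read())
            if targets:
                hits[path] = targets
    return hits


def parse_filter_events(log_lines):
    """Extract (timestamp, ip, user) from 'set content filters' admin log entries."""
    return [m.groups() for m in map(FILTER_EVENT_RE.match, map(str.strip, log_lines)) if m]


def ips_by_user(events):
    """Count the source IPs that changed each user's filters; an unfamiliar IP is the tell."""
    counts = {}
    for _ts, ip, user in events:
        counts.setdefault(user, Counter())[ip] += 1
    return counts


# Constructed sample data (not from the thread) for a quick self-check.
SAMPLE_SETTINGS = ('{"rules":[{"action":"forward","argument":"drop.box123@gmail.com"},'
                   '{"action":"delete","argument":""}]}')
SAMPLE_LOG = [
    "2023.05.22 08:46:35.596 [192.0.2.10] User alice@example.test calling set content filters",
    "2023.05.22 08:47:23.185 [192.0.2.10] User alice@example.test calling set content filters",
    "2023.05.22 09:00:00.000 [192.0.2.10] User alice@example.test calling login",
]

if __name__ == "__main__":
    print(find_forward_targets(SAMPLE_SETTINGS))
    print(ips_by_user(parse_filter_events(SAMPLE_LOG)))
```

Point `scan_tree` at the root of the mail store to get the same result as the Total Commander search; addresses matched in one mailbox's settings.json are the ones to compare against the owner's known forwards.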
2 Replies

M.G. Wallace Replied
I've seen this in our clients' Microsoft 365 and other accounts... it is when the USER is hacked and the hacker then sets up the forwards so they get all the emails going to them. The users in our case THOUGHT that they needed to reset a password or something on a site that looked the same, giving the hacker access to the account to log in and make changes. 90% of the time this has to do with money scams. I bet, if you were to check the sent emails in the accounts, you will find nothing sent by the hackers... but if you were to check the sent emails in the log files you will see they sent lots of emails.

I once caught the hackers off guard, as I had another way to access a client's M365 account: logged them all off, changed the passwords, etc. When I logged into those accounts I saw drafts of emails and sent emails (they hadn't deleted them yet) all about adding themselves to banking accounts as signers!

I don't think SmarterTools would do this kind of thing. I've updated 2 mail servers to the newest build and haven't seen rules built into those updates.

I would advise your clients to change ALL their passwords on all their accounts... if it is not too late!
Reto Replied
We had it only once, on one account that had its password leaked. Someone set this up using the webmail. In this case the delete was not active, so it stayed this way for a long time. Only when the Gmail account was full did the senders receive an NDR, and we were asked to check what was happening.
