New User on google.abc.com
Problem reported by Montague WebWorks - 1/17/2026 at 11:45 AM
Weirdness. I just received two of these emails (below). It is the exact language and headers generated by SM, despite the fact that I do not host google.abc.com, let alone abc.com. Any ideas? Doesn't look like it came from off-server, based on the lack of IP info and HELO. ST should expand the headers to include IP and other standard records for just this reason.

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: ; Sat, 17 Jan 2026 10:52:03 -0500
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
X-Forwarded-To: [me]@montaguewebworks.com
X-OriginalSender: [alias]@montaguewebworks.com
X-ForwardingAddress: [alias]@montaguewebworks.com
From: [alias]@montaguewebworks.com
Date: Sat, 17 Jan 2026 10:52:03 -0500
Subject: New User on google.abc.com
Message-Id: <0405988503204eccb18cddf223ea1ec3@fd62b604f6234e1187cf7d085934fd84>
To: [alias]@montaguewebworks.com
X-SmarterMail-Event: true
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-9wIrcXajfB5t+IeNAK8nDQ=="

--=-9wIrcXajfB5t+IeNAK8nDQ==
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

A new user has been added: admin@google.abc.com.=

--=-9wIrcXajfB5t+IeNAK8nDQ==
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

A new user has been added: admin@google.abc.com.=

--=-9wIrcXajfB5t+IeNAK8nDQ==--
I took a look through my Administrative logs and found this:

[2026.01.17] 10:51:58.673 [142.111.152.149] Webmail Attempting to login user: admin
[2026.01.17] 10:51:58.673 [142.111.152.149] Webmail Login successful: With user admin
[2026.01.17] 10:52:00.062 [142.111.152.222] User admin@ calling add event, name: Test Event
[2026.01.17] 10:52:02.073 [142.111.152.49] User admin@ calling add domain, name: google.abc.com
[2026.01.17] 10:52:04.345 [142.111.152.49] User admin@ successfully created domain google.abc.com
[2026.01.17] 10:52:05.116 [142.111.152.154] User admin@ calling delete domain, domain: google.abc.com, deleteFiles: True
[2026.01.17] 10:52:08.136 [142.111.152.154] User admin@ successfully deleted domain google.abc.com
[2026.01.17] 10:52:08.880 [142.111.152.154] User admin@ calling remove events, count: 1
[2026.01.17] 11:49:02.033 [142.111.152.164] User @ successfully force-reset-password
[2026.01.17] 11:49:03.634 [142.111.152.229] Webmail Attempting to login user: admin
[2026.01.17] 11:49:03.634 [142.111.152.229] Webmail Login successful: With user admin
[2026.01.17] 11:49:04.004 [142.111.152.47] User admin@ calling add event, name: Test Event
[2026.01.17] 11:49:08.213 [142.111.152.155] User admin@ calling remove events, count: 1
I tried to reset the admin password, but apparently it's been changed (see force-reset-password above), so I restricted the admin account to my own IP number, and blacklisted 142.111.152.*.

Looking up how to change my SM admin password without knowing it. Ugh. I'm glad I caught this!
Mik Muller
Montague WebWorks
Montague WebWorks Replied
Wow. Go to view your Administrative logs and search for "from country China"

yeah.
Mik Muller
Montague WebWorks
Nick Jansen Replied
Jack. Replied
[2026.01.22] [146.70.199.170] User @ successfully force-reset-password 
[2026.01.22] [23.234.107.185] User @ successfully force-reset-password 
[2026.01.22] [144.172.97.227] User @ successfully force-reset-password 05:53:01.900
[2026.01.22] 05:53:01.900 [144.172.97.227] User @ successfully force-reset-password
[2026.01.22] [144.172.97.227] User @ successfully force-reset-password 05:57:47.062
[2026.01.22] 05:57:47.078 [144.172.97.227] User @ successfully force-reset-password
[2026.01.22] [144.172.97.227] User @ successfully force-reset-password 06:00:02.975
[2026.01.22] 06:00:02.975 [144.172.97.227] User @ successfully force-reset-password
Jade B Replied
As per the email that was sent out by ST, there is another exploit in the wild allowing unauthenticated SmarterMail administrator password resets.

Check your SmarterMail configuration for additional SmarterMail administrators.

This boggles the mind. How was this allowed without any assumption that this could be exploited? It's time for SmarterTools to have a code audit by a third party, as there seem to be some questionable decisions and lack of security concern.
Colton Morrison Replied
So when Administrative logs say this - we're not concerned because they didn't reset a real user account?
User @ successfully force-reset-password
But if it says this we are concerned because they found one to reset?
User <someadmin>@ successfully force-reset-password
Is that a safe assumption?
Oliver Replied
I would also be interested to know what it means when 
User @ successfully force-reset-password
is in the log.

I have some of these entries, but I was able to log in normally with my password, so nothing was changed.
There were also no additional admin accounts.

This probably won't affect me anyway, as I have had 2FA and access via a specific IP address enabled since the beginning.
Jade B Replied
On the latest patched version that means that the reset was not successful. ST is aware of this and is going to provide a fix in one of the next patches.
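One way to triage the entries discussed above, as an added example that is not part of any post and is not SmarterTools code: it lists every force-reset-password line from an Administrative log, records whether a user name was logged, and notes any successful login that follows within a short window, as happened in the first post. The line patterns are inferred from the log lines quoted in this thread, and the 60-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the posts above; the patterns below are inferred from them.
SAMPLE_LOG = """\
[2026.01.17] 10:51:58.673 [142.111.152.149] Webmail Login successful: With user admin
[2026.01.17] 10:52:02.073 [142.111.152.49] User admin@ calling add domain, name: google.abc.com
[2026.01.17] 11:49:02.033 [142.111.152.164] User @ successfully force-reset-password
[2026.01.17] 11:49:03.634 [142.111.152.229] Webmail Login successful: With user admin
[2026.01.22] 05:53:01.900 [144.172.97.227] User @ successfully force-reset-password
"""

LINE = re.compile(r"^\[(\d{4}\.\d\d\.\d\d)\] (\d\d:\d\d:\d\d\.\d+) \[([^\]]+)\] (.*)$")
RESET = re.compile(r"^User ([^@\s]*)@ successfully force-reset-password")
LOGIN = re.compile(r"^Webmail Login successful: With user (\S+)")

def parse(text):
    """Return sorted (timestamp, ip, message) tuples; skip lines that do not fit."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{m[1]} {m[2]}", "%Y.%m.%d %H:%M:%S.%f")
            events.append((ts, m[3], m[4]))
    return sorted(events)

def triage(text, window=timedelta(seconds=60)):
    """List each force-reset-password entry with any login that follows it."""
    events = parse(text)
    findings = []
    for i, (ts, ip, msg) in enumerate(events):
        reset = RESET.match(msg)
        if not reset:
            continue
        logins = []
        for later_ts, later_ip, later_msg in events[i + 1:]:
            if later_ts - ts > window:
                break
            login = LOGIN.match(later_msg)
            if login:
                logins.append((later_ip, login[1]))
        findings.append({"time": ts, "ip": ip,
                         "user": reset[1] or None,  # None for "User @"
                         "login_after": logins})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "REVIEW" if f["login_after"] else "logged"
        print(flag, f["time"], f["ip"], f["user"], f["login_after"])
```

A reset entry followed by a login from a different address is a prompt to check the administrator list and password, not proof either way; lines without the time column are skipped by the parser.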
Oliver Replied
@Jade, thanks for the info. It would have been nice if someone from ST had made an official statement, as this announcement seems to be unsettling more people, as can be seen in the other forum posts.
Oliver Replied
I've now looked through my IIS logs and all requests with force-reset-password return errors 302, 400, or 405. Hopefully, ST will adjust the protocol soon.
Montague WebWorks Replied
And then.... today happened. How many servers were taken out?
Mik Muller
Montague WebWorks
Mark Johnson Replied
Can you elaborate, please? What happened today?
Montague WebWorks Replied
Mik Muller
Montague WebWorks
