Find a Compromised Account

This article applies to recent versions of SmarterMail.
When an account has been compromised, the spammer will try to send as much spam as possible through the server. This can cause a number of issues, including getting a domain or IP address blacklisted. Accounts can be compromised in a number of ways, the most common of which is the account using a weak, insecure password.
 
There are a few ways administrators can become aware that an account has been compromised, including noticing the mail server spool filling up, which causes both incoming and outgoing messages to be delayed. When this happens, administrators can review the Spool Dashboard or the traffic reports to find the compromised domain and the account being used to send the large amount of email.
 
Follow these steps to find the compromised account by reviewing the Spool Dashboard:
 
  1. Log into SmarterMail as an Administrator.
  2. Within the Manage section, click on Spool in the navigation pane.
  3. In the Overview tab, look at the Top Outbound Senders section to find any anomalies in outbound deliveries. If an account has been compromised, it will likely be the first in the list with the most deliveries. (The spool dashboard updates every 20 seconds for a real-time look at the spool.)
  4. Determine whether the messages are valid emails or spam. This can be done in two ways: (a) click on the Spool tab and use the search bar to find messages sent by the suspected user account, or (b) click on the Actions menu in the spool overview and use Move Messages to move the messages sent by the user (that are currently held in the spool) to their own folder on the server. Review the messages.
  5. If the messages are found to be spam, use the Delete Messages action to delete the remaining messages in the spool sent by that user. 
  6. If the account is determined to be compromised, you can also temporarily disable the account, preventing future email from being sent out. Use the Disable User action to disable the user's account but still allow it to receive mail. Alternatively, you can navigate to the user's settings to change the User Status to 'Disable and don't allow mail'.
  7. Look at the Top Outbound IP Addresses section to find any anomalies in outbound deliveries. Spammers may send messages through just one user account; however, they may authenticate using various IP addresses. 
  8. Repeat steps 5 and 6 to determine the legitimacy of the messages and take actions against them, if necessary.
  9. If an IP address is in violation, use the Blacklist IP action to add the IP address to the SMTP Blocked list. (The IP will be blocked on SMTP only.)
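The two anomalies the Spool Dashboard steps look for (one account dominating outbound deliveries in step 3, and one account authenticating from several client IPs in step 7) can also be checked offline against a delivery log. The script below is an added example, not part of this article or of SmarterMail; its log layout ("account ip" per line) and the RFC 5737 addresses are constructed, so adapt `parse()` to the real log format before use.

```python
from collections import Counter, defaultdict

# Constructed sample, not SmarterMail's real log layout: one outbound delivery
# per line as "<authenticated account> <client IP>" (RFC 5737 test addresses).
SAMPLE_LOG = """\
alice@example.com 203.0.113.10
bob@example.com 198.51.100.7
carol@example.com 192.0.2.5
carol@example.com 192.0.2.5
carol@example.com 198.51.100.40
alice@example.com 203.0.113.10
carol@example.com 203.0.113.77
carol@example.com 192.0.2.5
"""

def parse(log_text):
    # Skip blank or malformed lines; normalise account names to lower case.
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append((parts[0].lower(), parts[1]))
    return records

def top_outbound_senders(records, n=3):
    # Step 3: accounts ranked by number of outbound deliveries.
    return Counter(user for user, _ in records).most_common(n)

def top_outbound_ips(records, n=3):
    # Step 7: client IPs ranked by number of outbound deliveries.
    return Counter(ip for _, ip in records).most_common(n)

def flag_suspects(records, share=0.5, min_ips=3):
    # Flag accounts sending >= `share` of all outbound mail (step 3) or
    # authenticating from >= `min_ips` distinct client IPs (step 7).
    counts = Counter(user for user, _ in records)
    ips = defaultdict(set)
    for user, ip in records:
        ips[user].add(ip)
    flagged = {}
    for user, count in counts.items():
        reasons = []
        if count >= share * len(records):
            reasons.append("dominant sender")
        if len(ips[user]) >= min_ips:
            reasons.append("many source IPs")
        if reasons:
            flagged[user] = reasons
    return flagged
```

A flagged account is only a lead: confirm by reviewing the held messages (step 4) before disabling the user or blacklisting an IP.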
 
Follow these steps to find the compromised account by reviewing reports:
 
  1. Log in to SmarterMail as an Administrator.
  2. Click on the Reports icon.
  3. Select Message Traffic and change the mode from Trend to Domains.
  4. This report will list all domains on the server and display the number of incoming and outgoing messages for each. The domain with the compromised account will generally be the one with the most outgoing messages.
  5. Clicking on the domain will display the Message Traffic report for users on that domain. From here, make sure the report Mode is set to Users (not Trend), and you can narrow down the one (or more) users sending the largest amount of email.
The next steps are generally up to the administrator. They can either manage the domain and change the user's password, disable the user, or delete the account entirely to stop the spammer from relaying through the server.
 
 

Feedback

This article seems incomplete because it doesn't mention checking the SMTP logs (for authenticated user) nor checking the actual messages in the spool. Thanks!
Brett Garrett (9/22/2014 at 8:01 AM)
Also the mentioned areas don't exist in the latest version (16)...
Steve Guluk (11/9/2018 at 7:53 AM)
Hi Steve. Which areas are you referencing? These can be found if you log in as the system administrator. Click on the Manage icon, click on Spool in the navigation pane, then click on the Overview tab. For the reports, you'll click on the Reports icon.
Andrea Free (11/9/2018 at 8:09 AM)