
Hi.

I came to work yesterday and was told by a member of staff that, over the long weekend, one of our office email addresses has received around 17,000 "delivery failed" messages.

I deleted them from the server, keeping a few for analysis.

After looking at the headers I was pretty sure that none of the offending emails had been sent from the two or three machines in the office which used that account.

I changed the password on the account and scanned the machines for malware just to be safe.

Later, I received an email from the email provider, saying that due to the large number of emails being sent from the account, all sending from it had been temporarily suspended. I emailed the support center with my suspicions and asked them to investigate whether the emails had actually originated from our IPs or not.

They got back to me saying that I could check myself from the logs on the admin screen. (never knew you could)

Anyway, I have been looking through the SMTP logs and, sure enough, there are thousands of entries for the account in question.

Here are a few:

    date=20130428,time=00:01:50,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=46.158.219.205,rcpt=<SOME-POOR-LOSER>,msgid=6094E9D2.E9146BC1@<OUR-COMPANY-DOMAIN>,size=2557

    date=20130428,time=00:02:02,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=61.227.36.1,rcpt=<SOME-POOR-LOSER>,msgid=88B55327.A2C6E130@<OUR-COMPANY-DOMAIN>,size=2022

    date=20130428,time=00:07:21,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=180.215.133.161,rcpt=<SOME-POOR-LOSER>,msgid=D85FF366.19C7B55E@<OUR-COMPANY-DOMAIN>,size=2124

Look at the fromhost, all IPs from spammy countries.

Anyway, I was hoping that some of you mail experts could confirm that our provider's mail server is being used as a relay by spammers, and that it is their negligence that has caused us considerable inconvenience.

Thanks in advance.

The emails are still coming, though at a much slower rate. I expect it will die out by the end of the week.

https://www.neowin.net/forum/topic/1149824-help-mail-server-related-question/

Same thing happened to my company about 2 weeks ago. One of the dumbass techs created a test account and ended up giving it mail access when it was created to test some new file shares; next morning we were being used as a relay to email every god damn Yahoo account you can manage. What a headache that was. Although this was our fault and we weren't really an "open relay", after I fixed the problem, the traffic died down in 2 days.

As far as what your situation is, was it a common user name? Or, if it was a user, did they have a REALLY easy password to guess?

The only way you can blame your host is if you see their relay configuration and somewhere in there you see a bad entry.

Thanks for the response.

Looking at yesterday's logs, the last spam entry was sent around 11:30 am - this is before I changed the password at around 13:20.

Mails are still coming at a rate of about one every 2 or 3 minutes. Looking at the headers of the latest emails, they are in response to emails sent around 10:30 yesterday. I guess I will need to wait until an email refers to one sent after 13:30 to prove that the password was not compromised (it wasn't a dictionary word, but was only 6 characters (letters and numbers), so it could have been brute-forced, but the provider would have blocked multiple fails - for 5 mins after 3 fails).

Next question:

The message IDs for a spam email and a legit email are quite different too:

Spam

    msgid=0BD7C5F8.FA955522@<OUR-COMPANY-DOMAIN>,size=2540

Legit

    msgid=20130430043329.GYHN21833.<MAIL-PROVIDER-MAIL-SERVER>@<PC-NAME>,size=769

Did the spammer really guess the password and log in (in which case it is my fault for allowing a 6-character password...)?

Or, are they just logging in to our provider's lovely open relay and spoofing the return email address? (In which case I can complain.)
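The two questions the poster is working through (which log entries came from hosts other than the office's own, and whether anything was sent after the password change) can be answered mechanically from logs in the format quoted in the first post. The script below is an added example, not the poster's or the provider's code: it parses `key=value,...` lines of that shape, flags submissions from hosts outside an assumed office network, counts entries after an assumed password-change time, and sorts message IDs by shape, since the legitimate client's IDs looked like `20130430043329.GYHN21833.<server>@<pc>` while the spam IDs looked like `0BD7C5F8.FA955522@<domain>`. The office network, the change time and the sample log lines (documentation IP ranges, example.com addresses) are all constructed.

```python
"""
Added example (not from the forum thread): triage of SMTP submission logs
in the form date=...,time=...,sender=...,fromhost=...,rcpt=...,msgid=...,size=...

Everything below the imports that looks like real data is constructed:
the office network, the password-change time and the four log lines.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed sample: three lines shaped like the thread's spam entries plus
# one legitimate send from the office, using documentation IP ranges.
SAMPLE_LOG = """\
date=20130428,time=00:01:50,sender=office@example.com,fromhost=198.51.100.7,rcpt=victim1@example.net,msgid=6094E9D2.E9146BC1@example.com,size=2557
date=20130428,time=00:02:02,sender=office@example.com,fromhost=203.0.113.44,rcpt=victim2@example.net,msgid=88B55327.A2C6E130@example.com,size=2022
date=20130430,time=04:33:29,sender=office@example.com,fromhost=192.0.2.10,rcpt=colleague@example.com,msgid=20130430043329.GYHN21833.mail.provider.example@PC-NAME,size=769
date=20130430,time=14:05:11,sender=office@example.com,fromhost=203.0.113.44,rcpt=victim3@example.net,msgid=0BD7C5F8.FA955522@example.com,size=2540
"""

# Assumed: the office's own egress network(s). Replace with the real ranges.
OFFICE_NETWORKS = [ip_network("192.0.2.0/24")]

# Assumed: when the account password was changed (the thread says ~13:20 on 29 April).
PASSWORD_CHANGED = datetime(2013, 4, 29, 13, 20)

# Shape of the legitimate client's IDs: <14-digit timestamp>.<token>.<server>@<host>
LEGIT_MSGID = re.compile(r"^\d{14}\.[A-Z0-9]+\.[^@]+@[^@]+$")
# Shape of the spam IDs quoted in the thread: <8 hex>.<8 hex>@<domain>
SPAM_MSGID = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}@[^@]+$")


def parse_line(line):
    """Turn one key=value,... log line into a dict with a datetime attached."""
    fields = dict(part.split("=", 1) for part in line.strip().split(","))
    fields["when"] = datetime.strptime(fields["date"] + fields["time"], "%Y%m%d%H:%M:%S")
    fields["size"] = int(fields["size"])
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def from_office(host):
    """True if the submitting host lies inside one of the office networks."""
    addr = ip_address(host)
    return any(addr in net for net in OFFICE_NETWORKS)


def foreign_senders(entries):
    """Entries submitted from hosts outside the office networks."""
    return [e for e in entries if not from_office(e["fromhost"])]


def sent_after(entries, cutoff):
    """Entries whose timestamp is later than the cutoff (e.g. the password change)."""
    return [e for e in entries if e["when"] > cutoff]


def classify_msgid(msgid):
    """Bucket a Message-ID by shape; 'other' means neither known pattern."""
    if LEGIT_MSGID.match(msgid):
        return "client-style"
    if SPAM_MSGID.match(msgid):
        return "hex-pair"
    return "other"


def triage(text, cutoff):
    """Summarise a log: foreign hosts, post-cutoff activity, Message-ID shapes."""
    entries = parse_log(text)
    foreign = foreign_senders(entries)
    after = sent_after(entries, cutoff)
    shapes = {}
    for e in entries:
        shape = classify_msgid(e["msgid"])
        shapes[shape] = shapes.get(shape, 0) + 1
    return {
        "total": len(entries),
        "foreign_hosts": sorted({e["fromhost"] for e in foreign}),
        "foreign_count": len(foreign),
        "after_cutoff": len(after),
        "after_cutoff_foreign": sum(1 for e in after if not from_office(e["fromhost"])),
        "msgid_shapes": shapes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, PASSWORD_CHANGED).items():
        print(f"{key}: {value}")
```

A non-zero `after_cutoff_foreign` is the figure worth raising with the provider: a submission from a non-office host after the password change cannot be explained by the old credentials alone. Note that `fromhost` is the address that spoke SMTP to the provider's server, so a legitimate sender on a trip will also show up as foreign; the message-ID shape and recipient pattern help separate those from the bulk runs.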

I had something like this happen to me but it was due to a script injection on a site I was hosting (actually two Joomla-based sites). They used a scanner to exploit Joomla and injected the script using the exploit. They in turn forged an email address which was legit on the server and used it to send out spam emails.

If your company is using a web site, I would recommend that they do a deep scan for changed files or odd-looking ones with recent dates. This will help eliminate the problem mostly if not completely. It isn't restricted to Joomla btw; rather, any server which has incorrect permissions set on the directory can suffer too. Most often, the hackers will MD5 encode the script to prevent casual detection.
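The "scan for changed files or odd-looking ones with recent dates" advice above is easiest to act on with a baseline: hash every file under the web root once, and later diff the live tree against that manifest. The script below is an added example, not code from the reply or from Joomla: `build_manifest` records SHA-256 hashes, `diff_manifest` reports added, removed and modified files, and `recently_modified` lists files whose modification time is newer than a chosen cutoff. The directory layout, file contents and dates in `demo()` are constructed in a temporary directory so the script runs offline.

```python
"""
Added example (not from the thread): baseline-and-diff check for a web root.
The site layout, contents and timestamps in demo() are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; modified means present in both with different hashes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def recently_modified(root, since):
    """Relative paths of files whose mtime is later than `since` (a UTC datetime)."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) > cutoff:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario: baseline a tiny site, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "includes", "config.php"), "w") as f:
            f.write("<?php $db = 'localhost'; ?>\n")
        baseline = build_manifest(root)

        # Push every baseline file's mtime into the past so that a cutoff
        # between then and now separates untouched files from changed ones.
        old = datetime(2013, 4, 1, tzinfo=timezone.utc).timestamp()
        for rel in baseline:
            os.utime(os.path.join(root, rel), (old, old))
        cutoff = datetime(2013, 4, 15, tzinfo=timezone.utc)

        # Simulated tampering: one existing file altered, one new file dropped in.
        with open(os.path.join(root, "includes", "config.php"), "a") as f:
            f.write("/* appended line */\n")
        with open(os.path.join(root, "includes", "x.php"), "w") as f:
            f.write("<?php /* new file */ ?>\n")

        return {
            "diff": diff_manifest(baseline, build_manifest(root)),
            "recent": recently_modified(root, cutoff),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written once from a known-good copy of the site and stored somewhere the web server cannot write, then the diff is run from cron; the mtime check on its own is weaker, because timestamps are trivial to reset, so treat it as a quick first pass and the hash diff as the authority.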

The login name for this account is the email address with a % in place of an @ (don't know how common this is).

The address itself does not appear anywhere on the web and is used mainly to communicate with colleagues, though may sometimes be CCed in mails to clients.

Did the spammers really find this email, figure out the login name, guess the password and log in from the axis of spam, or did they just pluck the address at random from someone's address book and somehow relay the messages through our provider's server? I don't know which is more plausible anymore.

Messages are slowing down - about one every 10 minutes. Until I see today's logs tomorrow I won't know if any were sent after the password changed.

Anyway, I'll take this as a lesson learnt, and just report back to the provider, in a non-accusatory tone. :)

However, isn't it reasonable to expect a provider to detect emails being sent at a rate of about 40 a minute from an overseas IP (we cannot block overseas IPs outright, as several staff are frequently on overseas business trips) as mildly suspicious behaviour?

Thanks for the replies.

Update: One of the computers appears to have been infected with trojan.zbot.

Not sure if it was active, as there was only a registry entry pointing to a file which was not reported as having been removed and could not be found at the path.

Will be changing the passwords for other accounts on that computer as a precaution.
