Security questions, email related.

security email malware malicious failed logins fake email

4 replies to this topic

#1 Zarathuztra

Zarathuztra

    Neowinian

  • Joined: 03-July 14

Posted 03 July 2014 - 16:11

I'm not sure if this is the best place to post for this, so if I should be posting in a different place, please point me in the right direction... The problem that has been encountered is as follows. It appears something is attempting to access/log in to the email at my job. There is a threshold that, when reached, will shut down the emails after a certain number of failed login attempts. Since this threshold is quickly reached, the emails are consistently becoming inaccessible. I would like to correct or find whatever is causing the problem. Scans have failed to reveal any harmful software, and the admin mentioned that the access was occurring from our IP address, so I assume that is indicative of something malicious on one or several machines in the office. The email that attempts the login is usually some non-existing email.

 

How can I go about hunting down the cause for this? Is there anyone that has had a familiar issue and was able to solve it? Again, if there is a different site/forum I should be making this post in, please point me in the right direction. Thanks.

 

WIN 7 SP1

MS Office 2013

I believe the scan software is Trend Micro Client/Server Security Agent

 




#2 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Elementary OS
  • Phone: iPhone 5S 64GB

Posted 03 July 2014 - 16:19

I had this happen before.. When this happened, it was a virus trying to brute force AD passwords.. causing email accounts to lock up.. 



#3 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 July 2014 - 18:32

Where exactly are the login attempts happening? You say it's some nonexistent email?

Do you access your email on some website, or do you point your email client to some mail server?

Let's call your email account Zarathuztra@domain.tld -- why would attempting to log in to billy@domain.tld lock out your account? Or are you saying this email server sees too many logins from your IP, so locks out all email access to @domain.tld?

#4 OP Zarathuztra

Zarathuztra

    Neowinian

  • Joined: 03-July 14

Posted 03 July 2014 - 19:23

> Where exactly are the login attempts happening? You say it's some nonexistent email?
>
> Do you access your email on some website, or do you point your email client to some mail server?
>
> Let's call your email account Zarathuztra@domain.tld -- why would attempting to log in to billy@domain.tld lock out your account? Or are you saying this email server sees too many logins from your IP, so locks out all email access to @domain.tld?

The logins are from the office's IP to the mail server. We use Outlook to point to the mail server.

 

The email server sees too many logins over a time period, assumes it is an attack and shuts down or disconnects, thus locking out email access and forcing us to call the guy that handles the mail server.



#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 July 2014 - 10:23

Well, what I would do is sniff at your exit point and look for the logins so you know what machine it's coming from. Can the guy tell you what email address is being tried, is it just random stuff?

Could be something as simple as someone has a misconfigured Outlook that keeps trying to log in.

You're going to need to sniff the traffic leaving your connection to see which IP in your office is doing it.
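
One way to act on the sniffing advice above, as an added example that is not part of the original thread: a Python script that ranks office machines by how many new connections each opens to the mail server, read from `tcpdump -nn -tt` text output. It assumes the capture was taken on the LAN side (before NAT, so internal addresses are visible), that the mail server uses the standard mail ports, and it counts connections as a proxy for login attempts because the logins themselves may be encrypted; the addresses and sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumption: standard SMTP/POP3/IMAP ports and their TLS variants.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# One IPv4 TCP line as printed by `tcpdump -nn -tt`.
LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def rank_sources(lines, mail_server, ports=MAIL_PORTS):
    """Return [(src_ip, new_connections, peak_per_minute)], busiest first."""
    total = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # UDP, ARP, or anything else that is not a TCP line
        if m["dst"] != mail_server or int(m["dport"]) not in ports:
            continue
        if m["flags"] != "S":
            continue  # bare SYN only: one per connection the client opens
        total[m["src"]] += 1
        per_minute[m["src"]][int(float(m["ts"])) // 60] += 1
    return [(ip, n, max(per_minute[ip].values())) for ip, n in total.most_common()]

# Constructed sample capture; 203.0.113.10 is a placeholder mail server address.
SAMPLE = """\
1404400021.10 IP 192.168.1.23.49152 > 203.0.113.10.143: Flags [S], seq 1, win 8192, length 0
1404400021.11 IP 203.0.113.10.143 > 192.168.1.23.49152: Flags [S.], seq 9, ack 2, win 8192, length 0
1404400025.40 IP 192.168.1.23.49153 > 203.0.113.10.143: Flags [S], seq 5, win 8192, length 0
1404400030.02 IP 192.168.1.23.49154 > 203.0.113.10.143: Flags [S], seq 7, win 8192, length 0
1404400041.00 IP 192.168.1.40.50100 > 203.0.113.10.993: Flags [S], seq 3, win 8192, length 0
1404400042.00 IP 192.168.1.40.53124 > 198.51.100.53.53: 4242+ A? mail.example.test. (35)
1404400050.00 IP 192.168.1.23.49154 > 203.0.113.10.143: Flags [P.], seq 1:40, ack 1, win 256, length 39
1404400085.00 IP 192.168.1.23.49156 > 203.0.113.10.143: Flags [S], seq 11, win 8192, length 0
""".splitlines()

if __name__ == "__main__":
    for ip, n, peak in rank_sources(SAMPLE, "203.0.113.10"):
        print(f"{ip:15}  connections={n:<4} peak/min={peak}")
```

A machine whose connection count and per-minute peak sit far above the other Outlook clients is the one to inspect first, whether the cause turns out to be malware or a misconfigured mail profile.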