Security questions, email related.



I'm not sure if this is the best place to post for this, so if I should be posting in a different place, please point me in the right direction... The problem that has been encountered is as follows. It appears is attempting to access/login to the email at my job. There is a threshold that when reached will shut down the emails after a certain number of failed login attempts. Since this threshold is quickly reached, the emails are consistently becoming inaccessible. I would like to correct or find whatever is causing the problem. Scans have failed to reveal any harmful software, and the admin mentioned that the access was occurring from our IP address so I assume that is indicative of something malicious on one or several machines in office. The email that attempts the login is usually some non-existing email.

 

How can I go about hunting down the cause for this? Is there anyone that has had a familiar issue and was able to solve it? Again, if there is a different site/forum I should be making this post in, please point me in the right direction. Thanks.

 

WIN 7 SP1

MS Office 2013

I believe the scan software is Trend Micro Client/Server Security Agent

 


I had this happen before. When this happened, it was a virus trying to brute force AD passwords, causing email accounts to lock up.


Where exactly are the login attempts happening? You say it's some nonexisting email?

Do you access your email on some website, or do you point your email client to some mail server?

Let's call your email account Zarathuztra@domain.tld -- why would attempting to login to billy@domain.tld lock out your account? Or are you saying this email server sees too many logins from your IP, so locks out all email access to @domain.tld?



The logins are from the office's IP to the mail server. We use Outlook to point to the mail server.

 

The email server sees too many logins over a time period, assumes it is an attack and shuts down or disconnects, thus locking out email access and forcing us to call the guy that handles the mail server.


Well, what I would do is sniff at your exit point and look for the logins so you know what machine it's coming from. Can the guy tell you what email address is being tried? Is it just random stuff?

Could be something as simple as someone has a misconfigured Outlook that keeps trying to login.

You're going to need to sniff the traffic leaving your connection to see which IP in your office is doing it.
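
One way to act on the sniffing advice above, as an added example that is not part of the original thread: a Python script that reads `tcpdump -n -tt` text output and ranks office machines by new connections (SYNs) to the mail server, with each machine's busiest minute. The server address `203.0.113.10` is a placeholder assumption, the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

MAIL_SERVER = "203.0.113.10"  # assumption: placeholder for the mail server's address

# Constructed sample in `tcpdump -n -tt` format (epoch timestamps); not a real capture.
_SYN = "Flags [S], seq 1, win 64240, length 0"
SAMPLE = "\n".join(
    [f"1700000005.000000 IP 192.168.1.23.50110 > 203.0.113.10.993: {_SYN}",
     # Server's SYN-ACK reply: must not be counted as a client connection.
     "1700000005.040000 IP 203.0.113.10.993 > 192.168.1.23.50110: "
     "Flags [S.], seq 9, ack 2, win 65535, length 0",
     # Unrelated web traffic to another host: must be ignored.
     f"1700000030.000000 IP 192.168.1.23.50111 > 198.51.100.7.443: {_SYN}",
     f"1700000100.000000 IP 192.168.1.23.50112 > 203.0.113.10.993: {_SYN}"]
    # One machine reconnecting every 4 seconds, like a client stuck retrying a login.
    + [f"{1700000040 + 4 * i}.500000 IP 192.168.1.57.{51000 + i} > 203.0.113.10.993: {_SYN}"
       for i in range(12)]
)

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def syn_counts(text, server=MAIL_SERVER):
    """Return {src_ip: Counter({minute_bucket: new_connections})} for SYNs sent to server."""
    per_src = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line)
        # Keep only connection openers ("S") aimed at the mail server.
        if not m or m["dst"] != server or m["flags"] != "S":
            continue
        per_src[m["src"]][int(float(m["ts"])) // 60] += 1
    return per_src

def rank_sources(text, server=MAIL_SERVER):
    """Return [(src_ip, total_connections, peak_per_minute)], busiest machine first."""
    rows = [(src, sum(c.values()), max(c.values()))
            for src, c in syn_counts(text, server).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, total, peak in rank_sources(SAMPLE):
        print(f"{src:15} connections={total:3} peak/min={peak}")
```

The capture has to be taken on the LAN side of the router or firewall: after NAT, every machine's traffic carries the office's single public IP and the internal source is no longer visible.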
