HELP - Mail-server-related question

By Shiranui
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

Shiranui

Posted
Posted

Hi.

I came to work yesterday and was told by a member of staff that, over the long weekend, one of our office email addresses have received around 17,000 "delivery failed" messages.

I deleted them from the server, keeping a few for analysis.

After looking at the headers at the headers is was pretty sure that the none of the offending emails had been sent from the two or three machines in the office which used that account.

I changed the password on the account and scanned the machines for malware just to be safe.

Later, I received an email from the email provider, saying that due to the large number of emails being sent from the account, all sending from it had been temporarily suspended. I emailed the support center with my suspicions and asked them to investigate whether the emails had actually originated from our IPs or not.

They got back to me saying that I could check myself from the logs on the admin screen. (never knew you could)

Anyway, I have been looking through the SMTP logs and, sure enough, there are thousand of entries for the account in question.

Here are a few:

date=20130428,time=00:01:50,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=46.158.219.205,rcpt=<SOME-POOR-LOSER>,msgid=6094E9D2.E9146BC1@<OUR-COMPANY-DOMAIN>,size=2557

date=20130428,time=00:02:02,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=61.227.36.1,rcpt=<SOME-POOR-LOSER>,msgid=88B55327.A2C6E130@<OUR-COMPANY-DOMAIN>,size=2022

date=20130428,time=00:07:21,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=180.215.133.161,rcpt=<SOME-POOR-LOSER>,msgid=D85FF366.19C7B55E@<OUR-COMPANY-DOMAIN>,size=2124

Look at the fromhost, all IPs from spammy countries.

Anyway, I was hoping that some of you mail experts could confirm that our provider's mail server is being used as a relay by spammers, and that it is their negligence that has caused us considerable inconvenience.

Thanks in advance.

The emails are still coming, though at a much slower rate. I expect it will die out by the end of the week.

Link to comment
https://www.neowin.net/forum/topic/1149824-help-mail-server-related-question/
Share on other sites
Grand Master

Sikh

Posted
Posted

Same thing happened to my company about 2 weeks ago. One of the dumbass techs created a test account and ended up giving it mail access when it was created to test some new file shares, next morning we were being used as a relay to email every god damn yahoo account you can manage. What a headache that was. Although this was our fault and we werent really an "open relay", after i fixed the problem, the traffic died down in 2 days.

As far as what your situation is, was it a common user name? or if it was a user, did they have a REALLY easy password to guess?

Only way you can blame your host is if you see there relay configuration and somewhere in their you see a bad entry.

Grand Master

Shiranui

Posted
  • Author
Posted

Thanks for the response.

Looking at yesterdays logs, the last spam entry was sent around 11:30 am - this is before I changed the password at around 13:20.

Mail. Mails are still coming at a rate of about 1 every 2 or 3 minutes. Looking at the headers of the latest emails, they are in response to emails sent around 10:30 yesterday. I guess I will need to wait until an email refers to one sent after 13:30 to prove that the password was not compromised (it wasn't a dictionary word, but was only 6 characters (letters and numbers) so could have been brute-forced, but the provider would have block multiple fails - for 5 mins after 3 fails).

Next question:

The message IDs for a spam email and a legit email are quite different too:

Spam

msgid=0BD7C5F8.FA955522@<OUR-COMPANY-DOMAIN>,size=2540

Legit

msgid=20130430043329.GYHN21833.<MAIL-PROVIDER-MAIL-SERVER>@<PC-NAME>,size=769

Did the spammer really guess the password and log in (in which case it is my fault for allowing a 6-character password...)

Or, are they just and logging in to our provider's lovely open relay and spoofing the return email address? (in which case I can complain).

Grand Master

PNWDweller

Posted
Posted

i had something like this happen to me but it was due to a script injection on a site i was hosting. (Actually two Joomla based sites). They used a scanner to exploit Joomla and injected the script using the exploit. They in turn forged an email address which was legit on the server and used it to send out spam emails.

If your company is using a web site, i would recommend that they do a deep scan for changed files or odd looking ones with recent dates. This will help eliminate the problem mostly if not completely. It isn't restricted to Joomla btw, rather any server which has incorrect permissions set on the directory can suffer too. Most often, the hackers will MD5 encode the script to prevent casual detection.

Grand Master

Shiranui

Posted
  • Author
Posted

The login name for this account is the email address with a % in place of an @ (don't know how common this is.

The address itself does not appear anywhere on the web and is used mainly to communicate with colleagues, though may sometimes be CCed in mails to clients.

Did the spammers really find this email, figure out the log in name, guess the password and log in from the axis of spam, or did they just pluck the address at random from someones address book and somehow relay the messages through our provider's server. I don't know which is more plausible anymore.

Messages are slowing down - about one every 10 minutes. Until I see today's logs tomorrow I won't know if any were sent after the password changed.

Anyway, I'll take this as a lesson learnt, and just report back to the provider, in a non-accusatory tone. :)

However, isn't it reasonable to expect a provider to detect emails being sent at the rate of about 40 a minute from an overseas IP (we cannot block overseas IPs outright, as several staff are frequently on overseas business trips) as mildly suspicious behaviour??

Thanks for the replies.

Grand Master

Shiranui

Posted
  • Author
Posted

Update: One of the computers appears to have been infected with trojan.zbot.

Not sure if it was active as the was only a registry entry pointing to a file which was not reported as having being removed and could not be found at the path.

Will be changing the passwords for other accounts on that computer as a precaution.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By TsarNikky · Posted

      While LibreOffice is not pleased to see a new competitor, they are absolutely correct in stating that Euro-Office using a MS file standard as a default is not being truly "European." Using a MS standard just means Euro-Office is just a "bastardized MS Office Suite." (Wasn't a major purpose of Euro-Office was to get away from being captive and enslaved to MS's Office Suite??)
    • Microsoft Teams is getting a controversial location tracking feature that users may hate

      By TsarNikky · Posted

      Microsoft continues its long-term policy of spying on their users--despite vehement denials. That feature will be disabled (or removed) either "elegantly" with MS providing a true way to disable it, or "quick and dirty" via a third-party who WILL come up with a way to disable it. Your choice MS...
    • Helium Browser 0.13.3.1

      By Copernic · Posted

      Helium Browser 0.13.3.1 by Razvan Serea Helium is a private, fast, and honest Chromium-based web browser — built for people, with love. It offers the best privacy by default, unbiased ad-blocking, and a clean experience free from bloat and noise. Proudly based on Ungoogled-Chromium, Helium removes Google’s clutter while keeping a fast, efficient development pipeline. With thoughtful touches like native !bangs and split view, Helium is a people-first, fully open-source browser that puts control back in your hands. Privacy, security, and control come first. Ads, trackers, and third-party cookies are blocked automatically, HTTPS is enforced everywhere, and all Chromium extensions work seamlessly — while Google can’t track your activity. Helium’s 13,000+ offline-ready !bangs let you jump straight to sites or AI tools like ChatGPT instantly. Open-source, people-first, and unbiased, Helium delivers a browsing experience that’s fast, secure, and free from noise, ads, and compromises. Helium Browser key features: Performance Fast, efficient, and lightweight — built on Chromium’s optimized engine. Energy-saving and consistent — stays fast over time without slowing down. No bloat — stripped of unnecessary components for maximum speed. Minimalist interface — compact, clean, and distraction-free. Customizable toolbar — hide elements you don’t need. Smooth and stable — no flicker, lag, or animation glitches. Comfort-focused experience — intuitive and unobtrusive. Privacy & Security Best privacy by default — blocks ads, trackers, phishing, and third-party cookies. Unbiased ad-blocking — powered by community filters and uBlock Origin. No telemetry or analytics — zero background web requests on first launch. Strict HTTPS enforcement — warns for insecure sites. Passkeys supported — modern authentication made simple. No built-in password manager or cloud sync — your data stays yours. Extension Compatibility Full Chromium extension support — including MV2 extensions. Anonymized Chrome Web Store requests — Google can’t track extension installs. Extended MV2 support — maintained for as long as possible. Smart Features Native !bangs — browse faster using 13,000+ offline-ready shortcuts. AI integration — use !chatgpt and others directly from the address bar. Offline functionality — bangs work without an Internet connection. Philosophy People-first design — open source, transparent, and community-driven. No ads, no noise, no bias — privacy and honesty over profit. Helium Browser 0.13.3.1 changelog: f53b28d update: helium 0.13.3.1 (#292) b3cbb2ba revision: bump to 3 (#1925) bcacb8c7 chromium: update to 149.0.7827.114 (#1924) Download: Helium 64-bit | Portable 64-bit |~100.0 MB (Open Source) Download: Helium ARM64 | Portable ARM64 Links: Helium Home Page | macOS | Linux | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Microsoft Weekly: Xbox exclusives are back, big Windows app updates, and more

      By TarasBuria · Posted

      Microsoft Weekly: Xbox exclusives are back, big Windows app updates, and more by Taras Buria This week's news recap is here. Microsoft is returning to XBOX exclusives, Windows 11 gets new preview builds, the Low-latency Profile is here, big updates for inbox Windows apps, Patch Tuesday updates, and more. Quick links: Windows 10 and 11 Windows Insider Program Updates are available Reviews are in Gaming news Great deals to check Windows 11 and Windows 10 Here, we talk about everything happening around Microsoft's latest operating system in the Stable channel and preview builds: new features, removed features, controversies, bugs, interesting findings, and more. And, of course, you may find a word or two about older versions. The June 2026 Patch Tuesday updates are now publicly available. Windows 11 users can download KB5094126, which introduces plenty of new features and security updates, including the Low-latency Profile for better performance, shared Bluetooth audio support, and more. Windows 10 users with PCs enrolled in the Extended Security Update program can download KB5094127. In addition, Microsoft released new Defender updates for its operating systems. Speaking of Defender, Microsoft will now deliver EDR updates via Microsoft Update for faster security improvements independent of Patch Tuesday updates. Following the release of this month's Patch Tuesday updates, Microsoft also published new Windows 11 images available in the Media Creation Tool app. Now, you can create bootable USB media for clean Windows 11 installations with the latest releases. Some unfortunate stuff is going on with certain PCs from Dell and HP. Dell acknowledged that the SupportAssist bug causes black screens of death, while HP systems are suffering from Secure Boot update issues and boot loops. Both companies issued official advisories. Windows Insider Program Here is what Microsoft released for Windows Insiders this week: Builds Canary Channel Builds 29610.1000 and 28120.2302 This week's "Canary" builds only contain performance improvements and fixes, including the Low-latency mode, which is now available in the Stable channel for all Windows 11 24H2 and 25H2 users. Dev Channel Build 26300.8687 Microsoft brought some useful File Explorer changes with this build. You can now open folders in a new tab by middle-clicking them in the address bar. Beta Channel Build 26220.8680 and 28020.2298 Screen Tint, improved Windows Widgets, and other enhancements are included in this week's Beta releases. Release Preview Channel Builds 26200.8728 and 26100.8728 These builds also feature better widgets, new Windows Update controls, point-in-time restore, File Explorer improvements, and more. In addition to new Windows 11 preview builds, Microsoft announced that inbox Windows 11 apps now have their dedicated release notes in the official documentation. Also, Microsoft dropped massive feature updates for six apps, including Paint, Clock, Calculator, Camera, Media Player, Photos, and more. Updates are available This section covers software, firmware, and other notable updates (released and coming soon) delivering new features, security fixes, improvements, patches, and more from Microsoft and third parties. Google has some bad news for those still using MV2-based extensions in Chromium-based browsers, particularly Chrome. The company is now removing flags responsible for Manifest V2-based extensions (uBlock Origin is one of the most popular). However, some browsers resist this change, and Opera issued a statement that it will allow users to continue using MV2 extensions for as long as possible. While Microsoft is still not ready to share new details about MV2 extensions in Microsoft Edge, the company shared important details about the way it will be updating the browser going forward. Now, Microsoft wants to update Edge every two weeks across all platforms instead of the current four-week schedule (only the Extended Stable is exempt from this change). This week, Microsoft confirmed a useful new Teams feature that is coming to the messenger soon. It also detailed all the improvements that made the platform better for users in 2026. However, not all changes are great, as the company is moving ahead with the check-in feature, which many believe will lead to employee monitoring. PowerToys received a feature update this week. Version 0.100 arrived with a big rework for the Shortcut Guide, a new extension gallery for Command Palette, new Dock features, and plenty of other changes. Here are other updates and releases you may find interesting: Microsoft is bringing big performance improvements to OneDrive on Mac Popular Windows 11 file manager Files gets improved tags, layouts, and a new OneDrive icon New Outlook for Windows and Web is getting a simple but very useful email feature Microsoft had to shut down 70+ GitHub repos after getting hacked, bringing back some Microsoft AI boss no longer believes that AI will replace human workers Microsoft wants to end printer driver headaches with Windows Ready Print SQL Server Management Studio 22.7 brings "What's New" page, T-SQL formatting, and lots more Microsoft releases Visual Studio Code 1.124 with smarter autonomous AI agents Windows Server gets DNS over HTTPS (DoH) support Here are the latest drivers and firmware updates released this week: NVIDIA 610.52 Hotfix with multiple fixes for black screens of death, sleep issues, G-SYNC, and more. Reviews are in Here is the hardware and software we reviewed this week Steven Parker reviewed a rather unorthodox device here on Neowin this week. He took for a spin the DWARF mini, the world's smallest smart telescope for night and day sky captures. It tracks objects in the sky, has a sun filter, and has a low learning curve. There is also nice build quality and a quite affordable price. Pulasthi Ariyasinghe reviewed 007 First Light. The game turned out to be a satisfying spy adventure in the James Bond universe with great gunplay and combat, impressive crowds, over-the-top action sequences, and more. There are a few quirks here and there, but overall, the game scored high on our scale. On the gaming side Learn about upcoming game releases, Xbox rumors, new hardware, software updates, freebies, deals, discounts, and more. Microsoft held the latest XBOX Games Showcase this week. There, the company announced plenty of cool stuff, including a remake of Halo: Combat Evolved, a special 25th anniversary XBOX Series X with a classic translucent green design (coming in November 2026), details about Gears of War: E-Day, Spyro: A Realm Beyond after nearly 20 years since the last release, a new Hellblade game from Ninja Theory, a new expansion for DOOM: The Dark Ages, fresh details about State of Decay 3, and even a new entry in the Crazy Taxi series. More improtantly for XBOX fans, Microsoft announced the return of XBOX exclusives, with Gears of War: E-Day and Clockwork Revolution kicking it off. Microsoft also has some good news for Nintendo Switch 2 owners. Minecraft is coming natively to the second-gen Switch, offering better performance and new features, including the visual overhaul called "Vibrant Visuals." Playground Games revealed a 30-minute gameplay video of the upcoming Fable, showcasing combat, action, NPC simulation, relationships, and player choices. Additionally, the studio confirmed a bug with Forza Horizon 6 wiping saves for some gamers. It also had to shut down one of the game's online modes after users discovered an infinite money glitch. NVIDIA announced new games for the GeForce NOW streaming service and a big Summer sale that lets you get 12 months of GeForce NOW for $35 or $70 less, depending on the tier. Speaking of discounts, check out this week's Weekend PC Game Deals article, full of discounts and the latest freebies from the Epic Games Store. Great deals to check Every week, we cover many deals on different hardware and software. The following discounts are still available, so check them out. You might find something you want or need. GIGABYTE Radeon RX 9070 XT Gaming OC ICE 16G - $649.99 | 13% off 1TB Samsung T7 Portable SSD - $189.98 | 31% off AirPods Pro 3 - $179 | $50 off Edifier R1280Ts Powered Bookshelf Speakers - $129.99 | 24% off This link will take you to other issues of the Microsoft Weekly series. You can also support Neowin by registering for a free member account or subscribing for extra member benefits, along with an ad-free tier option.
    • Microsoft Flight Simulator's City Update 15 enhances Midwest cities

      By LoneWolfSL · Posted

      Microsoft Flight Simulator's City Update 15 enhances Midwest cities by Pulasthi Ariyasinghe The third major city update of the year has landed for the original Microsoft Flight Simulator and the 2024 release. The latest drop is upgrading the visuals and regional accuracy of three metropolitan regions in the American states of Illinois, Minnesota, and Wisconsin. The 15th city update is adding eight new areas of interest that have been enhanced with high-fidelity TIN (triangulated irregular network) surface texturing in the mentioned regions. The free update highlights Chicago, Elgin, Cicero, and Arlington Heights in Illinois, as well as Minneapolis, St. Paul, Bloomington, Duluth, Brooklyn Park, Woodbury, Lakeville, Plymouth, and Blaine in Minnesota. In Wisconsin, the development has also upgraded the lands and buildings of Milwaukee, Madison, and Racine. The update lands just as one of the world's largest enthusiast flight simulation conventions, FlightSimExpo, kicks off in downtown St. Paul, Minnesota, on June 14. The Flight Sim development team's 40-minute keynote at the event can be watched here. At the same time, Microsoft is bringing the 6-seat, single-engine, multi-use light civil airplane Piper M600 into the game as a part of its Expert Series 2 program. This premium plane can be purchased from the in-game marketplace for $24.99. City Update 15: The United States Midwest is now available in Microsoft Flight Simulator, as well as the newer Microsoft Flight Simulator 2024, as an optional download. It can be accessed across Steam and the Microsoft Store for PC, Xbox Series X|S, and PlayStation 5, as well as Xbox and PC Game Pass subscriptions. Xbox One, mobile, and PC players can also jump into the new content using Xbox Cloud Gaming if they have a Game Pass Ultimate membership. The game must be updated to the latest version to download this free update from the in-game marketplace.

  • Recent Achievements

    • Week One Done
      ssd21345 earned a badge
      Week One Done
    • Contributor
      MarkHughes4096 went up a rank
      Contributor
    • Dedicated
      jordanspringer earned a badge
      Dedicated
    • Rookie
      Rimplesnort went up a rank
      Rookie
    • One Year In
      Markus94287 earned a badge
      One Year In

  • Popular Contributors

    1. 1
      +primortal
      507
    2. 2
      +Edouard
      179
    3. 3
      PsYcHoKiLLa
      140
    4. 4
      ATLien_0
      91
    5. 5
      Steven P.
      78
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!