HELP - Mail-server-related question

[Shiranui]

Hi.

I came to work yesterday and was told by a member of staff that, over the long weekend, one of our office email addresses have received around 17,000 "delivery failed" messages.

I deleted them from the server, keeping a few for analysis.

After looking at the headers at the headers is was pretty sure that the none of the offending emails had been sent from the two or three machines in the office which used that account.

I changed the password on the account and scanned the machines for malware just to be safe.

Later, I received an email from the email provider, saying that due to the large number of emails being sent from the account, all sending from it had been temporarily suspended. I emailed the support center with my suspicions and asked them to investigate whether the emails had actually originated from our IPs or not.

They got back to me saying that I could check myself from the logs on the admin screen. (never knew you could)

Anyway, I have been looking through the SMTP logs and, sure enough, there are thousand of entries for the account in question.

Here are a few:

date=20130428,time=00:01:50,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=46.158.219.205,rcpt=<SOME-POOR-LOSER>,msgid=6094E9D2.E9146BC1@<OUR-COMPANY-DOMAIN>,size=2557

date=20130428,time=00:02:02,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=61.227.36.1,rcpt=<SOME-POOR-LOSER>,msgid=88B55327.A2C6E130@<OUR-COMPANY-DOMAIN>,size=2022

date=20130428,time=00:07:21,sender=<OUR-COMPANY-EMAIL-ADDRESS>,fromhost=180.215.133.161,rcpt=<SOME-POOR-LOSER>,msgid=D85FF366.19C7B55E@<OUR-COMPANY-DOMAIN>,size=2124

Look at the fromhost, all IPs from spammy countries.

Anyway, I was hoping that some of you mail experts could confirm that our provider's mail server is being used as a relay by spammers, and that it is their negligence that has caused us considerable inconvenience.

Thanks in advance.

The emails are still coming, though at a much slower rate. I expect it will die out by the end of the week.

[Sikh]

Same thing happened to my company about 2 weeks ago. One of the dumbass techs created a test account and ended up giving it mail access when it was created to test some new file shares, next morning we were being used as a relay to email every god damn yahoo account you can manage. What a headache that was. Although this was our fault and we werent really an "open relay", after i fixed the problem, the traffic died down in 2 days.

As far as what your situation is, was it a common user name? or if it was a user, did they have a REALLY easy password to guess?

Only way you can blame your host is if you see there relay configuration and somewhere in their you see a bad entry.

[Shiranui]

Thanks for the response.

Looking at yesterdays logs, the last spam entry was sent around 11:30 am - this is before I changed the password at around 13:20.

Mail. Mails are still coming at a rate of about 1 every 2 or 3 minutes. Looking at the headers of the latest emails, they are in response to emails sent around 10:30 yesterday. I guess I will need to wait until an email refers to one sent after 13:30 to prove that the password was not compromised (it wasn't a dictionary word, but was only 6 characters (letters and numbers) so could have been brute-forced, but the provider would have block multiple fails - for 5 mins after 3 fails).

Next question:

The message IDs for a spam email and a legit email are quite different too:

Spam

msgid=0BD7C5F8.FA955522@<OUR-COMPANY-DOMAIN>,size=2540

Legit

msgid=20130430043329.GYHN21833.<MAIL-PROVIDER-MAIL-SERVER>@<PC-NAME>,size=769

Did the spammer really guess the password and log in (in which case it is my fault for allowing a 6-character password...)

Or, are they just and logging in to our provider's lovely open relay and spoofing the return email address? (in which case I can complain).

[PNWDweller]

i had something like this happen to me but it was due to a script injection on a site i was hosting. (Actually two Joomla based sites). They used a scanner to exploit Joomla and injected the script using the exploit. They in turn forged an email address which was legit on the server and used it to send out spam emails.

If your company is using a web site, i would recommend that they do a deep scan for changed files or odd looking ones with recent dates. This will help eliminate the problem mostly if not completely. It isn't restricted to Joomla btw, rather any server which has incorrect permissions set on the directory can suffer too. Most often, the hackers will MD5 encode the script to prevent casual detection.

[primexx]

uhh... do you not have spf, dkim, and dmarc records that a) authenticate mail and b) gives you reports on (a)?

[Shiranui]

The login name for this account is the email address with a % in place of an @ (don't know how common this is.

The address itself does not appear anywhere on the web and is used mainly to communicate with colleagues, though may sometimes be CCed in mails to clients.

Did the spammers really find this email, figure out the log in name, guess the password and log in from the axis of spam, or did they just pluck the address at random from someones address book and somehow relay the messages through our provider's server. I don't know which is more plausible anymore.

Messages are slowing down - about one every 10 minutes. Until I see today's logs tomorrow I won't know if any were sent after the password changed.

Anyway, I'll take this as a lesson learnt, and just report back to the provider, in a non-accusatory tone. :)

However, isn't it reasonable to expect a provider to detect emails being sent at the rate of about 40 a minute from an overseas IP (we cannot block overseas IPs outright, as several staff are frequently on overseas business trips) as mildly suspicious behaviour??

Thanks for the replies.

[Shiranui]

Update: One of the computers appears to have been infected with trojan.zbot.

Not sure if it was active as the was only a registry entry pointing to a file which was not reported as having being removed and could not be found at the path.

Will be changing the passwords for other accounts on that computer as a precaution.