
Hello…

 

I've a friend that has a private e-mail, but someone is sending e-mails from that account (spam) to his contacts. Since it's a work e-mail, his customers are receiving that spam from him, which is very bad for his reputation.

 

We already changed the password twice, but the spam continues.

 

We can't cancel that e-mail account because there are a lot of people (many customers) that are using that account.

 

Is there a way to cancel JUST THE OUTGOING e-mails? If that were possible, the problem would be practically solved, since his customers wouldn't receive any more spam from his account and he would still be able to receive e-mails on the account.

 

Thank you!

https://www.neowin.net/forum/topic/1296762-block-outgoing-mails/

You need to find out the root cause of the issue. Initially I would think that you have malware on the machine (a sniff would be able to determine that); it wouldn't matter how many times you have changed the password. Another would be that a spammer has gotten hold of his contact list and is spoofing his address (the recipient would have to look at the headers to determine if it is in fact originating from his mail server).

 

You have a lot more troubleshooting to do before you blatantly disable outgoing, which can be done on the server side if it is Exchange or an Exchange type of system...if it is IMAP or POP, just remove the outgoing server settings of that mail profile/account.

 

I don't know what you have or what your or his capabilities are, or if you have a support staff that really knows what they are doing, but those are the steps I would take in determining the actual root cause vs trying to put a band-aid on an issue, esp when you don't know what the issue is...if it is malware you can create a million accounts and it will still do the same thing as he is experiencing on each one of those accounts on that specific machine.
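The header check sc302 mentions (is the mail really passing through the friend's mail server, or is the address just spoofed?) can be automated on the recipient side. This is an added example, not code from the thread: it parses the Received chain of a message as a customer's server recorded it and decides whether the message never touched the legitimate host (spoof) or was submitted through it with authentication from an unexpected IP (account compromise). The host name, the IP ranges and both sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
# Assumed values (not from the thread): the hosting company's server and the
# IP ranges the friend normally sends from (office and home).
LEGIT_HOST = "mail.example-host.net"
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample headers as a customer's mail server would record them.
COMPROMISED = """\
Received: from mail.example-host.net (mail.example-host.net [198.51.100.10])
\tby mx.customer.example (Postfix) with ESMTPS; Tue, 1 Mar 2016 10:00:00 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail.example-host.net (Postfix) with ESMTPSA; Tue, 1 Mar 2016 09:59:58 +0000
From: friend@example.com
Subject: constructed sample 1

"""
SPOOFED = """\
Received: from cheap-vps.example (cheap-vps.example [203.0.113.9])
\tby mx.customer.example (Postfix) with ESMTP; Tue, 1 Mar 2016 11:00:00 +0000
From: friend@example.com
Subject: constructed sample 2

"""
HOP_RE = re.compile(r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return (source_ip, receiving_host, protocol) per Received header, oldest first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m, ip = HOP_RE.search(hdr), IP_RE.search(hdr)
        if m:
            hops.append((ip.group(1) if ip else None, m.group("by"), m.group("proto")))
    return list(reversed(hops))  # servers prepend, so the last header is the oldest hop

def classify(raw, legit_host=LEGIT_HOST, expected_nets=EXPECTED_NETS):
    """Spoof vs. abuse of the real account, judged from the hop the legit host accepted."""
    # Only hops recorded by servers you trust are reliable; anything below the
    # recipient's own MX could have been forged by the sender.
    for ip, by, proto in received_hops(raw):
        if by == legit_host:
            # ESMTPA/ESMTPSA means the sender authenticated, i.e. knew the password.
            if proto.upper().endswith("A") and ip:
                inside = any(ipaddress.ip_address(ip) in net for net in expected_nets)
                return "expected" if inside else "compromised_account"
            return "relayed_unauthenticated"
    return "spoofed"
```

A "compromised_account" verdict is the case the thread ends up describing: authenticated submissions from a far-away IP, which a password change alone will not stop if the credentials keep leaking from the client machine.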

30 minutes ago, Southern Patriot said:

Is this on an e-mail server that he controls? If so, then it sounds like there is a virus of some sort on the server itself. 

My friend is just a user, I set up his domain, website, etc in a hosting company.

 

My friend uses outlook in his desktop.

 

There are several e-mails in the same domain, but only his e-mail is being affected.

 

So, the virus in the server could be ruled out?

23 minutes ago, sc302 said:

You need to find out the root cause of the issue. Initially I would think that you have malware on the machine (a sniff would be able to determine that); it wouldn't matter how many times you have changed the password. Another would be that a spammer has gotten hold of his contact list and is spoofing his address (the recipient would have to look at the headers to determine if it is in fact originating from his mail server).

 

You have a lot more troubleshooting to do before you blatantly disable outgoing, which can be done on the server side if it is Exchange or an Exchange type of system...if it is IMAP or POP, just remove the outgoing server settings of that mail profile/account.

 

I don't know what you have or what your or his capabilities are, or if you have a support staff that really knows what they are doing, but those are the steps I would take in determining the actual root cause vs trying to put a band-aid on an issue, esp when you don't know what the issue is...if it is malware you can create a million accounts and it will still do the same thing as he is experiencing on each one of those accounts on that specific machine.

I installed Malwarebytes and AVG, scanned the system and found some viruses, but the problem continued.

 

The techs from the hosting company looked at the headers and told me to change the password, but the problem continues.

 

What can I do more to troubleshoot?

 

The IP of the sender is in a location very far from the office and from my friend's house.

 

What other ways are there to determine if it's malware?

If you only ran one thing and think it is clean, for sake of ease...format the machine and reinstall everything. 

 

It would take months to get you to the point of having a 90% success rate, and even that would only get you to 90%; there would still be a 10 percent chance you missed it. Fwiw, I run about 7 different scanners then look at a log file that tells me everything that has changed in the past 6 months. You think AVG will grab it by itself? AVG has one of the worst detection rates out there and has one of the highest false positive rates.

 

For sake of time and to be 100%, nuke it from orbit.  

9 minutes ago, sc302 said:

If you only ran one thing and think it is clean, for sake of ease...format the machine and reinstall everything. 

 

It would take months to get you to the point of having a 90% success rate, and even that would only get you to 90%; there would still be a 10 percent chance you missed it. Fwiw, I run about 7 different scanners then look at a log file that tells me everything that has changed in the past 6 months. You think AVG will grab it by itself? AVG has one of the worst detection rates out there and has one of the highest false positive rates.

 

For sake of time and to be 100%, nuke it from orbit.  

It wasn't "just" AVG, I also did Malwarebytes. But, yes, it wasn't 7 different scanners.

 

Also, there's another point: he uses another account in Outlook, and that account is OK, so if it was malware, most probably it would affect the second account too, right?

 

I agree that reinstalling everything is the best option, but I did the reinstall around 5 months ago. If I have to reinstall everything because of malware or a virus, he won't be able to work with that machine. Besides, they must pay me to reinstall everything. And that's no solution for them (constantly paying me).

 

I tried to find the cause of it, with no success, that's why I'm trying to "stop" the outgoing. I think it's the best solution (if possible).

6 minutes ago, FiB3R said:

I take it this means the email address is not being spoofed?

Yep, it looks like that.

6 minutes ago, FiB3R said:

I wonder, If it turned out they were being spoofed, what could somebody do to combat that?

Forgive me, I'm not an expert in this field, but in the Sent mailbox of the affected mail account (on the server, using webmail), all the spam mails sent were there, and that was the way I was able to see his IP address (the hacker's), so this isn't spoofed, am I right or wrong?

 

11 minutes ago, FiB3R said:

I wonder, If it turned out they were being spoofed, what could somebody do to combat that?

that would be on the receivers end. 

 

16 minutes ago, Pedro3 said:

It wasn't "just" AVG, I also did Malwarebytes. But, yes, it wasn't 7 different scanners.

 

Also, there's another point: he uses another account in Outlook, and that account is OK, so if it was malware, most probably it would affect the second account too, right?

 

I agree that reinstalling everything is the best option, but I did the reinstall around 5 months ago. If I have to reinstall everything because of malware or a virus, he won't be able to work with that machine. Besides, they must pay me to reinstall everything. And that's no solution for them (constantly paying me).

 

I tried to find the cause of it, with no success, that's why I'm trying to "stop" the outgoing. I think it's the best solution (if possible).

Yep, it looks like that.

I would be looking at the network hard to verify that the PC is in fact sending out messages. The network would get put on a spam blacklist.

 

If the PC is sending out spam messages that the user isn't sending out, it doesn't matter if it is only one, two, 100 accounts...the user is not sending out the message, so no, it wouldn't matter if it did or didn't affect the second account.

 

You need to verify that the PC is in fact sending it out, or if another machine on the network is infected and is sending out the messages. You do this by putting a sniffer on the network, in between his computer and the internet/router, and capturing during the time the messages are sent out. I can't do this for you or set this up...you would do this via a SPAN port on the switch (if your switch supports it) or by putting in an inline hub and attaching a PC to the hub (it needs to be a hub, not a switch).


2 minutes ago, Pedro3 said:

Forgive me, I'm not an expert in this field, but in the Sent mailbox of the affected mail account (on the server, using webmail), all the spam mails sent were there, and that was the way I was able to see his IP address (the hacker's), so this isn't spoofed, am I right or wrong?

 

If you are not an expert, wipe the machine. If his machine has a chance of being infected, the attacker could get any and all passwords that are entered or stored on the machine...it won't matter if he changes his password, how many times his password is changed, or how complex the password is.

Quote

You need to verify that the PC is in fact sending it out, or if another machine on the network is infected and is sending out the messages. You do this by putting a sniffer on the network, in between his computer and the internet/router, and capturing during the time the messages are sent out. I can't do this for you or set this up...you would do this via a SPAN port on the switch (if your switch supports it) or by putting in an inline hub and attaching a PC to the hub (it needs to be a hub, not a switch).

But since the IP of the spam is not from his office or his house, it can't be his desktop that is sending the spam, right?

8 minutes ago, sc302 said:

Maybe, maybe not. It could be proxying; if it is, it would be coming from that other IP.

 

You could blacklist the IP if it isn't changing, so that it can't send through the mail server, for additional measures, on top of wiping the PC.

It's a good idea to blacklist the IP. Unfortunately wiping the PC isn't a good solution for them right now.

Good or not, the PC and any passwords that are entered on that PC are considered compromised in my book if changing the password to the mail account does nothing to stop the attacker from logging on and sending mail. Put it to the end user like this: if he uses that computer for bank accounts, the attacker has access to the bank accounts and all passwords/userids/etc that are associated with said bank accounts. You have no clue what is on that computer or what the attacker has access to...you don't have the skill set currently to figure it out, so you must treat that computer like everyone in the world can see what is going on with that computer and has access to everything the users do on it, giving them the ability to drain your bank accounts or buy whatever they want, or access to your most secret of secrets that could lead to blackmail or imprisonment.

5 hours ago, sc302 said:

that would be on the receivers end. 

So as the victim (as opposed to the intended targets/victims), nothing? An attacker/spammer can continue to spam all of your contacts, and there is nothing you can do about it apart from change your own email address?

 

What could the recipients do apart from block emails from that address? Set up filters that inspect the headers? Is that even a thing? You can't expect that of them, so pretty much say goodbye to those customers, right?

 

I suppose I'm basing this scenario on something like the contact list being gathered via bulk emails being sent by something like CC as opposed to BCC. Not sure that even makes sense.

If it's a proper breach, then It's a whole 'nother ball game.


Apologies if I am missing the super obvious, I haven't properly read the other replies, and it feels like this post has taken a week to write. ###### as a fart right now :wacko::woot::beer::hug:

5 hours ago, sc302 said:

in the send MailBox of the affected mail account (in the server, using webmail), there were there all the spam mails sent

OK, that puts my line of enquiry to bed :blush:

But out of interest, my questions still stand... I think.

Edit: Hold on. Using webmail? Not on any local machine? That means.... something, right?

 

Edit 2: I need to read more than one reply at a time before I respond. Better yet, I should go to bed. Goodnight. :yes:

Honestly -

 

It sounds like someone got a hold of the address book as part of the breach.  They made a copy, then spoofed the email address.

 

Someone can take my email address right now, set up a low cost/no cost email server and do the same thing.   

 

They could then use the email addresses they got and do their thing.

 

Here's the thing - if the mail headers are showing a different IP other than your friend's IP, then it means that the above happened more than likely. 

39 minutes ago, FiB3R said:

So as the victim (as opposed to the intended targets/victims), nothing? An attacker/spammer can continue to spam all of your contacts, and there is nothing you can do about it apart from change your own email address?

 

What could the recipients do apart from block emails from that address? Set up filters that inspect the headers? Is that even a thing? You can't expect that of them, so pretty much say goodbye to those customers, right?

 

I suppose I'm basing this scenario on something like the contact list being gathered via bulk emails being sent by something like CC as opposed to BCC. Not sure that even makes sense.

If it's a proper breach, then It's a whole 'nother ball game.


Apologies if I am missing the super obvious, I haven't properly read the other replies, and it feels like this post has taken a week to write. ###### as a fart right now :wacko::woot::beer::hug:

A mail server accepts mail from anyone anywhere. The account that has been compromised, in every case, will not know they are compromised or, if they know, to what extent. Spammers can spoof addresses and have them come from legitimate mail sources to fool anti-spam devices/software/services. You the victim can't really do much unless it is coming from your computer; it really is up to the receiver to modify their spam rules to detect it. So you as the victim have already been robbed and can do nothing about it.

 

If the customers have a decent IT staff or know how to contact their mail host, the IT staff or mail host can address the issue. Hell, the mail client may even have a little button on it to report as spam, so the mail host or the IT staff don't have to do anything and it is on the end user.

 

Spam comes through even the best filters; it is how it is treated by the staff and the spam solution. Spammers are constantly finding new ways to get around anti-spam solutions; after all, they get paid on the deliveries, not on the drops.


21 minutes ago, FiB3R said:

OK, that puts my line of enquiry to bed :blush:

But out of interest, my questions still stand... I think.

Edit: Hold on. Using webmail? Not on any local machine? That means.... something, right?

 

Edit 2: I need to read more than one reply at a time before I respond. Better yet, I should go to bed. Goodnight. :yes:

And your quote says it is me who wrote it. Def not me who wrote it.

 

I am not convinced it was using webmail...if it were then the account was compromised...but then it would come from the mail host, not some other IP. So something's not right there. This person doesn't really know how to troubleshoot this issue properly or provide accurate information, sorry OP.

31 minutes ago, sc302 said:

And your quote says it is me who wrote it. Def not me who wrote it.

 

I am not convinced it was using webmail...if it were then the account was compromised...but then it would come from the mail host, not some other IP. So something's not right there. This person doesn't really know how to troubleshoot this issue properly or provide accurate information, sorry OP.

Still drunk, but I highlighted that bit of text and clicked the popup "quote this".

Seems I quoted your quote.

 

3am... I am walking away from this machine :laugh:
