Spam from Mailbox: ADMIN

Sepiritz
Posts: 6
Joined: Wed Aug 03, 2016 1:57 pm

Spam from Mailbox: ADMIN

Postby Sepiritz » Wed Dec 06, 2017 1:37 pm

I just checked the SMTP outbound queue and had loads of outbound mail sent from Mailbox: ADMIN (unable to use the Disable button, it did nothing), no Postoffice (field blank), it said it was authenticated and I managed to block the Client IP to stop it.
The subject was the same on all mails, Limited Card Access and the recipients were random public addresses, so clearly spam.

Is there a way to prevent this from happening again?
Is there some hidden user not related to postoffices that I should disable or delete?

MailEnable-Ian
Site Admin
Posts: 8512
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Spam from Mailbox: ADMIN

Postby MailEnable-Ian » Wed Dec 06, 2017 10:50 pm

Hi,

You need to inspect the SMTP activity log files in respect to the message ID in the outbound queue and trace through to see which mailbox was used to authenticate.

Example log snippet:

11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 220 hello there 0 0
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 EHLO EHLO MEWKS088 250-testmailenable.com.au [192.168.2.26], this server offers 9 extensions 234 15
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 test
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 AUTH {blank} 235 Authenticated 19 10 test
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 MAIL MAIL FROM:<test@Mailenable.com.au> 250 Requested mail action okay, completed 43 36 test
11/16/17 10:26:52 SMTP-IN 938A400D491E40EAAC49E051E646CFE8.MAI 208 192.168.2.26 RCPT RCPT TO:<test@Mailenable.com.au> 250 Requested mail action okay, completed 43 34 test

The user "test" was used to authenticate in the above snippet:

Authenticated 19 10 test

Regards,

Ian Margarone
MailEnable Support

Sepiritz
Posts: 6
Joined: Wed Aug 03, 2016 1:57 pm

Re: Spam from Mailbox: ADMIN

Postby Sepiritz » Thu Dec 07, 2017 8:43 am

Thank you for your reply.
I'm not sure how I'm supposed to identify the compromised account.
The sender spoofed their addresses.

12/06/17 00:00:04 SMTP-OU C91D14872B3D4F6B9FA624F2A2C2F20C.MAI 2488 217.70.37.175 QUIT QUIT 221 2.0.0 Bye 6 15 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 44A84AE6D6A74F01B0E4A60B8C5EE1D3.MAI 2876 217.70.37.175 DATE . 250 2.0.0 Ok: queued as db101fc0-da0f-11e7-86d2-005056811e77 39015 62 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 44A84AE6D6A74F01B0E4A60B8C5EE1D3.MAI 2876 217.70.37.175 QUIT QUIT 221 2.0.0 Bye 6 15 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 39FCDDB97FFE4F3A889F97938C08EAD0.MAI 1152 217.70.37.175 DATE . 250 2.0.0 Ok: queued as ec90c7be-da0f-11e7-86d2-005056811e77 39037 62 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 39FCDDB97FFE4F3A889F97938C08EAD0.MAI 1152 217.70.37.175 QUIT QUIT 221 2.0.0 Bye 6 15 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 4A9C16F19F2042DE82B122E569979AC4.MAI 1860 217.70.37.175 DATE . 250 2.0.0 Ok: queued as ec9bbb17-da0f-11e7-86d2-005056811e77 39021 62 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 62CA0462F96944E984650DD45C512B58.MAI 1260 217.70.37.175 RCPT RCPT TO:<bmorrowmt@yahoo.com> 250 2.1.5 Ok 31 14 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 4A9C16F19F2042DE82B122E569979AC4.MAI 1860 217.70.37.175 QUIT QUIT 221 2.0.0 Bye 6 15 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU B51E8D2CA53D46158F02342648834D6F.MAI 1864 217.70.37.175 RCPT RCPT TO:<bmorrisjr@yahoo.com> 250 2.1.5 Ok 31 14 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 62CA0462F96944E984650DD45C512B58.MAI 1260 217.70.37.175 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU B51E8D2CA53D46158F02342648834D6F.MAI 1864 217.70.37.175 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU 5FD39F6C75F94105959CCCF67BE045BB.MAI 3020 217.70.37.175 DATE . 250 2.0.0 Ok: queued as ec9f4079-da0f-11e7-86d2-005056811e77 39013 62 admin Limited Card Access
12/06/17 00:00:04 SMTP-OU 5FD39F6C75F94105959CCCF67BE045BB.MAI 3020 217.70.37.175 QUIT QUIT 221 2.0.0 Bye 6 15 admin Limited Card Access
12/06/17 00:00:04 SMTP-OU B0316F2D9371456FA4B456E00D6BE23C.MAI 1876 217.70.37.175 RCPT RCPT TO:<bmorris321@gmail.com> 250 2.1.5 Ok 32 14 ADMIN Limited Card Access
12/06/17 00:00:04 SMTP-OU B0316F2D9371456FA4B456E00D6BE23C.MAI 1876 217.70.37.175 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37 ADMIN Limited Card Access
5F4D5.MAI 2772 80.26.92.155 220 w1.imegasystem.se ESMTP MailEnable Service, Version: 9.76-9.76- ready at 12/06/17 00:00:11 0 0
12/06/17 00:00:11 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 EHLO EHLO 70.41.131.228 250-imegasystem.se [80.26.92.155], this server offers 4 extensions 129 20
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 ADMIN
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 AUTH {blank} 235 Authenticated 19 10 ADMIN
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 MAIL MAIL FROM:<alerts@notify.T2SVZbofa.com> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 RCPT RCPT TO:<bobbakerdodgers@yahoo.com> 250 Requested mail action okay, completed 43 37 ADMIN
12/06/17 00:00:12 SMTP-IN 6B1A813430024D7990867B287C55F4D5.MAI 2772 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 ADMIN
12/06/17 00:00:12 SMTP-IN 076FAC764B554F1C8DBB5316C42F87EB.MAI 2772 80.26.92.155 MAIL MAIL FROM:<alerts@notify.T2SVZbofa.com> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:12 SMTP-IN 076FAC764B554F1C8DBB5316C42F87EB.MAI 2772 80.26.92.155 RCPT RCPT TO:<bobball1@peoplepc.com> 250 Requested mail action okay, completed 43 33 ADMIN
12/06/17 00:00:12 SMTP-IN 076FAC764B554F1C8DBB5316C42F87EB.MAI 2772 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 ADMIN
12/06/17 00:00:13 SMTP-IN 163833F16D5A4D8EBD10A13EEB0E8F28.MAI 2772 80.26.92.155 MAIL MAIL FROM:<alerts@notify.T2SVZbofa.com> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:13 SMTP-IN 163833F16D5A4D8EBD10A13EEB0E8F28.MAI 2772 80.26.92.155 RCPT RCPT TO:<bobball@gmail.com> 250 Requested mail action okay, completed 43 29 ADMIN
12/06/17 00:00:13 SMTP-IN 163833F16D5A4D8EBD10A13EEB0E8F28.MAI 2772 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 ADMIN
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 220 w1.imegasystem.se ESMTP MailEnable Service, Version: 9.76-9.76- ready at 12/06/17 00:00:13 0 0
12/06/17 00:00:13 SMTP-IN C61787E81BC345C6A95056804FA2DC0C.MAI 2772 80.26.92.155 MAIL MAIL FROM:<alerts@notify.T2SVZbofa.com> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 EHLO EHLO 35.52.229.250 250-imegasystem.se [80.26.92.155], this server offers 4 extensions 129 20
12/06/17 00:00:13 SMTP-IN C61787E81BC345C6A95056804FA2DC0C.MAI 2772 80.26.92.155 RCPT RCPT TO:<bobballa7168@yahoo.com> 250 Requested mail action okay, completed 43 34 ADMIN
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 admin
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 AUTH {blank} 235 Authenticated 19 10 admin
12/06/17 00:00:13 SMTP-IN C61787E81BC345C6A95056804FA2DC0C.MAI 2772 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 ADMIN
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 MAIL MAIL FROM:<alerts@notify.MZiv0bofa.com> 250 Requested mail action okay, completed 43 41 admin
12/06/17 00:00:13 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 RCPT RCPT TO:<bobbiann@yahoo.com> 250 Requested mail action okay, completed 43 30 admin
12/06/17 00:00:14 SMTP-IN 386FFA4028324AB8ADBC9BC918B25B7D.MAI 2772 80.26.92.155 MAIL MAIL FROM:<alerts@notify.T2SVZbofa.com> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:14 SMTP-IN 86F098A3869C4D478C81B4A457D6ED4F.MAI 1672 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 admin
12/06/17 00:00:14 SMTP-IN 386FFA4028324AB8ADBC9BC918B25B7D.MAI 2772 80.26.92.155 RCPT RCPT TO:<bobbaloo1979@yahoo.com> 250 Requested mail action okay, completed 43 34 ADMIN
12/06/17 00:00:14 SMTP-IN 386FFA4028324AB8ADBC9BC918B25B7D.MAI 2772 80.26.92.155 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 ADMIN

MailEnable-Ian
Site Admin
Posts: 8512
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Spam from Mailbox: ADMIN

Postby MailEnable-Ian » Thu Dec 07, 2017 10:59 pm

Hi,

The mailbox that was used to authenticate is "ADMIN". Since only "ADMIN" was used as the username and not the full mailbox@postoffice name it indicates that the user ADMIN resides under the default postoffice. Check within the MailEnable administration console under the "Localhost" properties window what the default postoffice is set to. Then once you know the default postoffice navigate to that postoffice and remove the ADMIN user.

You need to also ensure that you have the following SMTP Security settings enabled to prevent sender address spoofing:

- Authenticated senders must use address from their postoffice: http://www.mailenable.com/documentation/9.0/Enterprise/SMTP_props_-Security.html

- Address Spoofing - Set to Authenticated senders can spoof the address: http://www.mailenable.com/documentation/9.0/Enterprise/SMTP_props_-Security.html

Regards,

Ian Margarone
MailEnable Support
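The two steps Ian describes above (trace each SMTP-IN session in the activity log to the mailbox that returned "235 Authenticated", then notice when that mailbox is a bare username with no "@postoffice", which resolves against the default postoffice) can be scripted. The following is an added example, not MailEnable's own tooling and not code from either poster. The field layout it parses (date, time, direction, message file, session id, client IP, then command, parameters, response, byte counts and the trailing account name once authenticated) is inferred from the log excerpts in this thread, and the sample log lines, IPs and message file names are constructed for the demonstration.

```python
"""Trace MailEnable SMTP-IN sessions to the mailbox that authenticated them and
count the recipients accepted per account.

Added example: field layout inferred from the log excerpts in this thread, not
from MailEnable documentation. Sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's SMTP-IN format (not real traffic).
SAMPLE_LOG = """\
12/06/17 00:00:11 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 220 mail.example.com ESMTP MailEnable Service ready at 12/06/17 00:00:11 0 0
12/06/17 00:00:11 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 EHLO EHLO 203.0.113.7 250-mail.example.com [203.0.113.7], this server offers 4 extensions 129 20
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 ADMIN
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 AUTH {blank} 235 Authenticated 19 10 ADMIN
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 MAIL MAIL FROM:<alerts@notify.example.net> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 RCPT RCPT TO:<user1@example.org> 250 Requested mail action okay, completed 43 37 ADMIN
12/06/17 00:00:12 SMTP-IN 1111AAAA1111AAAA1111AAAA1111AAAA.MAI 4101 203.0.113.7 RCPT RCPT TO:<user2@example.org> 250 Requested mail action okay, completed 43 37 ADMIN
12/06/17 00:00:13 SMTP-IN 2222BBBB2222BBBB2222BBBB2222BBBB.MAI 4101 203.0.113.7 MAIL MAIL FROM:<alerts@notify.example.net> 250 Requested mail action okay, completed 43 41 ADMIN
12/06/17 00:00:13 SMTP-IN 2222BBBB2222BBBB2222BBBB2222BBBB.MAI 4101 203.0.113.7 RCPT RCPT TO:<user3@example.org> 250 Requested mail action okay, completed 43 37 ADMIN
12/06/17 00:00:20 SMTP-IN 3333CCCC3333CCCC3333CCCC3333CCCC.MAI 4102 198.51.100.20 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
12/06/17 00:00:20 SMTP-IN 3333CCCC3333CCCC3333CCCC3333CCCC.MAI 4102 198.51.100.20 AUTH {blank} 235 Authenticated 19 10 alice@example.com
12/06/17 00:00:21 SMTP-IN 3333CCCC3333CCCC3333CCCC3333CCCC.MAI 4102 198.51.100.20 RCPT RCPT TO:<bob@example.com> 250 Requested mail action okay, completed 43 37 alice@example.com
12/06/17 00:00:30 SMTP-IN 4444DDDD4444DDDD4444DDDD4444DDDD.MAI 4103 192.0.2.9 RCPT RCPT TO:<bob@example.com> 250 Requested mail action okay, completed 43 37
"""

# Fixed leading fields; everything after the client IP varies by command.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<direction>SMTP-IN|SMTP-OU) "
    r"(?P<msgfile>\S+\.MAI) (?P<session>\d+) (?P<client_ip>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return the fixed fields of one activity-log line, or None for a truncated
    or foreign line (skip rather than guess at a half-line)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def trace_sessions(log_text):
    """Walk the log once. Returns:
      auth       : (session id, client IP) -> mailbox that got '235 Authenticated'
      recipients : account -> number of RCPT commands the server accepted (250)
      sources    : account -> sorted list of client IPs it authenticated from
    One session can carry several message files (new .MAI per message), so the
    session id plus client IP, not the message file, is the correlation key."""
    auth = {}
    recipients = defaultdict(int)
    sources = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["direction"] != "SMTP-IN":
            continue
        key = (rec["session"], rec["client_ip"])
        rest = rec["rest"]
        if " 235 Authenticated " in rest:
            account = rest.split()[-1]  # trailing token is the mailbox name
            auth[key] = account
            sources[account].add(rec["client_ip"])
        elif rest.startswith("RCPT ") and " 250 " in rest:
            # Inbound mail to local mailboxes is accepted without AUTH, so an
            # unauthenticated 250 is normal; relay volume is what to watch.
            recipients[auth.get(key, "<unauthenticated>")] += 1
    return auth, dict(recipients), {a: sorted(ips) for a, ips in sources.items()}


def default_postoffice_logins(auth):
    """Mailboxes that authenticated with a bare username (no '@postoffice'),
    which the server resolves against the default postoffice."""
    return sorted({a for a in auth.values() if "@" not in a})


if __name__ == "__main__":
    auth, recipients, sources = trace_sessions(SAMPLE_LOG)
    for account, count in sorted(recipients.items(), key=lambda kv: -kv[1]):
        print(f"{account:24} accepted recipients={count:4} from={sources.get(account, [])}")
    print("bare usernames (default postoffice):", default_postoffice_logins(auth))
```

Run it against the real SMTP-IN activity log for the day in question; the account with the highest accepted-recipient count, and any entry in the bare-username list, is the mailbox to look for under the default postoffice. SMTP-OU lines are ignored on purpose: as Sepiritz's excerpt shows, they carry the spoofed sender and subject, not the credential that was used.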
