Help me catch SPAMMER -- PLEASE!

Discussion forum for Enterprise Edition.

Postby hostbreak » Thu Mar 22, 2007 6:54 am

Someone is spamming through our ME server but we are unable to catch the account. We have SMTP AUTH enabled so no one can send email without using valid login/password. Authentication type is "MailEnable Integrated".

In the SMTP Activity log file I see the spammer like this:
Code:
03/21/07 00:00:06   SMTP-IN   28F06D90274848BD91629D348F325150.MAI   2200   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   4ECB2D2758164F18BFE79BA9FDD54C95.MAI   2560   66.15.28.65   AUTH   {blank}   334 UGFzc3dvcmQ6   18   18   postmaster   
03/21/07 00:00:06   SMTP-IN   49416ABB89DF4D5EB68FE08DD54B6F73.MAI   1872   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   5004DDA8AB9F451796FA4E389955896D.MAI   2848   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   CC2B76FD7A4341B7AE04D09D6F7F2976.MAI   1892   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   A81425D63F1A4F03A78634DCFD822FF3.MAI   2800   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   D61808DA8CDC426E8127AE9081EDF594.MAI   2596   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   CBDACF4A8AC14271819E9E08B4A258BB.MAI   2620   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   2914DF90D2AA46C08A607014CEF0E02F.MAI   2868   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   B1160565E7B4407090CFF90A6CE37C9F.MAI   2824   66.15.28.65   AUTH   {blank}   334 UGFzc3dvcmQ6   18   18   postmaster   
03/21/07 00:00:06   SMTP-IN   4ECB2D2758164F18BFE79BA9FDD54C95.MAI   2560   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   CC2B76FD7A4341B7AE04D09D6F7F2976.MAI   1892   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   CBDACF4A8AC14271819E9E08B4A258BB.MAI   2620   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   D61808DA8CDC426E8127AE9081EDF594.MAI   2596   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   B1160565E7B4407090CFF90A6CE37C9F.MAI   2824   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   


In the SMTP DEBUG log file I see this:
Code:
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials


I am pulling my hair out because the authenticated user is "Postmaster" with domain prefix. How do I catch the spammer? Please help!

Thank you
hostbreak
 
Posts: 27
Joined: Mon Jun 12, 2006 10:41 am

Postby jbrochu » Thu Mar 22, 2007 11:18 am

If he's using postmaster to authenticate, can't you just change that postmaster account's password?

Also block 66.15.28.XXX in your Inbound connections tab. Unless he's coming from more than one IP, which is probably the case.
jbrochu
 
Posts: 113
Joined: Fri Mar 24, 2006 10:19 pm

Postby hostbreak » Thu Mar 22, 2007 11:23 am

There are 400 postoffices and each one has got its own postmaster account. Which postmaster of which postoffice should I block? The IP is already blocked.
hostbreak

Postby jbrochu » Thu Mar 22, 2007 11:29 am

What if, after the authentication, you track down the delivery of the message, which is usually a few lines later, where your server delivers the email to theirs? In that transmission it should have the FROM email address, which should be postmaster@yourhackedpostoffice.com, no?
jbrochu

Postby jbrochu » Thu Mar 22, 2007 11:34 am

Actually, that full address of postmaster should be in the logs you posted above; doesn't it have the postmaster's full email address? Just look at my logs: my users' full email addresses are in the authentication process, so I know what postoffice they are in, and you should too.
jbrochu

Postby hostbreak » Thu Mar 22, 2007 11:36 am

jbrochu wrote: Actually, that full address of postmaster should be in the logs you posted above; doesn't it have the postmaster's full email address? Just look at my logs: my users' full email addresses are in the authentication process, so I know what postoffice they are in, and you should too.


That is the problem: it doesn't list the full e-mail for this spammer, whereas when I look at other entries I find the full email against which the user is authenticated.
hostbreak

Postby jbrochu » Fri Mar 23, 2007 12:44 am

That doesn't make much sense. But did you follow the logs and see the transactions of these emails getting delivered to the remote servers? In those transactions, is the full email address there? I don't see any email server accepting email from just "postmaster"; there has to be a full email address.

Open the log in Notepad and search for the subject the spammer uses. Track through the log and find the logging where it's getting delivered. See if the full email address is there.
jbrochu

Postby hostbreak » Fri Mar 23, 2007 5:26 am

Since this is spam, there is no use tracing the FROM or TO address (FROM is fake, TO is the victim). I need to find which account is used to authenticate this mailing!!!
hostbreak

Postby jbrochu » Fri Mar 23, 2007 4:14 pm

What if you try this:

Try the following registry switch to change to advanced logging on the SMTP service; maybe we can pick up what the remote server is doing:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Connectors\SMTP]
"Debug Logging Level"=dword:0000000a



Maybe the additional logging will help provide you with the needed details of the SMTP AUTH sessions.

Other than that, I think I'm out of ideas. Sorry.
jbrochu

Postby MailEnable » Tue Mar 27, 2007 9:34 pm

hostbreak wrote: There are 400 postoffices and each one has got its own postmaster account. Which postmaster of which postoffice should I block? The IP is already blocked.


If the username only appears as postmaster in your log files, then you can assume they are using postmaster on the default postoffice.

Otherwise it would be noted as postmaster@<postoffice name>.

You can determine the name of the default postoffice by right clicking on Servers|localhost in the MMC.
Regards, Andrew
MailEnable
Site Admin
 
Posts: 4424
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia
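As an added worked example (not code from this thread and not MailEnable's own tooling), the script below does what jbrochu's "track through the log" reply and Andrew's default-postoffice rule describe, over the activity-log lines quoted in the first post: it groups lines by the session ID in the third column, decodes the base64 token MailEnable logs beside "235 Authenticated" (cG9zdG1hc3Rlcg== decodes to "postmaster"), records the subject that appears on the QUIT line, and resolves a bare username with no "@postoffice" suffix to the default postoffice. The column order is inferred from the quoted lines, the default postoffice name `default.example` is a placeholder, and the second session (joe@example.com from 203.0.113.9) is constructed to show what a login with the postoffice suffix looks like.

```python
import base64
import binascii
import re
from collections import defaultdict

# Column order inferred from the activity-log lines quoted in the thread.
# This is an assumption about the MailEnable format, not from its documentation.
FIELDS = ["timestamp", "direction", "session", "thread", "ip", "command",
          "argument", "response", "bytes_sent", "bytes_recv", "account", "extra"]

# Constructed sample: the spammer's session as quoted in the thread (tabs shown
# as runs of spaces, as in the forum post) plus one made-up legitimate session
# whose AUTH username carries the postoffice suffix.
SAMPLE_LOG = """\
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   AUTH   {blank}   334 UGFzc3dvcmQ6   18   18   postmaster
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:07   SMTP-IN   00000000000000000000000000000001.MAI   2601   203.0.113.9   AUTH   am9lQGV4YW1wbGUuY29t   235 Authenticated   19   18   joe@example.com
03/21/07 00:00:07   SMTP-IN   00000000000000000000000000000001.MAI   2601   203.0.113.9   QUIT   QUIT   221 Service closing transmission channel   42   6   joe@example.com   Weekly report
"""


def parse_line(line):
    """Split one activity-log line on tabs (or the runs of spaces the forum
    turned them into) and map the columns onto FIELDS, padding short lines."""
    parts = re.split(r"\t|\s{2,}", line.rstrip("\n"))
    parts = parts[:len(FIELDS)] + [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def decode_auth_token(token):
    """Decode an AUTH LOGIN base64 token to the username the client sent.
    Returns None for placeholders or anything that is not printable ASCII."""
    if token in ("", "{blank}", "LOGIN", "PLAIN"):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def summarise_sessions(log_text):
    """Group lines by session ID and keep what the hunt needs: client IP, the
    account MailEnable recorded, the username actually sent in AUTH, whether
    the AUTH succeeded (235), and the subject logged on the QUIT line."""
    sessions = defaultdict(lambda: {"ip": None, "account": "", "auth_user": None,
                                    "authenticated": False, "subject": ""})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = sessions[rec["session"]]
        s["ip"] = rec["ip"]
        if rec["account"] not in ("", "{blank}"):
            s["account"] = rec["account"]
        if rec["command"] == "AUTH" and rec["response"].startswith("235"):
            s["authenticated"] = True
            s["auth_user"] = decode_auth_token(rec["argument"])
        if rec["command"] == "QUIT" and rec["extra"]:
            s["subject"] = rec["extra"]
    return dict(sessions)


def suspect_sessions(sessions, default_postoffice):
    """Apply the rule from Andrew's reply: a login with no '@postoffice'
    suffix belongs to the default postoffice. One row per authenticated session."""
    rows = []
    for sid, s in sessions.items():
        if not s["authenticated"]:
            continue
        user = s["auth_user"] or s["account"]
        login = user if "@" in user else f"{user}@{default_postoffice}"
        rows.append({"session": sid, "ip": s["ip"], "login": login,
                     "subject": s["subject"]})
    return rows


def count_by_login(rows):
    """Tally authenticated sessions per (login, IP) so the abused account
    stands out even when the spammer rotates source addresses."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["login"], r["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # "default.example" is a placeholder for the default postoffice name shown
    # under Servers|localhost in the MMC.
    rows = suspect_sessions(summarise_sessions(SAMPLE_LOG), "default.example")
    for r in rows:
        print(r)
    print(count_by_login(rows))
```

Run it against the real SMTP activity log instead of SAMPLE_LOG and sort the tally; the account to lock is the one whose sessions carry the spam subject. Note that the same decoding applies to the password token if MailEnable ever logs it, so treat the activity log itself as sensitive.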

Postby hostbreak » Wed Mar 28, 2007 5:53 am

Great help, thanks!
hostbreak