forum.mailenable.com

[hostbreak]

Someone is spamming through our ME server but we are unable to catch the account. We have SMTP AUTH enabled so no one can send email without using valid login/password. Authentication type is "MailEnable Integrated".

In the SMTP Activity log file I see the spammer like this:

Code: Select all

03/21/07 00:00:06   SMTP-IN   28F06D90274848BD91629D348F325150.MAI   2200   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   4ECB2D2758164F18BFE79BA9FDD54C95.MAI   2560   66.15.28.65   AUTH   {blank}   334 UGFzc3dvcmQ6   18   18   postmaster   
03/21/07 00:00:06   SMTP-IN   49416ABB89DF4D5EB68FE08DD54B6F73.MAI   1872   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   5004DDA8AB9F451796FA4E389955896D.MAI   2848   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   CC2B76FD7A4341B7AE04D09D6F7F2976.MAI   1892   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   A81425D63F1A4F03A78634DCFD822FF3.MAI   2800   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   D61808DA8CDC426E8127AE9081EDF594.MAI   2596   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   CBDACF4A8AC14271819E9E08B4A258BB.MAI   2620   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   2914DF90D2AA46C08A607014CEF0E02F.MAI   2868   66.15.28.65   QUIT   QUIT   221 Service closing transmission channel   42   6   postmaster   Win 2000 USD with Western Union!
03/21/07 00:00:06   SMTP-IN   B1160565E7B4407090CFF90A6CE37C9F.MAI   2824   66.15.28.65   AUTH   {blank}   334 UGFzc3dvcmQ6   18   18   postmaster   
03/21/07 00:00:06   SMTP-IN   4ECB2D2758164F18BFE79BA9FDD54C95.MAI   2560   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   
03/21/07 00:00:06   SMTP-IN   4D5EDA9487884693B841649A0D16A232.MAI   2244   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   CC2B76FD7A4341B7AE04D09D6F7F2976.MAI   1892   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   CBDACF4A8AC14271819E9E08B4A258BB.MAI   2620   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   D61808DA8CDC426E8127AE9081EDF594.MAI   2596   66.15.28.65   RSET   RSET   250 Requested mail action okay, completed   43   6   postmaster   
03/21/07 00:00:06   SMTP-IN   B1160565E7B4407090CFF90A6CE37C9F.MAI   2824   66.15.28.65   AUTH   cG9zdG1hc3Rlcg==   235 Authenticated   19   18   postmaster   

In the SMTP DEBUG log file I see this:

Code: Select all

03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials
03/21/07 00:00:06   ME-I0135: Authenticating User:postmaster using Authentication Provider Credentials

I am pulling hairs because authenticated user is "Postmaster" with domain prefix. How do I catch the SPAMMER? Please help!

Thank you

[jbrochu]

if hes using postmaster to authenticate, cant you just change that postmaster account's password?

Also block 66.15.28.XXX in your Inbound connections tab. Unless hes coming from more than one IP, which is probably the case.

[hostbreak]

There are 400 postoffices and each one has got his postmaster account. Which postmaster of which postoffice should I block? IP is already blocked.

[jbrochu]

What if after the authentication, you track down the delivery of the message, which is usually a few lines later, where your server is deliver to theirs the email. In that transmission, it should have the FROM email address which should be postmaster@yourhackedpostoffice.com NO ?

[jbrochu]

Actually that full address of postmaster should be in the logs you posted above , doesnt it have the postmaster's full email address? Just look at my logs my users full email address is in the authentication process, so I know what postoffice they are in and you should too.

[hostbreak]

Actually that full address of postmaster should be in the logs you posted above , doesnt it have the postmaster's full email address? Just look at my logs my users full email address is in the authentication process, so I know what postoffice they are in and you should too.

That is the problem, it doesn't list the full e-mail for this spammer whereas when I see other entries I find full emails against which user is authenticated.

[jbrochu]

That doesnt make much sense. But did you follow the logs and see the transactions of these emails getting delivered to the remote servers? In those transactions, is the full email address there? I dont see any email server accepting email from just postmaster, there has to be a full email address.

Open the log in notepad, and search based on the subject the spammer uses. Track through the log and find the logging where its getting delivered. See if the full email address is there.

[hostbreak]

Since this is SPAM therefore no use of tracing FROM or TO address (FROM is fake, TO is victim). I need to find which account is used to authenticate this mailing!!!

[jbrochu]

What if you try this:

Try the following registry switch to change to advanced logging on the SMTP service maybe we can pick up what the remote server is doing;

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Connectors\SMTP]
"Debug Logging Level"=dword:0000000a



Maybe the additional logging will help provide you with the needed details of the smtp auth sessions.

Other than that I think Im out of ideas. Sorry

[MailEnable]

There are 400 postoffices and each one has got his postmaster account. Which postmaster of which postoffice should I block? IP is already blocked.

If the username only appears as postmaster in your log files, then you can assume they are using postmaster on the default postoffice.

Otherwise it would be noted as Postmaster@postoffice name.

You can determine the name of the default postoffice by right clicking on Servers|localhost in the MMC.

[hostbreak]

Great help, thanks!