Unauthorized Sent Mails (in mails folder I see Unauthorized emails being sent)

jbkayak

Messages: 17
Karma: 0
Where can I find who is sending the email that I see in the MAILS folder???


Unfortunately, a user responded to an email asking for their password. The real bad part was it was a default password to over 100 of the 500 accounts we have. I need help stopping them from sending SPAM as we are getting black listed.

I changed the password on the accounts (triple checking that none were missed, 95% accuracy now), but it still looks like emails are coming through when I look at the mail folder. I checked mail.log but it looks like this

[04/Oct/2008 17:03:17] Sent: Queue-ID: 48e78d2e-0000939c, Recipient: <larisafromodessa<_a.t_>hotmail.com>, Result: delayed, Status: 4.1.8 421 PR(ct1) The mail server IP connecting to Windows Live Hotmail server has exceeded the connection limit allowed. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. For e-mail delivery information, please go to http://postmaster.live.com
While I am interested in fixing hotmail... MY IMMEDIATE concern is which account they are using to send out on.

Where can I find who is sending the email that I see in the MAILS folder???

That would be helpful, I don't want to turn on archiving.

I get an AOL error log that gives me the user account of SPAM senders, so I double check the user name in Kerio and change their passwords.

jbkayak

Messages: 17
Karma: 0
I check the active connections and there are always a few IP addresses connected. On the webmail tab, I can see the user account they have hijacked, I change the default password to a new password and they don't log back in.
Even when there are NO USER WEBMAIL accounts connected, I see SPAM going out in the mail folder. I really thought they were using webmail to send out, using a users webmail and default password, but I see SPAM in mail folder even when no webmail sessions are active. Of course, some IP addresses are always active.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Actually, you should look again at the mail log and look at lines with "Recv:". It is important to track which IP addresses and users are *sending* emails to your server instead of victims receiving spams relayed through your server.
jbkayak

Messages: 17
Karma: 0
Hmm... mail log looks like this:

[05/Oct/2008 14:48:01] Received: Queue-ID: 48e93611-0001c702, Service: SMTP, From: <alycewilson<_a.t_>sbcglobal.net>, To: <JohnKelly<_a.t_>starrealestate.com>, Size: 1333, Sender-Host: 209.191.85.227
[05/Oct/2008 14:48:01] Sent: Queue-ID: 48e935c6-0001c6ca, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 14:48:02] Received: Queue-ID: 48e93612-0001c703, Service: SMTP, From: <Carl<_a.t_>undercovrmarketing.com>, To: <tracie<_a.t_>starrealestate.com>, Size: 2479, Sender-Host: 174.132.62.3
[05/Oct/2008 14:48:04] Received: Queue-ID: 48e93614-0001c706, Service: DSN, From: <>, To: <alycewilson<_a.t_>sbcglobal.net>, Size: 2562, Report: failed
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93611-0001c702, Recipient: <JohnKelly<_a.t_>starrealestate.com>, Result: delivered, Status: 2.1.5
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93611-0001c702, Recipient: <kellyrealestate<_a.t_>earthlink.net>, Result: failed, Status: 5.1.8 550 550 Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink<_a.t_>abuse.earthlink.net
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93612-0001c703, Recipient: <tracie<_a.t_>starrealestate.com>, Result: delivered, Status: 2.1.5
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <onyaylo66<_a.t_>gregory.com>, Result: delayed, Status: 4.4.2 No greeting from remote host
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <oprtn1_6<_a.t_>downloadbizforms.com>, Result: delayed, Status: 4.4.3 DNS lookup failed
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <or<_a.t_>www2.starcat.ne.jp>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <oral_pussy_sex<_a.t_>hotmail.com>, Result: delayed, Status: 4.1.8 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed. Reason for rate limitation is related to IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <orange_cool123<_a.t_>hotmail.com>, Result: delayed, Status: 4.1.8 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed. Reason for rate limitation is related to IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e84e2e-00011d62, Recipient: <orgazm89<_a.t_>mature.com>, Result: delayed, Status: 4.4.1

You'll notice that 6 entries are an alphabetical mailing list; it continues through about 100 people alphabetically in the Sent lines.

Does this log suggest Carl<_a.t_>undercovrmarketing.com>, To: <tracie<_a.t_>starrealestate.com> was the start of the problem?

Should I check to see if tracie's password is compromised and change it to a new password?

I feel that the SPAM got the default password to over 100 users (most have been since updated) and is using webmail to send out of a user with a compromised password. Does the log suggest this or otherwise??

thanks again for your time

James
jbkayak

Messages: 17
Karma: 0
My mail log is sending to 300 recipients in a row, all in alphabetical order. On webmail accounts that had the default password, I would find this address in the settings, mail tab under reply address.

[05/Oct/2008 21:52:49] Sent: Queue-ID: 48e88867-00013f8c, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 21:52:49] Sent: Queue-ID: 48e8ef76-00018f1a, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 21:52:50] Sent: Queue-ID: 48e93c63-0001ca0c, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 21:52:51] Sent: Queue-ID: 48e93c65-0001ca0d, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 21:52:52] Sent: Queue-ID: 48e8ef78-00018f1e, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 21:52:53] Sent: Queue-ID: 48e8c3ee-000169c6, Recipient: <result<_a.t_>uklottery.co.uk>, Result: delayed, Status: 4.4.1 Cannot connect to remote host

I have deleted the info and changed the passwords on all accounts.

My mail log is still sending thousands of mails to recipients in alphabetical order. I'm sure results<_a.t_>uklottery.co.uk is to blame but I can't figure out what account he has hijacked and is sending out on.

Is THERE A LOG THAT WILL TELL ME what authenticated user SENT 300 EMAILS IN A ROW

or is there another way to look at this??

thanks again

James
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
jbkayak wrote on Mon, 06 October 2008 07:00


Is THERE A LOG THAT WILL TELL ME what authenticated user SENT 300 EMAILS IN A ROW

or is there another way to look at this??

thanks again

James


Yes, it is the mail log. It contains info about every message received and sent by the server. Please note there is a difference between Sent and Received lines in the log. You should look there to find who sent these messages (it could be hours or even days ago). Also, check the message queue, spam messages could be still there as the server tries to deliver them to non-existing recipients.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
jbkayak wrote on Sun, 05 October 2008 23:58


Does this log suggest Carl<_a.t_>undercovrmarketing.com>, To: <tracie<_a.t_>starrealestate.com> was the start of the problem?

James


Yes, it does. And the email came from SMTP probably without authentication which means that your server is probably acting as an open relay.

Also I think you forgot to mention that KMS version you're running is quite old (the mail.log format is slightly improved in newer versions) therefore I would suggest also upgrading the server to the latest version.
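The correlation Pavel describes (pair each Received line with the Sent lines carrying the same Queue-ID, then look at who and which Sender-Host injected the queues that fan out to many recipients) as an added example; this is not the thread's or Kerio's own code. It assumes the mail.log layout quoted above, and the sample lines, addresses and 203.0.113.x / 198.51.100.x hosts are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the mail.log layout quoted in the thread (not real traffic).
SAMPLE_LOG = """\
[05/Oct/2008 14:48:01] Received: Queue-ID: 48e93611-0001c702, Service: SMTP, From: <alice@example.net>, To: <john@example.com>, Size: 1333, Sender-Host: 203.0.113.10
[05/Oct/2008 14:48:02] Received: Queue-ID: 48e93612-0001c703, Service: SMTP, From: <carl@example.org>, To: <tracie@example.com>, Size: 2479, Sender-Host: 198.51.100.7
[05/Oct/2008 14:48:03] Received: Queue-ID: 48e93614-0001c706, Service: DSN, From: <>, To: <alice@example.net>, Size: 2562, Report: failed
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93611-0001c702, Recipient: <john@example.com>, Result: delivered, Status: 2.1.5
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93612-0001c703, Recipient: <a1@example.net>, Result: delayed, Status: 4.4.1 Cannot connect to remote host
[05/Oct/2008 14:48:04] Sent: Queue-ID: 48e93612-0001c703, Recipient: <a2@example.net>, Result: delayed, Status: 4.4.2 No greeting from remote host
[05/Oct/2008 14:48:05] Sent: Queue-ID: 48e93612-0001c703, Recipient: <a3@example.net>, Result: failed, Status: 5.1.8 550 blocked
"""

# Sender-Host is optional: DSN (bounce) entries generated by the server itself have none.
RECV_RE = re.compile(r"Received: Queue-ID: ([^,]+), Service: ([^,]+), From: <([^>]*)>, "
                     r"To: <[^>]*>, Size: \d+(?:, Sender-Host: (\S+))?")
SENT_RE = re.compile(r"Sent: Queue-ID: ([^,]+), Recipient: <([^>]*)>")

def parse_mail_log(text):
    """Group log lines by Queue-ID: the Received line gives origin (From, Service,
    Sender-Host); each Sent line adds one recipient the server tried to deliver to."""
    queues = defaultdict(lambda: {"from": None, "service": None, "host": None, "recipients": []})
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            q = queues[m.group(1)]
            q["from"], q["service"], q["host"] = m.group(3), m.group(2), m.group(4)
            continue
        m = SENT_RE.search(line)
        if m:
            queues[m.group(1)]["recipients"].append(m.group(2))
    return dict(queues)

def suspicious_queues(queues, min_recipients=3):
    """Queues whose Sent lines fan out to at least min_recipients distinct addresses,
    reported with their Received-line origin (the account/IP to investigate)."""
    hits = [(qid, q["from"], q["host"], q["service"], len(set(q["recipients"])))
            for qid, q in queues.items() if len(set(q["recipients"])) >= min_recipients]
    return sorted(hits, key=lambda h: -h[4])

def sender_host_volume(queues):
    """Total attempted recipients per Sender-Host across all queues: one IP behind
    many queues is the pattern described in the thread (one hijacked login, thousands of recipients)."""
    volume = Counter()
    for q in queues.values():
        if q["host"]:
            volume[q["host"]] += len(q["recipients"])
    return volume

if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_LOG)
    for hit in suspicious_queues(parsed):
        print("queue %s from <%s> via %s (%s): %d recipients" % hit)
    print(sender_host_volume(parsed).most_common(3))
```

Run it against the real mail.log with a higher min_recipients; a queue with hundreds of alphabetical recipients and its Sender-Host identifies the session to cut off, and the newer log format Pavel mentions adds the authenticated user to the same Received line.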