Kerio User Forums » Kerio Connect » weird spam
yukiomishima

Messages: 185
Karma: -2
howdy

We seem to be getting more and more of this weird spam (please note: I have changed the user name to "user" and the domain name to "domain" in the following snippets from the email headers).

On the one hand I have the following:

Return-Path: <user<_at_>domain.com>
X-Envelope-To: dkleins@yahoo.com, dkleinschmidt<_at_>berklee.edu.com
Message-ID: <1765184641-357568512<_at_>mail.domain.com>
X-Footer: bGFsaXJlbWFyY2guY29t
Received: from mycomputer ([175.98.38.161])
(authenticated user user<_at_>domain.com)
by mail.domain.com (Kerio Connect 8.2.0);
Tue, 25 Feb 2014 08:23:06 -0500
From: "Blythe Kleinschmidt" <b_kleinschmidt<_at_>yahoo.com>
To: "dkleins" <dkleins<_at_>yahoo.com>,
"dkleinschmidt" <dkleinschmidt<_at_>berklee.edu.com>
Subject: Blythe Kleinschmidt
Date: Mon, 25 Feb 2014 02:23:04 +0100
MIME-Version: 1.0
X-mailer: Microsoft Office Outlook, Build 11.0.5510
Reply-To: b_kleinschmidt<_at_>yahoo.com


which claims to be from a user on our Kerio mail server, and they never sent it.

Then, almost immediately, we get the following:

This is an informative message sent by mail.domain.com.

The server was not able to deliver your email message

Subject: Blythe Kleinschmidt
Date: Mon, 25 Feb 2014 02:23:04 +0100

to the following addresses:

<dkleins<_at_>yahoo.com> (mta6.am0.yahoodns.net: 554 Message not allowed - [PH01] Email not accepted for policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120])
<dkleinschmidt<_at_>berklee.edu.com> (mail.edu.com: 550 5.7.1 Relaying to <dkleinschmidt<_at_>berklee.edu.com> denied (authentication required))


Any help in identifying how/why this is happening, and in preventing it from happening in the future, would be greatly appreciated.

thanks

yukioMishima

[Updated on: Tue, 04 March 2014 11:06]

freakinvibe

Messages: 1508
Karma: 58
This is coming from a PC at IP address 175.98.38.161. Is this an IP address from you or your ISP? Whois says:

Taiwan, Province Of China Taipei Taiwan Fixed Network Co. Ltd.

Obviously, someone at this IP address knows the correct password of your user "user<_at_>domain.com", logs into your mail server and sends the message (which is not deliverable).

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
yukiomishima

Messages: 185
Karma: -2
thanks for the reply

That address is NOT part of our company, nor is anyone there at this time.

If the account had been compromised, would these messages not appear in the user's sent mailbox (which they don't)?

The 2 snippets in my post above are from the admin account, which is a catch-all for all mail that comes in / goes out.

thanks

yukioMishima
freakinvibe

Messages: 1508
Karma: 58
If the account is compromised, the attacker can delete the messages from the sent items.

I would definitely change the password for that user to a strong password.

You should also watch your mail and security log for this IP address.

[Updated on: Tue, 04 March 2014 15:46]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
yukiomishima

Messages: 185
Karma: -2
thanks again for the prompt reply

I have changed the user password.

I will keep an eye on the logs.

Out of interest, is a compromised user account the only way that something like this would be occurring?

thanks again for all

yukioMishima
freakinvibe

Messages: 1508
Karma: 58
Quote:
(authenticated user user<_at_>domain.com)

Getting this in the header means that user<_at_>domain.com has successfully authenticated at your mail server.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
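A defensive check that follows from the two replies above (watch for the client IP, and treat "(authenticated user ...)" as proof of a successful login), written as an added example for this page; it is not Kerio's code and not something any poster supplied. It parses the Received hops of a message, extracts the client IP and the authenticated account, and flags an authenticated submission from an address outside the networks where your users are expected, as well as a From: address whose domain does not match the authenticated account (the header quoted in the thread carries an external From: under a local login). The trusted networks, the placeholder addresses and both sample messages are constructed; the suspicious one mirrors the Kerio Connect hop quoted above.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Office / VPN ranges from which legitimate authenticated submissions are
# expected. Placeholder documentation prefixes: replace with your own.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches the hop format quoted in the thread,
#   from <helo> ([<ip>]) (authenticated user <address>) by ...
# and the common "from <helo> (<rdns> [<ip>])" form of other MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:[^\s()\[]+\s+)?\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)"
    r"(?:\s*\(authenticated user\s+(?P<user>[^)\s]+)\))?",
    re.S,
)

# Constructed sample modelled on the header snippet in the thread
# (placeholder domain, placeholder sender, IP as quoted there).
SUSPICIOUS_MESSAGE = """\
Return-Path: <user@domain.com>
Message-ID: <1765184641-357568512@mail.domain.com>
Received: from mycomputer ([175.98.38.161])
    (authenticated user user@domain.com)
    by mail.domain.com (Kerio Connect 8.2.0);
    Tue, 25 Feb 2014 08:23:06 -0500
From: "Some Name" <someone@example.net>
To: <recipient@example.org>
Subject: test
Date: Mon, 25 Feb 2014 02:23:04 +0100
MIME-Version: 1.0

body
"""

# Constructed sample of what a legitimate submission by the same user looks like.
CLEAN_MESSAGE = """\
Received: from laptop ([192.0.2.10])
    (authenticated user user@domain.com)
    by mail.domain.com (Kerio Connect 8.2.0);
    Tue, 25 Feb 2014 09:00:00 -0500
From: "Local User" <user@domain.com>
To: <recipient@example.org>
Subject: hello

body
"""


def parse_received(value):
    """Return helo, client IP and authenticated user of one Received hop, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": m.group("ip"), "user": m.group("user")}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def assess(raw_message, trusted_networks=TRUSTED_NETWORKS):
    """List the reasons a message looks like an abused account rather than a local user."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    findings = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if not hop or not hop["user"]:
            continue  # unauthenticated relay hop: nothing to check here
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            findings.append(f"unparseable client address {hop['ip']!r} in Received hop")
            continue
        if not any(ip in net for net in trusted_networks):
            findings.append(
                f"{hop['user']} authenticated from untrusted address {ip} (helo {hop['helo']})"
            )
        if from_addr and domain_of(from_addr) != domain_of(hop["user"]):
            findings.append(
                f"From: {from_addr} is outside the authenticated user's domain "
                f"{domain_of(hop['user'])}"
            )
    return findings


if __name__ == "__main__":
    for finding in assess(SUSPICIOUS_MESSAGE):
        print("suspicious:", finding)
    print("clean message findings:", assess(CLEAN_MESSAGE))
```

Run over messages pulled from the catch-all mailbox, the first finding on the thread's header is the authenticated login from 175.98.38.161 and the second is the external From: under the local account; the clean sample produces nothing. Once an account has been reset, the same check lets you confirm that only expected networks authenticate as that user afterwards.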
yukiomishima

Messages: 185
Karma: -2
cool

thanks again again for all

yukioMishima