On 6/28/2012 2:59 PM, VinnyHIDDEN@@Dell.com wrote:
> The most common way I see this happen is a user receives a forged email from "support" phishing
> for their email credentials. They supply them and then it's a
> free-for-all from a botnet of accounts
> sending as that user through your mail server.
that certainly didn't happen in this case. the particular user is VERY
tech savvy and would never do anything like that. the password must have
been compromised in some other way.
> The most effective way I've found to combat this is to apply the recommended settings, in particular
> g_safe_smtp which requires that users authenticating to relay via SMTP
> have recently also authenticated
> via POP3/IMAP. This seems to have effectively stopped all of this type
> of abuse on the systems I run. This
> doesn't stop end users from giving away their credentials of course, but
> it helps prevent the abuse of your
> server in the end... at least until the people stealing the credentials
> realize they can get around this
> by authenticating via POP3/IMAP prior to relaying via auth SMTP. :(
i had this set MANY moons ago on dmail. however, i stopped using it,
since as i recollect, you couldn't set the allowable interval between
pop/imap login and send request.
and, as you say, it's easily gotten around.
advanced web systems
> -----Original Message-----
> From: David Camm [mailtoHIDDEN@advwebsys.com]
> Sent: Thursday, June 28, 2012 2:32 PM
> To: SurgeMail List
> Subject: [SurgeMail List] customer email account hijacked - anything i can do?
> just got a call from a customer. he's getting a huge number of
> non-delivery notices for emails he did not send.
> none of the 'to' addresses are in his address book so it's not a trojan
> or virus on his workstation.
> i looked at a few of the returned messages and they all look like this:
> X-Default-Received-SPF: pass (skip=loggedin (res=PASS))
> x-ip-name=184.108.40.206; THIS IP IS DIFFERENT ON EACH MSG
> Date: Thu, 28 Jun 2012 21:30:40 +0300
> From: Paul DeLay HIDDEN@email@example.com> THE NAME IS DIFFERENT
> ON EACH MSG
> Organization: mbpdsy
> X-Priority: 3 (Normal)
> Message-ID: <744914006HIDDEN@firstname.lastname@example.org>
> Subject: Look at Pic No. 776
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-asciislplavsic
> Content-Transfer-Encoding: 8bit
> then there's some nasty text.
> i had him change his password immediately.
> looking at the outbound queue, there are still a few messages from him
> awaiting delivery. they all have different 'from' ip addresses. i've
> deleted them.
> since we're very strict about requiring authentication for smtp, the
> only thing i can think of is that his password was guessed.
> anyone have any ideas as to how this can be prevented - other than
> strong passwords?
> david camm
> advanced web systems
> keller, tx
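Two defender-side checks suggested by this thread, written up as an added example (not SurgeMail code and not anything posted on the list): a detector for the symptom David describes (one authenticated user relaying from many different source IPs within minutes) run over a constructed log sample, and a model of a POP/IMAP-before-SMTP gate like g_safe_smtp with the configurable grace interval David says the old dmail setting lacked. The log line format, user names and IPs are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not SurgeMail's real format): one authenticated SMTP session
# per line. "victim" relays from a different IP on almost every message; "alice" does not.
SAMPLE_LOG = """\
2012-06-28 21:30:40 AUTH user=alice ip=203.0.113.10
2012-06-28 21:30:41 AUTH user=victim ip=198.51.100.20
2012-06-28 21:31:02 AUTH user=victim ip=198.51.100.77
2012-06-28 21:31:15 AUTH user=alice ip=203.0.113.10
2012-06-28 21:31:40 AUTH user=victim ip=192.0.2.5
2012-06-28 21:32:03 AUTH user=victim ip=192.0.2.99
2012-06-28 21:32:30 AUTH user=victim ip=198.51.100.201
"""

def parse_line(line):
    # Return (timestamp, user, ip) from one constructed log line.
    ts_str, _, rest = line.partition(" AUTH ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), fields["user"], fields["ip"]

def flag_multi_ip_senders(log_text, window=timedelta(minutes=10), max_ips=3):
    """Map user -> set of source IPs for users seen from more than max_ips IPs within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip = parse_line(line)
            events[user].append((ts, ip))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= window}
            if len(ips) > max_ips:
                flagged[user] = ips
                break
    return flagged

def smtp_relay_allowed(last_login, user, when, interval=timedelta(minutes=15)):
    """POP/IMAP-before-SMTP gate with a configurable grace interval.
    last_login maps user -> time of that user's most recent POP3/IMAP login."""
    last = last_login.get(user)
    return last is not None and timedelta(0) <= when - last <= interval

def gate_demo():
    # Constructed scenario: mailbox login at 21:00; relay attempts at 21:05 and 21:30.
    logins = {"victim": datetime(2012, 6, 28, 21, 0)}
    return (smtp_relay_allowed(logins, "victim", datetime(2012, 6, 28, 21, 5)),
            smtp_relay_allowed(logins, "victim", datetime(2012, 6, 28, 21, 30)),
            smtp_relay_allowed(logins, "nobody", datetime(2012, 6, 28, 21, 5)))
```

The distinct-IP check catches the botnet pattern even when the credential was obtained some other way, which is the gap Vinny notes the POP-before-SMTP gate leaves open once the sender also logs in via POP3/IMAP first.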
Copyright © 2017 Netwin Ltd. All rights reserved.