How to find an internal spammer on your CloudServer
If a lot of spam is being sent out from your SmarterMail server it usually means someone was able to get a valid email address and password to send out from that server. Stopping it is pretty simple. You just have to get some header info and then find the email address they authenticate with.
1. First you will need to switch the SMTP logs to detailed. This will begin logging the SMTP session in detail including the user name used to auth. They have to use SMTP to send "out" so that's why we need this log.
2. Go to the spool and open one of the spam messages, take a look at the header. You will see something like this:
Return-Path: <firstname.lastname@example.org> Received: from 173-9-151-253-miami.txt.hfc.comcastbusiness.net [18.104.22.168] by mail.shoestringshopping.com with SMTP; Tue, 8 Dec 2009 06:54:37 -0700 From: "Bancolombia"<Notificaciones@bancolombia.com> Subject: Actualización De Datos para Nuestros Clientes. Date: Tue, 8 Dec 2009 08:55:54 -0500 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
The important part is the IP highlighted above. "22.214.171.124" within the Received:From log detail. this is the IP address the messages are coming from. This is the clue we need to search the SMTP log and find the user they got to authenticate from.
3. Now that we have the IP we just need to search the SMTP log. Click on view logs in the management interface and then type in the IP and check enable related traffic then hit search. You'll get results like this, if you don't then you need to open the file manually on the mail server with notepad and do a search there.
08:13:49 [126.96.36.199] rsp: 220 mail.example.com
08:13:49 [188.8.131.52] connected at 12/8/2009 8:13:49 AM
08:13:49 [184.108.40.206] cmd: EHLO User
08:13:49 [220.127.116.11] rsp: 250-mail.example.com Hello [18.104.22.168] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK
08:13:49 [22.214.171.124] cmd: AUTH LOGIN
08:13:49 [126.96.36.199] rsp: 334 VXNlcm5hbWU6
08:13:50 [188.8.131.52] rsp: 334 UGFzc3dvcmQ6
08:13:50 [184.108.40.206] rsp: 235 Authentication successful
08:13:50 [220.127.116.11] Authenticated as email@example.com
08:13:50 [18.104.22.168] cmd: RSET
08:13:50 [22.214.171.124] rsp: 250 OK
Look for the entry Authenticated as. Now all you have to do is disable the user(follow to step 4, double click on the user, click the Disable User check box, and then click save) and the spam should stop.
4. After the user is disabled go to spam settings and enable outgoing blocking and set the weight to 20. You can do this by clicking on the security icon in your DDS systems admin panel and then antispam administration. It won't prevent everything but it will help in case this happens again. Keep in mind that this can have an effect on your outgoing mail so do not forget that you have changed this if suddenly someone starts complaining about not being able to send mail.
These instructions were created from a real world scenario with one of our customers.
Related KB Articles