Products: IMail Server Premium, IMail Server

How to correct a compromised account


Information

Description
I believe my server has a compromised user account, how can I locate the problem account and correct this problem?
Solution
There are a few steps required to correct a compromised account:

Step 1 - Determine which user account(s) has been compromised. There are several ways to do this:

Open the SMTP log and search for the word "Authenticated". Each matching line should show the user that authenticated. Hit "Find Next" repeatedly in the text editor to see if you can identify an account that is authenticating too frequently. If you suspect a particular account is authenticating too often, follow the message thread to see who the mail is being sent to. If the recipients look like spammy addresses (johndoe@yahoo.com.tw, johndoe2@yahoo.com.tw), you have likely found one of the problem accounts. If you need more information on tracking messages through the SMTP log, refer to this article: http://ipswitchmsg.force.com/kb/articles/FAQ/How-to-track-an-email-message-through-the-SMTP-log

Alternatively, you can look directly in the spool to determine which account authenticated to send a message. Generally, after an account is compromised there will be thousands of messages backed up in the spool. Find one of the files whose name starts with the letter "Q" and open it with a text editor. There should be a line in it that starts with the letter "A". The user account on this line is the one that authenticated to send the message. To further understand which files are located in the IMail spool, refer to this article: http://ipswitchmsg.force.com/kb/articles/FAQ/What-files-are-in-the-queue-1307739579750

Step 2 - Fixing the compromised account.

You'll need to ensure the spammer cannot authenticate as soon as possible. To do this, either disable the account or change the account password to something more secure. After doing either of these actions, be sure to restart the SMTP and Queue Manager services. This will kill any existing authenticated sessions the spammer is using. If the account is used on a desktop machine, you'll need to have that machine scanned for viruses before supplying the new account password to the user. Often passwords are hijacked from desktop email clients by a virus infection.

Step 3 - Clean up the spam

If you are lucky, you caught the attack before much mail left your server, but the odds are high that you have many spam messages in your IMail spool waiting to go to remote servers. You'll want to get those messages deleted as soon as possible to decrease the likelihood of your server getting blacklisted. The utility attached to this article will help with this task. Here are the steps:
1. Download the attached Spam Cleaner utility and extract it. Note: DO NOT extract this to the IMail directory.
2. Stop the IMail SMTP and Queue Manager services and then rename the spool directory. Example: Rename C:/IMail/Spool to C:/IMail/Spool_old.
3. Restart IMail SMTP and Queue Manager. Notice that this will create a new spool directory.
4. Run the Spam Cleaner utility from step 1.
5. When prompted, select the original spool folder as the directory location.
6. On the main screen, enter the email address of the compromised account discovered above and click Search. Alternatively, you can also search for spam based on a From Address or a To Address.
7. Once you have cleaned the spam from the old spool directory, manually copy any remaining files to the new active spool directory.
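The following script is an added example and is not the Spam Cleaner utility or any other Ipswitch code. It automates the two manual checks from Step 1 (tallying "Authenticated" events per account in the SMTP log, and reading the "A" line of spool "Q" files) and the Step 3 clean-up against the renamed Spool_old directory. The SMTP log layout and the exact shape of the "A" line are constructed to match the article's description and are assumptions; the sample log and sample Q files are constructed inline. Unlike the attached utility, it moves the compromised account's Q files to a quarantine folder rather than deleting them, so the evidence survives and the action is reversible.

```python
"""Locate the account behind a spam run and quarantine its queued Q files.

Added example, not Ipswitch/IMail code. Log and spool formats below are
assumptions based on the article's description ("Authenticated <user>" in
the SMTP log; an "A" line naming the account in each spool Q file).
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Constructed SMTP log excerpt (field layout assumed). Two Taiwanese
# Yahoo recipients from one account is the pattern the article describes.
SAMPLE_SMTP_LOG = """\
10:01:02 SMTP-(0001) [203.0.113.5] Authenticated jsmith@example.com
10:01:03 SMTP-(0001) [203.0.113.5] rcpt to johndoe@yahoo.com.tw
10:01:05 SMTP-(0002) [203.0.113.5] Authenticated jsmith@example.com
10:01:06 SMTP-(0002) [203.0.113.5] rcpt to johndoe2@yahoo.com.tw
10:02:10 SMTP-(0003) [198.51.100.7] Authenticated bjones@example.com
10:02:11 SMTP-(0003) [198.51.100.7] rcpt to partner@example.org
10:03:15 SMTP-(0004) [203.0.113.5] Authenticated jsmith@example.com
"""

AUTH_RE = re.compile(r"\bAuthenticated\s+(\S+)")


def count_authentications(log_text):
    """Step 1a: tally 'Authenticated' events per account from SMTP log text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts


def authenticated_account(q_path):
    """Step 1b: return the account named on the first 'A' line of a Q file.

    Assumption: the line is the letter A, optional whitespace, the account.
    """
    with open(q_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("A"):
                fields = line[1:].split()
                return fields[0].lower() if fields else None
    return None


def scan_spool(spool_dir):
    """Count queued Q files per authenticated account in a spool directory."""
    counts = Counter()
    for name in os.listdir(spool_dir):
        if name.upper().startswith("Q"):
            account = authenticated_account(os.path.join(spool_dir, name))
            if account:
                counts[account] += 1
    return counts


def quarantine_account(spool_dir, account, quarantine_dir):
    """Step 3: move the account's Q files out of the (stopped, renamed) spool.

    Returns the file names moved. Companion message files are not handled;
    see the linked article on which files live in the queue.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if name.upper().startswith("Q") and authenticated_account(path) == account.lower():
            shutil.move(path, os.path.join(quarantine_dir, name))
            moved.append(name)
    return moved


def build_sample_spool(spool_dir):
    """Write constructed Q files: three from the compromised account, one legitimate."""
    samples = {
        "Q0001": "A jsmith@example.com\nR johndoe@yahoo.com.tw\n",
        "Q0002": "A jsmith@example.com\nR johndoe2@yahoo.com.tw\n",
        "Q0003": "A bjones@example.com\nR partner@example.org\n",
        "Q0004": "A jsmith@example.com\nR johndoe3@yahoo.com.tw\n",
    }
    for name, body in samples.items():
        with open(os.path.join(spool_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Run the full workflow in a throwaway directory and return the results."""
    root = tempfile.mkdtemp(prefix="imail_spool_demo_")
    try:
        old_spool = os.path.join(root, "Spool_old")  # the renamed spool from Step 3
        os.makedirs(old_spool)
        build_sample_spool(old_spool)
        log_counts = count_authentications(SAMPLE_SMTP_LOG)
        suspect = log_counts.most_common(1)[0][0]
        spool_counts = scan_spool(old_spool)
        moved = quarantine_account(old_spool, suspect, os.path.join(root, "quarantine"))
        return {
            "suspect": suspect,
            "log_counts": dict(log_counts),
            "spool_counts": dict(spool_counts),
            "moved": moved,
            "remaining": sorted(os.listdir(old_spool)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server, point `count_authentications` at the day's SMTP log text and `scan_spool`/`quarantine_account` at the renamed Spool_old folder only after the SMTP and Queue Manager services have been stopped and the account locked (Step 2); the files left in Spool_old afterwards are the ones to copy back into the new active spool.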

For information on preventing compromised accounts, please see the following article:  http://ipswitchmsg.force.com/kb/articles/FAQ/Best-practices-to-prevent-spam-relaying-1307739584502

Version: All Versions