One problem I have seen with Hijack is that when a spammer hijacks an account 
and sends via SMTP auth, the IPs always show as the server IP address, 
therefore the spam falls under the same policy as SMTP auth: either the good 
mail is mixed in with the Hijack-held spam, or the spam goes out because of an 
SMTP auth whitelist.

  Re: The Italian spam - a fast way to identify a hijacked SMTP auth account is 
to examine the Q*.SMD file - it contains the hijacked sending account name.
  ----- Original Message ----- 
  From: John T (lists) 
  To: [email protected] 
  Sent: Friday, December 21, 2007 12:50 PM
  Subject: RE: [IMail Forum] Italian Spam thru mail server


  Not tedious at all if you are using Declude and have Hijack configured. 
Declude is the ONLY product that includes a specific way to track the number of 
outgoing email and define a policy on this. So, even if an account was 
compromised and they attempted to send through that account, Declude Hijack would 
catch it, even if authenticated.

   

  John T

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
  Sent: Friday, December 21, 2007 8:44 AM
  To: [email protected]
  Subject: RE: [IMail Forum] Italian Spam thru mail server

   

  Troy, usually this type of spammer will log on once and send 100s or 1000s of 
pieces of spam in the same session.  We used the log analyze tool to help parse 
out which of our IPs was sending.  Another way is to find the message ID of one 
of the pieces of spam and then track that back to a login --- it is tedious work.

   

  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com 

   


------------------------------------------------------------------------------

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
  Sent: Friday, December 21, 2007 9:25 AM
  To: [email protected]
  Subject: RE: [IMail Forum] Italian Spam thru mail server

  I've checked through the logs and didn't see anything relating to an account 
on my server, but I'll check it again.

   

  Troy D. Hilton 

  Serveon, Inc. 

  302-529-8640

  [EMAIL PROTECTED]


------------------------------------------------------------------------------

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
  Sent: Friday, December 21, 2007 11:17 AM
  To: [email protected]
  Subject: RE: [IMail Forum] Italian Spam thru mail server

   

  Check to see if an account has been hijacked.  Happened to us recently when a 
client had an account with the password the same as the account name.  We found 
someone was sending Chinese spam through our server, very similar to what you 
are seeing.  Looking through the logs we were finally able to isolate the 
account they were logging on with in order to send.

   

  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com 

   


------------------------------------------------------------------------------

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
  Sent: Wednesday, December 19, 2007 9:53 AM
  To: [email protected]
  Subject: [IMail Forum] Italian Spam thru mail server

  Over the past few weeks I've been getting sporadic hits of Italian emails 
going thru my mail server. None of it appears to be addressed to any of my 
clients but it's from some Italian address to a bunch of addresses, mostly 
Italian. I've run tests against my server and I'm not an open relay. I've been 
able to redirect the spam by IMail rules but this is tedious and I'm worried 
I'll get listed.

   

  In checking the logs I found the following line of text:

  Infobot message to <> not sent, precedence bulk

   

  Does this mean I've been hacked? Has anyone seen this before?

   

  Please advise.

   

  Troy D. Hilton 

  Serveon, Inc. 

  302-529-8640

  [EMAIL PROTECTED]

   
