Yeah, that's looking a bit too tedious for me. Well, I looked at the webmail setting for my compromised user and found that their signature had been altered and in its place was a long letter resembling a Nigerian scam. The reply to: address had also been altered to the familiar addresses I found.
I proceeded to check other users signatures and found two other accounts that had their signatures replaced by scam messages. So now I'm off to write a script to isolate any users that have altered reply to addresses so I can require them to change their passwords. I have no idea how to avoid this for the future. The users passwords met complexity standards so I guess I just need to keep a better eye on it. Thanks! Will -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz Sent: Thursday, January 24, 2008 4:03 PM To: '[email protected]' Subject: RE: [IMail Forum] Tracking Messages It's been a few years since I've used Imail's webmail. Prior to using IIS, web messaging logged to two w* files located in the spool directory. I tried logging into webmail as a user but see no authentication information in any Imail logs. I do see a "logout" in the IIS log but I suspect that won't appear if the user doesn't click the "logout" link. -Jeff -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will Sent: Thursday, January 24, 2008 3:26 PM To: [email protected] Subject: RE: [IMail Forum] Tracking Messages Yes, that must be it. When I send emails from webmail, they do appear like that. I'm not sure why I was expecting something different. So that's a simple answer, thanks! However, that means I have to rely on my web server logs to determine who was logged in as kyakg and sending those emails... unfortunately authentication is handled my the imail CGI app and wouldn't be included in that log. Any idea how I would track this back to a session and a user in web messaging? :) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz Sent: Thursday, January 24, 2008 2:54 PM To: '[email protected]' Subject: RE: [IMail Forum] Tracking Messages Perhaps it was sent through the web mail interface? -Jeff -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will Sent: Thursday, January 24, 2008 2:33 PM To: [email protected] Subject: RE: [IMail Forum] Tracking Messages This is very strange. A few days ago our server was caught sending out scam emails. I narrowed it down to about 40 sessions that day that all started out with: 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) Authenticated [EMAIL PROTECTED], session treated as local. 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] MAIL FROM:[EMAIL PROTECTED] The sending address seemed to rotate between about ten different addresses, the above mail from being one of them. According to this log it was initiated on the server itself. My first thought is that I'm compromised. However, if I was why would the connection bother authenticating? My server would not need to authenticate via SMTP. I've checked my server over and I can't find anything out of the ordinary. My virus scanner is running fine and overall the server is very clean. The only application it is responsible for is Imail so I don't have too many processes to sift through. I changed the password for kyakg, which all of the sessions used to authenticate. Since then I haven't seen any more spam. I haven't even seen an entry in the logs for kyakg trying to authenticate. Confused... Any recommendations on how to figure out what this means? Will -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Dorman Sent: Thursday, January 24, 2008 12:13 PM Cc: [email protected] Subject: Re: [IMail Forum] Tracking Messages On Thursday, January 24, 2008, 09:06:09, Will wrote: > Any idea where one would find the connecting IP for SMTPD in the logs? > 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901 Some client at IP address 199.176.228.5 connected to your e-mail server at 199.176.228.5 Note that both client and server are on the same machine. > 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5 The client sent a broken EHLO command, the RFC's require an address literal to be enclosed by brackets. -- [EMAIL PROTECTED] "The avalanche has already started, it is too Rod Dorman late for the pebbles to vote." - Ambassador Kosh To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
