Yeah I found the corresponding entries in the logs. It is not a standard spam impersonation technique.

The From address belongs to the customer, however it is not a user address. It is an alias. So it does not have a password. AND the headers of the SPAM message show that the message was relayed by the Imail server. AND the logs indicate that the message was relayed by the Imail server.

I am not saying that the spammer is necessarily using this customer's password. There are ~1,000 other customers on this server. Each customer has 10 to 100 mailboxes. It could be one of these other mailboxes that the spammer uses to authenticate. Once they've authenticated they do the impersonation.

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 1:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Need HELP with rules

>I have a customer who is on a shared Imail server with ~1000 other customers.
>
>Recently someone has been impersonating him and sending porno spam. It is
>not a trivial impersonation - they are actually able to relay mail via his
>Imail server from a computer somewhere in Macedonia. The Imail server is
>set to "No mail relay". So I guess the spammer is one of the 1000 other
>customers on the same Imail server. Or someone who hacked/sniffed a
>legitimate customer's username and password?

Rather than guessing, have you looked at the IMail log files to see how the mail was sent out? Have you checked to see if this E-mail was really sent from your server?

>I can only see one way to stop this impersonation - to create a rule that
>will check the From and the IP address in the header. The good customer
>always sends mail from the same static IP address.
>
>I am trying to create an outbound rule. I have tried it on the customer's
>virtual host as well as on the physical host. I can't seem to make the
>rule work.

If, indeed, the password was guessed/hacked, a rule could patch the problem. However, wouldn't it be easier to tell your user that they need to change their password?
Note that sniffing passwords is not a trivial task unless you have access to the same LAN as the user whose password you are acquiring.

I'm guessing this isn't what you think it is -- from the information you've provided, it sounds like standard spam (a spammer sending an E-mail with someone else's return address, or the return address the same as the recipient's address).

-Scott

---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
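As an added example (not from this thread, and not IMail's own rule syntax), here is the kind of From-versus-source-IP check the rule discussed above would implement, applied to a constructed message: it reads the client IP only from the Received line that your own server added, because any Received lines below it were supplied by the client and can be forged. The hostname, addresses and IPs are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the relaying server's own hostname and, per
# customer From address, the single static IP it is expected to send from.
OUR_HOST = "imail.example-hosting.net"
ALLOWED_SOURCE = {"sales@example-customer.com": "203.0.113.10"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg, our_host):
    """Client IP from the Received line our own server added ("by our_host").

    Received headers are prepended hop by hop, so lines below ours came from
    the submitting client and may be forged; only ours records the real peer.
    """
    for hop in msg.get_all("Received") or []:
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", hop, re.IGNORECASE):
            m = IP_IN_BRACKETS.search(hop)
            return m.group(1) if m else None
    return None


def check_from_vs_ip(raw_message, our_host=OUR_HOST):
    """Return (verdict, detail) with verdict 'ok', 'reject' or 'unknown'."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in ALLOWED_SOURCE:
        return "unknown", "sender %s is not covered by the rule" % sender
    ip = originating_ip(msg, our_host)
    if ip is None:
        return "unknown", "no Received line added by %s" % our_host
    if ip == ALLOWED_SOURCE[sender]:
        return "ok", ip
    return "reject", "%s submitted from %s, expected %s" % (sender, ip, ALLOWED_SOURCE[sender])


# Constructed sample: the bottom Received line (added by the client) claims the
# customer's static IP, but our server's own line shows a different peer.
SPOOFED = (
    "Received: from imail.example-hosting.net ([198.51.100.7]) by mx.example.org\n"
    "Received: from client-host ([192.0.2.55]) by imail.example-hosting.net with ESMTPA\n"
    "Received: from forged.example ([203.0.113.10]) by client-host\n"
    "From: Sales <sales@example-customer.com>\n"
    "To: victim@example.org\n"
    "Subject: test\n\nbody\n"
)
LEGIT = SPOOFED.replace("([192.0.2.55])", "([203.0.113.10])")
```

In the authenticated-relay case from the thread, the same approach applies to the log entry: compare the authenticating mailbox and its peer IP against the From address, since the alias itself has no credentials.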
