Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Dan McAllister
On 8/25/2014 11:27 AM, Jim Shupert wrote: friends, I have one user [ MrBlue ] who is a valid user on my domain of theppjgroup.com It seems MrBlue has been getting overloaded with failure notices.. I *Think that someone is sending mail spoofing MrBlue -- but they do not have the password

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Sebastian Grewe
Thanks Dan, you pretty much explained in detail what I suggested ;-) I agree that this is indeed a hijacked account sending out spam and receiving bounces from those that were not delivered. In addition to Dan's suggestions (password change and malware scan on systems) I would recommend

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David
+2 Very good interpolation.. This is more the correct answer because I have the T-shirt on this one LOL On 08/26/2014 09:53 AM, Dan McAllister wrote: On 8/25/2014 11:27 AM, Jim Shupert wrote: friends, I have one user [ MrBlue ] who is a valid user on my domain of theppjgroup.com It seems

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Jim Shupert
Dan, Thank you for the lesson on mail headers. I very much need to know more about that sort of thing in order to do the kind of forensics of this sort of problem. 1st let me say that if I look at a legit MrBlue email it says in the header only and always mrb...@theppjgroup.com so when

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David Milholen
Unless MrBlue is on a road trip somewhere accessing his mail... Then yes. I would do an nslookup 72.189.129.134 and see who it belongs to. Mainly what country it is in. On 8/26/2014 1:51 PM, Jim Shupert wrote: Dan, Thank you for the lesson on mail headers. I very much need to know more about

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David Milholen
Did you a solid... Looks like he's in Florida and it's a Time Warner Cable IP. Results from DNSstuff.com Origin AS Data RIR Data *No Data Found!* *Reverse* 72-189-129-134.res.bhn.net. *Reverse-verified* No *Country Code* US *Country* United States *Region*

[qmailtoaster] many failure notice - a failed spoof?

2014-08-25 Thread Jim Shupert
friends, I have one user [ MrBlue ] who is a valid user on my domain of theppjgroup.com It seems MrBlue has been getting overloaded with failure notices.. I *Think that someone is sending mail spoofing MrBlue -- but they do not have the password -- so it fails and My ( actual ) MrBlue then

Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-25 Thread Sebastian Grewe
It looks more like an authenticated mail from your server from a hijacked account. Check your server's logs for indications of what account has been sending a lot of mails lately and change that account's password. Sent from my iPhone On 25 Aug 2014, at 17:27, Jim Shupert jshup...@pps-inc.com