You may have assumed too early, and without enough evidence. There are lots of ways somebody could have gotten Alice's credentials. FWIW, probably the most likely method is that Alice was phished and gave her credentials willingly. She probably doesn't remember or realize, and even if she does remember she may lie about it.
If your policy allows for it, and you don't mind invading Alice's privacy, you could check Alice's email for a phishing message and her browser history for the URL she clicked through to; if you're lucky, you may correlate something there. But that's a lot of work, and doesn't provide any value to anyone, so it's your call.

-- Benjamin

On Nov 8, 2011, at 10:54 AM, Steven Kurylo wrote:

> Hi,
>
> We had an incident yesterday evening and I'm trying to track down the
> root cause.
>
> Spam started flowing through our mail servers using the credentials
> of a user, Alice. Each message came from a different IP address,
> spread over the globe. Each message is quite clearly spam, trying to
> get you to visit a URL. The From header of the spam message is using
> Alice's email address. The messages I've checked are in the form of
> "Lindsey Lohan free from prison".
>
> There are no invalid password attempts for Alice, so I assume one of
> their computers was compromised by a virus and their credentials and
> outgoing mail server name stolen. Then a botnet is using the
> credentials to use our mail server as a relay.
>
> Sophos is running on Alice's laptop, and there are no signs of a
> virus. But of course the credentials could have been stolen from
> somewhere else.
>
> Is anyone familiar with this virus? The URLs I've looked at so far
> are timing out, so I can't check the virus that way.
>
> Thank you.
>
> --
> Steven Kurylo
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

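The pattern Steven describes (successful SASL logins for one account from many unrelated IP addresses, with no failed password attempts to trip the usual brute-force alerts) can be caught from the mail server's own logs. The script below is an added example, not code from either poster or from the LOPSA list; it assumes Postfix-style `smtpd` SASL logging, uses constructed log lines in documentation IP ranges rather than real data, and the thresholds (`max_ips`, `max_nets`) and the /16 grouping used as a crude stand-in for geographic spread are assumptions you would tune for your own user population.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Postfix smtpd lines (203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges). Not taken from any real server.
SAMPLE_LOG = """\
Nov  8 18:02:11 mx1 postfix/smtpd[4101]: 7A1B2C3D4E: client=unknown[203.0.113.17], sasl_method=LOGIN, sasl_username=alice
Nov  8 18:02:40 mx1 postfix/smtpd[4102]: 7A1B2C3D4F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice
Nov  8 18:03:05 mx1 postfix/smtpd[4103]: 7A1B2C3D50: client=unknown[192.0.2.88], sasl_method=PLAIN, sasl_username=alice
Nov  8 18:03:30 mx1 postfix/smtpd[4104]: 7A1B2C3D51: client=unknown[203.0.113.201], sasl_method=LOGIN, sasl_username=alice
Nov  8 18:04:12 mx1 postfix/smtpd[4105]: 7A1B2C3D52: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice
Nov  8 18:05:00 mx1 postfix/smtpd[4106]: 7A1B2C3D53: client=bob-laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Nov  8 18:06:21 mx1 postfix/smtpd[4107]: 7A1B2C3D54: client=bob-laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Nov  8 18:07:02 mx1 postfix/smtpd[4108]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

# A *successful* SASL login is logged on the "client=" line with a
# sasl_username; failed attempts are logged as warnings without one,
# so this pattern deliberately matches only successes.
SASL_OK = re.compile(
    r"client=(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)


def successful_sasl_logins(lines):
    """Map each sasl_username to the sorted list of distinct client IPs
    that authenticated as it."""
    per_user = defaultdict(set)
    for line in lines:
        m = SASL_OK.search(line)
        if m:
            per_user[m.group("user")].add(m.group("ip"))
    return {user: sorted(ips) for user, ips in per_user.items()}


def flag_credential_abuse(lines, max_ips=3, max_nets=2):
    """Return {user: {"ips": n, "nets": m}} for accounts whose successful
    logins came from more distinct IPs, or more distinct /16 networks,
    than one person plausibly uses in the window covered by `lines`.
    The /16 grouping is an assumed, offline approximation of "spread
    over the globe"; swap in a GeoIP lookup if you have one."""
    flagged = {}
    for user, ips in successful_sasl_logins(lines).items():
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        if len(ips) > max_ips or len(nets) > max_nets:
            flagged[user] = {"ips": len(ips), "nets": len(nets)}
    return flagged


if __name__ == "__main__":
    for user, stats in flag_credential_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {stats['ips']} distinct IPs across {stats['nets']} /16s "
              "authenticated successfully; treat the password as compromised")
```

Run against a real `mail.log` with `flag_credential_abuse(open("/var/log/mail.log"))`, ideally over a short window (one hour is plenty for the volume a spam botnet produces). Note what the check does not need: not a single failed login. Because the botnet already holds a valid password, alerting on authentication failures, as Steven's environment evidently did, never fires; the signal is in the successes.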