It's true, the credentials could have been stolen elsewhere, such as via a phishing message. Though in my mind, a virus is more likely. But I don't have evidence either way; it's just that in my experience it has almost always been a virus.
Trying to track down the phish would pretty much be impossible. Though I did check our spam traps from the last few months and didn't see anything likely.

Ski, that's how I noticed. We use per-user rate limiting with exim.

Thanks for your help.

On Tue, Nov 8, 2011 at 11:10 AM, Benjamin Krueger <[email protected]> wrote:
> You may have assumed too early, and without enough evidence. There are lots
> of ways somebody could have gotten Alice's credentials. FWIW, probably the
> most likely method is that Alice was phished and gave her credentials
> willingly. She probably doesn't remember or realize, and even if she does
> remember she may lie about it.
>
> If your policy allows for it, and you don't mind invading Alice's privacy,
> you could check Alice's email for a phishing message and her browser history
> for the URL she clicked through to; if you're lucky, you may correlate
> something there. But that's a lot of work, and doesn't provide any value to
> anyone so it's your call.
>
> --
> Benjamin
>
> On Nov 8, 2011, at 10:54 AM, Steven Kurylo wrote:
>
>> Hi,
>>
>> We had an incident yesterday evening and I'm trying to track down the
>> root cause.
>>
>> Spam started flowing through our mail servers using the credentials
>> of a user, Alice. Each message came from a different IP address,
>> spread over the globe. Each message is quite clearly spam, trying to
>> get you to visit a URL. The From header of the spam message is using
>> Alice's email address. The messages I've checked are in the form of
>> "Lindsey Lohan free from prison".
>>
>> There are no invalid password attempts for Alice, so I assume one of
>> their computers was compromised by a virus and their credentials and
>> outgoing mail server name stolen. Then a botnet is using the
>> credentials to use our mail server as a relay.
>>
>> Sophos is running on Alice's laptop, and there are no signs of a
>> virus. But of course the credentials could have been stolen from
>> somewhere else.
>>
>> Is anyone familiar with this virus? The URLs I've looked at so far
>> are timing out, so I can't check the virus that way.
>>
>> Thank you.
>>
>> --
>> Steven Kurylo
>> _______________________________________________
>> Tech mailing list
>> [email protected]
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/
>

--
Steven Kurylo
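The pattern Steven describes, one authenticated user submitting mail from many unrelated source addresses in a short time, is a usable detection signal on its own, independent of the per-message rate limit that tripped here. The following is an added example, not code from the thread or from Exim itself: it parses Exim mainlog "message arrived" (`<=`) lines, keeps only authenticated submissions (those carrying an `A=authenticator:user` field), and flags any user whose submissions within a sliding time window came from more than a chosen number of distinct IPs. The log lines are constructed for the example, the window (10 minutes) and threshold (3 distinct IPs) are assumptions to tune per site, and the field order in the regex follows the usual Exim mainlog layout (timestamp, message id, `<=`, sender, `H=host [ip]`, `P=protocol`, `A=auth:id`); check it against your own exim configuration before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parts of an Exim mainlog "<=" (message arrived) line needed for the check.
# The A= field is only present on authenticated submissions, so unauthenticated
# inbound mail never matches and is ignored by design.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"P=(?P<proto>\S+) A=(?P<auth>[^:\s]+):(?P<user>\S+) "
)

# Constructed sample log: "alice" submits from four unrelated addresses in under
# two minutes (the botnet-relay pattern), "bob" submits twice from one address,
# and one line is ordinary unauthenticated inbound mail with no A= field.
SAMPLE_MAINLOG = """\
2011-11-07 19:02:13 1RNa1b-0001Xa-Ab <= alice@example.com H=(PC1) [198.51.100.23] P=esmtpa A=plain:alice S=1523 id=1@spam.invalid
2011-11-07 19:02:40 1RNa1c-0001Xb-Cd <= alice@example.com H=(PC2) [203.0.113.77] P=esmtpa A=plain:alice S=1519 id=2@spam.invalid
2011-11-07 19:03:05 1RNa1d-0001Xc-Ef <= alice@example.com H=(PC3) [192.0.2.140] P=esmtpa A=plain:alice S=1531 id=3@spam.invalid
2011-11-07 19:03:51 1RNa1e-0001Xd-Gh <= alice@example.com H=(PC4) [198.51.100.201] P=esmtpa A=plain:alice S=1527 id=4@spam.invalid
2011-11-07 19:04:12 1RNa1f-0001Xe-Ij <= bob@example.com H=bobs-laptop (bobs-laptop) [192.0.2.9] P=esmtpsa A=login:bob S=812 id=5@home.invalid
2011-11-07 19:04:30 1RNa1g-0001Xf-Kl <= sender@other.example H=mx.other.example [203.0.113.5] P=esmtp S=2048 id=6@other.invalid
2011-11-07 19:05:02 1RNa1h-0001Xg-Mn <= bob@example.com H=bobs-laptop (bobs-laptop) [192.0.2.9] P=esmtpsa A=login:bob S=830 id=7@home.invalid
"""


def parse_arrivals(lines):
    """Return a list of dicts, one per authenticated submission line."""
    records = []
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m is None:
            continue  # not an authenticated "<=" line; skip it
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def flag_multi_ip_users(lines, window=timedelta(minutes=10), max_ips=3):
    """Map each flagged user to the largest number of distinct source IPs
    seen for that user inside any single time window of length `window`.
    Users who never exceed `max_ips` distinct IPs in a window are omitted."""
    by_user = defaultdict(list)
    for rec in parse_arrivals(lines):
        by_user[rec["user"]].append((rec["ts"], rec["ip"]))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so a sliding window is valid
        worst = 0
        start = 0
        for end in range(len(events)):
            # Drop events older than `window` relative to the newest one.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_ips:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    for user, n in flag_multi_ip_users(SAMPLE_MAINLOG.splitlines()).items():
        print(f"{user}: {n} distinct source IPs within one window")
```

Run against a real mainlog this is a cheap post-hoc check (`flag_multi_ip_users(open("/var/log/exim4/mainlog"))`) and, fed from a log tail, a reasonable trigger for disabling the account or its SMTP AUTH. It is also a useful complement to a per-user message-rate limit: a slow-and-low relay that stays under the rate cap still shows up as one account submitting from a spread of addresses that no single laptop would produce.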
