Email Servers
Hello, All.
(MailEnable Mail Server / Running on 2016 Windows Server)
The other day I checked my mail server only to find log files ranging from 200MB to 1GB.
That was a red flag as the domains listed under my mail server are mainly mine, and I have control over all clients.
After looking through the files, I noticed that two of my email accounts had been used to send out massive amounts of spam, mainly to Yahoo accounts.
I dug through many recent files and started grabbing IP addresses and blocking the blocks, as most of them were from Russia and China.
I deleted both accounts.
Now, most of my files are being filled up with just 127.0.0.1 with the names of the deleted accounts.
Here is a sample of my log files, with two records displayed to keep the garbage low.
11/17/21 00:51:49 SMTP-OU 8882E66ABFC044DD9E86BED0621909D5.MAI 988 67.195.204.79 MAIL MAIL FROM:<admin@********.com> SIZE=10688 421 4.7.0 [TSS04] Messages from ((MY IP ADDRESS HERE)) temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes 49 174 admin@********.com better to see an important letter
11/17/21 00:51:51 SMTP-IN 48939815963E470B967B8718C0664A9C.MAI 1536 127.0.0.1 RCPT RCPT TO:<admin@********.com> 550 Requested action not taken: mailbox unavailable or not local. 67 36
I read that it could be a file on my IIS server that has given access. I checked my log files, and I am not seeing any suspicious activity other than the typical PHP wannabe mess.
I also read that it could be someone who may have access to my webmail, and since it is not being used at the moment, I disabled it through IIS.
Where else can I check, and what else can I do to stop these emails from being sent out?
I mean, I've deleted the accounts, and they are still being sent out using the accounts.
I just checked the recent log file, and it has thousands of lines of the 127.0.0.1 "mailbox unavailable or not local" message. Thanks for any help you all can assist me with.
Wayne
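The two log lines above carry the evidence that matters: SMTP-OU lines with a 421 from Yahoo show which local sender is being throttled, SMTP-IN lines from 127.0.0.1 with a 550 show the deleted mailboxes still being targeted by local delivery, and SMTP-IN MAIL lines show the client IP that submitted each message. The script below is an added example (not MailEnable's tooling and not from the original post) that tallies those signals over a MailEnable-style SMTP activity log. The sample lines are constructed from the layout quoted in the question, with the masked domain replaced by example.com and TEST-NET addresses standing in for the real ones; the meaning of the numeric field after the message ID is not given on the page, so it is parsed but not interpreted.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MailEnable SMTP activity log lines
# quoted in the question. Domains, IPs and the extra "normal" lines are
# invented; this is not real traffic.
SAMPLE_LOG = """\
11/17/21 00:50:30 SMTP-IN 6F7A8B9CADBE4CFDE4A5B6C7D8E9F0A1.MAI 1520 203.0.113.77 MAIL MAIL FROM:<admin@example.com> SIZE=10688 250 Requested mail action okay, completed 44 60
11/17/21 00:51:49 SMTP-OU 8882E66ABFC044DD9E86BED0621909D5.MAI 988 67.195.204.79 MAIL MAIL FROM:<admin@example.com> SIZE=10688 421 4.7.0 [TSS04] Messages from 203.0.113.10 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes 49 174 admin@example.com better to see an important letter
11/17/21 00:51:50 SMTP-OU 1F0C2A7E5B9D4C3EA8B6D0F1E2A3B4C5.MAI 990 203.0.113.5 MAIL MAIL FROM:<admin@example.com> SIZE=10702 421 4.7.0 [TSS04] Messages from 203.0.113.10 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes 49 174 admin@example.com better to see an important letter
11/17/21 00:51:52 SMTP-OU 2B3C4D5E6F7A48B9A0C1D2E3F4A5B6C7.MAI 991 203.0.113.5 MAIL MAIL FROM:<admin@example.com> SIZE=10650 250 2.1.0 Sender OK 12 30 admin@example.com better to see an important letter
11/17/21 00:52:03 SMTP-OU 3C4D5E6F7A8B49CAB1D2E3F4A5B6C7D8.MAI 992 203.0.113.5 MAIL MAIL FROM:<sales@example.com> SIZE=2048 250 2.1.0 Sender OK 12 30 sales@example.com Invoice 1042
11/17/21 00:51:51 SMTP-IN 48939815963E470B967B8718C0664A9C.MAI 1536 127.0.0.1 RCPT RCPT TO:<admin@example.com> 550 Requested action not taken: mailbox unavailable or not local. 67 36
11/17/21 00:51:55 SMTP-IN 4D5E6F7A8B9C4ADBC2E3F4A5B6C7D8E9.MAI 1537 127.0.0.1 RCPT RCPT TO:<admin@example.com> 550 Requested action not taken: mailbox unavailable or not local. 67 36
11/17/21 00:53:10 SMTP-IN 5E6F7A8B9CAD4BECD3F4A5B6C7D8E9F0.MAI 1538 198.51.100.7 RCPT RCPT TO:<sales@example.com> 250 2.1.5 Recipient OK 45 20
"""

# date time direction message-id <numeric field> client/peer-ip command <rest>
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<direction>SMTP-IN|SMTP-OU)\s+"
    r"(?P<msgid>\S+)\s+(?P<field5>\d+)\s+(?P<ip>\S+)\s+(?P<cmd>\S+)\s+(?P<rest>.*)$"
)
ADDR_RE = re.compile(r"(?:MAIL FROM|RCPT TO):<([^>]*)>", re.IGNORECASE)
# First standalone 3-digit SMTP reply code after the command text.
CODE_RE = re.compile(r"\s([245]\d\d)\s")


def parse_line(line):
    """Return a dict of fields for one activity-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    addr = ADDR_RE.search(rec["rest"])
    code = CODE_RE.search(rec["rest"])
    rec["addr"] = addr.group(1).lower() if addr else None
    rec["code"] = int(code.group(1)) if code else None
    return rec


def summarize(lines):
    """Tally the signals of account abuse from a sequence of log lines."""
    s = {
        "outbound_by_sender": Counter(),       # SMTP-OU MAIL FROM per local sender
        "deferred_by_sender": Counter(),       # 4xx replies from remote MXs, per sender
        "remote_mx_ips": Counter(),            # where our server is delivering to
        "submissions_by_sender_ip": Counter(), # (sender, client IP) on SMTP-IN MAIL
        "loopback_rejects": Counter(),         # 5xx to RCPT from 127.0.0.1, per mailbox
        "unparsed": 0,
    }
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        code = rec["code"] or 0
        if rec["direction"] == "SMTP-OU" and rec["cmd"] == "MAIL" and rec["addr"]:
            s["outbound_by_sender"][rec["addr"]] += 1
            s["remote_mx_ips"][rec["ip"]] += 1
            if 400 <= code < 500:
                s["deferred_by_sender"][rec["addr"]] += 1
        elif rec["direction"] == "SMTP-IN" and rec["cmd"] == "MAIL" and rec["addr"]:
            s["submissions_by_sender_ip"][(rec["addr"], rec["ip"])] += 1
        elif (rec["direction"] == "SMTP-IN" and rec["cmd"] == "RCPT"
              and rec["ip"] == "127.0.0.1" and code >= 500):
            s["loopback_rejects"][rec["addr"]] += 1
    return s


def suspects(summary, min_deferrals=2):
    """Local senders that remote MXs are throttling: the usual sign of a hijacked account."""
    return sorted(a for a, n in summary["deferred_by_sender"].items() if n >= min_deferrals)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key, counter in result.items():
        print(key, dict(counter) if isinstance(counter, Counter) else counter)
    print("suspects:", suspects(result))
```

Run it against the real SMTP activity log instead of SAMPLE_LOG; the `submissions_by_sender_ip` counter is the one that tells you which client addresses were using the two accounts, and `loopback_rejects` growing after the accounts were deleted points at messages still being handed to local delivery rather than fresh abuse.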
You can see your outgoing mail by looking at the queued messages, and delete them so they are not re-queued.
Where can I get a list of the IP Address ranges from to block?
AFRINIC is (45.96.0.0 - 45.111.255.255)
So, that would mean I would need to block 45.96.*.* - 45.111.*.*
Would that be accurate?
I checked for South Africa, and they are in a different range.
2) This IP is owned by Yahoo.
# hostip 67.195.204.79
mtaproxy2.free.mail.vip.bf1.yahoo.com
3) This suggests several possibilities... as follows...
a) If email is actually originating on one of your machines, then per Dr. Klahn (comment above), shutdown/stop/kill the MTA running on your machine... since you're running Windows, this most likely means your machine is hacked + the fastest/safest fix is to back up your data + do a fresh Windows install.
b) This could also mean somehow a hacker has acquired your Yahoo Mail Relay credentials... the user/pass you're using for port 587 submission through Yahoo.
To be safe, I'd change your Yahoo port 587 submission password to something unique, like a 16-32 alphanumeric string you've never used as a password anywhere before.
c) Be aware, if you use the same user/pass for Yahoo (or actually duplicate any user/pass multiple times), you'll almost surely eventually be hacked...
Especially if you use some sort of 3rd party password storage system...
Tip: The large/popular 3rd party services appear to either be continually hacked or sell user/pass combinations as part of their business model. You can test this by injecting some unique user/pass into these services then test how long it takes for them to show up in various public + Dark Net searches.
Do this once + it's very likely you'll never use a 3rd party password storage system ever again.
4) Mail... is... sigh... complex... so if you don't debug this type of problem on a daily basis, might be worthwhile to hire someone to help you.
5) Also, I'm unsure what type of logs Yahoo provides you to debug this.
My guess is Yahoo provides no detailed logs, so you have no debug starting point.
Consider using a Mail Relay service like https://smtp2go.com rather than Yahoo for mail relaying, as debugging this type of problem will almost surely be far easier than debugging Yahoo.
For (B), one tool that I've found useful in the past (when I had a SQL Server get hacked) is Security Task Manager by a company called Neuber or something like that. I couldn't find the problem using the normal Windows task manager and it was because of some Java-based technique of hiding the process from most other tools. The Security Task Manager is shareware, but its free functionality will scan all the processes (including hidden ones) and rank them according to risk factors (so an unsigned invisible process that uses network ports gets ranked high, while Notepad gets ranked low), which makes it a lot easier to spot POTENTIALLY malicious processes (some normal processes are just risky-looking and it's up to you to know what -should- be running on your system).
For (A), I'd check your web server logs to see if you have a corresponding level of activity to what you're seeing in your mail logs.
Finally, check MailEnable's relay settings to make sure it hasn't simply been configured as an open relay.
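The open-relay check in the answer above comes down to one question: does the server accept RCPT TO for a non-local domain from a client that is neither authenticated nor on a trusted network? The code below is an added example, not MailEnable's implementation and not from the original answer; it models the generic relay decision an MTA makes, shows a weak configuration next to a correct one, and includes a live probe using Python's standard smtplib. The option names (`trusted_networks`, `relay_for_anyone`) are this example's own; MailEnable exposes the equivalent choices under its SMTP relay settings.

```python
import ipaddress
import smtplib

ACCEPT = "250 2.1.5 Recipient OK"
DENY = "550 5.7.1 Unable to relay"


class RelayPolicy:
    """Generic MTA relay decision for RCPT TO.

    Order matters: local recipients are always accepted (that is delivery, not
    relay); everything else relays only for authenticated sessions or trusted
    client networks. MAIL FROM is deliberately not consulted, because any
    client can forge it.
    """

    def __init__(self, local_domains, trusted_networks=(), relay_for_anyone=False):
        self.local = {d.lower() for d in local_domains}
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.relay_for_anyone = relay_for_anyone  # the open-relay misconfiguration

    def decide(self, client_ip, authenticated, rcpt_to):
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local:
            return ACCEPT
        if authenticated:
            return ACCEPT
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted):
            return ACCEPT
        if self.relay_for_anyone:
            return ACCEPT
        return DENY


def is_open_relay(policy, probe_ip="198.51.100.23"):
    """The classic probe: unauthenticated, from an outside address, to an outside recipient."""
    return policy.decide(probe_ip, False, "probe@example.org").startswith("250")


def probe_live(host, port=25, timeout=10):
    """Run the same probe against a real server. A 250 to RCPT means it will relay.

    Some servers accept at RCPT and reject at DATA, so a 250 here is a strong
    signal, not proof; a 550 is a clear pass.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        s.mail("probe@example.net")
        code, msg = s.rcpt("probe@example.org")
        return code == 250, code, msg.decode(errors="replace")


# Weak: relays for any client. Correct: relays only for auth or a listed LAN.
WEAK = RelayPolicy({"example.com"}, relay_for_anyone=True)
STRICT = RelayPolicy({"example.com"}, trusted_networks=["192.0.2.0/24"])
# Trusting loopback means any process on the box (a compromised web script,
# webmail, a cron job) can relay without credentials.
TRUSTS_LOOPBACK = RelayPolicy({"example.com"}, trusted_networks=["127.0.0.0/8"])

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("STRICT", STRICT), ("TRUSTS_LOOPBACK", TRUSTS_LOOPBACK)):
        print(name, "open relay from the internet:", is_open_relay(pol),
              "| loopback can relay:", pol.decide("127.0.0.1", False, "x@example.org"))
```

For a live check, call `probe_live("your.mail.host")` from a machine outside your own network and outside any range the server trusts; run from the LAN or the server itself it only tells you what trusted clients can do, which is the loopback case above.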
Where can I get a list of the IP Address ranges from to block?
There are free lists, not as accurate as paid lists but still quite good. Most of these are designed with linux systems using xtables / iptables geoIP filtering, so "adjustments" must be made for Windows systems. These lists change weekly so it's not a one-time fix.
https://linklyhq.com/blog/list-of-5-free-geoip-databases-2020
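The follow-up question earlier in the thread (whether 45.96.0.0 - 45.111.255.255 is the same as blocking 45.96.*.* through 45.111.*.*) and the answer above about GeoIP range lists both come down to turning start/end ranges into CIDR prefixes that a firewall will accept. The code below is an added example, not from the thread; it converts ranges to CIDR with Python's standard `ipaddress` module, builds a collapsed blocklist from a GeoIP-style start,end,label file, tests addresses against it, and emits Windows Firewall `netsh advfirewall` rules. The range file is constructed: the first row is the AFRINIC range quoted in the thread, the others are documentation (TEST-NET) ranges, and the labels are placeholders, not country codes from any real feed.

```python
import ipaddress

# Constructed GeoIP-style list: start,end,label. Not a real feed.
SAMPLE_RANGES = """\
45.96.0.0,45.111.255.255,AFRINIC
203.0.113.0,203.0.113.255,TEST-NET-3
198.51.100.0,198.51.100.255,TEST-NET-2
"""


def range_to_cidrs(first, last):
    """Smallest list of CIDR prefixes that exactly covers first..last inclusive."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or a > b:
        raise ValueError(f"bad range {first}-{last}")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def build_blocklist(csv_text, labels):
    """Collect the ranges whose label is in `labels`, as collapsed ip_network objects."""
    nets = []
    for row in csv_text.splitlines():
        if not row.strip() or row.startswith("#"):
            continue
        first, last, label = (f.strip() for f in row.split(",", 2))
        if label in labels:
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    # collapse_addresses merges adjacent/overlapping prefixes and sorts them
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def netsh_rules(blocklist, name="GeoBlock", direction="in"):
    """One Windows Firewall block rule per prefix; remoteip= accepts CIDR notation."""
    return [
        f'netsh advfirewall firewall add rule name="{name}" dir={direction} '
        f'action=block remoteip={net}'
        for net in blocklist
    ]


if __name__ == "__main__":
    # The range from the thread is a single /12, so 45.96.*.* .. 45.111.*.* is right.
    print(range_to_cidrs("45.96.0.0", "45.111.255.255"))
    # A range that is not prefix-aligned needs more than one CIDR.
    print(range_to_cidrs("45.96.0.0", "45.100.255.255"))
    bl = build_blocklist(SAMPLE_RANGES, {"AFRINIC", "TEST-NET-3"})
    for ip in ("45.100.7.7", "45.112.0.0", "203.0.113.9", "198.51.100.5"):
        print(ip, "blocked" if is_blocked(ip, bl) else "allowed")
    print("\n".join(netsh_rules(bl)))
```

The wildcard form in the follow-up question only works because that particular range is prefix-aligned; feed a range such as 45.96.0.0 - 45.100.255.255 through `range_to_cidrs` and it comes back as two prefixes, which is why a range-to-CIDR step belongs in any weekly list refresh.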
There were two email accounts hacked. Once I found out which accounts were hacked, I deleted them, cleaned up the queues, and began blocking countries from the Mail Server itself. Unfortunately, I cannot block from the router end, as I get traffic from all over the world hitting my sites.
So far, everything is back and running smoothly.
I've been removed from several blacklists, so that is good.
Just hoping it does not happen again.
It does not look like they have an Eval version anymore of Exchange Server.
And the Postfix is LINUX only, which I do not have an issue with.
I will have to learn how to install and work with it. All the videos and information found so far on the subject are about having it send mail through Amazon or Gmail. In my case, I host my own.
I will check the Exchange Server to see if I can find an Eval of it.
Found a download for the 2016 version:
https://www.microsoft.com/en-us/download/details.aspx?id=57827
Within Internet message handling services (MHS), a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol (SMTP). The terms mail server, mail exchanger, and MX host may also refer to a computer performing the MTA function. The Domain Name System (DNS) associates a mail server with a domain by means of mail exchanger (MX) resource records containing the domain name of a host providing MTA services.