Is spam being sent out from a local machine on your network? Follow these steps to track down a spambot.

Has this happened to you? Let’s say you’re the MDaemon administrator for your company, and you’ve noticed that somewhere, somehow, spam messages are being sent from within your network. Perhaps one of your PCs has been compromised. What do you do? Here are some tips to help you track the issue down.

First, make sure you have the option “Authentication is always required when mail is from local accounts” enabled (Security | Security Settings | SMTP Authentication). Also enable “Credentials used must match those of the return-path address” and “Credentials used must match those of the From header address.” Then, make sure “…unless message is sent to a local account” is unchecked to prevent intra-domain spam (between local domain users).

SMTP Authentication in MDaemon

Make sure the appropriate boxes are checked to require SMTP authentication

Next, find out if the spam messages are coming in from an authenticated session. To do this, locate one of the spam messages & open it up in Notepad to view its headers (or you can open it in Queue & Statistics Manager). Does the message have an X-Authenticated-Sender header? It will look something like this:

X-Authenticated-Sender: SpammerUser@example.com

If this header is present, then that is the user who authenticated to send the message. The first thing you should do in this case is to change the account’s password via the Accounts menu in MDaemon. Even if the spamming is going through the user’s mail client, the old authentication credentials will be rejected from that point on, so the spamming is stopped (at least temporarily) until you give the user the new password and they update their mail client.

In newer versions of MDaemon, we’ve added Account Hijack Detection, which will automatically disable an account if it sends a specified number of outbound messages via an authenticated session in a given period of time. We recommend enabling this feature. In MDaemon, it’s located under Security | Security Settings | Screening | Hijack Detection.
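To show what a threshold of this kind does over a stream of authenticated sends, here is an added example (not MDaemon’s own Hijack Detection code, and not its log format): a sliding-window counter that flags an account the moment it exceeds a given number of authenticated outbound messages within a given number of minutes. The events are constructed as simple (timestamp, account) pairs, and the three accounts, limits and windows below are assumptions chosen to exercise the check.

```python
"""Sliding-window check in the spirit of Account Hijack Detection (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def _stamp(base, seconds):
    """Helper for building constructed timestamps `seconds` after `base`."""
    return (datetime.strptime(base, FMT) + timedelta(seconds=seconds)).strftime(FMT)


BASE = "2016-09-13 21:00:00"
# Constructed events, not real log data:
#   alice: three messages spread over 45 minutes (normal use)
#   bob:   twelve messages in 22 seconds (looks hijacked)
#   carol: eleven messages, one every 12 minutes (busy but steady)
SAMPLE_EVENTS = (
    [(_stamp(BASE, s), "alice@example.com") for s in (1, 900, 2700)]
    + [(_stamp(BASE, 2 * i), "bob@example.com") for i in range(12)]
    + [(_stamp(BASE, 720 * i), "carol@example.com") for i in range(11)]
)


def find_hijacked(events, limit, window_minutes):
    """Return {account: timestamp of the first send that pushed it past `limit`}.

    An account is flagged once more than `limit` of its authenticated sends fall
    inside any span of `window_minutes`; later sends from a flagged account are
    ignored, mirroring an account that has already been disabled.
    """
    recent = defaultdict(deque)          # account -> timestamps still inside the window
    flagged = {}
    window = timedelta(minutes=window_minutes)
    for ts_text, account in sorted(events):   # ISO timestamps sort chronologically
        if account in flagged:
            continue
        ts = datetime.strptime(ts_text, FMT)
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:       # drop sends that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[account] = ts_text
    return flagged


if __name__ == "__main__":
    for account, when in find_hijacked(SAMPLE_EVENTS, 10, 5).items():
        print(f"{account} exceeded 10 sends in 5 minutes at {when}")
```

With a limit of 10 messages in 5 minutes only bob is flagged; a much tighter limit of 2 in 60 minutes would also catch alice and carol, which is the trade-off to keep in mind when picking the numbers for a real deployment.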

Account Hijack Detection

The next step is to look at the Received headers. Find the one where the message was received by your server. Here is an example of what this header would look like:

Received: from computer1 (computer1@example.com [192.198.1.121]) by example.com (MDaemon PRO v17) with ESMTP id md50000000001.msg for <UserWhoWasSpammed@example.com>; Fri, 13 Sep 2016 21:00:00 -0800

Find the connecting IP (192.198.1.121) in the above example. This is the machine that is sending out spam. Locate that machine to deal directly with the spambot on that machine.

If the message wasn’t authenticated or wasn’t sent from your local network, locate the Message-ID header and copy that value.

Message-ID: <123.xyx.someone@example.net>

Then open the MDaemon SMTP-IN log that covers the time when that message was received by MDaemon (based on the timestamp in the Received header) and search for that Message-ID in the log. It appears in the 250 response line when the message is accepted:

Thu 2016-09-12 20:00:00: --> 250 Ok, message saved <Message-ID: <123.xyx.someone@example.net>>

Look at the rest of the transaction and see why the message was accepted rather than rejected – spam score, DNSBL lookups, etc.
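The header triage above is easy to script when you have a pile of suspect messages to work through. The following is an added example (not MDaemon’s own code): it reads a raw message with Python’s standard email parser, pulls out the X-Authenticated-Sender header, the connecting IP from the Received header stamped by your own server, and the Message-ID, then searches a list of SMTP-IN log lines for the 250 line that names that Message-ID. The sample message, the local network 192.198.1.0/24 and the log excerpt are all constructed to mirror the examples in this post; the log lines follow the shape of the 250 line shown above and are not a real MDaemon log.

```python
"""Extract spambot-triage facts from a message and find its SMTP-IN acceptance line (added example)."""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (headers plus a one-line body), modelled on the page's examples.
SAMPLE_MESSAGE = """\
Received: from computer1 (computer1.example.com [192.198.1.121])
\tby example.com (MDaemon PRO v17) with ESMTP id md50000000001.msg
\tfor <UserWhoWasSpammed@example.com>; Fri, 13 Sep 2016 21:00:00 -0800
X-Authenticated-Sender: SpammerUser@example.com
Message-ID: <123.xyx.someone@example.net>
From: SpammerUser@example.com
To: UserWhoWasSpammed@example.com
Subject: constructed sample

body
"""

# Constructed SMTP-IN log excerpt in the shape of the 250 line shown above (not a real log).
SAMPLE_LOG = [
    "Thu 2016-09-12 20:00:00: <-- MAIL From:<someone@example.net>",
    "Thu 2016-09-12 20:00:00: --> 250 <someone@example.net>, Sender ok",
    "Thu 2016-09-12 20:00:00: <-- RCPT To:<UserWhoWasSpammed@example.com>",
    "Thu 2016-09-12 20:00:00: --> 250 <UserWhoWasSpammed@example.com>, Recipient ok",
    "Thu 2016-09-12 20:00:00: <-- DATA",
    "Thu 2016-09-12 20:00:00: --> 250 Ok, message saved <Message-ID: <123.xyx.someone@example.net>>",
    "Thu 2016-09-12 20:01:00: --> 250 Ok, message saved <Message-ID: <999.abc.other@example.org>>",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def connecting_ip(received_headers, local_host):
    """Return the client IP from the topmost Received header stamped by local_host, else None.

    Received headers are in message order (newest first), so the first header that says
    "by <local_host>" is the hop into our own server; anything below it was stamped elsewhere.
    """
    for value in received_headers:
        flat = " ".join(str(value).split())      # unfold any remaining line breaks
        if re.search(rf"\bby {re.escape(local_host)}\b", flat, re.IGNORECASE):
            match = IPV4.search(flat)
            if match:
                return match.group(1)
    return None


def triage(raw_message, local_host, local_networks=()):
    """Collect the facts the procedure above asks for from one raw message."""
    msg = message_from_string(raw_message, policy=default)
    auth = msg.get("X-Authenticated-Sender")
    ip = connecting_ip(msg.get_all("Received", []), local_host)
    nets = [ipaddress.ip_network(n) for n in local_networks]   # assumed LAN ranges
    from_local = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    mid = msg.get("Message-ID")
    return {
        "authenticated_sender": str(auth).strip() if auth is not None else None,
        "connecting_ip": ip,
        "from_local_network": from_local,
        "message_id": str(mid).strip() if mid is not None else None,
    }


def find_acceptance(log_lines, message_id):
    """Return the log lines where the server's 250 response names this Message-ID."""
    return [line for line in log_lines if " 250 " in line and message_id in line]


if __name__ == "__main__":
    facts = triage(SAMPLE_MESSAGE, "example.com", ["192.198.1.0/24"])
    for key, value in facts.items():
        print(f"{key}: {value}")
    for line in find_acceptance(SAMPLE_LOG, facts["message_id"]):
        print(line)
```

If `authenticated_sender` is set, change that account’s password first; if it is empty and `from_local_network` is true, the `connecting_ip` is the machine to go and clean; otherwise take the `message_id` to the SMTP-IN log and read the surrounding transaction to see why the message got through.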

Also, if your external domain is listed in the Trusted Hosts list (Security | Security Settings | Trusted Hosts), try removing it from this list.

Check back often for more tips & tricks!

If you’re not archiving your email, you should be!

When disaster strikes, is your business able to recover from data loss with minimal downtime?

How does your business handle legal requests for discovery and compliance audits?

Are you protected against data loss when employees leave the company?

Businesses of all sizes worldwide rely on email for their day-to-day communication needs. With the prevalence of malware, ransomware, and malicious actors hell-bent on wreaking havoc for personal profit, and with increasingly strict guidelines for HIPAA, FERPA and other regulations, it is more important than ever to have backup copies of all email communications for your business.

MailStore is a complete, secure archiving solution that can grow with your business. A robust archiving solution such as MailStore can meet your company’s needs in these key areas:

  • Compliance & eDiscovery – Businesses in the education, legal and healthcare industries have a growing list of regulations and eDiscovery requirements that must be met.
  • Disaster Recovery – When disaster strikes, in addition to easily getting data into your archive, you want it to be just as easy to get data back out of your archive. MailStore supports multiple archive & export methods, providing the flexibility businesses need to get their data into and back out of MailStore regardless of what email platform or mail client is used.
  • Reduced Server Workload – An archive solution helps reduce the workload of the mail server, freeing up resources for more important business communications.
  • Storage Space - MailStore can be configured to delete messages after a given period of time once they have been archived. This helps reduce storage requirements on the server.
  • Easy Backup & Restore – MailStore makes it easy to make backup copies of your important email messages – from any mail server, mail client, or even a PST file. The restore process is just as easy!
  • Avoidance of PST Nightmares – PST files can be archived and accessed from the MailStore client. Businesses whose users use PST files will benefit from being able to consolidate these PST files in a single archive location.
  • Elimination of Mailbox Quotas – Archived messages can be removed from the mail server after a period of time, reducing the need for mailbox quotas.
  • Prevent Users from Deleting Emails – A journaling mailbox can be configured on the mail server to collect copies of all inbound and outbound mail. You can then create a journaling archive profile in MailStore to capture all inbound and outbound messages as they pass through the mail server. This allows all messages to be archived even when the sender or recipient deletes the message from his Inbox or Sent Items folder.
  • Increased Productivity – Archived messages and attachments are fully indexed, making it easy to perform complex searches in a matter of seconds.

We’ve created the following video to help you get started with MailStore.

Want to learn more?  Click here to start using MailStore today!