Tracking Down a Spambot

Has this happened to you? Let’s say you’re the MDaemon administrator for your company, and you’ve noticed that somewhere, somehow, spam messages are being sent from within your network. Perhaps one of your PCs has been compromised. What do you do? Here are some tips to help you track the issue down.

First, make sure you have the option “Authentication is always required when mail is from local accounts” enabled (Security | Security Settings | SMTP Authentication). Also enable “Authentication credentials must match those of the email sender.” Then, make sure “…unless message is to a local account” is unchecked to prevent intra-domain spam (between local domain users).

Next, find out if the spam messages are coming in from an authenticated session. To do this, locate one of the spam messages & open it up in Notepad to view its headers (or you can open it in Queues & Statistics Manager). Does the message have an X-Authenticated-Sender header? It will look something like this:


If this header is present, then that is the user who authenticated to send the message. The first thing you should do in this case is to change the account’s password via the Accounts menu in MDaemon. Even if the spamming is going through the user’s mail client, until you give the user the new password and they update their mail client the authentication credentials will be rejected and the spamming will be temporarily stopped.

The next step is to look at the Received headers. Find the one where the message was received by your server. Here is an example of what this header would look like:

Received from computer1 ( ( by (MDaemon PRO v13.5.3) with ESMTP id md50000000001.msg for < >, Fri, 13 Sep 2013 21:00:00 -0800

Find the connecting IP ( in the above example. This is the machine that is sending out spam. Locate that machine to deal directly with the spambot on that machine.

If the message wasn’t authenticated or wasn’t sent from your local network, locate the Message-ID header and copy that value.

Message-ID: <>

Then open the MDaemon SMTP-IN log that covers the time when that message was received by MDaemon (based on the timestamp in the received header) and search for that Message-ID in the log (in the 250 response line when the message is accepted):

Thu 2013-09-12 20:00:00: –> 250 Ok, message saved <Message-ID: <>>

Look at the rest of transaction and see why the message was accepted/not rejected – spam score, DNSBLs, etc.

Also, if your external domain is listed in the Trusted Hosts or Trusted Domains list (Security | Security Settings | Trusted Hosts), try removing it from this list.

Check back often for more tips & tricks!

MDaemon Mail Pruning Tips & Tricks

MDaemon’s pruning feature allows you to remove old data from the server and free up disk space. You may be familiar with the Public Folder Pruning settings under the Server Settings menu, or the Account & Mail Pruning settings under the Domain Manager, but did you know you can fine-tune your pruning settings using a Command prompt? The command line interface allows you to be very specific about what you want to prune. For example, you can prune (remove) messages that are a specified number of days old (say, 15 days) for a sub-folder of the inbox of a specific account, have those messages moved to a designated public folder, or just have the pruning information logged without actually deleting any data so that you can run this feature in test mode.

In the screenshot shown here, I’ve used the /n command to move messages from every user’s Inbox folder (/p=”Inbox.IMAP”) that are over 5 days old (/d=5) to a zipped archive folder in the Backup directory (\z=”c:\backup\archive”).

MDaemon Email Pruning

MDaemon Email Pruning

For a comprehensive lesson on using Account Pruning, including all of its commands and proper syntax, view the AccountPrune.txt file, located in the MDaemon/App directory. This file explains all of the command parameters & provides examples of each.

Please share your comments if you have any questions.