> On Jul 6, 2016, at 1:21 PM, SH Development <listacco...@starionline.com> wrote:
>
> Here’s a strange one. In my normal routine of glancing at the maillog file, and subsequently the queue, I noticed several hundred emails queued up, all with some bogus email variation on one of my domains. So for instance:
>
> abj...@mydomain.com
> lwoei...@mydomain.com
>
> And so forth.
>
> I traced it back to a particular IP address, and as a temporary stop-gap measure, blocked that IP in the firewall and changed the passwords on the two email addresses that use that domain. The spam stopped.

When I have seen this, someone’s email password has been phished.

> The strange thing is that as soon as I unblock that one IP, it starts up again. I’m not sure how this one IP is managing to spoof email, and I am not having any issues with any of my other 40 domains. I can very clearly start and stop the abuse by blocking the IP.

What usually happens to me is that when the spam starts again, the first login of the spammer using the compromised address will show up. After the initial login I believe it keeps the connection open and continues to write new emails using the bogus addresses

> abj...@mydomain.com
> lwoei...@mydomain.com

> I’m not sure what I’m looking for, or how to find out how they are dumping this spam on my server. I thought I had it locked down pretty well and I haven’t had any problems for a couple of years until this week.

I believe I usually grab the message id and search the logs for the submitter, and eventually I can usually catch the initial login. I’m no expert but that is how I cope with this. It has only happened twice.

Ben

> Jeff
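One way to do the log search Ben describes (correlating a bogus-sender message, by queue ID or message-id, back to the client IP and the SASL login that submitted it), as an added example that is not code from the thread. It assumes Postfix-style maillog lines and runs over a constructed excerpt with made-up queue IDs, IPs and addresses:

```python
import re
from collections import Counter, defaultdict
# Constructed Postfix-style maillog excerpt (made-up queue IDs, IPs, addresses); 203.0.113.7 is the abusive client.
SAMPLE_LOG = """\
Jul  6 13:01:02 mx postfix/smtpd[1201]: 3A1B2C: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=jeff@mydomain.com
Jul  6 13:01:02 mx postfix/cleanup[1202]: 3A1B2C: message-id=<1001@mydomain.com>
Jul  6 13:01:03 mx postfix/qmgr[1203]: 3A1B2C: from=<abj8f2@mydomain.com>, size=2048, nrcpt=40 (queue active)
Jul  6 13:01:09 mx postfix/smtpd[1201]: 4D5E6F: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=jeff@mydomain.com
Jul  6 13:01:09 mx postfix/cleanup[1202]: 4D5E6F: message-id=<1002@mydomain.com>
Jul  6 13:01:10 mx postfix/qmgr[1203]: 4D5E6F: from=<lwoei7q@mydomain.com>, size=2100, nrcpt=45 (queue active)
Jul  6 13:05:00 mx postfix/smtpd[1204]: 7A8B9C: client=home.example.net[198.51.100.4], sasl_method=PLAIN, sasl_username=jeff@mydomain.com
Jul  6 13:05:00 mx postfix/cleanup[1202]: 7A8B9C: message-id=<1003@mydomain.com>
Jul  6 13:05:01 mx postfix/qmgr[1203]: 7A8B9C: from=<jeff@mydomain.com>, size=900, nrcpt=1 (queue active)
"""

QUEUE_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
CLIENT_RE = re.compile(r"client=\S+\[([0-9a-fA-F.:]+)\](?:.*sasl_username=(\S+))?")
FROM_RE = re.compile(r"from=<([^>]*)>")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")

def correlate(log_text):
    """Join smtpd/cleanup/qmgr lines by queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if c := CLIENT_RE.search(rest):
            msgs[qid]["client_ip"] = c.group(1)
            msgs[qid]["sasl_username"] = c.group(2)  # None if not authenticated
        if f := FROM_RE.search(rest):
            msgs[qid]["sender"] = f.group(1).lower()
        if i := MSGID_RE.search(rest):
            msgs[qid]["message_id"] = i.group(1)
    return dict(msgs)

def spoofed_senders(log_text, domain, real_mailboxes):
    """Messages whose envelope sender is in `domain` but is not a real mailbox."""
    hits = []
    for qid, rec in correlate(log_text).items():
        sender = rec.get("sender", "")
        if sender.endswith("@" + domain) and sender not in real_mailboxes:
            hits.append((qid, sender, rec.get("client_ip"), rec.get("sasl_username")))
    return hits

def blame(hits):
    """Count spoofed submissions per (client IP, SASL login): the account to reset."""
    return Counter((ip, user) for _, _, ip, user in hits)
```

On the sample, both bogus-sender messages resolve to the same IP and the same authenticated login, which is the compromised mailbox rather than a spoofing hole in the server.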