On 07/06/2016 01:35 PM, Ben Greenfield wrote:
> On Jul 6, 2016, at 1:21 PM, SH Development <listacco...@starionline.com> wrote:
>> Here’s a strange one. In my normal routine of glancing at the maillog file,
>> and subsequently the queue, I noticed several hundred emails queued up, all
>> with some bogus email variation on one of my domains. So for instance:
>> abj...@mydomain.com
>> lwoei...@mydomain.com
>> And so forth.
>> I traced it back to a particular IP address, and as a temporary stop-gap
>> measure, blocked that IP in the firewall and changed the passwords on the two
>> email addresses that use that domain. The spam stopped.
> When I have seen this, someone’s email password has been phished.
See my previous response to Michael Fox on how to lock down
authenticated senders to a canonical envelope sender. This will prevent
the rotating forged local addresses, and make it much easier to see
which account has been compromised in the process. Then it's simply a
matter of disabling the account.
The account can be found in the logs as well, but is there any need for
your own senders to arbitrarily forge email from your domain?
Mike
--
Michael D. Sofka sof...@rpi.edu
C&MT Sr. Systems Programmer, Email, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
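An added example, not code from the thread or from any of the posters, showing the two things Mike's reply points at: finding the compromised account in the logs by joining the SMTP-AUTH login to the envelope sender of each queued message, and rendering the per-login map that pins each authenticated sender to its own address. It assumes the MTA is Postfix (the thread does not name it), that `smtpd` logs `client=... sasl_username=...` and `qmgr` logs `from=<...>` under the same queue ID, and that the map format is the one consumed by Postfix's `smtpd_sender_login_maps`; the log lines, queue IDs, IPs and addresses are constructed for the example.

```python
"""Correlate SMTP-AUTH logins with envelope senders in a Postfix maillog.

Added example, not code from the thread.  Assumes the MTA is Postfix and
that smtpd logs "client=... sasl_username=..." and qmgr logs "from=<...>"
for the same queue ID, as in the constructed SAMPLE_LOG below.
"""
import re
from collections import defaultdict

# smtpd line for an authenticated submission: carries the queue ID, the
# client hostname[IP] and the SASL login name.  Unauthenticated clients
# have no sasl_username, so this pattern deliberately does not match them.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<client>\S+?)\[(?P<ip>[^\]]+)\],.*?sasl_username=(?P<user>[^\s,]+)"
)
# qmgr line that records the envelope sender (MAIL FROM) for the queue ID.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>"
)

# Constructed sample: bob's credentials are used from a foreign IP to send
# with rotating made-up local parts; alice is normal; the last message is
# unauthenticated inbound mail and must be ignored by the correlation.
SAMPLE_LOG = """\
Jul  6 13:02:11 mx1 postfix/smtpd[2211]: 7F3A1B2C4D: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jul  6 13:02:11 mx1 postfix/qmgr[1800]: 7F3A1B2C4D: from=<qwrtz1@mydomain.com>, size=2310, nrcpt=40 (queue active)
Jul  6 13:02:14 mx1 postfix/smtpd[2211]: 7F3A1B2C4E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jul  6 13:02:14 mx1 postfix/qmgr[1800]: 7F3A1B2C4E: from=<hjkl88@mydomain.com>, size=2298, nrcpt=38 (queue active)
Jul  6 13:05:02 mx1 postfix/smtpd[2230]: 7F3A1B2C4F: client=desk12.mydomain.com[192.0.2.12], sasl_method=PLAIN, sasl_username=alice@mydomain.com
Jul  6 13:05:02 mx1 postfix/qmgr[1800]: 7F3A1B2C4F: from=<alice@mydomain.com>, size=1120, nrcpt=1 (queue active)
Jul  6 13:06:40 mx1 postfix/smtpd[2235]: 7F3A1B2C50: client=mail.example.net[198.51.100.7]
Jul  6 13:06:40 mx1 postfix/qmgr[1800]: 7F3A1B2C50: from=<someone@example.net>, size=5400, nrcpt=1 (queue active)
"""


def parse_maillog(lines):
    """Join smtpd and qmgr lines on queue ID.

    Returns one dict (qid, ip, user, sender) per authenticated message whose
    envelope sender was logged; unauthenticated messages are dropped.
    """
    pending = {}   # queue ID -> (ip, user) taken from the smtpd line
    records = []
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            pending[m["qid"]] = (m["ip"], m["user"])
            continue
        m = FROM_RE.search(line)
        if m and m["qid"] in pending:
            ip, user = pending.pop(m["qid"])
            records.append({"qid": m["qid"], "ip": ip, "user": user,
                            "sender": m["sender"].lower()})
    return records


def sender_mismatches(records):
    """Map each login to the set of envelope senders that differ from it.

    A login fanning out over many invented senders is the pattern the
    thread describes; the comparison is case-insensitive.
    """
    mismatched = defaultdict(set)
    for r in records:
        if r["sender"] != r["user"].lower():
            mismatched[r["user"]].add(r["sender"])
    return dict(mismatched)


def clients_for(records, user):
    """Client IPs that authenticated as `user` (what to block first)."""
    return {r["ip"] for r in records if r["user"] == user}


def sender_login_map(logins):
    """Render a sender_login map pinning each login to its own address.

    Fed to Postfix through smtpd_sender_login_maps and enforced with
    reject_authenticated_sender_login_mismatch, this refuses any other
    envelope sender from that login, so forged local addresses stop and
    the offending account shows up directly in the reject line.
    """
    return "".join(f"{u}\t{u}\n" for u in sorted(set(logins)))


if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_LOG.splitlines())
    for user, senders in sender_mismatches(recs).items():
        print(f"{user}: {len(senders)} forged senders from {clients_for(recs, user)}")
    print(sender_login_map(r["user"] for r in recs), end="")
```

Run against a real maillog, the script reports which login is rotating through forged senders and from which client IPs, which is the account to disable; the rendered map is the one-login-one-sender policy Mike describes, and the response to Michael Fox he refers to is not on this page, so the Postfix settings named above are the standard ones assumed to match it.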