> On Jul 6, 2016, at 12:50 PM, Michael D. Sofka <sof...@rpi.edu> wrote:
>
> On 07/06/2016 01:35 PM, Ben Greenfield wrote:
>>
>>> On Jul 6, 2016, at 1:21 PM, SH Development <listacco...@starionline.com> wrote:
>>>
>>> Here’s a strange one. In my normal routine of glancing at the maillog
>>> file, and subsequently the queue, I noticed several hundred emails queued
>>> up, all with some bogus email variation on one of my domains. So for
>>> instance:
>>>
>>> abj...@mydomain.com
>>> lwoei...@mydomain.com
>>>
>>> And so forth.
>>>
>>> I traced it back to a particular IP address, and as a temporary stop-gap
>>> measure, blocked that IP in the firewall and changed the passwords on the
>>> two email addresses that use that domain. The spam stopped.
>>
>> When I have seen this, someone’s email password has been phished.
>
> See my previous response to Michael Fox on how to lock down authenticated
> senders to a canonical envelope sender. This will prevent the rotating
> forged local addresses, and make it much easier to see which account has been
> compromised in the process. Then it's simply a matter of disabling the
> account.
>
> The account can be found in the logs as well, but is there any need for your
> own senders to arbitrarily forge email from your domain?
No, there is no need.

What I’m finding difficult is the lack of information in my logs about this. I did a search on the message ID of one of the messages. It shows multiple attempts of trying to deliver the message (and nobody’s accepting), but it doesn’t show me when it was created or by what account. Could I have something turned off in logging that should be on?

Jeff
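Added example, not part of the thread above: the account is normally in the log already, but on a different line than the message ID. Postfix ties the `smtpd` line (client address, `sasl_username`), the `cleanup` line (`message-id=`), the `qmgr` line (envelope `from=`, `nrcpt=`) and every later delivery attempt together with the same queue ID, so searching for the message ID alone only finds the `cleanup` and delivery lines. The script below correlates lines by queue ID, looks up a message ID, and reports every authenticated account whose envelope sender differs from its login, which is the rotating-forgery pattern described in the thread. The log lines, hostnames, queue IDs and addresses are constructed samples in the standard Postfix log format, not lines from anyone's real mail server.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix log lines (not from the original thread).
# Two messages sent through the "sales" login with rotating forged senders,
# one legitimate message where login and envelope sender agree.
SAMPLE_LOG = """\
Jul  6 12:40:01 mx1 postfix/smtpd[2101]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales@mydomain.example
Jul  6 12:40:01 mx1 postfix/cleanup[2102]: 3A1B2C3D4E: message-id=<20160706164001.01@mydomain.example>
Jul  6 12:40:01 mx1 postfix/qmgr[1900]: 3A1B2C3D4E: from=<abjqzk@mydomain.example>, size=2314, nrcpt=40 (queue active)
Jul  6 12:40:07 mx1 postfix/smtp[2110]: 3A1B2C3D4E: to=<someone@example.net>, relay=none, delay=6, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.10]:25: Connection refused)
Jul  6 12:41:15 mx1 postfix/smtpd[2103]: 5F6A7B8C9D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales@mydomain.example
Jul  6 12:41:15 mx1 postfix/cleanup[2104]: 5F6A7B8C9D: message-id=<20160706164115.02@mydomain.example>
Jul  6 12:41:15 mx1 postfix/qmgr[1900]: 5F6A7B8C9D: from=<lwoeiyt@mydomain.example>, size=2290, nrcpt=35 (queue active)
Jul  6 12:42:00 mx1 postfix/smtpd[2105]: 7C8D9E0F1A: client=laptop.mydomain.example[198.51.100.7], sasl_method=PLAIN, sasl_username=jeff@mydomain.example
Jul  6 12:42:00 mx1 postfix/cleanup[2106]: 7C8D9E0F1A: message-id=<20160706164200.03@mydomain.example>
Jul  6 12:42:00 mx1 postfix/qmgr[1900]: 7C8D9E0F1A: from=<jeff@mydomain.example>, size=1020, nrcpt=1 (queue active)
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$'
)

# Fields worth pulling out of the per-queue-ID lines. Searched with regexes
# rather than split on commas, because status text may itself contain commas.
FIELD_PATTERNS = {
    'client': re.compile(r'\bclient=([^,\s]+)'),
    'sasl_username': re.compile(r'\bsasl_username=([^,\s]+)'),
    'message_id': re.compile(r'\bmessage-id=(<[^>]*>)'),
    'envelope_from': re.compile(r'\bfrom=<([^>]*)>'),
    'nrcpt': re.compile(r'\bnrcpt=(\d+)'),
}


def parse_log(text):
    """Fold all lines sharing a queue ID into one record per message.

    first_seen is the timestamp of the earliest line for that queue ID,
    i.e. when the message was accepted, not when delivery was retried."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a queue ID (e.g. NOQUEUE rejects)
        qid = m.group('qid')
        rec = records.setdefault(qid, {'queue_id': qid, 'first_seen': m.group('ts')})
        rest = m.group('rest')
        for key, pattern in FIELD_PATTERNS.items():
            f = pattern.search(rest)
            if f and key not in rec:
                rec[key] = f.group(1)
    return records


def find_by_message_id(records, message_id):
    """Return the correlated record for a Message-ID, or None."""
    for rec in records.values():
        if rec.get('message_id') == message_id:
            return rec
    return None


def forged_sender_report(records):
    """Map each authenticated login to the envelope senders it used that
    do not match the login itself. A login with many distinct mismatched
    senders is the compromised-account signature from the thread."""
    by_user = defaultdict(set)
    for rec in records.values():
        user = rec.get('sasl_username')
        sender = rec.get('envelope_from')
        if user and sender is not None and sender.lower() != user.lower():
            by_user[user].add(sender)
    return {user: sorted(senders) for user, senders in by_user.items()}


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    hit = find_by_message_id(recs, '<20160706164001.01@mydomain.example>')
    print('message accepted', hit['first_seen'], 'from', hit['client'],
          'as', hit['sasl_username'], 'envelope', hit['envelope_from'])
    for user, senders in forged_sender_report(recs).items():
        print(user, 'sent as', ', '.join(senders))
```

Run it against a real maillog by replacing `SAMPLE_LOG` with the file contents (`grep` the queue ID first if the log is large). Once the account is known, the lock-down Michael refers to is Postfix's `smtpd_sender_login_maps` together with `reject_sender_login_mismatch` in the submission restrictions, which makes the `smtpd` line reject the forged envelope sender up front instead of leaving hundreds of deferred deliveries to trace afterwards.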