Finding a Compromised Email Account

A few months ago we put up a post about some steps you can take to avoid having your mail server blacklisted on various RBLs and other anti-spam lists. This is a great preventative measure, but it doesn’t mean an email account can’t get compromised. So, what do you do if you DO have a compromised account on your mail server? And how can you find which account was the one compromised?

Before we look at how to find a compromised account, let’s look at some signs that point to possibly having an account that’s being used for spamming. These indications include:

  • Having email deliveries rejected by popular mail services like Gmail, Yahoo! or Live.com
  • Having email deliveries rejected from other ISPs and/or hosting providers
  • Seeing a lot of email filling up your spool
  • And, of course, having customers call in complaining of delivery delays

Thankfully, SmarterMail makes it very easy to find an email account that is potentially compromised. All you need to do is check your Message Traffic report. To do this:

  1. Log in to SmarterMail as the system administrator
  2. Go to the Reports area
  3. Expand System Summary Reports, then Traffic Reports
  4. Click on Message Traffic
    1. This report lists all domains on the mail server, and also displays the total incoming and outgoing messages for those domains. The domain with the compromised account will more than likely be the one with the most outgoing messages.
  5. Click on the domain you suspect to have the compromised account to display all of the users of that domain. Again, the one that is compromised is more than likely the one with the most messages sent.
  6. Click on the user to take a look at their message traffic from the past week. Generally, you’ll see a large increase in outgoing messages that will probably coincide with when the account was hacked.
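To show the same procedure outside the GUI, here is an added Python example (not SmarterMail code) that ranks domains and users by outgoing volume over constructed per-user daily counts, and also flags the day an account’s sending jumped against its own prior-week baseline, which is the “large increase” you would eyeball in step 6. The TRAFFIC data, the user names and the 5x threshold are all made up for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: {user: daily outgoing counts, oldest first} over 14 days.
# Days 0-6 are the baseline week, days 7-13 the week the report covers.
# bob@example.net starts blasting mail on day 9, mimicking a hijacked account.
TRAFFIC = {
    "alice@example.com": [40, 45, 38, 50, 42, 10, 8, 44, 47, 41, 39, 45, 9, 11],
    "sales@example.com": [300, 320, 310, 290, 305, 60, 55,
                          315, 298, 302, 311, 300, 58, 61],
    "bob@example.net": [12, 15, 10, 14, 11, 3, 2,
                        13, 12, 2400, 3100, 2900, 3300, 2800],
    "carol@example.net": [20, 22, 19, 25, 21, 5, 4, 23, 20, 24, 22, 19, 6, 5],
}
WEEK = slice(7, 14)      # the report window
BASELINE = slice(0, 7)   # the week before it

def outgoing_by_domain(traffic, days=WEEK):
    """Step 4: total outgoing messages per domain, busiest domain first."""
    totals = defaultdict(int)
    for user, counts in traffic.items():
        totals[user.split("@", 1)[1]] += sum(counts[days])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def outgoing_by_user(traffic, domain, days=WEEK):
    """Step 5: outgoing messages per user of one domain, busiest user first."""
    rows = [(u, sum(c[days])) for u, c in traffic.items()
            if u.endswith("@" + domain)]
    return sorted(rows, key=lambda kv: kv[1], reverse=True)

def spike_days(counts, factor=5.0):
    """Step 6: days in the report window where the account sent more than
    `factor` times its own median from the baseline week.  Comparing against the
    account's history keeps a busy sales mailbox quiet while an idle user that
    suddenly lights up stands out."""
    base = max(median(counts[BASELINE]), 1)
    return [d for d, n in enumerate(counts[WEEK], WEEK.start) if n > factor * base]

def find_suspects(traffic, factor=5.0):
    """Walk domains and users in report order; map each account that spiked
    to the first day of the spike, which is roughly when it was compromised."""
    suspects = {}
    for domain, _ in outgoing_by_domain(traffic):
        for user, _ in outgoing_by_user(traffic, domain):
            days = spike_days(traffic[user], factor)
            if days:
                suspects[user] = days[0]
    return suspects

if __name__ == "__main__":
    print(find_suspects(TRAFFIC))  # {'bob@example.net': 9}
```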

So, now that you found the account, what recourse do you have?

First and foremost, you should disable the account. You can do this one of two ways:

  • Simply change the user’s password, or
  • Actually disable their account. When disabling the account, you can elect to disable outgoing mail while allowing the user to continue to receive incoming mail, or disable the account completely. Disabling doesn’t delete the account; it simply keeps it from being able to send, and possibly receive, email.

Once the account is disabled, your spool should start clearing up. If you haven’t yet verified whether the domain, or possibly the mail server as a whole, was blacklisted, you will want to do that now. A simple check over at http://www.mxtoolbox.com will help determine which, if any, blacklists you’re on. From there, you will want to contact each list, using whatever contact method they prefer, to let them know both the steps you’ve taken to stop this spammer and what you’ve done to protect your mail server from future issues. That’s where our previous blog post, 5 Ways to Avoid Being Blacklisted, will come in handy.

As you can see, it’s pretty easy to find a potentially hacked account within SmarterMail. The hope is you won’t ever need to find one, but, if you do, we try to make it as simple as possible. Go ahead and bookmark this post, or, if you’d rather, we’ve condensed some of this information into a knowledge base article, also entitled Finding a Compromised Account. Thanks for reading!

9 Responses to Finding a Compromised Email Account

  1. ATaheri says:

    Hi, when I run this report I always get a Request Timed out – is there a way to be able to retrieve this data?

    • ST-DCurtis says:

      You can use the Message Data report as well, and you can also view reports on a domain-by-domain basis. So maybe use Message Data to find the domain, then manage the domain and run the Message Traffic report to see the users.

      • G9g GAMEs says:

        You can go back to search historical information

  2. Grzegorz W. says:

    Hello,

    maybe you could consider creating some kind of pseudo-intelligent system which will notify the SmarterMail admin if there is a big difference in the outgoing email being sent compared to the email account’s history? This is just an idea, without thinking too much about how it could be implemented, but IMHO worth considering.

    Regards

    • ST-DCurtis says:

      Grzegorz – the Event system and security settings in SmarterMail CAN do something like that already. You have the ability to set up some Abuse Detection rules that will send a notification, then you can also create an Event to fire off when the rule is met. It’s not an historical setting, but you can set limits to the number of emails you will allow to be sent in a given timeframe before the rule is triggered. Check this help page for more info: http://help.smartertools.com/SmarterMail/v11/Topics/SystemAdmin/Security/Advanced/AbuseDetection.aspx

      • webio says:

        Hello,

        Yep, I know, but having a lot of customers sending various numbers of emails, and more and more sophisticated email credential hijacking that leads to only a certain number of emails being sent in a given amount of time, an event system option which also covers historical data would be very interesting.

        Regards

      • ST-DCurtis says:

        Point taken. I will add this to the feature list we’ll use for discussing the next version of SmarterMail. Thanks!

      • ATaheri says:

        Do you have any recommendations on the settings to create?

      • ST-DCurtis says:

        Recommendations are tough as they really depend on how your customers use email and your overall business needs/rules. One domain may normally send a lot of email whereas another may not. So standardized guidelines, or even recommendations, are difficult to provide, at best. I’d suggest looking at some historical data for the mail server and its domains, then work from there.
