URGENT: Spammer manages to authenticate

swepilot
Posts: 4
Joined: Tue Apr 21, 2020 5:44 am


Post by swepilot »

Hi!

I've been running the server for a week or so. I thought I had set it up to block all the nasty spammers.
However, it's now being used for spam, and I can see in the logs that the spammer manages to authenticate with an account that doesn't even exist.
The domain exists as a domain in one postoffice, but the user mailbox/account does not. Even so, it looks like the account (that does not exist) is authenticated.

Log:

04/29/20 00:00:30 ME-I0135: Authenticated User:(non-existing_account)@(existing_domain).com using Authentication Provider Credentials
04/29/20 00:00:30 ME-I0108: [2128] Relay Granted: Sender has authenticated.
04/29/20 00:00:30 ME-I0135: Authenticated User:(non-existing_account)@(existing_domain).com using Authentication Provider Credentials

How can this be?
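The log lines quoted above show the check a practitioner would want to automate: every identity that passes SMTP AUTH (ME-I0135) gets relay rights (ME-I0108), so the set of authenticated identities should be compared against the mailboxes the administrator knowingly created. The script below is an added example, not code from the original post or from MailEnable; the log lines are constructed to match the format quoted above, and the known-mailbox inventory (`KNOWN_MAILBOXES`) is an assumed input that on a real server would come from the postoffice configuration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the MailEnable SMTP activity log
# format quoted in the post (ME-I0135 / ME-I0108). Users, domains and
# timestamps are made up for this example.
SAMPLE_LOG = """\
04/29/20 00:00:30 ME-I0135: Authenticated User:aaa@xyz.com using Authentication Provider Credentials
04/29/20 00:00:30 ME-I0108: [2128] Relay Granted: Sender has authenticated.
04/29/20 00:00:31 ME-I0135: Authenticated User:aaa@xyz.com using Authentication Provider Credentials
04/29/20 00:01:02 ME-I0135: Authenticated User:me@xyz.org using Authentication Provider Credentials
04/29/20 00:01:02 ME-I0108: [2130] Relay Granted: Sender has authenticated.
04/29/20 00:02:15 ME-I0135: Authenticated User:BBB@xyz.com using Authentication Provider Credentials
"""

# Assumed inventory of mailboxes the administrator created on purpose.
# On a real server this would be exported from the postoffice configuration.
KNOWN_MAILBOXES = {"me@xyz.org"}

# ME-I0135 is the "Authenticated User:<identity>" event; the identity is the
# token immediately after the colon.
AUTH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ME-I0135: Authenticated User:(?P<user>\S+)"
)


def authenticated_users(log_text):
    """Count every identity that passed SMTP AUTH, case-folded."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            counts[m.group("user").lower()] += 1
    return counts


def unexpected_logins(log_text, known):
    """Authenticated identities that are not in the known-mailbox inventory.

    Any hit here means an account exists on the server that the administrator
    did not create (or did not know about), which is exactly the situation in
    the post: a mailbox nobody remembers creating is being used to relay spam.
    """
    known_lc = {k.lower() for k in known}
    return {u: n for u, n in authenticated_users(log_text).items() if u not in known_lc}


def relay_grants(log_text):
    """Number of ME-I0108 'Relay Granted' events, i.e. sessions allowed to relay."""
    return sum(
        1 for line in log_text.splitlines()
        if "ME-I0108:" in line and "Relay Granted" in line
    )


if __name__ == "__main__":
    for user, n in sorted(unexpected_logins(SAMPLE_LOG, KNOWN_MAILBOXES).items()):
        print(f"UNEXPECTED authenticated identity {user}: {n} logins")
    print(f"relay grants in log: {relay_grants(SAMPLE_LOG)}")
```

Run against the real SMTP activity log on a schedule; a non-empty result from `unexpected_logins` is the signal to go looking for mailboxes (or whole postoffices) that were created without your knowledge, before the relayed spam gets the server blacklisted.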

swepilot
Posts: 4
Joined: Tue Apr 21, 2020 5:44 am

Re: URGENT: Spammer manages to authenticate

Post by swepilot »

I will reply to this myself, but the answer begs another question...

1. There was indeed a user with that username in the system but I could not see it at first and I had not created it.

2. The question now is who created the user and how? The domain that the user was under was just an internal domain with no admin users. No one else but me had a login to this domain.

3. I had set up a postoffice called XYZ. The postoffice had two domains: xyz.com and xyz.org. The user name that the spammer used was aaa@xyz.com. (username and domains are just made up to explain)

4. When I looked in the XYZ postoffice there was no user called aaa@xyz.com. A very long time ago the email address aaa@xyz.com existed on another mailserver but has not been used for many years and that mail server does not exist anymore.

5. I closed the MMC by mistake and then, when I opened it again, I found the problem. Somehow, someone had created the domains xyz.com and xyz.org as separate postoffices and, behold, under xyz.com there was a mailbox aaa@xyz.com!! Two more mailboxes had been created, bbb@xyz.com and ccc@xyz.com. These two were also valid email addresses that were used a long time ago.

While I am happy I found the explanation to the original problem I am a bit worried about how the postoffices got created. The MailEnable server was running in Migration Mode. Could that somehow explain how they got created?

There is of course the possibility that someone hacked my admin password and logged in to web admin, but that would not allow for new postoffices right?
