Ability Mail Server Got Hacked.

Postby pagadala1 » Fri Sep 25, 2009 11:38 pm

Hi,

I have been using your Ability Mail Server for the past one year. Recently this server got hacked; whenever I start my server it starts sending junk mails to users, and I am getting lots of complaints about this. Here is the outgoing mail log. Because of this, all major email providers are blocking my emails.

Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Connection accepted.]
Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: ca11886@aol.com]
Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: ca4runway@aol.com]
Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caaring@aol.com]
Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caasel@aol.com]
Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabakerman@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabeech123@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabel33176@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabingal911@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caboosebndt@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabroome01@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cabrummitt@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caburgess@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cacheman93@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cacioppo5@aol.com]
Fri, 25 Sep 2009 15:11:45 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caciquehall@aol.com]
Fri, 25 Sep 2009 15:11:46 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cackyk@aol.com]
Fri, 25 Sep 2009 15:11:46 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Rejected: cactuscjp@aol.com (550 We would love to have gotten this email to cactuscjp@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.)]
Fri, 25 Sep 2009 15:11:46 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cactuscowgirlaz@aol.com]
Fri, 25 Sep 2009 15:11:46 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Transaction rejected with: 421 SERVICE NOT AVAILABLE]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Connection accepted.]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: ca11886@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: ca4runway@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: caaring@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: caasel@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabakerman@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabeech123@aol.com]
Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabel33176@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabingal911@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: caboosebndt@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabroome01@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cabrummitt@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: caburgess@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cacheman93@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cacioppo5@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: caciquehall@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cackyk@aol.com]
Fri, 25 Sep 2009 15:11:48 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Rejected: cactuscjp@aol.com (550 We would love to have gotten this email to cactuscjp@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.)]
Fri, 25 Sep 2009 15:11:48 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: cactuscowgirlaz@aol.com]
Fri, 25 Sep 2009 15:11:49 -> Success: Action=[SMTP Transfer], Details=[Domain=ntcumc.org, Host=mail.ntcumc.org:25, IP=74.7.116.178: Recipient Accepted: cajiuat@ntcumc.org]
Fri, 25 Sep 2009 15:11:49 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Transaction rejected with: 421 SERVICE NOT AVAILABLE]
Fri, 25 Sep 2009 15:11:49 -> Success: Action=[SMTP Transfer], Details=[Domain=ntcumc.org, Host=mail.ntcumc.org:25, IP=74.7.116.178: Transaction completed, sent to 1 of 1 recipients successfully.]
Fri, 25 Sep 2009 15:11:49 -> Success: Action=[MX Lookup], Details=[DNS=192.168.1.202, Domain=lamar.com: Found 1 records]
Fri, 25 Sep 2009 15:11:49 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Connection accepted.]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: ca11886@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: ca4runway@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: caaring@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: caasel@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=lamar.com, Host=cuda.lamar.com:25, IP=65.124.72.45: Connection accepted.]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabakerman@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabeech123@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabel33176@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabingal911@aol.com]
Fri, 25 Sep 2009 15:11:50 -> Failed: Action=[SMTP Transfer], Details=[Domain=lamar.com, Host=cuda.lamar.com:25, IP=65.124.72.45: Recipient Rejected: cajones@lamar.com (554 Service unavailable; Client host [rrcs-69-63-87-194.west.biz.rr.com] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=69.63.87.194)]
Fri, 25 Sep 2009 15:11:50 -> Failed: Action=[SMTP Transfer], Details=[Domain=lamar.com, Host=cuda.lamar.com:25, IP=65.124.72.45: All remaining recipients were rejected.]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: caboosebndt@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabroome01@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Failed: Action=[MX Lookup], Details=[DNS=192.168.1.202, Domain=suscom.net]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cabrummitt@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: caburgess@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[MX Lookup], Details=[DNS=192.168.1.202, Domain=hawaii.rr.com: Found 2 records]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cacheman93@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cacioppo5@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: caciquehall@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cackyk@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Rejected: cactuscjp@aol.com (550 We would love to have gotten this email to cactuscjp@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.)]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Recipient Accepted: cactuscowgirlaz@aol.com]
Fri, 25 Sep 2009 15:11:51 -> Success: Action=[SMTP Transfer], Details=[Domain=hawaii.rr.com, Host=hrndva-smtpin01.mail.rr.com:25, IP=71.74.56.243: Connection accepted.]
Fri, 25 Sep 2009 15:11:52 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-01.mx.aol.com:25, IP=64.12.222.197: Transaction rejected with: 421 SERVICE NOT AVAILABLE]
pagadala1
 
Posts: 7
Joined: Sun Jun 01, 2008 8:14 am

Re: Ability Mail Server Got Hacked.

Postby Code Crafters » Sun Sep 27, 2009 10:53 am

Make sure that you have SMTP authentication enabled in the SMTP settings. Also make sure that SMTP relaying safe IPs don't cause SMTP authentication to be bypassed by your router IP or otherwise. If you send your mail server domain to chris@code-crafters.com I'll check if your mail server is secured by SMTP authentication.

Once SMTP authentication is enabled, only valid users can relay mail onto the Internet via your mail server. If you still have SPAM mails going through your outgoing mail queue with SMTP authentication, you may have a valid user sending them or a compromised account. To get round this you should check the Outmail, SMTP and WebMail logs to see if you can find any users sending SPAM mails and block their account if necessary. You can also change passwords on your mail accounts if you don't have too many and get the users to retrieve new passwords from you or update these themselves. You can also restrict the Max Mails Per IP Per Day in the SMTP security settings if all your mail doesn't come from a single router IP or similar. There are also Max Mails Per Day settings in the group settings which you can use to stop any single user sending too many mails a day, to limit the potential for SPAM mails being sent.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
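
The log excerpt in the first post, and the advice above to go through the outgoing logs looking for abuse, both call for a small triage script. The following is an added example written for this thread, not a tool shipped with Ability Mail Server: it parses lines in the layout visible in the excerpt (the field names `ts`, `result`, `action`, `details` and `msg` are my own labels, not the product's), counts accepted recipients per destination domain, groups rejections by SMTP reply code, pulls out any address the remote side says it has blocklisted (the Barracuda 554 in the excerpt names the sending IP), and flags one signature of harvested address lists, namely recipients worked through in alphabetical order. The sample lines are copied from the post; the excerpt carries no authenticated-sender field, so which local account relayed the mail has to come from the SMTP or WebMail logs the reply mentions.

```python
"""Triage of Ability Mail Server outgoing-mail log lines.

Added example, not code shipped with Ability Mail Server. The line layout is
inferred from the excerpt quoted in the thread; field names such as `ts` and
`msg` are assumptions made here.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>.+?) -> (?P<result>Success|Failed): "
    r"Action=\[(?P<action>[^\]]+)\], Details=\[(?P<details>.*)\]$"
)
# Details of an "SMTP Transfer" action: destination, MX host:port, MX IP, then a message.
SMTP_RE = re.compile(
    r"^Domain=(?P<domain>[^,]+), Host=(?P<host>[^,]+), IP=(?P<ip>[^:]+): (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Recipient Accepted: (?P<rcpt>\S+)$")
# Per-recipient (550/554 ...) and per-transaction (421 ...) rejections both carry a reply code.
REJECT_RE = re.compile(
    r"(?:Recipient Rejected: (?P<rcpt>\S+) \(|Transaction rejected with: )(?P<code>\d{3})"
)
BLOCKLIST_RE = re.compile(r"blocked using|reputation|blacklist|\brbl\b", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Lines copied from the log excerpt in the first post of the thread.
SAMPLE_LINES = [
    "Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Connection accepted.]",
    "Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: ca11886@aol.com]",
    "Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: ca4runway@aol.com]",
    "Fri, 25 Sep 2009 15:11:44 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: caaring@aol.com]",
    "Fri, 25 Sep 2009 15:11:46 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Rejected: cactuscjp@aol.com (550 We would love to have gotten this email to cactuscjp@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.)]",
    "Fri, 25 Sep 2009 15:11:46 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Recipient Accepted: cactuscowgirlaz@aol.com]",
    "Fri, 25 Sep 2009 15:11:46 -> Failed: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-03.mx.aol.com:25, IP=205.188.109.56: Transaction rejected with: 421 SERVICE NOT AVAILABLE]",
    "Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Connection accepted.]",
    "Fri, 25 Sep 2009 15:11:47 -> Success: Action=[SMTP Transfer], Details=[Domain=aol.com, Host=mailin-02.mx.aol.com:25, IP=205.188.155.72: Recipient Accepted: ca11886@aol.com]",
    "Fri, 25 Sep 2009 15:11:49 -> Success: Action=[SMTP Transfer], Details=[Domain=ntcumc.org, Host=mail.ntcumc.org:25, IP=74.7.116.178: Recipient Accepted: cajiuat@ntcumc.org]",
    "Fri, 25 Sep 2009 15:11:50 -> Failed: Action=[SMTP Transfer], Details=[Domain=lamar.com, Host=cuda.lamar.com:25, IP=65.124.72.45: Recipient Rejected: cajones@lamar.com (554 Service unavailable; Client host [rrcs-69-63-87-194.west.biz.rr.com] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=69.63.87.194)]",
    "Fri, 25 Sep 2009 15:11:50 -> Failed: Action=[SMTP Transfer], Details=[Domain=lamar.com, Host=cuda.lamar.com:25, IP=65.124.72.45: All remaining recipients were rejected.]",
    "Fri, 25 Sep 2009 15:11:51 -> Failed: Action=[MX Lookup], Details=[DNS=192.168.1.202, Domain=suscom.net]",
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["action"] == "SMTP Transfer":
        d = SMTP_RE.match(rec["details"])
        if d:
            rec.update(d.groupdict())
    return rec


def triage(lines):
    """Summarise an outgoing log: who was mailed, what bounced, which MX hosts were
    retried, and whether a remote server reported our sending IP as blocklisted."""
    accepted_per_domain = Counter()
    rejections_by_code = Counter()
    hosts_per_domain = defaultdict(set)
    blocklisted_ips = set()
    seen_rcpts = []  # first-seen order, de-duplicated, so retries do not inflate counts
    for line in lines:
        rec = parse_line(line)
        if not rec or "msg" not in rec:  # skip MX lookups and unparseable lines
            continue
        hosts_per_domain[rec["domain"]].add(rec["host"])
        a = ACCEPT_RE.match(rec["msg"])
        if a:
            accepted_per_domain[rec["domain"]] += 1
            if a["rcpt"] not in seen_rcpts:
                seen_rcpts.append(a["rcpt"])
            continue
        r = REJECT_RE.search(rec["msg"])
        if r:
            rejections_by_code[r["code"]] += 1
            if BLOCKLIST_RE.search(rec["msg"]):
                # The remote quotes the client address it blocked (ours), not its own MX IP.
                blocklisted_ips.update(
                    ip for ip in IPV4_RE.findall(rec["msg"]) if ip != rec["ip"]
                )
    local_parts = [rc.split("@")[0] for rc in seen_rcpts]
    return {
        "accepted_per_domain": dict(accepted_per_domain),
        "unique_recipients": len(seen_rcpts),
        "rejections_by_code": dict(rejections_by_code),
        "mx_hosts_tried": {d: len(h) for d, h in hosts_per_domain.items()},
        "blocklisted_ips": sorted(blocklisted_ips),
        # Heuristic: harvested address lists are often delivered in alphabetical
        # order, which genuine user traffic rarely is.
        "alphabetical_recipients": len(local_parts) > 2 and local_parts == sorted(local_parts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")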

Re: Ability Mail Server Got Hacked.

Postby Marc » Tue Oct 06, 2009 1:04 am

Hello Chris,

I am sending you my remote admin url if you can help. I have the same issue as above, but mine is intermittent.

Thanks Marc
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Ability Mail Server Got Hacked.

Postby Code Crafters » Tue Oct 06, 2009 11:01 am

Send your mail server domain, remote admin port and remote admin username / password to chris@code-crafters.com (not on forum of course) and I'll log in and take a look at your settings for any obvious problems.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Ability Mail Server Got Hacked.

Postby Code Crafters » Tue Oct 06, 2009 2:50 pm

Looking at your settings, you are secured by SMTP authentication correctly which means that only users with a valid username and password can relay mail externally via your Ability Mail Server. However, there are the following possible causes of abuse on your hosted domains.

1) You host a lot of domains with quite a few users. Any of these legitimate users can relay mail via your AMS to other external addresses. You should make sure you have set group limits on the Max Mails Per Day sent by each user. If all of your traffic doesn't come from a single router Internet IP you can also limit per IP in the SMTP settings.
2) Also you should consider the possibility that an account has been compromised and its username and password used to send SPAM. Check your SMTP logs for any abusive sender addresses hosted on your mail server and take appropriate action such as temporarily suspending or deleting the account. Chances are the user may not know so changing the password may be all that is needed to stop this from continuing.
3) Your primary domain doesn't have an SPF record. Without one people can easily spoof mail as coming from your domains without it ever passing through your Ability Mail Server. If you add an SPF record, any mail servers that support SPF (which most good ones do) will block any mail that doesn't come from the authorised IPs you set in the SPF record. You should add an SPF record (actually a TXT record) for any of your domains that you control similar to the following:

v=spf1 mx ptr -all

Let me know how you get on.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
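
To show what a receiving server actually does with a record like the `v=spf1 mx ptr -all` suggested above, here is an added example (my own code, not part of Ability Mail Server) that evaluates SPF mechanisms against an offline, constructed DNS view. All zone data in `FAKE_DNS` is made up for the demonstration (documentation address ranges, `example.*` names). Two caveats a practitioner will want, both visible in the tests: `ptr` only matches when the reverse name also resolves forward to the sending IP, and RFC 7208 advises against using `ptr` at all because of the DNS load it causes; and a record pasted with a typographic dash instead of a plain `-` before `all` is not a valid mechanism and yields `permerror`, so the record should be checked byte for byte after it is published. The code goes beyond the thread's record by also handling `ip4` and `include`, which is enough to see the general matching loop.

```python
"""Minimal SPF (RFC 7208) evaluator over an offline, constructed DNS view.

Added example, not part of Ability Mail Server. DNS answers come from FAKE_DNS
(constructed data); a real checker would query a resolver. Handles the
mechanisms all, ip4, a, mx, ptr and include; modifiers such as redirect= and
exp=, and CIDR suffixes on a/mx, are deliberately left out.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data: "txt" holds SPF records, "mx" MX hostnames per domain,
# "a" forward addresses per hostname, "ptr" reverse names per IP address.
FAKE_DNS = {
    "txt": {
        "example.org": "v=spf1 mx ptr -all",
        "bulk.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
        "example.com": "v=spf1 include:bulk.example.net -all",
        "typo.example": "v=spf1 mx \u2013all",  # en dash pasted instead of '-'
    },
    "mx": {"example.org": ["mail.example.org"]},
    "a": {"mail.example.org": ["198.51.100.10"]},
    "ptr": {
        "198.51.100.10": ["mail.example.org"],        # forward-confirmed
        "192.0.2.9": ["mail.example.org"],            # claimed, but forward lookup disagrees
        "192.0.2.7": ["host.unrelated.example"],      # not under example.org at all
    },
}


def parse_record(txt):
    """Split an SPF TXT string into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means pass on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def evaluate(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for mail from sender_ip claiming MAIL FROM @domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; treat deep includes as an error
        return "permerror"
    txt = dns["txt"].get(domain)
    if txt is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_record(txt):
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(str(ip) in dns["a"].get(h, []) for h in dns["mx"].get(target, []))
        elif mech == "ptr":
            # A reverse name counts only if it lies under the target domain AND
            # resolves forward to the sending IP; otherwise anyone controlling
            # reverse DNS for their own IP could simply claim our hostname.
            matched = any(
                (n == target or n.endswith("." + target)) and str(ip) in dns["a"].get(n, [])
                for n in dns["ptr"].get(str(ip), [])
            )
        elif mech == "include":
            matched = evaluate(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism, e.g. a mangled '\u2013all'
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for dom, ip in [("example.org", "198.51.100.10"), ("example.org", "192.0.2.9"),
                    ("example.com", "203.0.113.77"), ("typo.example", "192.0.2.7")]:
        print(f"{ip} for {dom}: {evaluate(dom, ip)}")
```

Run stand-alone it prints the four results; the first passes via `mx`, the second fails because the forged PTR name does not resolve back to the sending address, the third passes through `include`, and the last shows the mangled dash turning the whole record into a permanent error rather than a hard fail.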

Re: Ability Mail Server Got Hacked.

Postby Marc » Wed Oct 07, 2009 3:12 am

Good advice here, thanks for taking the time to do that Chris.

I had forgotten the extra settings for groups, so simply setting the max mails per day will help greatly while I troubleshoot it further and add the SPF settings.

Thanks for now.
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Ability Mail Server Got Hacked.

Postby Code Crafters » Wed Oct 07, 2009 10:04 am

You're very welcome. Let me know if you need any further help with this or email me if you want me to recheck any of your settings or domains for SPF records being set up correctly.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Ability Mail Server Got Hacked.

Postby Marc » Wed Oct 07, 2009 11:58 pm

I think the issue I have could be caused by an auto responder set up by one user. It is responding to all his spam.

I take it the "Max sent mails per day" setting doesn't override the autoresponder?
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Ability Mail Server Got Hacked.

Postby Code Crafters » Thu Oct 08, 2009 9:33 am

Please see the forum topic Autoresponder problems with SPAM for our recommended solution to this problem. If possible, please post further replies to this topic on the linked post, as another user has also just posted a reply to this topic. Note that there are 2 pages of replies; the solution by Rob from our team is on page 1. I will also discuss this with our team to consider adding a better built-in solution to this issue in future updates.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
