Unable to send email, blocked by antivirus

Postby thefid » Fri Jan 13, 2012 4:42 am

The issue: I am unable to send any email. I can still receive email.

Cause: McAfee Enterprise 8.5.0i is blocking all outgoing email:

1/12/2012 6:31:54 PM Blocked by port blocking rule E:\Code-Crafters\Ability Mail Server 3\amsmain.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 176.53.113.13:25
1/12/2012 6:32:55 PM Blocked by port blocking rule E:\Code-Crafters\Ability Mail Server 3\amsmain.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 69.65.39.88:25
1/12/2012 6:34:11 PM Blocked by port blocking rule E:\Code-Crafters\Ability Mail Server 3\amsmain.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 216.18.22.134:25



This is what code crafters says in the outmail log:

Thu, 12 Jan 2012 18:32:35 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Thu, 12 Jan 2012 18:32:35 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Thu, 12 Jan 2012 18:32:35 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=luxuryhomeslosangeles.net: Found 1 records]
Thu, 12 Jan 2012 18:32:35 -> Failed: Action=[SMTP Transfer], Details=[Domain=luxuryhomeslosangeles.net, Host=today.luxuryhomeslosangeles.net:25, IP=50.115.0.190: Connection failed.]
Thu, 12 Jan 2012 18:32:36 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Thu, 12 Jan 2012 18:32:36 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Thu, 12 Jan 2012 18:32:36 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=luxuryhomeslosangeles.net: Found 1 records]
Thu, 12 Jan 2012 18:32:36 -> Failed: Action=[SMTP Transfer], Details=[Domain=luxuryhomeslosangeles.net, Host=today.luxuryhomeslosangeles.net:25, IP=50.115.0.190: Connection failed.]
Thu, 12 Jan 2012 18:32:55 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Thu, 12 Jan 2012 18:32:55 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Thu, 12 Jan 2012 18:32:55 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=behostbasket.com: Found 1 records]
Thu, 12 Jan 2012 18:32:55 -> Failed: Action=[SMTP Transfer], Details=[Domain=behostbasket.com, Host=mail.behostbasket.com:25, IP=69.65.39.88: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Thu, 12 Jan 2012 18:33:15 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Thu, 12 Jan 2012 18:33:15 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=mtcbor.com: Found 5 records]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=tint.mtcbor.com:25, IP=70.99.243.225: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=ruff.mtcbor.com:25, IP=70.99.243.224: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=peel.mtcbor.com:25, IP=70.99.243.227: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=slang.mtcbor.com:25, IP=70.99.243.223: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=cloth.mtcbor.com:25, IP=70.99.243.226: Connection failed.]


I can confirm that none of these outgoing emails were sent by any of the valid owners of the accounts.

I ran a full scan with McAfee, Trend Micro HouseCall, and Panda's ActiveScan, which did not identify any compromised system files.

I need to know:
1. how I can block this traffic before it gets to the anti-virus software.
2. how I can identify if any account passwords have been compromised.

(unrelated to the pressing issue but important to me)
3. how to set up the spam filters to work properly.

Thank you.
thefid
Posts: 3
Joined: Thu Jan 12, 2012 9:44 am

Re: Unable to send email, blocked by antivirus

Postby rob » Fri Jan 13, 2012 11:06 am

Once mail gets into the mail system and past the SPAM checks, there is little you can do to stop the mail at that point. The solution is to get SPAM services up and running (there is a wizard in the SPAM settings which will help you set it up). Of course, if a user is compromised then it is a priority to find this user and block their account. It is unfortunately common for this to occur, and so the best protection against future attacks is to set a daily limit per user for how many mails they can send. This is damage limitation.

To find the current offending user you will need to examine the logs, starting with the outmail log you have shown me here, and looking for the source of those mails in the SMTP log (searching for the sender email address is usually the best bet). This will give you the IP and the username used to log in to the SMTP (or webmail). You can then take action on that user if you are certain it is them.
rob
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Unable to send email, blocked by antivirus

Postby thefid » Mon Jan 16, 2012 12:42 pm

rob wrote: there is a wizard in the SPAM settings which will help you set it up

I have not seen a wizard for the spam filter... please provide more information about this feature.

It appears to have been a compromised account. Changing the passwords resolved the issue with the anti-virus. I also played with several settings while figuring it out, and after restarting the system it was unable to open the ports for POP3, SMTP, and WebMail. Renaming the old directory, reinstalling the software, then copying the email accounts back to the new install resolved that issue. I also enabled anti-hammering and locked it down pretty tight. CurrPorts identified an IP from an old Soviet Union state attempting to connect shortly after bringing the email system back online. They didn't stay on for long, so this issue appears to have been resolved.

SUGGESTION: Could you add a monitoring system that lists the top email sending accounts? A simple page listing the top ten (or so) senders would go a long way in identifying compromised accounts like this one pretty quickly.

Thanks for your assistance.
thefid
Posts: 3
Joined: Thu Jan 12, 2012 9:44 am
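Rob's procedure above (trace the failed outbound transfers in the outmail log back to the account that authenticated in the SMTP log, and cap how much each user may send per day) and thefid's request for a "top senders" page can both be scripted against the logs. The block below is an added example written for this thread; it is not Ability Mail Server's own code and nothing in it comes from the product. The outmail log format is taken from the lines posted above. The SMTP log layout (a `Receive Mail` action carrying `User`, `IP`, `From` and `To` fields) is an assumption, since the thread never shows that file, and the accounts, source IPs and sample lines are constructed for the demonstration.

```python
"""Added example: correlate outmail failures with SMTP authentication records.

Not Ability Mail Server code.  OUTMAIL_RE follows the outmail lines quoted in
the thread; SMTP_RE is an ASSUMED layout for the SMTP log and must be adapted
to the real file.  All sample data below is constructed.
"""
import re
from collections import Counter, defaultdict

# Outmail format as posted in the thread: "<ts> -> <Result>: Action=[..], Details=[..]"
OUTMAIL_RE = re.compile(
    r"^(?P<ts>.+?) -> (?P<result>Success|Failed): Action=\[(?P<action>[^\]]+)\], "
    r"Details=\[(?P<details>.*)\]$"
)
# ASSUMED SMTP log layout (same Action/Details style); not shown on the page.
SMTP_RE = re.compile(
    r"^(?P<ts>.+?) -> Success: Action=\[Receive Mail\], Details=\["
    r"User=(?P<user>[^,]+), IP=(?P<ip>[^,]+), From=(?P<sender>[^,]+), To=(?P<rcpt>[^\]]+)\]$"
)

# Constructed sample: three failures copied from the thread's outmail excerpt.
OUTMAIL_SAMPLE = """\
Thu, 12 Jan 2012 18:32:35 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Thu, 12 Jan 2012 18:32:35 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=luxuryhomeslosangeles.net: Found 1 records]
Thu, 12 Jan 2012 18:32:35 -> Failed: Action=[SMTP Transfer], Details=[Domain=luxuryhomeslosangeles.net, Host=today.luxuryhomeslosangeles.net:25, IP=50.115.0.190: Connection failed.]
Thu, 12 Jan 2012 18:32:55 -> Failed: Action=[SMTP Transfer], Details=[Domain=behostbasket.com, Host=mail.behostbasket.com:25, IP=69.65.39.88: Connection failed.]
Thu, 12 Jan 2012 18:33:15 -> Failed: Action=[SMTP Transfer], Details=[Domain=mtcbor.com, Host=tint.mtcbor.com:25, IP=70.99.243.225: Connection failed.]
"""

# Constructed sample SMTP log (hypothetical accounts, RFC 5737 documentation IPs).
SMTP_SAMPLE = """\
Thu, 12 Jan 2012 18:30:02 -> Success: Action=[Receive Mail], Details=[User=alice@example.com, IP=203.0.113.9, From=alice@example.com, To=friend@example.org]
Thu, 12 Jan 2012 18:32:31 -> Success: Action=[Receive Mail], Details=[User=bob@example.com, IP=198.51.100.77, From=bob@example.com, To=info@luxuryhomeslosangeles.net]
Thu, 12 Jan 2012 18:32:32 -> Success: Action=[Receive Mail], Details=[User=bob@example.com, IP=198.51.100.77, From=bob@example.com, To=sales@luxuryhomeslosangeles.net]
Thu, 12 Jan 2012 18:32:50 -> Success: Action=[Receive Mail], Details=[User=bob@example.com, IP=198.51.100.77, From=bob@example.com, To=admin@behostbasket.com]
Thu, 12 Jan 2012 18:33:10 -> Success: Action=[Receive Mail], Details=[User=bob@example.com, IP=198.51.100.77, From=bob@example.com, To=web@mtcbor.com]
Thu, 12 Jan 2012 18:33:11 -> Success: Action=[Receive Mail], Details=[User=bob@example.com, IP=198.51.100.77, From=bob@example.com, To=post@mtcbor.com]
Thu, 12 Jan 2012 18:40:00 -> Success: Action=[Receive Mail], Details=[User=alice@example.com, IP=203.0.113.9, From=alice@example.com, To=boss@example.com]
"""


def failed_transfers(outmail_text):
    """Return (domain, host, ip) for every failed SMTP Transfer in the outmail log."""
    out = []
    for line in outmail_text.splitlines():
        m = OUTMAIL_RE.match(line)
        if not m or m["result"] != "Failed" or m["action"] != "SMTP Transfer":
            continue
        # Details look like "Domain=x, Host=y:25, IP=z: Connection failed."; the
        # first ": " separates the key=value list from the free-text reason.
        kv_part = m["details"].split(": ", 1)[0]
        fields = dict(kv.split("=", 1) for kv in kv_part.split(", "))
        out.append((fields["Domain"], fields["Host"], fields["IP"]))
    return out


def smtp_records(smtp_text):
    """Parse accepted-message records (assumed layout) into dicts."""
    return [m.groupdict() for m in map(SMTP_RE.match, smtp_text.splitlines()) if m]


def top_senders(records, n=10):
    """Rank authenticated accounts by messages accepted: the 'top ten senders' view."""
    return Counter(r["user"] for r in records).most_common(n)


def over_limit(records, limit):
    """Accounts whose accepted-message count exceeds a per-user cap (damage limitation)."""
    counts = Counter(r["user"] for r in records)
    return sorted(u for u, c in counts.items() if c > limit)


def accounts_for_failed_domains(records, failures):
    """Map each destination that failed delivery back to the account(s) that mailed it."""
    bad = {domain for domain, _, _ in failures}
    hits = defaultdict(set)
    for r in records:
        domain = r["rcpt"].rsplit("@", 1)[1]
        if domain in bad:
            hits[domain].add(r["user"])
    return {d: sorted(users) for d, users in hits.items()}


def sender_profile(records, user):
    """Source IPs and From addresses seen for one account; an unexpected IP is the tell."""
    mine = [r for r in records if r["user"] == user]
    return {"ips": dict(Counter(r["ip"] for r in mine)),
            "from": dict(Counter(r["sender"] for r in mine))}


if __name__ == "__main__":
    recs = smtp_records(SMTP_SAMPLE)
    fails = failed_transfers(OUTMAIL_SAMPLE)
    print("failed destinations:", [d for d, _, _ in fails])
    print("accounts behind them:", accounts_for_failed_domains(recs, fails))
    print("top senders:", top_senders(recs))
    for user in over_limit(recs, limit=3):
        print("over daily limit:", user, sender_profile(recs, user))
```

Run it against the real outmail and SMTP logs by replacing the two sample strings with the file contents and fixing `SMTP_RE` to match the actual SMTP log lines; the `over_limit` threshold is the per-user daily cap rob recommends, and `sender_profile` shows which IPs used the account, which is what singles out a stolen password from a legitimate heavy sender.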
