Compromised Server? Can't figure out my logs!

Postby lbarlean » Tue Apr 15, 2008 4:41 pm

I've seen a couple of posts similar to my situation. Spam is being sent out with the "From" header line containing my user's email address so they are getting all of the bounced messages. This is happening with more and more frequency (3 already this week). I can't tell for sure if it's coming from our mail server.

Can anyone give me a hint on how to read the logs?

For example, here is one outgoing log entry that looks suspicious...

Tue, 15 Apr 2008 05:23:17 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Tue, 15 Apr 2008 05:23:17 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Tue, 15 Apr 2008 05:23:17 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=boughnerart.com: Found 5 records]
Tue, 15 Apr 2008 05:23:17 -> Success: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx5.business.mindspring.com:25, IP=198.185.2.67: Connection accepted.]
Tue, 15 Apr 2008 05:23:17 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx5.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
Tue, 15 Apr 2008 05:23:17 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx5.business.mindspring.com:25, IP=198.185.2.67: All remaining recipients were rejected.]
Tue, 15 Apr 2008 05:23:17 -> Success: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx4.business.mindspring.com:25, IP=198.185.2.67: Connection accepted.]
Tue, 15 Apr 2008 05:23:18 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx4.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
Tue, 15 Apr 2008 05:23:18 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx4.business.mindspring.com:25, IP=198.185.2.67: All remaining recipients were rejected.]
Tue, 15 Apr 2008 05:23:18 -> Success: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx3.business.mindspring.com:25, IP=198.185.2.67: Connection accepted.]
Tue, 15 Apr 2008 05:23:19 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx3.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
Tue, 15 Apr 2008 05:23:19 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx3.business.mindspring.com:25, IP=198.185.2.67: All remaining recipients were rejected.]
Tue, 15 Apr 2008 05:23:19 -> Success: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx2.business.mindspring.com:25, IP=198.185.2.67: Connection accepted.]
Tue, 15 Apr 2008 05:23:20 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx2.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
Tue, 15 Apr 2008 05:23:20 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx2.business.mindspring.com:25, IP=198.185.2.67: All remaining recipients were rejected.]
Tue, 15 Apr 2008 05:23:20 -> Success: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx1.business.mindspring.com:25, IP=198.185.2.67: Connection accepted.]
Tue, 15 Apr 2008 05:23:21 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx1.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
Tue, 15 Apr 2008 05:23:21 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx1.business.mindspring.com:25, IP=198.185.2.67: All remaining recipients were rejected.]

As far as I can tell, nothing was added to the mail queue from this entry, but the fact that it is in the outgoing logs in the first place gives me concern.

Any advice would be greatly appreciated! Thank you!
-Laurie
Last edited by lbarlean on Thu Apr 17, 2008 6:41 pm, edited 1 time in total.
lbarlean
 
Posts: 5
Joined: Tue Apr 15, 2008 4:09 pm

Re: Compromised Server? How to tell from logs?

Postby rob » Thu Apr 17, 2008 10:42 am

The best way to check to see how that mail got into your outmail log is to simply search the SMTP log for a matching SMTP recipient. This will then allow you to identify how the mail got into your system. I would also recommend searching the WebMail system as this also can generate mail. There are several ways these mails can legitimately get into the system, and the simplest is that one of your users' login details has been picked up by malicious software. Actions you can take include requesting that any affected user change their password, blocking the source of the mails (the IP) and also enabling mail sending restrictions (group and SMTP settings) to prevent the possibility of this escalating.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Compromised Server? How to tell from logs?

Postby lbarlean » Thu Apr 17, 2008 6:00 pm

I so far haven't been able to find a matching entry in either the SMTP or the Webmail. Is that because the recipients were rejected?
lbarlean
 
Posts: 5
Joined: Tue Apr 15, 2008 4:09 pm

Re: Compromised Server? Can't figure out my logs!

Postby rob » Fri Apr 18, 2008 11:00 am

The extract you have copied and pasted is from the outgoing mail log, and mentions the recipient 'pfspugjjfboo@boughnerart.com'. There are only 3 ways such a mail could make it into AMS, and the most likely are SMTP or WebMail (which could mean a compromised user account). Another possibility, however, is if you use POP3 Retrievals. If you do then I would also recommend you examine those log files too. By default POP3 Retrievals is configured so it will only pull mail for local accounts, but it is indeed possible to adjust the settings so that the mail pulled from the POP3 retrieval actually lands in the outgoing mail service.

I should also note while searching a log, you should look for: pfspugjjfboo@boughnerart.com
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Compromised Server? Can't figure out my logs!

Postby lbarlean » Thu May 01, 2008 9:34 pm

Hi Rob,
thanks for the reply & suggestions! I'm just getting back around to checking into this.
I checked the SMTP logs and webmail logs (searched for 'pfspugjjfboo' and manually read the log entries between 4am and 6am on the 15th of April). Nada. Nothing relating to this outgoing Mail entry. We also do not use POP3 retrievals. Here are the other logs for around this time...

**************WEBMAIL*********************** (no webmail login between 4:49am and 7:09 am)
Tue, 15 Apr 2008 04:45:18 -> 99.200.67.21 -> Success: Action=[Accept Connection], Details=[Port 80]
Tue, 15 Apr 2008 04:45:18 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \ - Redirect: /_index]
Tue, 15 Apr 2008 04:45:18 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_index - OK]
Tue, 15 Apr 2008 04:45:19 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\maintitle.gif - Not Modified]
Tue, 15 Apr 2008 04:45:19 -> 99.200.67.21 -> Success: Action=[Accept Connection], Details=[Port 80]
Tue, 15 Apr 2008 04:45:19 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_captchaimage_31005.jpg?code=31005 - OK]
Tue, 15 Apr 2008 04:45:21 -> 99.200.67.21 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 04:45:21 -> 99.200.67.21 -> Success: Action=[Accept Connection], Details=[Port 8100: Implicit SSL]
Tue, 15 Apr 2008 04:45:22 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \ - Redirect: /_index]
Tue, 15 Apr 2008 04:45:22 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_index - OK]
Tue, 15 Apr 2008 04:45:22 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\maintitle.gif - Not Modified]
Tue, 15 Apr 2008 04:45:22 -> 99.200.67.21 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 04:45:23 -> 99.200.67.21 -> Success: Action=[Accept Connection], Details=[Port 8100: Implicit SSL]
Tue, 15 Apr 2008 04:45:23 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_captchaimage_7574.jpg?code=7574 - OK]
Tue, 15 Apr 2008 04:46:00 -> 99.200.67.21 -> Success: Action=[Login], Details=[cfroome@preparedresponse.com]
Tue, 15 Apr 2008 04:46:00 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[POST \_login - Redirect: /_selectfolder?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600&folder=Inbox&page=1&stopsearch=yes]
Tue, 15 Apr 2008 04:46:00 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_selectfolder?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600&folder=Inbox&page=1&stopsearch=yes - Redirect: /_folder?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600&page=1]
Tue, 15 Apr 2008 04:46:00 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_folder?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600&page=1 - OK]
Tue, 15 Apr 2008 04:46:01 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\gap_9x9.gif - Not Modified]
Tue, 15 Apr 2008 04:46:01 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\pagetitleback.gif - Not Modified]
Tue, 15 Apr 2008 04:46:01 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\withoutchildren.gif - Not Modified]
Tue, 15 Apr 2008 04:46:02 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\triggerpop3retr.gif - Not Modified]
Tue, 15 Apr 2008 04:46:05 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_options?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600 - OK]
Tue, 15 Apr 2008 04:46:06 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_personaldata.gif - Not Modified]
Tue, 15 Apr 2008 04:46:06 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_addressbook.gif - Not Modified]
Tue, 15 Apr 2008 04:46:06 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_advancedoptions.gif - Not Modified]
Tue, 15 Apr 2008 04:46:07 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_password.gif - Not Modified]
Tue, 15 Apr 2008 04:46:07 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_autoresponse.gif - Not Modified]
Tue, 15 Apr 2008 04:46:07 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_signatures.gif - Not Modified]
Tue, 15 Apr 2008 04:46:07 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\icon_pop3retrs.gif - Not Modified]
Tue, 15 Apr 2008 04:46:09 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_autoresponse?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600&selectmode=yes - Redirect: /_autoresponse?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600]
Tue, 15 Apr 2008 04:46:09 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_autoresponse?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600 - OK]
Tue, 15 Apr 2008 04:47:10 -> 99.200.67.21 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 04:47:15 -> 99.200.67.21 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 04:48:24 -> 99.200.67.21 -> Success: Action=[Accept Connection], Details=[Port 8100: Implicit SSL]
Tue, 15 Apr 2008 04:48:24 -> 99.200.67.21 -> Success: Action=[Update Auto-Response]
Tue, 15 Apr 2008 04:48:24 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[POST \_processautoresponse?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600 - Redirect: /_options?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600]
Tue, 15 Apr 2008 04:48:25 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_options?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600 - OK]
Tue, 15 Apr 2008 04:48:34 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_logout?id=1OPd6w8RBGYs3fpJW57v5DmMibaxYv2O2d9e20080415044600 - Redirect: /_loggedout]
Tue, 15 Apr 2008 04:48:35 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \_loggedout - OK]
Tue, 15 Apr 2008 04:48:35 -> 99.200.67.21 -> Success: Action=[HTTP Request], Details=[GET \images\returntologin.gif - Not Modified]
Tue, 15 Apr 2008 04:49:00 -> 99.200.67.21 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 80]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \ - Redirect: /_index]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \_index - OK]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 80]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \_captchaimage_26336.jpg?code=26336 - OK]
Tue, 15 Apr 2008 07:09:34 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \images\maintitle.gif - Not Modified]
Tue, 15 Apr 2008 07:09:35 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 8100: Implicit SSL]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \ - Redirect: /_index]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \_index - OK]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \images\maintitle.gif - Not Modified]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 8100: Implicit SSL]
Tue, 15 Apr 2008 07:09:36 -> 209.147.114.2 -> Success: Action=[HTTP Request], Details=[GET \_captchaimage_29449.jpg?code=29449 - OK]
Tue, 15 Apr 2008 07:09:44 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 07:09:44 -> 209.147.114.2 -> Success: Action=[Close Connection]


*************SMTP*********************(log entries between 5:21am and 5:25am)

Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Received Hello], Details=[Host=QMTA10.westchester.pa.mail.comcast.net]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Received Sender], Details=[maxwells@nutn.net]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Received Recipient], Details=[awells@preparedresponse.com]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:21:32 -> 76.96.62.17 -> Success: Action=[Complete Mail Transaction], Details=[From Host=QMTA10.westchester.pa.mail.comcast.net, Size=2 KB, From=maxwells@nutn.net, To=awells@preparedresponse.com]
Tue, 15 Apr 2008 05:21:35 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:21:35 -> 209.147.114.2 -> Success: Action=[Received Hello], Details=[Host=YaUp]
Tue, 15 Apr 2008 05:21:35 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:21:54 -> 59.93.122.58 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:21:54 -> 59.93.122.58 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:21:55 -> 59.93.122.58 -> Success: Action=[Received Hello], Details=[Host=209.147.122.171]
Tue, 15 Apr 2008 05:21:56 -> 59.93.122.58 -> Success: Action=[Received Sender], Details=[auto_reminder@almaux.com]
Tue, 15 Apr 2008 05:21:57 -> 59.93.122.58 -> Success: Action=[Received Recipient], Details=[mdodson@preparedresponse.com]
Tue, 15 Apr 2008 05:22:01 -> 59.93.122.58 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:03 -> 59.93.122.58 -> Success: Action=[Complete Mail Transaction], Details=[From Host=209.147.122.171, Size=1 KB, From=auto_reminder@almaux.com, To=mdodson@preparedresponse.com]
Tue, 15 Apr 2008 05:22:04 -> 59.93.122.58 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:18 -> 61.94.58.15 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:22:18 -> 61.94.58.15 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:21 -> 61.94.58.15 -> Success: Action=[Received Hello], Details=[Host=mahmad]
Tue, 15 Apr 2008 05:22:26 -> 61.94.58.15 -> Success: Action=[Received Sender], Details=[linhapackmet@hapack.de]
Tue, 15 Apr 2008 05:22:26 -> 61.94.58.15 -> Success: Action=[Received Recipient], Details=[awells@preparedresponse.com]
Tue, 15 Apr 2008 05:22:26 -> 61.94.58.15 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:26 -> 88.251.100.9 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:22:26 -> 88.251.100.9 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:27 -> 88.251.100.9 -> Success: Action=[Received Hello], Details=[Host=88.251.100.9]
Tue, 15 Apr 2008 05:22:28 -> 88.251.100.9 -> Success: Action=[Received Sender], Details=[Epsojua2@nosa.us]
Tue, 15 Apr 2008 05:22:28 -> 88.251.100.9 -> Success: Action=[Received Recipient], Details=[info@preparedresponse.com]
Tue, 15 Apr 2008 05:22:28 -> 88.251.100.9 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:30 -> 88.251.100.9 -> Success: Action=[Complete Mail Transaction], Details=[From Host=88.251.100.9, Size=3 KB, From=Epsojua2@nosa.us, To=info@preparedresponse.com]
Tue, 15 Apr 2008 05:22:30 -> 88.251.100.9 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:31 -> 61.94.58.15 -> Success: Action=[Complete Mail Transaction], Details=[From Host=mahmad, Size=3 KB, From=linhapackmet@hapack.de, To=awells@preparedresponse.com]
Tue, 15 Apr 2008 05:22:32 -> 76.96.62.17 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:33 -> 61.94.58.15 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:35 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:35 -> 209.147.114.2 -> Success: Action=[Received Hello], Details=[Host=YaUp]
Tue, 15 Apr 2008 05:22:35 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:36 -> 77.122.71.192 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:22:36 -> 77.122.71.192 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:37 -> 77.122.71.192 -> Success: Action=[Received Hello], Details=[Host=loaning.permit.volia.net]
Tue, 15 Apr 2008 05:22:37 -> 77.122.71.192 -> Success: Action=[Received Sender], Details=[celiafafe@bancaimius.com]
Tue, 15 Apr 2008 05:22:37 -> 77.122.71.192 -> Success: Action=[Received Recipient], Details=[grants@preparedresponse.com]
Tue, 15 Apr 2008 05:22:37 -> 77.122.71.192 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:38 -> 77.122.71.192 -> Success: Action=[Complete Mail Transaction], Details=[From Host=loaning.permit.volia.net, Size=1 KB, From=celiafafe@bancaimius.com, To=grants@preparedresponse.com]
Tue, 15 Apr 2008 05:22:38 -> 77.122.71.192 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:38 -> 189.36.141.132 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:22:38 -> 189.36.141.132 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:39 -> 189.36.141.132 -> Success: Action=[Received Hello], Details=[Host=189.36.141.132]
Tue, 15 Apr 2008 05:22:39 -> 189.36.141.132 -> Success: Action=[Received Sender], Details=[mwanalogous@kanhunt.com]
Tue, 15 Apr 2008 05:22:40 -> 189.36.141.132 -> Success: Action=[Received Recipient], Details=[sales@preparedresponse.com]
Tue, 15 Apr 2008 05:22:40 -> 189.36.141.132 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:43 -> 189.36.141.132 -> Success: Action=[Complete Mail Transaction], Details=[From Host=189.36.141.132, Size=2 KB, From=mwanalogous@kanhunt.com, To=sales@preparedresponse.com]
Tue, 15 Apr 2008 05:22:43 -> 189.36.141.132 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:22:56 -> 85.109.3.161 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:22:56 -> 85.109.3.161 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:22:57 -> 85.109.3.161 -> Success: Action=[Received Hello], Details=[Host=85.109.3.161]
Tue, 15 Apr 2008 05:22:57 -> 85.109.3.161 -> Success: Action=[Received Sender], Details=[brook@cwes.net]
Tue, 15 Apr 2008 05:22:57 -> 85.109.3.161 -> Success: Action=[Received Recipient], Details=[cfroome@preparedresponse.com]
Tue, 15 Apr 2008 05:22:57 -> 85.109.3.161 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:22:59 -> 85.109.3.161 -> Success: Action=[Complete Mail Transaction], Details=[From Host=85.109.3.161, Size=10 KB, From=brook@cwes.net, To=cfroome@preparedresponse.com]
Tue, 15 Apr 2008 05:23:00 -> 85.109.3.161 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:23:10 -> 88.87.89.9 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:23:11 -> 88.87.89.9 -> Success: Action=[Received Hello], Details=[Host=JD]
Tue, 15 Apr 2008 05:23:12 -> 88.87.89.9 -> Success: Action=[Received Sender], Details=[ritalinfk7@icehockey2005.com]
Tue, 15 Apr 2008 05:23:12 -> 88.87.89.9 -> Success: Action=[Received Recipient], Details=[csparling@preparedresponse.com]
Tue, 15 Apr 2008 05:23:12 -> 88.87.89.9 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:23:13 -> 88.87.89.9 -> Success: Action=[Complete Mail Transaction], Details=[From Host=JD, Size=1 KB, From=ritalinfk7@icehockey2005.com, To=csparling@preparedresponse.com]
Tue, 15 Apr 2008 05:23:14 -> 88.87.89.9 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:23:31 -> 122.164.39.119 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:23:31 -> 122.164.39.119 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:23:35 -> 122.164.39.119 -> Success: Action=[Received Hello], Details=[Host=ABTS-TN-dynamic-119.39.164.122.airtelbroadband.in]
Tue, 15 Apr 2008 05:23:36 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:23:36 -> 209.147.114.2 -> Success: Action=[Received Hello], Details=[Host=YaUp]
Tue, 15 Apr 2008 05:23:36 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:23:36 -> 122.164.39.119 -> Success: Action=[Received Sender], Details=[shgxlmstv@bleijendaal.com]
Tue, 15 Apr 2008 05:23:36 -> 122.164.39.119 -> Success: Action=[Received Recipient], Details=[info@guidesafe.com]
Tue, 15 Apr 2008 05:23:36 -> 122.164.39.119 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:23:38 -> 122.164.39.119 -> Success: Action=[Complete Mail Transaction], Details=[From Host=ABTS-TN-dynamic-119.39.164.122.airtelbroadband.in, Size=1 KB, From=shgxlmstv@bleijendaal.com, To=info@guidesafe.com]
Tue, 15 Apr 2008 05:23:39 -> 122.164.39.119 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:23:41 -> 85.104.58.169 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:23:41 -> 85.104.58.169 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:23:42 -> 85.104.58.169 -> Success: Action=[Received Hello], Details=[Host=dsl85-104-15017.ttnet.net.tr]
Tue, 15 Apr 2008 05:23:43 -> 85.104.58.169 -> Success: Action=[Received Sender], Details=[weirdlysh67@liquidprofit.net]
Tue, 15 Apr 2008 05:23:43 -> 85.104.58.169 -> Success: Action=[Received Recipient], Details=[techassist@preparedresponse.com]
Tue, 15 Apr 2008 05:23:43 -> 85.104.58.169 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:23:47 -> 85.104.58.169 -> Success: Action=[Complete Mail Transaction], Details=[From Host=dsl85-104-15017.ttnet.net.tr, Size=1 KB, From=weirdlysh67@liquidprofit.net, To=techassist@preparedresponse.com]
Tue, 15 Apr 2008 05:23:48 -> 85.104.58.169 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:24:36 -> 209.147.114.2 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:24:36 -> 209.147.114.2 -> Success: Action=[Received Hello], Details=[Host=YaUp]
Tue, 15 Apr 2008 05:24:36 -> 209.147.114.2 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:24:42 -> 151.63.81.114 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:24:42 -> 151.63.81.114 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:24:42 -> 151.63.81.114 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:25:04 -> 200.35.48.79 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:25:04 -> 200.35.48.79 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:25:04 -> 200.35.48.79 -> Success: Action=[Received Hello], Details=[Host=acerc28991bd48]
Tue, 15 Apr 2008 05:25:05 -> 200.35.48.79 -> Success: Action=[Received Sender], Details=[LorachineseCarmichael@newadvent.org]
Tue, 15 Apr 2008 05:25:05 -> 200.35.48.79 -> Success: Action=[Received Recipient], Details=[rlugo@preparedresponse.com]
Tue, 15 Apr 2008 05:25:05 -> 200.35.48.79 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:25:05 -> 200.35.48.79 -> Success: Action=[Complete Mail Transaction], Details=[From Host=acerc28991bd48, Size=1 KB, From=LorachineseCarmichael@newadvent.org, To=rlugo@preparedresponse.com]
Tue, 15 Apr 2008 05:25:06 -> 200.35.48.79 -> Success: Action=[Close Connection]
Tue, 15 Apr 2008 05:25:08 -> 77.91.40.6 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (ZEN)'.]
Tue, 15 Apr 2008 05:25:08 -> 77.91.40.6 -> Success: Action=[Accept Connection], Details=[Port 25]
Tue, 15 Apr 2008 05:25:09 -> 77.91.40.6 -> Success: Action=[Received Hello], Details=[Host=user40-006.satfilm.net.pl]
Tue, 15 Apr 2008 05:25:10 -> 77.91.40.6 -> Success: Action=[Received Sender], Details=[kclazn@adelphia.com]
Tue, 15 Apr 2008 05:25:10 -> 77.91.40.6 -> Success: Action=[Received Recipient], Details=[fcollier@preparedresponse.com]
Tue, 15 Apr 2008 05:25:10 -> 77.91.40.6 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:25:13 -> 77.91.40.6 -> Success: Action=[Complete Mail Transaction], Details=[From Host=user40-006.satfilm.net.pl, Size=4 KB, From=kclazn@adelphia.com, To=fcollier@preparedresponse.com]
Tue, 15 Apr 2008 05:25:14 -> 77.91.40.6 -> Success: Action=[Close Connection]

I'm really at a loss. How can I find the compromised account if there is nothing in the logs?
lbarlean
 
Posts: 5
Joined: Tue Apr 15, 2008 4:09 pm

Re: Compromised Server? Can't figure out my logs!

Postby ehavemann » Fri May 02, 2008 6:43 pm

I was curious where the offending IP was coming from. A Sprint wireless user???? Info from IPTOOLS.COM:

IP Information for 99.200.67.21
IP Location: United States, Los Angeles, Sprint Pcs
Resolve Host: 99-200-67-21.area1.spcsdns.net
IP Address: 99.200.67.21
Blacklist Status: Clear
Whois Record

OrgName: Sprint PCS
OrgID: SPCS
Address: 12502 Sunrise Valley Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 99.200.0.0 - 99.207.255.255
CIDR: 99.200.0.0/13
NetName: SPRINT-WIRELESS
NetHandle: NET-99-200-0-0-1
Parent: NET-99-0-0-0-0
NetType: Direct Allocation
NameServer: OSSCDNS01.SPCSDNS.NET
NameServer: OSSCDNS02.SPCSDNS.NET
Comment: PLEASE REPORT ABUSE ISSUES TO . Members of Law Enforcement
should contact Sprint Corporate Security Subpoena Compliance and Law Enforcement Assistance at
1-800-877-7330 and press option 1 for assistance.
RegDate: 2007-07-30
Updated: 2007-12-11

RAbuseHandle: SPAT-ARIN
RAbuseName: Sprint PCS Abuse Team
RAbusePhone: +1-888-211-4727
RAbuseEmail:

RTechHandle: DRW52-ARIN
RTechName: Williams, David R
RTechPhone: +1-913-315-4685
RTechEmail:

OrgAbuseHandle: SPAT-ARIN
OrgAbuseName: Sprint PCS Abuse Team
OrgAbusePhone: +1-888-211-4727
OrgAbuseEmail:

OrgTechHandle: SPAT-ARIN
OrgTechName: Sprint PCS Abuse Team
OrgTechPhone: +1-888-211-4727
OrgTechEmail:
ehavemann
 
Posts: 26
Joined: Fri Dec 14, 2007 6:15 pm

Re: Compromised Server? Can't figure out my logs!

Postby lbarlean » Mon May 05, 2008 4:47 pm

Many of our employees use Sprint Mobile Broadband cards when on the road. That entry from the webmail ended 30 minutes before the offending email entry in our outmail log (the very first post).
lbarlean
 
Posts: 5
Joined: Tue Apr 15, 2008 4:09 pm

Re: Compromised Server? Can't figure out my logs!

Postby rob » Tue May 06, 2008 11:05 am

I can agree the log extracts that you showed me contained nothing. One tip I would offer on searching the logs is to do a keyword search and search all the files. Due to the nature of the outgoing mail queue, mails can be inserted hours before they appear in the logs (or at least before they reappear on a redelivery attempt). What I could recommend, to help find such mails in future, is to create a content filter generated log for all mails passing through the system. Basically use the Add Text to File action and use the field tags ####CURRENTTIME####, ####FROMIP####, ####FROMADDRESS####, ####TOADDRESSCOMMALIST#### and ####CUSTOMEVENTSCOMMALIST####.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm
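A small log-correlation script, added here as an example (it is not AMS code and not anything posted in the thread), that does what rob describes in his first reply and in this last post: parse the AMS line format quoted above, keyword-search all the logs for the recipient address, and list WebMail logins in a look-back window before the outgoing entry, since queued mail can appear in the outgoing log hours after it entered. The sample lines are copied from the thread; the function names and the 12-hour default window are assumptions.

```python
"""Correlate Ability Mail Server (AMS) log extracts of the form
"<timestamp> -> [<ip> ->] <status>: Action=[..], Details=[..]".
Added example, not AMS code. Sample lines below are copied from the thread."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) -> "
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) -> )?"   # outgoing-log lines carry no IP
    r"(?P<status>Success|Failed): Action=\[(?P<action>[^\]]*)\]"
    r"(?:, Details=\[(?P<details>.*)\])?$"         # Details is absent on some lines
)
TS_FMT = "%a, %d %b %Y %H:%M:%S"

@dataclass
class Entry:
    source: str              # "smtp", "webmail" or "outgoing" (which log it came from)
    ts: datetime
    ip: Optional[str]        # None for outgoing-log lines
    status: str              # "Success" or "Failed"
    action: str
    details: str

def parse_line(line: str, source: str) -> Optional[Entry]:
    """One AMS log line -> Entry, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(source, datetime.strptime(m["ts"], TS_FMT), m["ip"],
                 m["status"], m["action"], m["details"] or "")

def parse_log(text: str, source: str) -> List[Entry]:
    return [e for e in (parse_line(l, source) for l in text.splitlines()) if e]

def find_address(entries: List[Entry], address: str) -> List[Entry]:
    """Every entry whose Details mention the address (as sender or recipient)."""
    needle = address.lower()
    return [e for e in entries if needle in e.details.lower()]

def in_window(entries: List[Entry], center: datetime,
              hours_before: float = 12, hours_after: float = 0) -> List[Entry]:
    """Entries between center - hours_before and center + hours_after (queue delay)."""
    lo, hi = center - timedelta(hours=hours_before), center + timedelta(hours=hours_after)
    return [e for e in entries if lo <= e.ts <= hi]

def webmail_logins(entries: List[Entry], center: datetime, hours_before: float = 12):
    """(account, ip, ts) for successful WebMail logins in the window before center."""
    return [(e.details, e.ip, e.ts) for e in in_window(entries, center, hours_before)
            if e.source == "webmail" and e.action == "Login" and e.status == "Success"]

# Sample lines copied from the thread (outgoing, SMTP and WebMail logs).
OUTGOING_SAMPLE = """\
Tue, 15 Apr 2008 05:23:17 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Tue, 15 Apr 2008 05:23:17 -> Failed: Action=[SMTP Transfer], Details=[Domain=boughnerart.com, Host=mx5.business.mindspring.com:25, IP=198.185.2.67: Recipient Rejected: pfspugjjfboo@boughnerart.com (550 pfspugjjfboo@boughnerart.com...User unknown)]
"""
SMTP_SAMPLE = """\
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Received Sender], Details=[maxwells@nutn.net]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Received Recipient], Details=[awells@preparedresponse.com]
Tue, 15 Apr 2008 05:21:31 -> 76.96.62.17 -> Success: Action=[Start Mail Transaction]
Tue, 15 Apr 2008 05:21:32 -> 76.96.62.17 -> Success: Action=[Complete Mail Transaction], Details=[From Host=QMTA10.westchester.pa.mail.comcast.net, Size=2 KB, From=maxwells@nutn.net, To=awells@preparedresponse.com]
"""
WEBMAIL_SAMPLE = """\
Tue, 15 Apr 2008 04:46:00 -> 99.200.67.21 -> Success: Action=[Login], Details=[cfroome@preparedresponse.com]
Tue, 15 Apr 2008 04:48:24 -> 99.200.67.21 -> Success: Action=[Update Auto-Response]
"""

def investigate(address: str, hours_before: float = 12) -> dict:
    """Where did mail to `address` enter the system, and who logged in before it went out?"""
    smtp = parse_log(SMTP_SAMPLE, "smtp")
    web = parse_log(WEBMAIL_SAMPLE, "webmail")
    out = parse_log(OUTGOING_SAMPLE, "outgoing")
    hits = find_address(out, address)
    center = hits[0].ts if hits else out[-1].ts    # first outgoing sighting
    return {
        "outgoing_first_seen": center,
        "smtp_or_webmail_hits": find_address(smtp + web, address),
        "webmail_logins_before": webmail_logins(web, center, hours_before),
    }

if __name__ == "__main__":
    for key, value in investigate("pfspugjjfboo@boughnerart.com").items():
        print(key, value)
```

On the thread's own data the recipient address never appears in SMTP or WebMail, exactly as Laurie found, while the look-back window surfaces the single WebMail login from 99.200.67.21 about 37 minutes earlier as the lead worth checking.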

