Help identifying sender

Postby Willy92 » Tue Jun 28, 2011 7:46 pm

We have had a bad week with hammer attacks on our POP3 and webmail. We have locked that down, but it appears at least one account has been compromised. We see traffic in the outmail log that shows mail being sent, but need to identify what account is sending it. Is there any easy way, without enabling debug mode in logging? In debug mode we rapidly get overloaded with huge log files.

Maybe the better way to ask is this: if we feel that an account has been exploited, either by virus or poor password, what's the easiest way to check which accounts are sending which mail? We have a couple hundred accounts on about 30 domains.
Willy92
 
Posts: 8
Joined: Wed May 11, 2011 6:28 am

Re: Help identifying sender

Postby rob » Wed Jun 29, 2011 10:46 am

If you suspect an account has been compromised, you need to trace the suspicious mail through the outgoing mail logs. First, examine the contents of the outmail logs and identify the suspicious addresses (usually this is revealed by large volumes of recipients being sent to the same domain, often to email services such as Yahoo/Hotmail/AOL/MSN/Gmail). You then need to identify in the SMTP logs when those addresses first arrived in the mail server. Once you have done this, you will have the source IP addresses and also the option of looking at which user is logging in to send to these addresses.

In the meantime, and to reduce the impact of this type of attack, it is probably worth enabling the mail sending limits in your group settings. This will prevent any one user from sending too many mails via your system.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm
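The two-step trace described in the reply above (find the high-volume sender in the outgoing log, then follow its queue ids back into the SMTP submission log for the client IP and the authenticated login), as an added example script. This is not part of the original thread and not the mail server's own tooling; the log layouts, queue ids, addresses and IPs below are constructed for illustration, and the two regexes would need adapting to the real outmail and smtp log formats. It also shows the caveat a practitioner wants: the From address on the spam can differ from the account that actually authenticated, so the AUTH login, not the From, identifies the compromised account.

```python
import re
from collections import Counter, defaultdict

# Constructed sample outgoing-mail log (hypothetical format, not any real server's layout).
OUTMAIL_LOG = """\
2011-06-28 19:01:02 id=q1001 from=<alice@example.com> to=<bob@partner.example> status=sent
2011-06-28 19:01:05 id=q1002 from=<joe@otherdomain.example> to=<a1@yahoo.com> status=sent
2011-06-28 19:01:05 id=q1003 from=<joe@otherdomain.example> to=<a2@yahoo.com> status=sent
2011-06-28 19:01:06 id=q1004 from=<joe@otherdomain.example> to=<a3@yahoo.com> status=bounced
2011-06-28 19:01:06 id=q1005 from=<joe@otherdomain.example> to=<a4@hotmail.com> status=sent
2011-06-28 19:01:07 id=q1006 from=<joe@otherdomain.example> to=<a5@hotmail.com> status=sent
2011-06-28 19:01:07 id=q1007 from=<joe@otherdomain.example> to=<a6@aol.com> status=sent
2011-06-28 19:02:00 id=q1008 from=<carol@example.com> to=<dave@gmail.com> status=sent
"""

# Constructed sample SMTP submission log: same queue ids, plus client IP and AUTH login.
# Note the spam is submitted as mary@example.com although the From says joe@otherdomain.example.
SMTP_LOG = """\
2011-06-28 19:01:01 id=q1001 client=203.0.113.10 auth=alice@example.com
2011-06-28 19:01:04 id=q1002 client=198.51.100.77 auth=mary@example.com
2011-06-28 19:01:04 id=q1003 client=198.51.100.77 auth=mary@example.com
2011-06-28 19:01:05 id=q1004 client=198.51.100.77 auth=mary@example.com
2011-06-28 19:01:05 id=q1005 client=198.51.100.78 auth=mary@example.com
2011-06-28 19:01:06 id=q1006 client=198.51.100.78 auth=mary@example.com
2011-06-28 19:01:06 id=q1007 client=198.51.100.78 auth=mary@example.com
2011-06-28 19:01:59 id=q1008 client=203.0.113.11 auth=carol@example.com
"""

# Hypothetical field layouts; adjust to the real log format.
OUT_RE = re.compile(r"id=(?P<id>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
SMTP_RE = re.compile(r"id=(?P<id>\S+) client=(?P<ip>\S+) auth=(?P<user>\S+)")


def parse_outmail(text):
    """Return a list of (queue_id, sender, recipient_domain) for each outgoing delivery line."""
    records = []
    for line in text.splitlines():
        m = OUT_RE.search(line)
        if m:
            rcpt_domain = m.group("rcpt").rpartition("@")[2].lower()
            records.append((m.group("id"), m.group("sender").lower(), rcpt_domain))
    return records


def suspicious_senders(records, threshold=5):
    """Step one: {sender: Counter(recipient_domain)} for senders with >= threshold recipients.

    A high recipient count concentrated on a few consumer mail domains is the usual tell.
    """
    per_sender = defaultdict(Counter)
    for _qid, sender, domain in records:
        per_sender[sender][domain] += 1
    return {s: c for s, c in per_sender.items() if sum(c.values()) >= threshold}


def parse_smtp(text):
    """Map queue id -> (client_ip, authenticated_user) from the submission log."""
    return {m.group("id"): (m.group("ip"), m.group("user"))
            for m in (SMTP_RE.search(line) for line in text.splitlines()) if m}


def trace_sender(sender, records, smtp_index):
    """Step two: follow the sender's queue ids back to the SMTP log.

    Returns (client IPs, AUTH logins). The AUTH login is the account to reset,
    even when it does not match the From address on the outgoing mail.
    """
    ips, users = set(), set()
    for qid, s, _domain in records:
        if s == sender and qid in smtp_index:
            ip, user = smtp_index[qid]
            ips.add(ip)
            users.add(user)
    return ips, users


if __name__ == "__main__":
    recs = parse_outmail(OUTMAIL_LOG)
    idx = parse_smtp(SMTP_LOG)
    for sender, domains in suspicious_senders(recs).items():
        ips, users = trace_sender(sender, recs, idx)
        print(f"{sender}: {sum(domains.values())} recipients, top domains {domains.most_common(3)}")
        print(f"  submitted from {sorted(ips)}, authenticated as {sorted(users)}")
```

On the sample data this flags joe@otherdomain.example for six recipients across yahoo.com, hotmail.com and aol.com, and the trace shows every one of those messages was submitted from two 198.51.100.x addresses authenticated as mary@example.com, so it is mary's password that needs resetting, not joe's. The threshold is a starting point; on a real server with a couple hundred accounts you would set it from the normal per-user volume the sending limits already enforce.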

Re: Help identifying sender

Postby Willy92 » Fri Jul 01, 2011 5:18 pm

Thanks. We had done that; it helped to quickly see that someone was sending way too much mail. Many of the emails sent were returned with 500-series errors (account did not exist). They went back into the outgoing queue and kept getting retried. Is there a way to have bounces from non-existent addresses not retried?
Willy92
 
Posts: 8
Joined: Wed May 11, 2011 6:28 am

Re: Help identifying sender

Postby rob » Thu Jul 07, 2011 9:43 am

Presently the outgoing mail system will retry delivery of bounced mail for the entire queue length regardless of the error message. In the future we will be adding an option to give up on mails that receive permanent error messages, but presently there isn't a way to set the system to do this.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

