Blacklisted and email spam

[drew]

Two days ago our Ability Email server showed over 4000 outgoing emails in queue for an organization that has 25 employees. We've been blacklisted by several email authorities. The emails are all spam. I've been trying to figure out how these emails are being sent with our IP as the source. SMTP authentication is enabled. Our users access their email via web mail and via Outlook installed on a terminal server.

We have a sonicwall that I've tried to monitor connections over port 25, and all it tells me is that the emails are being generated from the Ability mail server. The windows firewall on the Ability mail server says the same thing.

Is there some way to tell where and/or who's account is spamming all of these outgoing emails? If an account has been compromised, how could I tell? The logs for the mail server don't say much. All they give is an external email address as the source and an external email address as the destination.

[Code Crafters]

If your SMTP authentication is enabled then only one of your users with valid login credentials can relay mail to external email addresses unless you've added any relaying safe IPs in SMTP relaying settings.

First of all you should limit the number of mails that can be sent per IP per day in the SMTP security settings and per user per day in the user group settings.

To track down who is sending them you need to check your logs and possibly enable debug logging for some services but this will generate a lot of logs fast so don't leave this on long.

You should start with the outgoing mail logs to see if any particular sender address that is hosted on your AMS shows up. Next check the SMTP and WebMail logs to check for any particular user or IP sending lots of emails and block that user / IP. You can also check the POP3 retrieval logs as this is the only other place that emails can get in to AMS.

Either one of your users is SPAMing but more likely because of the fake sender addresses this is probably a virus that got on someones system. With only have a small number of users I'd change all passwords and let people request them from you to stop any virus that may have guessed their passwords.

[drew]

After combing through logs for days and not finding anything useful, we just went ahead and changed everyone's password after running multiple av scans on all machines in the network. It's been 2 days without any spam incidents. Now to get them off the blacklists...

[Code Crafters]

You need to actually email the black lists and explain the situation and they should then remove you no problem.