| | | Forum Newbie
       
Group: Forum Members Last Login: 7/30/2004 2:45:00 PM Posts: 1, Visits: 1 |
| I have the daily reports being emailed to me and all of a sudden the remote deliveries went from ~400 per day to around ~5000 a day the last 2 days. I also find myself blocked by users of spamcop.net. I am looking through the logs, which are now in debug mode. What should I look for as to where these messages are being sent from? I have the server set to No Mail Relay. All my users have to authenticate to send mail. Thanks in advance. Joe |
| | | | Time Traveler
       
Group: Forum Members Last Login: 6/15/2005 1:07:00 AM Posts: 217, Visits: 1 |
| You should first find the top authenticators; since everyone needs to authenticate, it is likely that an account password has been guessed or stolen. Look for 'authenticated <username>, session treated as local' in the logs. If there's an account with a very high relative number of authentications in a given day, that is probably the culprit. Change the password and see if that alleviates the abuse, and if the password does not appear easy to guess, also run a full system audit to make sure the IMail server has not been compromised. There are also other methods of forensic log analysis, but try the above first. --Sandy
------------------------------------ Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. Defuse Dictionary Attacks: Turn Remote Mailboxes into Aliases on your IMail MX! http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ |
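
The per-account count suggested in the reply above, as an added example that is not part of the original thread and is not IMail or Broadleaf code. Only the phrase 'authenticated <username>, session treated as local' comes from the post; the timestamp layout, the bracketed client IP, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Phrase quoted in the reply; everything else about the line layout is assumed.
AUTH_RE = re.compile(r"authenticated (\S+), session treated as local", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # assumed: client IP in brackets

def top_authenticators(lines, ratio=5.0, min_count=10):
    """Count SMTP AUTH successes per account for one day's log lines.

    An account is a suspect when its count is at least min_count and more
    than ratio times the median count across all accounts (assumed thresholds).
    """
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        user = m.group(1).lower()
        counts[user] += 1
        ip = IP_RE.search(line)
        if ip:  # many distinct sources for one account is a second signal
            sources[user].add(ip.group(1))
    if not counts:
        return counts, sources, []
    baseline = median(counts.values())
    suspects = [u for u, n in counts.most_common()
                if n >= min_count and n > ratio * baseline]
    return counts, sources, suspects

def build_sample():
    """Constructed log lines: three normal accounts and one abused account."""
    tail = "session treated as local"
    lines = []
    for user, ip, n in [("alice", "192.0.2.10", 4), ("bob", "192.0.2.11", 6),
                        ("carol", "192.0.2.12", 3)]:
        lines += [f"07:29 09:{i:02d} SMTPD(0000) [{ip}] authenticated {user}, {tail}"
                  for i in range(n)]
    for i in range(120):
        ip = f"198.51.100.{i % 40 + 1}"
        lines.append(f"07:29 10:{i % 60:02d} SMTPD(0000) [{ip}] authenticated dave, {tail}")
    lines.append("07:29 11:00 SMTPD(0000) [192.0.2.10] EHLO client.example")
    return lines

if __name__ == "__main__":
    counts, sources, suspects = top_authenticators(build_sample())
    for user, n in counts.most_common():
        flag = "  <-- review" if user in suspects else ""
        print(f"{user:10} {n:5} auths from {len(sources[user])} IPs{flag}")
```

To use it on real data, pass the lines of one day's log file in place of `build_sample()` and adjust the two regular expressions to the actual line layout.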