GFI Forums: Kerio Connect » Flooded with spam in the last 24 hours

Home » GFI User Forums » Kerio Connect » Flooded with spam in the last 24 hours

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Flooded with spam in the last 24 hours [message #130783]

Mon, 11 July 2016 17:03

McIrish
Messages: 256
Registered: October 2011

Are any of you being flooded with spam recently? All the spam has a subject of "Mail Delivery Subsystem". They sort of appear to be non-delivery reports but I know for sure we are not an open relay. This is happening to a handful of users in the domain. We have the latest Kerio Connect and we are running the new anti-spam module from BitDefender.

Anyone got any ideas? We are getting hundreds per hour.

Report message to a moderator

Re: Flooded with spam in the last 24 hours [message #130785 is a reply to message #130783]

Mon, 11 July 2016 17:12

Pavel Dobry (Kerio) is currently offline

Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic

Maybe these messages are real DSN reports and someone is spoofing your email domain addresses in emails. Make sure you're using SPF so other servers can drop emails with spoofed sender email address of your domain.

Knowledge Base: http://manuals.gfi.com/en/kerio/home/Content/Home.htm.

Report message to a moderator

Re: Flooded with spam in the last 24 hours [message #130786 is a reply to message #130785]

Mon, 11 July 2016 18:48

McIrish
Messages: 256
Registered: October 2011

Thanks Pavel,
We are using SPF. I also have the SPF filter set to add 2 to the spam score.
I just had the users who are having this problem change their domain password. One person said it helped and another said it didn't fix the problem. So, I'm still trying to figure out what is happening.

Report message to a moderator

Re: Flooded with spam in the last 24 hours [message #130797 is a reply to message #130783]

Tue, 12 July 2016 12:20

lodewijk
Messages: 50
Registered: August 2005
Location: Amsterdam

sounds like "backscatter" indeed...

https://en.wikipedia.org/wiki/Backscatter_(email)

Report message to a moderator

Re: Flooded with spam in the last 24 hours [message #130812 is a reply to message #130783]

Tue, 12 July 2016 16:22

freakinvibe
Messages: 593
Registered: April 2004

Can you post the full header and content of such a message? That would help to analyse the problem.

Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch

Report message to a moderator

Re: Flooded with spam in the last 24 hours [message #130823 is a reply to message #130812]

Tue, 12 July 2016 17:54

McIrish
Messages: 256
Registered: October 2011

Unfortunately, I can't post any headers. I had setup a public folder for the effected users to copy the NDRs to. I used that yesterday to determine what was going on. Somehow, that public folder is empty now, which seems to be an issue all on its own. hmmmm
I had the users change passwords and I cleared the mail queue and cleared our server from being blacklisted. So far, no more problems. I'm still not quite sure how these particular users had their email user name and password stolen. The only common denominator between all those users was that they all have an iPhone and installed a recent IOS update. I wonder if after that update the next connection to the mail server was not secure and a hacker grabbed them by monitoring traffic at our public address. It's all speculation at this point. At least I got the problem to stop. It does worry me that this could happen.

Report message to a moderator

Previous Topic:	value of FDB files?
Next Topic:	kmsrecover complete domain

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Wed Jun 07 07:02:10 CEST 2023

Total time taken to generate the page: 0.02413 seconds