GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from

Home » GFI User Forums » Kerio Connect » Hijacked User Account (Hijacked User Account Loaded Outgoing Queue with SPAM)
Re: Hijacked User Account [message #134821 is a reply to message #134780] Tue, 28 March 2017 00:20 Go to previous messageGo to next message
talos4 is currently offline  talos4
Messages: 10
Registered: March 2014
I had this happen to me a couple of times. Believe me when I say KERIO is WELL AWARE of this issue. I don't know why they have not fixed it. Only to guess that the code is so buried down that it is too hard for them to fix. I have contacted so many "higher ups" in the admin chain of Kerio and NOTHING is being done.

Perhaps a large Kerio-using company will get hit when some employee password gets hijacked. Then their mail server sends hundreds of thousands of spam. Then they do major screaming at the powers that be. Maybe then Kerio will do something because no movement on this issue for years!

Someone else made a feature request before you so everyone should put some votes here. You can recall your votes and put them here too since it has more votes currently. Not that this will matter too much because I don't think Kerio engineering cares or can fix. Support is great but their hands are tied. This needs to come from engineering and engineering needs to get ordered by admin. But it isn't happening for whatever reason.

This is a big security risk. Doesn't matter how strong your password is. If an employee uses that email/password to register some other website (yes they shouldn't do it but they do) and it gets hacked this is a disaster waiting to happen. ions/3699739-user-based-smtp-limits
Re: Hijacked User Account [message #134855 is a reply to message #127410] Tue, 28 March 2017 20:43 Go to previous messageGo to next message
Maerad is currently offline  Maerad
Messages: 275
Registered: August 2013
Brian Carmichael (Kerio) wrote on Mon, 25 January 2016 18:27
In your case, as with previous cases I've seen, the offending host uses SMTP. This means that the messages were first injected into the queue via incoming SMTP. Therefore the security options in the SMTP server apply.

Honestly Brian, look it up with a programmer or test it locally. It shouldn't be possible that a user can send 50k msgs with a external SMTP over a Useraccount. And seeing the settings, it might be that the security limits are not working at all / as they should.

Maybe it was only one Mail with 10k recipients as BCC? How does kerio handle that? I can't really remember a limit for that. If the Spam Detection sees that as "one" mail and only after that it gets broken up to different mails into the queue...

Also BobH already said that he had randomly generated PW and the Kerio "hard PW Settings" enabled. But this advise is no use, if a keylogger got the login.

Btw. a abnormal behavior setting would be really appreciated - that means that if a user sends out over a set max. mails in a set time frame, the account should be blocked and the admin informed. This would be the case, if a local pc is infected with a trojan and sending the mails with outlook - the spam settings wouldn't work then (local group).
Re: Hijacked User Account [message #134856 is a reply to message #127363] Tue, 28 March 2017 20:46 Go to previous message
Maerad is currently offline  Maerad
Messages: 275
Registered: August 2013
BobH wrote on Thu, 21 January 2016 20:46
Brian Carmichael (Kerio) wrote on Thu, 21 January 2016 12:10
The mail log should identify which user account was compromised, and the protocol that was used. You will have to locate the log event that shows how the message(s) was first received by your server.

Here is an example:
[25/Jun/2014 10:39:19] Recv: Queue-ID: 53aaa6d7-000000f4, Service: Kerio Connect client, From: <user<_at_>domain>, To: <user<_at_>domain>, Size: 854, Sender-Host:, User: user@domain, SSL: yes, Subject: test, Msg-Id: <3533420989-24989@domain>

OK. I've been digging in the Mail.log file and I believe I've identified the first spam. I've attached a screen capture of that portion of the mail.log showing the transition for legitimate to spam. The thing that jumps out is the change from "Service: Kerio Connect Client" to "Service: SMTP"

Do you still have any of the send mails? The spam? Any way to get one?

Would be interesting to see the mail header from WHERE it was send. Maybe the local IP was spoofed? Maybe he send it via VPN over the local network, because he got the VPN cred. too?

Another idea is, that the the user was connected with VPN and kerio mail was used as over MAPI. That would count as local connection and no limitations.

But yeah, they really should add some additional security levels like max. mail / minute/hour with automated blocks and admin information. If a local outlook is cracked, it could send out mails without limitation.
Previous Topic: colors in shared outlook calendars
Next Topic: public folder max size
Goto Forum:

Current Time: Fri Mar 24 19:35:03 CET 2023

Total time taken to generate the page: 0.01818 seconds