Help - server getting hammered [message #144131] Fri, 05 October 2018 19:59
TimothyPaul
Messages: 10
Registered: October 2013
Location: Naples, FL
Hi Folks - wondering if anyone can give me insight. Since my upgrade to 9.2.7 my server has been getting hammered with spam. It looks like they are authenticating using one of my aliases. I tried updating to the latest release, and that did not help.

I need the alias - it's an old email account that I forward to my new Kerio account.

I have looked through the log files but can't see where this is coming from.

Any thoughts?

Thanks....Tim
Re: Help - server getting hammered [message #144173 is a reply to message #144131] Wed, 10 October 2018 19:00
j.a.duke
Messages: 239
Registered: October 2006
Tim,

Is this an alias of your current account or another full account that is set to forward to your current account?

If it's really an alias, then they shouldn't be able to authenticate with it, as only the primary account, at least in my experience, can be used for that.

As for nuking some of the spam, are you using any blacklists or the built-in spam filters (including Kerio Anti-Spam and SpamAssassin)?

Cheers,
Jon
Re: Help - server getting hammered [message #144180 is a reply to message #144173] Thu, 11 October 2018 16:34
TimothyPaul
Messages: 10
Registered: October 2013
Location: Naples, FL
Hi Jon,

It is a full account on an old domain. I just needed it to forward to my new email. It is the tim@americasgate.com that is an alias being forwarded to my regular account on the server - tim<_at_>havilah.media

[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf5ace-000022ef, Service: SMTP, From: <tim@americasgate.com>, To: <ninjidebbie@gmail.com>, Size: 3862, Sender-Host: 61-228-24-38.dynamic-ip.hinet.net, User: tim<_at_>havilah.media, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf5ace-000022ef, Service: SMTP, From: <tim@americasgate.com>, To: <patricia.legere@gmail.com>, Size: 3862, Sender-Host: 61-228-24-38.dynamic-ip.hinet.net, User: tim<_at_>havilah.media, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf5ace-000022ef, Service: SMTP, From: <tim@americasgate.com>, To: <petra.sudbrack@gmail.com>, Size: 3862, Sender-Host: 61-228-24-38.dynamic-ip.hinet.net, User: tim<_at_>havilah.media, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf5ace-000022ef, Service: SMTP, From: <tim@americasgate.com>, To: <poshpetgroomer@gmail.com>, Size: 3862, Sender-Host: 61-228-24-38.dynamic-ip.hinet.net, User: tim<_at_>havilah.media, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf5ace-000022ef, Service: SMTP, From: <tim@americasgate.com>, To: <prescottmarilyn@gmail.com>, Size: 3862, Sender-Host: 61-228-24-38.dynamic-ip.hinet.net, User: tim<_at_>havilah.media, Subject: Re:
Re: Help - server getting hammered [message #144188 is a reply to message #144180] Fri, 12 October 2018 14:21
Maerad
Messages: 275
Registered: August 2013
So if I get this right - your old mail address forwards all mails to your new mail address. Right?

In this case Kerio can't detect it as spam, because it's sent in the name of your old mail account and not the server/person actually sending the spam. So you basically bypass the anti spam system.

For this to work there are two ideas coming to mind.

1. I guess it's a private system without access to the server itself as admin. In this case, set up a "pop download" account in Kerio (admin > delivery), put in your mailbox account data to the old account and let kerio dl the mailbox like outlook. This way, Kerio will see the spam with the right sender and delete it.

2. If you host the server, you could set it out as an smtp relay and the kerio server gets the mails like the spammer would send them directly.


Re: Help - server getting hammered [message #144206 is a reply to message #144188] Fri, 12 October 2018 23:28
TimothyPaul
Messages: 10
Registered: October 2013
Location: Naples, FL
Hmm - I am not so much concerned with the spam, more that someone is able to log into the server with the email alias and use my server as a spam relay. I am not getting the spam - it's going out to zillions of weird random email addresses.

TP
Re: Help - server getting hammered [message #144218 is a reply to message #144131] Mon, 15 October 2018 15:50
freakinvibe
Messages: 593
Registered: April 2004
The problem is this snippet from the log:

Quote:
User: tim<_at_>havilah.media


Someone is logging in with the user name tim<_at_>havilah.media and sends these emails. He or she is connecting from this ISP: 61-228-24-38.dynamic-ip.hinet.net

If that is not you, someone has got your password and is using it to send Spam. Change the password of the user tim<_at_>havilah.media and the Spam should stop.


Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch

[Updated on: Mon, 15 October 2018 15:51]
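
The reading of the `User:` and `Sender-Host:` fields described in the last reply can be automated over a whole mail log. The following is an added example, not part of the original thread and not Kerio tooling: it groups authenticated submissions by login and source host and flags bulk sends to external recipients from hosts the account owner does not recognise. The function name, the `trusted_hosts` and `local_domains` parameters, the threshold and the sample log lines are assumptions made for illustration, as is the premise that the `User:` field appears only on authenticated submissions.

```python
import re
from collections import defaultdict

# Field layout follows the Recv lines quoted in the thread. Assumption: the
# User field is present only when the SMTP session was authenticated.
RECV_RE = re.compile(
    r"^\[[^\]]+\] Recv: Queue-ID: (?P<qid>[^,]+), Service: [^,]+, "
    r"From: <(?P<sender>[^>]*)>, To: <(?P<rcpt>[^>]*)>, Size: \d+, "
    r"Sender-Host: (?P<host>[^,]+)(?:, User: (?P<user>[^,]+))?, Subject: ?(?P<subj>.*)$"
)

def find_suspect_logins(lines, local_domains, trusted_hosts, min_external=3):
    """Flag (user, host) pairs that send to many external recipients from an untrusted host."""
    stats = defaultdict(lambda: {"queue_ids": set(), "external": set(), "from_addrs": set()})
    for line in lines:
        m = RECV_RE.match(line.strip())
        if not m or not m.group("user"):
            continue  # not a Recv line, or an unauthenticated inbound delivery
        e = stats[(m.group("user"), m.group("host"))]
        e["queue_ids"].add(m.group("qid"))
        e["from_addrs"].add(m.group("sender").lower())
        rcpt = m.group("rcpt").lower()
        if rcpt.rpartition("@")[2] not in local_domains:
            e["external"].add(rcpt)
    findings = []
    for (user, host), e in sorted(stats.items()):
        if host not in trusted_hosts and len(e["external"]) >= min_external:
            findings.append({
                "user": user, "host": host,
                "messages": len(e["queue_ids"]),
                "external_recipients": len(e["external"]),
                "from_differs_from_login": any(a != user.lower() for a in e["from_addrs"]),
            })
    return findings

# Constructed sample lines (example domains and documentation IP ranges).
SAMPLE_LOG = """\
[11/Oct/2018 09:02:11] Recv: Queue-ID: 5bbf0001-00000a01, Service: SMTP, From: <alice@example.org>, To: <bob@example.org>, Size: 2210, Sender-Host: 192.0.2.10, User: alice@example.org, Subject: Lunch
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf0002-00000a02, Service: SMTP, From: <alice@old.example.net>, To: <r1@mail.example.com>, Size: 3862, Sender-Host: 203.0.113.77, User: alice@example.org, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf0002-00000a02, Service: SMTP, From: <alice@old.example.net>, To: <r2@mail.example.com>, Size: 3862, Sender-Host: 203.0.113.77, User: alice@example.org, Subject: Re:
[11/Oct/2018 10:14:42] Recv: Queue-ID: 5bbf0002-00000a02, Service: SMTP, From: <alice@old.example.net>, To: <r3@mail.example.com>, Size: 3862, Sender-Host: 203.0.113.77, User: alice@example.org, Subject: Re:
[11/Oct/2018 10:20:05] Recv: Queue-ID: 5bbf0003-00000a03, Service: SMTP, From: <carol@partner.example>, To: <alice@example.org>, Size: 5120, Sender-Host: 198.51.100.5, Subject: Invoice
""".splitlines()

if __name__ == "__main__":
    for finding in find_suspect_logins(SAMPLE_LOG, {"example.org"}, {"192.0.2.10"}):
        print(finding)
```

A finding for a login the owner did not make from that host points to a stolen password rather than a relay misconfiguration, which is the case the reply above addresses by changing the password.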
