Windows – My server is sending out emails with spoofed accounts


I have a Windows 2008 R2 server. I am using MailEnable Professional version 7.59.

I noticed in the MTA logs that random (non-existing) mail accounts are sending spam email. The emails are from a NULL post office, but the domain extensions are correct.

For example, the domain abc.com is configured in MailEnable as a post office, and it has only the info@abc.com user. However, in the logs I am seeing randomuser_87@abc.com, which is sending out emails using smtp-out(2).

I tried everything to trace these emails to see how they originate, but I've had no success. Since it is smtp-out(2), I am assuming they are being sent out by a script on the server. But I might be wrong.

I logged phpmail, I scanned the server for stealth programs, I tried MailEnable message trace. But I could not find anything.

Has anyone had a similar experience? Can anyone suggest a way to catch this?

Below is a report I got from /m.usgoabuse.net/. Apparently this email has given the spammer away. Can anyone tell how this email might have been generated?

Received: from [209.143.155.230] by usgo.net
(USGO MTA v5/:PGRlaWRyZS5yaXR0ZXJAcG93ZXJmaW5hbmNldGV4YXMuY29tPjxqa2lzY2hAbW5pbnRlci5uZXQ_)
with SMTP id <20141125073414002607200015> for <jkisch@mninter.net>;
Tue, 25 Nov 2014 07:34:14 -0600 (CST)
(envelope-from deidre.ritter@powerfinancetexas.com, notifiable emailhost server.powerfinancetexas.com)
Received: from localhost (localhost [127.0.0.1])
by server.powerfinancetexas.com (Postfix) with ESMTP id A556B39852EE
for <jkisch@mninter.net>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
X-Virus-Scanned: amavisd-new at powerfinancetexas.com
Received: from server.powerfinancetexas.com ([127.0.0.1])
by localhost (server.powerfinancetexas.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id g8EjglQmmqU3 for <jkisch@mninter.net>;
Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Received: from domaininmyserver.com (ns2.myserver.net [MYSERVERIP])
by server.powerfinancetexas.com (Postfix) with ESMTPSA id 2055639852D5
for <jkisch@mninter.net>; Tue, 25 Nov 2014 07:15:44 -0600 (CST)
Date: Tue, 25 Nov 2014 16:15:32 +0300
To: jkisch@mninter.net
From: WhatsApp Messaging Service <deidre.ritter@powerfinancetexas.com>
Reply-To: WhatsApp Messaging Service <deidre.ritter@powerfinancetexas.com>
Subject: 1 New Voicemail(s)
Message-ID: <92448898bcaeb02b41ce6d783c32762d@domaininmyserver.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.6 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_92448898bcaeb02b41ce6d783c32762d"
Content-Transfer-Encoding: 7bit

--b1_92448898bcaeb02b41ce6d783c32762d
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

WhatsApp





You have a new voicemail!


Details:

Time of Call: Nov-24 2014 06:19:22
Lenth of Call: 50sec




Play


*If you cannot play, move message to the "Inbox" folder.



2014 WhatsApp Inc


--b1_92448898bcaeb02b41ce6d783c32762d
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!doctype html>
<html>
<body style=3D"font-family:Arial, Tahoma, sans-serif;">
<div style=3D"width:500px; height:274px;">
<div style=3D"margin:0px; padding:0px; height:85px; background:#27262b;
line-height:75px; font-size:26px; color:#FFFFFF; padding-left:82px; font-=
weight:bold;">
WhatsApp
</div>
<div style=3D"position:ralative;top:100px;background:#34af23; height:8px;=
width:500px;"></div>
<div align=3D"center" style=3D"font-size:18px;color:#5b5f62">
<br>
<br>
You have a new voicemail!
</div>
<div style=3D"padding:20px;">
<font color=3D"#40a9d8"><b>Details:</b></font>
<div style=3D"padding:10px;">
<font color=3D"#00000">Time of Call:</font> Nov-24 2014 06:19:22<br>
<font color=3D"#00000">Lenth of Call:</font> 50sec<br>
<br>
</div>
</div>
<div style=3D"margin:0px; padding:0px; height:180px;" align=3D"center">
<a href=3D"http://phamhongson.net/config.php?w=3DgV82A2+BchVQpCFkL3Jve9P3=
0KzpgPVhGeVFNBdjU9A=3D"=20
style=3D"display:block; width:167px; height:41px; line-height:41px;=20
font-size:26px; color:#ffffff; text-align:center; font-weight:bold;
border-radius:20px; -moz-border-radius:20px; -webkit-border-radius:20px;
background:#67c332; text-decoration:none;">Play</a>
<div style=3D"height:67px; margin:0px; padding:10px;font-size:12px">
<font color=3D"#5b5f62">
*If you cannot play, move message to the "Inbox" folder.
</font>
</div>
<p style=3D"height:30px;margin:0px;padding:10px;color:#FFFFFF;
background:#393e43;font-size:12px">
2014 WhatsApp Inc
</p>
</div>
</div>
</body>
</html>



--b1_92448898bcaeb02b41ce6d783c32762d--

Best Answer

This probably isn't practical to actually do, but here's a strategy that would work:

  • Enable process tracking auditing to track processes starting / stopping to the Security Event Log.

  • Install Microsoft Network Monitor and capture traffic with a filter for destination TCP port 25.

  • Review the captures and correlate with your logs to pinpoint the anomalous email traffic.

Network Monitor will capture the process ID of the program sending the traffic. You can determine, using the Security Event Log, how the process that's sending the offending traffic is getting started.
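One way to script the correlation described above, as an added example that is not part of the original answer: it snapshots TCP connections to remote port 25, looks up each owning PID in the Security log's 4688 process-creation events, and walks to the parent process, so a mailer spawned under the web server (the question's headers carry X-Mailer: PHPMailer) stands out. It assumes Windows Server 2008 R2 with PowerShell 2.0, process-creation auditing enabled, and a MailEnable SMTP connector process named MESMTPC (an assumption; adjust it to your install); netstat snapshots stand in for the Network Monitor capture, which is a substitution, not the answer's tool.

```powershell
# Added example (not from the original answer). Assumes Windows Server 2008 R2 with
# PowerShell 2.0+, an elevated prompt, and Process Creation auditing already enabled:
#   auditpol /set /subcategory:"Process Creation" /success:enable
# Each new process is then logged to the Security log as event 4688 with its PID.
$mtaProcessNames = @('MESMTPC')         # assumed MailEnable SMTP connector process; adjust
$mailerHints     = @('php-cgi', 'php')  # "X-Mailer: PHPMailer" in the headers points at PHP

# 1. Snapshot TCP connections to remote port 25 (netstat -ano reports the owning PID).
#    This stands in for the Network Monitor capture in the answer above.
$smtpConnections = netstat -ano -p tcp | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+):25\s+(\S+)\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Local = $matches[1]; Remote = $matches[2]; State = $matches[3]; Pid = [int]$matches[4]
        }
    }
}

# 2. Load recent 4688 events once and flatten their EventData. NewProcessId is a hex
#    string such as 0x1a4; ProcessId is the PID of the creator (parent) process.
$startEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Pid = [int]$f['NewProcessId']; Image = $f['NewProcessName']
            User = $f['SubjectUserName']; CreatorPid = [int]$f['ProcessId']
        }
    }

# 3. Correlate: for every port-25 connection not owned by the MTA, take the newest 4688
#    event for that PID (PIDs are reused, and Get-WinEvent returns newest first) and the
#    event for its parent, so you can see what launched it (e.g. php-cgi.exe under w3wp.exe).
foreach ($c in $smtpConnections) {
    $proc = Get-Process -Id $c.Pid -ErrorAction SilentlyContinue
    if ($proc -and ($mtaProcessNames -contains $proc.Name)) { continue }
    $start  = $startEvents | Where-Object { $_.Pid -eq $c.Pid } | Select-Object -First 1
    $parent = $null
    if ($start) { $parent = $startEvents | Where-Object { $_.Pid -eq $start.CreatorPid } | Select-Object -First 1 }
    $flag = ''
    if ($proc -and ($mailerHints -contains $proc.Name)) { $flag = '  <-- PHP process talking SMTP directly' }
    '{0} -> {1} [{2}] PID {3}{4}' -f $c.Local, $c.Remote, $c.State, $c.Pid, $flag
    if ($start)  { '    started {0} as {1} by {2}' -f $start.Time, $start.Image, $start.User }
    if ($parent) { '    parent PID {0}: {1}' -f $parent.Pid, $parent.Image }
}
```

Run it repeatedly (or from a scheduled task) while the spam is flowing, since a short-lived mailer process only shows up in netstat for the seconds its SMTP session lasts; the 4688 events persist after it exits.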
