Finding a Compromised Email Account

A few months ago we put up a post about some steps you can take to avoid having your mail server blacklisted on various RBLs and other anti-spam lists. This is a great preventative measure, but it doesn't mean an email account can't get compromised. So, what do you do if you DO have a compromised account on your mail server? In addition, how can you find which account was the one compromised?

Before we look at how to find a compromised account, let's look at some signs that point to possibly having an account that's being used for spamming. These indications include:

  • Having email deliveries rejected to popular mail services like GMail, Yahoo! or Live.com
  • Having email deliveries rejected from other ISPs and/or hosting providers
  • Seeing a lot of email filling up your spool
  • And, of course, having customers call in complaining of delivery delays
Thankfully, SmarterMail makes it very easy to find an email account that is potentially compromised. All you need to do is check your Message Traffic report. To do this:
  1. Log in to SmarterMail as the system administrator
  2. Go to the Reports area
  3. Expand System Summary Reports, then Traffic Reports
  4. Click on Message Traffic
    1. This report lists all domains on the mail server, and also displays the total incoming and outgoing messages for those domains. The domain with the compromised account will more than likely be the one with the most outgoing messages.
  5. Click on the domain you suspect to have the compromised account to display all of the users of that domain. Again, the one that is compromised is more than likely the one with the most messages sent.
  6. Click on the user to take a look at their message traffic from the past week. Generally, you'll see a large increase in outgoing messages that will probably coincide with when the account was hacked.
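The same three-step narrowing (busiest domain, then its busiest user, then the day that user's outgoing volume jumped) can be scripted against exported traffic counts. The following is an added example, not SmarterMail's own code or report logic; it runs on a constructed sample of per-day, per-user outgoing counts and uses a made-up "five times the earlier average" threshold to mark the day the spike began.

```python
from collections import Counter
from datetime import date

# Constructed sample shaped like the Message Traffic report: one row per
# (day, domain, user, outgoing messages). Numbers are made up for illustration.
TRAFFIC = [
    (date(2013, 5, 1), "example.com", "alice", 12),
    (date(2013, 5, 1), "example.com", "bob", 8),
    (date(2013, 5, 1), "example.org", "carol", 15),
    (date(2013, 5, 2), "example.com", "alice", 10),
    (date(2013, 5, 2), "example.com", "bob", 9),
    (date(2013, 5, 2), "example.org", "carol", 14),
    (date(2013, 5, 3), "example.com", "alice", 11),
    (date(2013, 5, 3), "example.com", "bob", 2400),  # compromise begins
    (date(2013, 5, 3), "example.org", "carol", 16),
    (date(2013, 5, 4), "example.com", "bob", 5100),
]

def busiest(rows, key):
    """Return the key (domain or user) with the most outgoing messages."""
    totals = Counter()
    for row in rows:
        totals[key(row)] += row[3]
    return totals.most_common(1)[0][0]

def spike_day(rows, factor=5):
    """First day whose count exceeds `factor` times the average of all
    earlier days for this user; None if outgoing mail never jumps."""
    seen = []
    for day, _, _, sent in sorted(rows):
        if seen and sent > factor * sum(seen) / len(seen):
            return day
        seen.append(sent)
    return None

def find_suspect(rows, factor=5):
    """Steps 4-6 of the report walk-through: busiest domain, then its
    busiest user, then the day that user's outgoing volume jumped."""
    domain = busiest(rows, key=lambda r: r[1])
    in_domain = [r for r in rows if r[1] == domain]
    user = busiest(in_domain, key=lambda r: r[2])
    user_rows = [r for r in in_domain if r[2] == user]
    return domain, user, spike_day(user_rows, factor)

if __name__ == "__main__":
    print(find_suspect(TRAFFIC))  # ('example.com', 'bob', datetime.date(2013, 5, 3))
```

The threshold factor is a starting point only; a user with legitimately bursty mail (newsletters, a help desk) needs a higher one, which is why the report's per-user weekly view is still worth eyeballing before you disable anything.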
So, now that you found the account, what recourse do you have?

First and foremost, you should disable the account. You can do this one of two ways:

  • Simply change the user's password, or
  • Actually disable their account. When disabling the account, you can elect to disable outgoing mail while allowing the user to continue to receive incoming mail, or disable the account completely. Disabling doesn't delete the account; it simply keeps it from being able to send, and possibly receive, email.

Once the account is disabled, your spool should start clearing up. If you haven't verified whether the domain, or possibly the mail server as a whole, was blacklisted, you will want to do that now. A simple check over at http://www.mxtoolbox.com will help determine which, if any, blacklists you're on. From there, you will want to contact each one, using whatever contact method they prefer, to let them know both what you've done to stop this spammer and what you've done to protect your mail server from future issues. That's where our previous blog post, 5 Ways to Avoid Being Blacklisted, will come in handy.

As you can see, it's pretty easy to find a potentially hacked account within SmarterMail. The hope is you won't ever need to find one, but, if you do, we try to make it as simple as possible. Go ahead and bookmark this post, or, if you'd rather, we've condensed some of this information down into a knowledge base article, also entitled Finding a Compromised Account. Thanks for reading!