Geekzone: technology news, blogs, forums
Dynamic

#101237 27-Apr-2012 12:14

Hi Team,

We had an email from Vodafone this morning advising there was unusual email activity from our IP address. 4 senders' domain names were mentioned, 3 of which we use and one of which we've never heard of. The unexpected domain was @swissmail.net

Shortly after, I got an email from a client with a similar warning, but the only sender's domain was @swissmail.net (their own domain name was not listed - possibly because they send directly rather than via Voda's SMTP servers).

I had a quick check of their Exchange server just in case I'd set it to send out via my exchange server in the past, but this was not the case.

I gave Vodafone a quick call and let their first level support person know I felt this was unusual enough that someone should have a quick look into it, and left it at that.

Clients' antivirus and ours are up to date. Different antivirus vendors. I changed our Vodafone password.

This is just a heads-up in case others get similar messages.

Cheers
Mike




“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management.  A great Kiwi company.


Demeter

  #616013 27-Apr-2012 13:52

Hi Mike,

We monitor our SMTP server for high volume senders - in your case, the presence of an invalid sender address triggered a filter and obviously that's why the warning was sent. Are all of the recipient addresses in the warning message valid?



Dynamic

  #616027 27-Apr-2012 14:09

Hi Demeter,

The recipient email addresses all seem properly formed but are all international domains that we would never do business with.

The recipient email addresses in the warning our customer received are all international addresses similar to those in our warning. This customer does deal internationally but the addresses are very clearly not typical of their customer base.

Elisabeth, the Vodafone "Email Support Specialist", just emailed me back and suggested an email-enabled Trojan was the likely cause. For both our network and a well maintained customer network with 2 different antivirus products in place to get the same Trojan that has yet to be detected is a pretty odd event in my book.
Right now we are no closer to identifying the source. I have checked all 6 machines behind our router and all have up to date AV, and NETSTAT shows no SMTP connections on any of them.

What are the chances, Demeter, of getting the headers of an outgoing message to identify the source IP address?

Cheers
Mike






Demeter
  #616065 27-Apr-2012 14:57

PM'ed you. I'll check back on the account for further alerts. Sorry I couldn't do more. :(



networkn
  #616071 27-Apr-2012 15:05

We get these from time to time, but VF can't give us specific information, other than to say it was another ISP who complained, but no response as to who. I've already been locked out once from their SMTP server and had to be unblocked. I am as sure as I can be that it's legit activity only, but without useful information it's hopeless.

Perhaps VF could make some changes to allow more specific information to be recovered.

Dynamic

  #616147 27-Apr-2012 16:43

Thank you, Demeter, for having a look. No additional information was easily available.

The customer has a decent firewall. I've blocked outgoing port 25 for all internal addresses except for the server, and set the logging to flag any dropped port 25 packets to my attention. Will see what develops. Right at the moment I would still be surprised if there was a machine on the customer network generating emails.

On our network I'm not going to make any more moves, and see whether the issue continues.




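The egress rule Mike describes above (drop outbound port 25 from everything except the mail server, and log the drops) produces exactly the evidence needed to find a host that is relaying mail directly. Added example, not code from the thread: it parses netfilter-style LOG lines (constructed sample, hypothetical log prefix "SMTP-EGRESS-DROP", hypothetical mail server 192.168.1.10) and summarises which internal hosts are trying to reach port 25 and how many distinct destinations they hit, which is the pattern a spam-sending infection leaves.

```python
"""Summarise dropped outbound port-25 attempts from firewall logs."""
import re
from collections import Counter

# Hypothetical internal mail server that is allowed out on port 25.
MAIL_SERVER = "192.168.1.10"

# Constructed sample log lines in iptables/netfilter LOG format (not real data).
SAMPLE_LOG = """\
Apr 27 16:50:01 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 PROTO=TCP SPT=49201 DPT=25
Apr 27 16:50:03 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 PROTO=TCP SPT=49202 DPT=25
Apr 27 16:50:05 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=25
Apr 27 16:50:07 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.77 PROTO=TCP SPT=49203 DPT=25
Apr 27 16:50:09 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=192.0.2.80 PROTO=TCP SPT=40001 DPT=587
"""

# Matches the hypothetical log prefix and pulls out source, destination and port.
LINE_RE = re.compile(r"SMTP-EGRESS-DROP .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_drops(log_text):
    """Yield (src, dst) for every dropped packet destined for TCP port 25."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "25":
            yield m.group(1), m.group(2)


def suspicious_senders(log_text, mail_server=MAIL_SERVER):
    """Count port-25 drops per internal source, excluding the mail server.

    Returns {source IP: (attempt count, number of distinct destinations)}.
    Many distinct destinations from one workstation is the spam-bot signature;
    a drop from the mail server itself would instead indicate a rule gap.
    """
    attempts = Counter()
    dests = {}
    for src, dst in parse_drops(log_text):
        if src == mail_server:
            continue
        attempts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return {src: (n, len(dests[src])) for src, n in attempts.items()}


if __name__ == "__main__":
    for src, (n, d) in sorted(suspicious_senders(SAMPLE_LOG).items()):
        print(f"{src}: {n} dropped SMTP attempts to {d} distinct hosts")
```

On a real firewall the same parser can be pointed at the syslog output of the LOG rule; the 587 line in the sample shows that submission-port traffic is deliberately not counted.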


mattwnz
  #616157 27-Apr-2012 16:52

This must be a difficult and costly situation for the ISP to handle, in terms of staff time. You do hear of this sort of thing happening with websites or web servers that get a trojan from an unsecured script such as Joomla, where the hacker will upload a script, and then send out spam through that server. So anything is possible, and just because an antivirus package didn't pick it up, doesn't mean that there isn't a trojan, it just depends where it is located.

hio77
  #616382 28-Apr-2012 02:16

Just keep working through the tests etc. We had the same issue a while back; using proxies, blocking ports etc. I was able to be sure it wasn't actually coming from our IP... but the system reported it did.

Really can be painful, especially when you get told everything is fine.. connection drops randomly and you're forced onto an IP with SMTP blacklisting on.

After about 2-3 weeks of us dealing with this, Vodafone told us it had dropped under the levels of possible spam reports and that was the end of it. Haven't heard of the issue again :L


Have to say it does help once your issue is being dealt with by one of the upper team members; they tend to keep track of your case and when you talk to them it's not like speaking to a CSR (gotta love having to start from the start again...)


-hio77




#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

