Several symptoms can indicate that a mail server has been compromised:
- The Kerio Connect server is slow.
- Users get bounced back emails they did not send.
- The Kerio Connect's server IP address (external IP) is getting blacklisted.
- The message queue is unusually large and consists of messages addressed to recipients that users in the domain do not normally write to, for example at Yahoo, AOL, Hotmail and similar providers.
A combination of these symptoms suggests that a user's password has been guessed, or that a user's machine is infected with a virus or Trojan that is mass-mailing spam. This article covers the steps to determine whether the server has been compromised.
Step by Step Guide
Kerio Connect can display who submitted each queued message and from which IP address it originated.
- In the administration interface, go to Status > Message Queue.
- Right-click any column header.
- Click Columns.
- Check Authenticated Sender and Sender IP.
- The Authenticated Sender column shows which account logged in to submit the message. One account behind many unrelated messages indicates that its password may have been compromised.
- The Sender IP column shows whether the message was submitted from the internal network (which points to a virus or Trojan on a local user machine) or from an external address (which points to a guessed password being used from the Internet). For example:
This message queue shows:
- The From address is continually changing.
- The Authenticated Sender is always jack@localhost, which indicates that Jack's password has probably been compromised or guessed.
- If you see this behavior:
- Change the user's password. As a precaution, change the passwords of all users.
- Run a virus/malware scan on every machine the user has used. This detects an infected host and stops the spam being sent through your server. For additional information, refer to Protecting Against Password Guessing Attacks.
For information about creating strong passwords, refer to Creating user accounts in Kerio Connect and to Requiring Complex Passwords for Local Users.
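The triage described in the steps above, as an added example that is not part of this article or of Kerio Connect: it reads a constructed listing of the message queue with the From, Authenticated Sender and Sender IP columns, flags any authenticated account whose From address keeps changing, and uses the sender IPs to tell an infected LAN machine from a guessed password used over the Internet. The sample rows, the threshold of three distinct From addresses and the use of the RFC 1918 ranges plus loopback to mean "internal" are this example's assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a message-queue listing (not real data). The columns
# are the ones enabled under Status > Message Queue: From, Authenticated
# Sender and Sender IP. An empty Authenticated Sender means the message was
# not submitted by a logged-in user (for example, locally generated mail).
QUEUE_ROWS = """\
From,Authenticated Sender,Sender IP
alice@example.com,alice@example.com,192.168.1.20
cheapmeds@promo-mail.test,jack@localhost,203.0.113.45
bonus-winner@lottery.test,jack@localhost,203.0.113.45
support@bank-alert.test,jack@localhost,198.51.100.7
bob@example.com,bob@example.com,192.168.1.31
deal@outlet-offers.test,jack@localhost,203.0.113.45
bob@example.com,bob@example.com,192.168.1.31
postmaster@example.com,,127.0.0.1
"""

# Assumed threshold: this many distinct From addresses behind one login is
# the "From address is continually changing" pattern. Tune it for the site.
MIN_DISTINCT_FROM = 3

# Assumption: "internal" means the RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_queue(csv_text):
    """Turn the listed rows into dicts keyed by column name."""
    lines = [line for line in csv_text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def classify_ip(ip_text):
    """Internal source -> suspect malware on a LAN host;
    external source -> suspect a guessed password used from the Internet."""
    ip = ipaddress.ip_address(ip_text)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def find_suspicious_senders(rows, min_distinct_from=MIN_DISTINCT_FROM):
    """Group queued messages by Authenticated Sender and flag accounts whose
    From address keeps changing; the sender IPs decide the likely cause."""
    froms, ips = defaultdict(set), defaultdict(set)
    for row in rows:
        auth = row["Authenticated Sender"]
        if not auth:            # unauthenticated submissions are not a login problem
            continue
        froms[auth].add(row["From"])
        ips[auth].add(row["Sender IP"])

    report = {}
    for auth, addrs in froms.items():
        if len(addrs) < min_distinct_from:
            continue
        origins = {classify_ip(ip) for ip in ips[auth]}
        if origins == {"internal"}:
            verdict = "likely malware on a LAN machine: scan the user's computers"
        elif origins == {"external"}:
            verdict = "likely guessed password: change it now"
        else:
            verdict = "mixed origins: change the password and scan the machines"
        report[auth] = {"distinct_from": len(addrs),
                        "source_ips": sorted(ips[auth]),
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for account, finding in find_suspicious_senders(parse_queue(QUEUE_ROWS)).items():
        print(f"{account}: {finding['distinct_from']} From addresses from "
              f"{', '.join(finding['source_ips'])} -> {finding['verdict']}")
```

Run against the sample, the only flagged account is jack@localhost: four different From addresses, all submitted from external addresses, so the verdict is a guessed password rather than an infected workstation. Legitimate users such as bob@example.com, who send several messages under their own address, are not reported.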
Various sender and IP reputation services help to identify blacklisting. The most common are:
Check all of these services to determine how often, and exactly when, the address has been listed. Of these, only the CBL (Composite Blocking List) reports the timestamp and the reason for a listing.
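As an added example that is not part of this article, the following Python performs the DNS-based lookup those blacklist services expose: it reverses the octets of the server's public IPv4 address under the zone name, and reads a 127.0.0.x answer as a listing and NXDOMAIN as "not listed". The zones queried are this example's own choice, not the article's list of services (the CBL's data is carried in Spamhaus ZEN through the XBL); the live lookup needs network access, and the meaning of the last octet of an answer is each zone operator's convention.

```python
import ipaddress
import socket

# Zones to query; this example's own choice, not the article's list.
# ZEN includes the XBL, which carries the CBL's listings.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Assumption: the address being checked is the server's public IPv4 address;
# RFC 1918 and loopback addresses are never listed and would be a mistake to query.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_public_ipv4(ip_text):
    """True for a routable IPv4 address that a DNSBL could list."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in PRIVATE_NETS)


def dnsbl_query_name(ip_text, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the zone name:
    203.0.113.45 in zen.spamhaus.org -> 45.113.0.203.zen.spamhaus.org"""
    if not is_public_ipv4(ip_text):
        raise ValueError(f"{ip_text} is not a public IPv4 address; use the server's external IP")
    octets = str(ipaddress.ip_address(ip_text)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listing_answer(answer):
    """A listing is signalled by an A record in 127.0.0.0/8; no answer (None)
    means not listed. Spamhaus answers in 127.255.255.0/24 to report query
    errors (for example, queries sent through a public resolver), not listings."""
    if answer is None:
        return False
    ip = ipaddress.ip_address(answer)
    return (ip in ipaddress.ip_network("127.0.0.0/8")
            and ip not in ipaddress.ip_network("127.255.255.0/24"))


def dnsbl_lookup(ip_text, zones=DNSBL_ZONES):
    """Query each zone; returns {zone: (listed, raw_answer)}. Needs network access.
    The last octet of a listing answer is zone-specific; the reason and
    timestamp the CBL provides are read from its lookup page, not from DNS."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip_text, zone)
        try:
            answer = socket.gethostbyname(name)
        except socket.gaierror:        # NXDOMAIN: not listed in this zone
            answer = None
        results[zone] = (is_listing_answer(answer), answer)
    return results


if __name__ == "__main__":
    import sys
    # Constructed default address; pass the server's external IP as the argument.
    server_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.45"
    for zone, (listed, raw) in dnsbl_lookup(server_ip).items():
        print(f"{zone}: {'LISTED' if listed else 'not listed'} ({raw})")
```

Run it from a host whose resolver is not a shared public one, because Spamhaus refuses queries from such resolvers and the refusal would otherwise be mistaken for a listing; the 127.255.255.0/24 check in is_listing_answer guards against exactly that.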
If the message queue shows none of the patterns above, the spam is most likely not originating from Kerio Connect at all: the listing was earned by another host that shares, or previously used, the same public IP address. In that case the practical fix is to have the public IP address changed so that the mail server is no longer associated with the malicious sender. Whoever is abusing the old address will probably keep using it to send spam, but the listing will no longer be linked to your mail server.
Request a new public IP address from your Internet service provider, then update the DNS A record for the mail server hostname (and the MX record, if it points directly at the address) so that it resolves to the new address, and ask the provider to set a matching PTR (reverse DNS) record for it.
Set up an SPF (Sender Policy Framework) record for the domain that lists the new IP address as an authorized sender. Any receiving server that checks SPF (or the older Caller ID / Sender ID scheme), including Kerio Connect itself for incoming mail, can then reject messages that spoof your domain. SPF only helps where the receiving side performs the lookup, and it does not stop spam sent through a compromised account on your own server.
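After the address change, the SPF record is the thing most often left pointing at the old IP. The following added example (not from this article or from Kerio) parses an SPF TXT record and checks whether its ip4:/ip6: mechanisms authorize the new address and whether the record ends in a failing "all"; mechanisms that need DNS to evaluate (a, mx, include and so on) are reported rather than resolved, since an mx mechanism would also cover the new address once the MX host resolves to it. The two addresses and both records are constructed.

```python
import ipaddress

# Constructed addresses: the blacklisted address being retired and its replacement.
OLD_IP = "203.0.113.45"
NEW_IP = "198.51.100.7"
SPF_BEFORE = "v=spf1 ip4:203.0.113.45 mx -all"   # still names the old address
SPF_AFTER = "v=spf1 ip4:198.51.100.7 mx -all"    # updated for the new address

# Mechanisms whose result depends on DNS lookups; this check does not resolve them.
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr")


def parse_spf(record):
    """Split a TXT record into (qualifier, term) pairs; None if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def check_spf_for_ip(record, ip_text):
    """Report whether the record's ip4:/ip6: mechanisms authorize ip_text and how
    it treats everyone else. Returns a dict with:
      covered   - True if a pass-qualified ip4/ip6 mechanism matches the address
      all       - qualifier of the 'all' mechanism ('-' hard fail, '~' soft fail, ...)
      needs_dns - mechanisms/modifiers that can only be evaluated with DNS
      findings  - human-readable problems to fix"""
    terms = parse_spf(record)
    if terms is None:
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(ip_text)
    result = {"covered": False, "all": None, "needs_dns": [], "findings": []}
    for qualifier, term in terms:
        name, _, arg = term.partition(":")
        lname = name.lower()
        if lname in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address -> /32 or /128
            if ip.version == net.version and ip in net and qualifier == "+":
                result["covered"] = True
        elif lname == "all":
            result["all"] = qualifier
        elif lname.split("/")[0] in DNS_MECHANISMS or "=" in lname:
            result["needs_dns"].append(term)   # a, mx, include, ..., redirect=, exp=
    if not result["covered"]:
        result["findings"].append(f"{ip_text} is not authorized by any ip4/ip6 mechanism")
    if result["all"] not in ("-", "~"):
        result["findings"].append("record does not fail unauthorized senders (missing -all or ~all)")
    return result


if __name__ == "__main__":
    for label, record in (("before", SPF_BEFORE), ("after", SPF_AFTER)):
        res = check_spf_for_ip(record, NEW_IP)
        print(f"{label}: covered={res['covered']} all={res['all']} "
              f"needs_dns={res['needs_dns']} findings={res['findings']}")
```

Checked against the new address, the old record reports that 198.51.100.7 is not authorized by any ip4 mechanism (only "mx" remains to be evaluated through DNS), while the updated record passes; a record ending in "+all" or with no "all" at all is flagged, because it authorizes everyone and gives receivers no reason to reject spoofed mail.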
You can confirm that the problem is resolved when:
- The Message Queue no longer shows queued messages in which the From address keeps changing while the Authenticated Sender stays the same.
- The mail server is no longer being blacklisted.