MBF Knowledge Base

How do I find a compromised account in SmarterMail?

The following method applies to SmarterMail 8.x - 12.x

When an account is compromised by a spammer, the spammer will try to send as much spam as possible through the server. This can cause a number of issues, including getting a domain or IP address blacklisted. Accounts can be compromised in a number of ways, the most common of which is the account using a weak, insecure password.

An indication that an account is compromised is when a domain or system administrator notices that the mail server's spool is filling up, causing both incoming and outgoing messages to be delayed. When this happens, there is a simple way to help determine the compromised domain and then the actual account being used to send the large amount of email.

Log in to SmarterMail as the system administrator.

Click on Reports.

Expand System Summary Report and then Traffic Reports, and click on Message Traffic.

This report will list all domains on the server and display the number of incoming and outgoing messages for each. The domain with the compromised account will generally be the one with the most outgoing messages.

Clicking on the domain will display its users. From here, the system administrator can narrow down the one (or more) user(s) sending the largest amount of email.

The next steps are generally up to the administrator. They can Manage the domain and change the user's password, disable the user, or delete the account entirely to stop the spammer from relaying through the server.
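As an added example (not SmarterMail code and not part of the original article), the same report-walking logic as a script: rank domains by outgoing volume, flag the outlier, then drill into that domain's users. The traffic dictionaries are constructed sample data shaped like the Message Traffic report, and the 10x-median threshold is an assumption, not a SmarterMail setting.

```python
"""Flag the domain, then the user, with anomalously high outgoing mail volume."""
from statistics import median

# Constructed sample report rows (domain -> incoming/outgoing counts).
# One domain sends far more than it receives, as a compromised account would.
DOMAIN_TRAFFIC = {
    "alpha.example": {"incoming": 1200, "outgoing": 950},
    "beta.example": {"incoming": 310, "outgoing": 280},
    "gamma.example": {"incoming": 640, "outgoing": 41800},
    "delta.example": {"incoming": 90, "outgoing": 75},
}

# Constructed per-user outgoing counts, as seen after clicking the domain.
USER_TRAFFIC = {
    "gamma.example": {
        "ceo": 120,
        "sales": 1400,
        "jdoe": 39200,
        "info": 180,
    },
}


def flag_outliers(counts, factor=10):
    """Return names whose count exceeds `factor` times the median of the rest.

    Comparing against the median of the other senders, rather than simply
    taking the maximum, avoids flagging the busiest legitimate sender: a
    compromised account usually dwarfs every other sender on the server.
    The threshold factor is an assumed value for this example.
    """
    flagged = []
    for name, value in counts.items():
        others = [v for n, v in counts.items() if n != name]
        baseline = median(others) if others else 0
        if value > factor * max(baseline, 1):
            flagged.append(name)
    # Largest sender first, so the most likely culprit is listed first.
    return sorted(flagged, key=counts.get, reverse=True)


def find_suspicious_senders(domain_traffic, user_traffic, factor=10):
    """Domains first, then the users within each flagged domain."""
    outgoing = {d: t["outgoing"] for d, t in domain_traffic.items()}
    result = {}
    for domain in flag_outliers(outgoing, factor):
        result[domain] = flag_outliers(user_traffic.get(domain, {}), factor)
    return result


if __name__ == "__main__":
    print(find_suspicious_senders(DOMAIN_TRAFFIC, USER_TRAFFIC))
```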

For more information on how to handle and prevent compromised accounts, please read our paper at the following link: Handling Compromised Accounts.