100 non-existant E-Mails have just been sent by [useraccount]

hmniels (Verified User, joined Oct 26, 2019, 17 messages)
Hello Directadmin forum,

Today I got a bit of a strange message from one server:
"100 non-existant E-Mails have just been sent by [useraccount]".

The user account has no email accounts, just plain HTML as a landing page.
The phpmail.log file is empty. There are no email forwarders.
The (user) log shows me the following:
Nov 9 00:10 [email protected] useraccount ip-address 6.02 KB [email protected] 1kbskt-0001TT-DM
Nov 9 00:10 noreply@ foreigndomain.com useraccount ip-address 6.02 KB [email protected] retry 1kbskt-0001TT-DM
++


The general mail log shows me:
pa A=login:useraccount S=595 T="test smtp useraccount.be-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:32 1kbpOa-00088i-7g <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=596 T="test smtp useraccount.biz-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:33 1kbpOa-00088l-SB <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=596 T="test smtp useraccount.com-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:33 1kbpOb-00088o-IL <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=595 T="test smtp useraccount.eu-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:34 1kbpOc-00088s-5E <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=597 T="test smtp useraccount.info-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:34 1kbpOc-00088x-P1 <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=596 T="test smtp useraccount.net-useraccount-useraccount123" from <[email protected]> for [email protected]
2020-11-08 19:26:35 1kbpOd-000890-CB <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=596 T="test smtp useraccount.org-useraccount-useraccount123" from <[email protected]> for [email protected]

Now my big question is, since there is no email account in place: how did they manage to get the email through the email authentication without having the right credentials? And/or how can I prevent this?

Thanks, Niels
 
2020-11-08 19:26:32 1kbpOa-00088i-7g <= [email protected] H=(WIN-HJ7HS4240QQ) [ip-address] P=esmtpa A=login:useraccount S=596 T="test smtp useraccount.biz-useraccount-useraccount123" from <[email protected]> for [email protected]
The system user can also send mail using SMTP login, and this seems to indicate that's what has happened here. The A=login:useraccount tells you that useraccount has authenticated against the system, so this password is known to the attacker. Change the password for the account, and the system should be secure.

As for the wording in the alerts, I don't know why they are classified as "non-existant".
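A small detector for the pattern kristian points at (an A=login:<user> authenticated submission on an Exim "<=" line from an account that owns no mailbox, or a burst of such submissions), as an added example that is not from the thread or from DirectAdmin; the parser, the threshold, the assumed Exim line layout and the sample log lines are my own constructions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim "<=" (message accepted) line in the shape shown in the thread; A= carries authenticator:login.
EXIM_RECEIVED = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) '
    r'\[(?P<ip>[^\]]+)\] P=(?P<proto>\S+) (?:A=(?P<auth>\S+) )?S=(?P<size>\d+) '
    r'T="(?P<subject>[^"]*)" from <[^>]*> for (?P<rcpt>\S+)$')

def parse_exim_line(line):
    """Parse one accepted-message line; None for any other Exim event."""
    m = EXIM_RECEIVED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S')
    # A=login:useraccount -> mechanism "login", authenticated identity "useraccount"
    rec['auth_login'] = rec['auth'].split(':', 1)[1] if rec['auth'] and ':' in rec['auth'] else None
    return rec

def find_abused_logins(lines, logins_with_mailboxes, max_per_minute=5):
    """Flag SMTP-AUTH identities with no mailbox (the thread's case) or bursting over max_per_minute/60s."""
    by_login = defaultdict(list)
    for rec in filter(None, map(parse_exim_line, lines)):
        if rec['auth_login']:
            by_login[rec['auth_login']].append(rec)
    reports = {}
    for login, recs in by_login.items():
        recs.sort(key=lambda r: r['ts'])
        burst = max(sum(1 for r in recs if 0 <= (r['ts'] - s['ts']).total_seconds() < 60)
                    for s in recs)
        reasons = []
        if login not in logins_with_mailboxes:
            reasons.append('authenticated as system user with no mailbox')
        if burst > max_per_minute:
            reasons.append(f'{burst} messages within 60s')
        if reasons:
            reports[login] = {'count': len(recs), 'reasons': reasons, 'helos': sorted({r['helo'] for r in recs}),
                              'ips': sorted({r['ip'] for r in recs}), 'recipients': sorted({r['rcpt'] for r in recs})}
    return reports

# Constructed sample in the thread's format (placeholder addresses, documentation-range IPs).
SAMPLE_LOG = [
    '2020-11-08 19:26:32 1kbpOa-00088i-7g <= useraccount@example.com H=(WIN-HJ7HS4240QQ) [198.51.100.7] P=esmtpa A=login:useraccount S=596 T="test smtp example.biz-useraccount-useraccount123" from <useraccount@example.com> for target@example.net',
    '2020-11-08 19:26:33 1kbpOa-00088l-SB <= useraccount@example.com H=(WIN-HJ7HS4240QQ) [198.51.100.7] P=esmtpa A=login:useraccount S=596 T="test smtp example.com-useraccount-useraccount123" from <useraccount@example.com> for target@example.net',
    '2020-11-08 19:26:34 1kbpOc-00088s-5E <= useraccount@example.com H=(WIN-HJ7HS4240QQ) [198.51.100.7] P=esmtpa A=login:useraccount S=597 T="test smtp example.info-useraccount-useraccount123" from <useraccount@example.com> for other@example.net',
    '2020-11-08 19:30:10 1kbpRc-00089a-Q1 <= alice@example.org H=(laptop) [203.0.113.5] P=esmtpa A=login:alice@example.org S=1200 T="Invoice" from <alice@example.org> for bob@example.net',
]
```

Feed it the relevant part of Exim's mainlog and the set of logins that actually own mailboxes; a DirectAdmin system user appearing in A= with no mailbox is exactly the case in this thread.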
 
@kristian Thanks a lot for the quick reply.
I was really banging my head on this one.
The strange thing is, this is an old account, +/- 8 years old; nobody has access to it, nobody has the right credentials to log in.
So how did they manage to get the right password for the account? If they did that by brute-forcing, that would show up in the log files.
Strange.
Password changed, lesson learned! Thanks again @kristian
 