
From: Tom
Date: 8/27/18 7:17 AM
Topic: Somehow Xeams is compromised
Type: General Discussions

Today Xeams was stopped; it had to process 20K e-mails from a single IP from Spain (77 IP address, see screenshots). Those mails are not pointed to e-mail addresses in my Exchange "Accepted Domains" policy. Somehow Xeams has 'forwarded' those 20K e-mails to the Exchange server. The Exchange server (I'm unsure why) starts trying to send the 20K mails to the internet. A smart host SMTP connector from my provider intercepted and stopped the spam spreading.

[Screenshot: Exchange Spam]

My question: why did those 20K messages go through Xeams to the Exchange server? Most of the time Xeams stops and filters/labels spam perfectly. Where can I look?

Best Regards, Tom

Below is a conversation from logs/SMTPOuboundConversation.log, from Xeams to Exchange:

2018-08-27 12:54:41,640 - [ 102341] C --> 250-AUTH
2018-08-27 12:54:41,640 - [ 102341] C --> 250-8BITMIME
2018-08-27 12:54:41,640 - [ 102341] C --> 250-BINARYMIME
2018-08-27 12:54:41,640 - [ 102341] C --> 250 CHUNKING
2018-08-27 12:54:41,640 - [ 102341] S 220 W12-Exchange.odb.local Microsoft ESMTP MAIL Service ready at Mon, 27 Aug 2018 12:56:18 +0200
2018-08-27 12:54:41,641 - [ 102340] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:41,642 - [ 102335] C --> 220 2.0.0 SMTP server ready
2018-08-27 12:54:41,642 - [ 102341] C --> 220 2.0.0 SMTP server ready
2018-08-27 12:54:41,642 - [ 102335] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:41,643 - [ 102340] S 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,647 - [ 102342] C --> 250-SIZE 36700160
2018-08-27 12:54:41,647 - [ 102342] C --> 250-PIPELINING
2018-08-27 12:54:41,647 - [ 102342] C --> 250-DSN
2018-08-27 12:54:41,647 - [ 102342] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,647 - [ 102342] C --> 250-STARTTLS
2018-08-27 12:54:41,647 - [ 102342] C --> 250-AUTH
2018-08-27 12:54:41,647 - [ 102342] C --> 250-8BITMIME
2018-08-27 12:54:41,647 - [ 102342] C --> 250-BINARYMIME
2018-08-27 12:54:41,647 - [ 102342] C --> 250 CHUNKING
2018-08-27 12:54:41,647 - [ 102342] S 220 2.0.0 SMTP server ready
2018-08-27 12:54:41,649 - [ 102342] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:41,650 - [ 102342] S 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,951 - [ 102339] C --> 250-SIZE 36700160
2018-08-27 12:54:41,951 - [ 102339] C --> 250-PIPELINING
2018-08-27 12:54:41,951 - [ 102339] C --> 250-DSN
2018-08-27 12:54:41,951 - [ 102339] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,951 - [ 102339] C --> 250-AUTH
2018-08-27 12:54:41,951 - [ 102339] C --> 250-8BITMIME
2018-08-27 12:54:41,951 - [ 102339] C --> 250-BINARYMIME
2018-08-27 12:54:41,951 - [ 102339] C --> 250 CHUNKING
2018-08-27 12:54:41,951 - [ 102339] S
2018-08-27 12:54:41,951 - [ 102334] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,951 - [ 102334] C --> 250-SIZE 36700160
2018-08-27 12:54:41,951 - [ 102334] C --> 250-PIPELINING
2018-08-27 12:54:41,951 - [ 102342] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,951 - [ 102342] C --> 250-SIZE 36700160
2018-08-27 12:54:41,951 - [ 102334] C --> 250-DSN
2018-08-27 12:54:41,951 - [ 102334] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,951 - [ 102334] C --> 250-AUTH
2018-08-27 12:54:41,951 - [ 102334] C --> 250-8BITMIME
2018-08-27 12:54:41,951 - [ 102341] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,951 - [ 102341] C --> 250-SIZE 36700160
2018-08-27 12:54:41,951 - [ 102341] C --> 250-PIPELINING
2018-08-27 12:54:41,951 - [ 102341] C --> 250-DSN
2018-08-27 12:54:41,951 - [ 102341] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,951 - [ 102341] C --> 250-AUTH
2018-08-27 12:54:41,951 - [ 102341] C --> 250-8BITMIME
2018-08-27 12:54:41,951 - [ 102341] C --> 250-BINARYMIME
2018-08-27 12:54:41,951 - [ 102341] C --> 250 CHUNKING
2018-08-27 12:54:41,951 - [ 102341] S
2018-08-27 12:54:41,951 - [ 102337] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,951 - [ 102337] C --> 250-SIZE 36700160
2018-08-27 12:54:41,951 - [ 102337] C --> 250-PIPELINING
2018-08-27 12:54:41,951 - [ 102337] C --> 250-DSN
2018-08-27 12:54:41,951 - [ 102337] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,951 - [ 102337] C --> 250-AUTH
2018-08-27 12:54:41,951 - [ 102337] C --> 250-8BITMIME
2018-08-27 12:54:41,952 - [ 102337] C --> 250-BINARYMIME
2018-08-27 12:54:41,952 - [ 102337] C --> 250 CHUNKING
2018-08-27 12:54:41,952 - [ 102337] S
2018-08-27 12:54:41,952 - [ 102336] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,952 - [ 102336] C --> 250-SIZE 36700160
2018-08-27 12:54:41,952 - [ 102336] C --> 250-PIPELINING
2018-08-27 12:54:41,952 - [ 102336] C --> 250-DSN
2018-08-27 12:54:41,952 - [ 102336] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,952 - [ 102336] C --> 250-AUTH
2018-08-27 12:54:41,952 - [ 102336] C --> 250-8BITMIME
2018-08-27 12:54:41,952 - [ 102336] C --> 250-BINARYMIME
2018-08-27 12:54:41,952 - [ 102336] C --> 250 CHUNKING
2018-08-27 12:54:41,952 - [ 102336] S
2018-08-27 12:54:41,951 - [ 102342] C --> 250-PIPELINING
2018-08-27 12:54:41,952 - [ 102342] C --> 250-DSN
2018-08-27 12:54:41,952 - [ 102342] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,952 - [ 102342] C --> 250-AUTH
2018-08-27 12:54:41,952 - [ 102342] C --> 250-8BITMIME
2018-08-27 12:54:41,952 - [ 102342] C --> 250-BINARYMIME
2018-08-27 12:54:41,952 - [ 102342] C --> 250 CHUNKING
2018-08-27 12:54:41,952 - [ 102342] S
2018-08-27 12:54:41,952 - [ 102339] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,952 - [ 102339] S
2018-08-27 12:54:41,952 - [ 102338] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:41,952 - [ 102338] C --> 250-SIZE 36700160
2018-08-27 12:54:41,952 - [ 102338] C --> 250-PIPELINING
2018-08-27 12:54:41,952 - [ 102338] C --> 250-DSN
2018-08-27 12:54:41,952 - [ 102338] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:41,952 - [ 102338] C --> 250-AUTH
2018-08-27 12:54:41,952 - [ 102338] C --> 250-8BITMIME
2018-08-27 12:54:41,952 - [ 102338] C --> 250-BINARYMIME
2018-08-27 12:54:41,952 - [ 102338] C --> 250 CHUNKING
2018-08-27 12:54:41,952 - [ 102338] S
2018-08-27 12:54:41,952 - [ 102341] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,952 - [ 102341] S
2018-08-27 12:54:41,953 - [ 102337] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,953 - [ 102337] S
2018-08-27 12:54:41,953 - [ 102336] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,951 - [ 102334] C --> 250-BINARYMIME
2018-08-27 12:54:41,953 - [ 102336] S
2018-08-27 12:54:41,953 - [ 102342] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,953 - [ 102342] S
2018-08-27 12:54:41,953 - [ 102334] C --> 250 CHUNKING
2018-08-27 12:54:41,953 - [ 102334] S
2018-08-27 12:54:41,953 - [ 102338] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:41,953 - [ 102338] S
2018-08-27 12:54:41,953 - [ 102336] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,954 - [ 102336] S 250 2.1.5 Recipient OK
2018-08-27 12:54:41,954 - [ 102337] S 250 2.1.0 Sender OK
2018-08-27 12:54:41,954 - [ 102334] S
2018-08-27 12:54:41,954 - [ 102337] C --> 354 Start mail input; end with .
2018-08-27 12:54:41,954 - [ 102334] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,954 - [ 102334] S 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102341] S 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102342] S 354 Start mail input; end with .
2018-08-27 12:54:41,955 - [ 102339] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102339] S 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102338] S 354 Start mail input; end with .
2018-08-27 12:54:41,957 - [ 102342] C --> 354 Start mail input; end with .
2018-08-27 12:54:41,958 - [ 102339] C --> 354 Start mail input; end with .
2018-08-27 12:54:41,958 - [ 102338] C --> 354 Start mail input; end with .
2018-08-27 12:54:41,987 - [ 102341] C --> 354 Start mail input; end with .
2018-08-27 12:54:42,025 - [ 102340] C --> 250-W12-Exchange.odb.local Hello [192.168.5.145]
2018-08-27 12:54:42,025 - [ 102340] C --> 250-SIZE 36700160
2018-08-27 12:54:42,025 - [ 102340] C --> 250-PIPELINING
2018-08-27 12:54:42,025 - [ 102340] C --> 250-DSN
2018-08-27 12:54:42,025 - [ 102340] C --> 250-ENHANCEDSTATUSCODES
2018-08-27 12:54:42,026 - [ 102340] C --> 250-AUTH
2018-08-27 12:54:42,026 - [ 102340] C --> 250-8BITMIME
2018-08-27 12:54:42,026 - [ 102340] C --> 250-BINARYMIME
2018-08-27 12:54:42,026 - [ 102340] C --> 250 CHUNKING
2018-08-27 12:54:42,026 - [ 102340] S
2018-08-27 12:54:42,026 - [ 102340] C --> 250 2.1.0 Sender OK
2018-08-27 12:54:42,027 - [ 102340] S
2018-08-27 12:54:42,027 - [ 102340] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:42,027 - [ 102340] S


From: Tom
Date: 8/27/18 7:19 AM
Topic: Somehow Xeams is compromised
Type: General Discussions

Unable to add a URL with some pictures from Xeams; I use the "insert edit Link" button :(


From: Synametrics Support
Date: 8/28/18 7:20 AM
Topic: Somehow Xeams is compromised
Type: General Discussions

Tom,

Try just copy/pasting the image in your browser rather than inserting a link to display the image.

I have a feeling your Xeams is configured as an open relay. Run Diagnostic Check - Inbound under Tools to confirm Open Relay does not fail. If you're using the SMTP Proxy server, you have to configure Exchange NOT to accept relay from the machine where Xeams is running.
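One place to look, besides the open-relay diagnostic, is the outbound conversation log Tom quotes: grouping its lines by session id shows how many messages Exchange actually accepted from Xeams and how many connections were opened per second, which is what a relay burst looks like from the gateway's side. The following is an added example, not Xeams code or anything from Synametrics; the sample lines are constructed in the quoted format, and it assumes that counting only the "C --> " replies avoids double-counting where the log repeats a reply on the "S" side.

```python
import re
from collections import defaultdict

# Constructed sample in the line format of the Xeams outbound conversation log quoted above;
# session ids, timestamps and the final refusal are made up for this example.
SAMPLE_LOG = """\
2018-08-27 12:54:41,641 - [ 102340] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:41,649 - [ 102342] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:41,954 - [ 102340] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,954 - [ 102340] S 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102342] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,955 - [ 102342] C --> 250 2.1.5 Recipient OK
2018-08-27 12:54:41,957 - [ 102342] C --> 354 Start mail input; end with .
2018-08-27 12:54:41,958 - [ 102340] C --> 354 Start mail input; end with .
2018-08-27 12:54:42,120 - [ 102343] ************ New (secure) connection to: 192.168.5.13
2018-08-27 12:54:42,300 - [ 102343] C --> 550 5.7.1 Unable to relay
"""

# timestamp to the second, session id in brackets, then the logged text
LINE_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d),\d+ - \[\s*(?P<sid>\d+)\]\s*(?P<text>.*)$")

def parse_log(text):
    """Yield (timestamp, session id, text) for each line matching the log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sid"), m.group("text")

def summarize(text):
    """Per-session reply counts, totals, and the busiest second of new downstream connections."""
    sessions = defaultdict(lambda: {"target": None, "recipients": 0, "data": 0, "relay_denied": 0})
    per_second = defaultdict(int)
    for ts, sid, msg in parse_log(text):
        s = sessions[sid]
        if "New (secure) connection to:" in msg:
            s["target"] = msg.rsplit(":", 1)[1].strip()
            per_second[ts] += 1
        elif msg.startswith("C --> "):  # the log echoes some replies on the 'S' side too;
            reply = msg[6:]             # counting one direction avoids double totals (assumption)
            if reply.startswith("250 2.1.5"):     # RCPT TO accepted by Exchange
                s["recipients"] += 1
            elif reply.startswith("354"):         # DATA accepted: a message was handed over
                s["data"] += 1
            elif reply.startswith("550 5.7.1"):   # Exchange refused to relay
                s["relay_denied"] += 1
    totals = {k: sum(s[k] for s in sessions.values()) for k in ("data", "recipients", "relay_denied")}
    peak = max(per_second.items(), key=lambda kv: kv[1]) if per_second else None
    return {"sessions": dict(sessions), "totals": totals, "peak_second": peak}
```

Run `summarize(open("SMTPOutboundConversation.log").read())` against the real file; a large `data` total for mail that was never addressed to an accepted domain is the relay symptom Tom describes, and `relay_denied` should climb once Exchange stops accepting relay from the Xeams host.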
