search cancel

Compromised Client - Abused User Account

book

Article ID: 162232

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

You have received email notification from Symantec Email Security.cloud an individual end user account is sending spam through Symantec Email Security.cloud or a user is receiving a bounceback when trying to send outbound mail that indicates they are on the badmailfrom list. You seek next steps for resolution of this issue.

553 sorry, your envelope sender is in my badmailfrom list. Please visit www.symanteccloud.com/troubleshooting for more details about this error message and instructions to resolve this issue.(#5.7.1)

Cause

Full investigation needs to be performed to ascertain how this user account became compromised. It is usually a case that the user replied to an email which asked for their username and password. We would advise you check with the user in question to see if this is the case and, if it was, please send us the email which was replied to so we can add detection for it.
 

Resolution

Due to the reasons outlined we have had to put a block on this user from sending email through Symantec.cloud. Before we can re-enable this user account we will require the following information. Please copy and paste this list along with the answers into your technical support case.

* 1) Was a detailed virus scan of all machines on your network completed? 
* 2) Were any machines found to be infected? 
* 3) If any machines were infected, how have they been cleared of infection? 
* 4) Did you the user in question respond to an email with their user credentials? 
* 5) Did they follow a link requesting their user credentials? 
* 6) If you have answered 'no' to questions 2, 3, 4 and 5, please confirm how the user was compromised. 
* 7) Has the password for this user been changed, and is this a strong password which could not be easily guessed?
* 8) Please confirm the user cannot re-use any of their previously used passwords. 
* 9) Has the user been educated to not reply to emails asking for usernames and passwords? 
* 10) Have any other users responded to similar emails? 
* 11) If other users have responded to similar mails, what action is being taken to prevent further compromised accounts?
* 12) Please provide a copy of the phishing mail received by the user so we can add detection for it. 
* 13) Have you read our best practice guidelines located at http://www.symantec.com/connect/blogs/webmail-security-and-associated-best-practices?