search cancel

Email server compromised using SMTP AUTH

book

Article ID: 174446

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Intermittent or Complete outbound email delivery failure. 

You may have received a notification from Symantec Email Security cloud support that the SMTP server has been compromised and is relaying spam.

 

 

553-you are trying to use me [server-X.tower-XXX.messagelabs
553-.com] as a relay, but I have not been configured to let
553-you [IP, server.address] do this. Please
553-visit www.symanteccloud.com/troubleshooting for more
553-details about this error message and instructions to
553 resolve this issue

Cause

A server registered on Services>Outbound Routes on Email Security cloud platform is being used to relay spam through the Symantec.cloud infrastructure. This can cause Symantec. cloud infrastructure to be blacklisted by various lists and potentially cause delivery problems for all Symantec.cloud clients.

This type of compromise can occur due to multiple reasons. The most common causes are poor password security for one or more of the user accounts, lack of anti-virus software, etc. Click here to know more about other types of Active and Passive attacks.

Due to aforementioned reasons, spammers are able to compromise a user account on your mail server utilizing SMTP Authentication to relay spam messages.

To avoid Symantec Infrastructure from getting blacklisted, compromised mail server IP may be removed from the Client Net Outbound Routes section. If the server IP is successfully removed, you may experience outbound email delivery failure.

Resolution

  • Your mail server(s) and/or firewall should ONLY allow TCP port 25 connections (SMTP) from Symantec. cloud IP range and SMTP AUTH should not be advertised on transactions with external IPs. 
  • Run a detailed virus scan on machines to determine if there are any infected machines found, ensure that the user credentials identified on your mail server/network are not weak.
  • Ensure that your mail server and webmail software are patched with the latest updates to prevent vulnerabilities from being exploited.
  • Enforce an effective password policy and force regular password changes.

Contact Technical Support after successfully securing the mail server and it will be added back to Outbound routes.