Detecting Outgoing Bulk Email Activity

From MxUptime Wiki

Monitor and Detect Outgoing Bulk Email Activity

MxScan has always been designed primarily as a security tool for stopping and blocking INCOMING bulk email. However, we noticed that quite a number of users also depend on MxScan for blocking OUTGOING bulk email. While this is possible, in our opinion spam checking for outgoing SMTP email is a task better left to the built-in authentication or throttling (ME Enterprise) functions of the MailEnable server. A major portion of spam checking relies on checking the sending IP address, and naturally this is not effective for checking outgoing email for spam, since the sender is your own server.

In version 2.0 of MxScan we introduced a new module called "SMTP Outbound Queue Monitor" (accessible from MxScanConfig->Tools->Smtp Outbound Queue Monitor). Working on the idea that when a server is compromised you will find a lot of emails queued for outgoing delivery, the [SMTP Outbound Queue Monitor] checks the MailEnable outbound queue for the number of pending messages scheduled for outbound delivery. By monitoring the outbound queue you can set MxScan to send you an email alert when the message queue exceeds the preset notification limit. This simple method can be used as an early outbound antispam/bulk email notification system for spam sent from users or compromised accounts on the local MailEnable server.

Once you have been notified of possible bulk email activity taking place, the following are recommended steps that you can perform after logging into the MailEnable server.

1. Navigate to the "C:\Program Files\Mail Enable\Queues\SMTP\Outgoing" folder. You should see a lot of messages queued here. Open up the messages to see which post office or account has been used. The pattern should be very obvious, with messages having been sent from the same post office, or with similar subjects or content.

2. Then review the MailEnable SMTP raw log files for further evidence.

3. Manually suspend the compromised account, or inform its owner.
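The following PowerShell script is an added example, not code from MxScan or MailEnable, that reproduces the two ideas above in one place: the queue monitor's "alert when the outbound queue exceeds a limit" check, and the first triage step of opening the queued messages to see which post office, sender and subject dominate. It assumes the default queue path quoted above, that queued messages are stored as plain-text files with RFC 822 headers (From:, Subject:) in that folder or its subfolders, and that the sender's domain is a reasonable stand-in for the MailEnable post office; the notification limit of 200 is a hypothetical value to be tuned to your server's normal volume.

```powershell
# Added example (not MxScan's or MailEnable's own code). Counts queued outbound
# files, warns when the count exceeds a limit, and summarises senders and
# subjects so the compromised post office or account stands out.
# Assumptions: default queue path from the wiki page; queued messages are text
# files with RFC 822 headers; the file layout under the folder may differ on
# your installation, so adjust the path or add an extension filter as needed.

param(
    [string]$QueuePath = 'C:\Program Files\Mail Enable\Queues\SMTP\Outgoing',
    [int]$NotifyLimit  = 200,   # hypothetical threshold; tune to normal daily volume
    [int]$TopN         = 10
)

function Get-QueuedMessages {
    param([string]$Path)
    # Recurse so message files in any subfolder are included (layout assumption).
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction Stop
}

function Get-HeaderValue {
    param([string[]]$Lines, [string]$Name)
    # Headers end at the first blank line; return the first header with this name.
    foreach ($line in $Lines) {
        if ($line -eq '') { break }
        if ($line -match ("^{0}:\s*(.*)$" -f [regex]::Escape($Name))) {
            return $Matches[1].Trim()
        }
    }
    return '<none>'
}

$files = @(Get-QueuedMessages -Path $QueuePath)
$count = $files.Count
Write-Host ("Queued outbound files: {0} (notification limit {1})" -f $count, $NotifyLimit)

if ($count -le $NotifyLimit) {
    Write-Host 'Queue is below the notification limit; nothing to do.'
    return
}

Write-Warning 'Outbound queue exceeds the notification limit; summarising senders and subjects.'

$rows = foreach ($f in $files) {
    # Read only the header region; -TotalCount caps how much of a large body is loaded.
    $lines = Get-Content -Path $f.FullName -TotalCount 200 -ErrorAction SilentlyContinue
    if (-not $lines) { continue }
    $from = Get-HeaderValue -Lines $lines -Name 'From'
    # Sender domain approximates the post office the mail was sent through (assumption).
    $domain = if ($from -match '@([A-Za-z0-9.\-]+)') { $Matches[1].ToLower() } else { '<none>' }
    [pscustomobject]@{
        From    = $from
        Domain  = $domain
        Subject = (Get-HeaderValue -Lines $lines -Name 'Subject')
    }
}

"`n== Top sender addresses =="
$rows | Group-Object From    | Sort-Object Count -Descending | Select-Object -First $TopN Count, Name | Format-Table -AutoSize

"`n== Top sender domains (post offices) =="
$rows | Group-Object Domain  | Sort-Object Count -Descending | Select-Object -First $TopN Count, Name | Format-Table -AutoSize

"`n== Top subjects =="
$rows | Group-Object Subject | Sort-Object Count -Descending | Select-Object -First $TopN Count, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the MailEnable server (the queue folder under Program Files is not readable by ordinary users). A single address or subject accounting for most of the queue is the pattern step 1 describes; take that address to the SMTP raw logs (step 2) to confirm the authenticated account before suspending it (step 3). If your installation keeps message bodies in a separate subfolder or with a specific extension, narrow `Get-ChildItem` with `-Filter` so the count matches what the Outbound Queue Monitor reports.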