Archive for July, 2009
Outbound Email Spam is teh suck
Jul 23rd
No misspelling, just playing ‘new internet lingo’ game. Did I win?
Let’s get serious…
This week, multiple customer accounts were breached. Starting approximately 3 weeks ago, a phish was sent out that some of our customers responded to, giving out their account information.
We looked through our mail logs and found the users who had been phished and we changed their passwords.
Along the way, we either missed some users who were phished, or another phish was done that we did not detect.
On Monday, 2 accounts that had been phished at some time were used to send spam through our outbound email servers. By default, our outbound email servers require SASL authentication. The abusers authenticated to our servers, and over the next couple of hours, we were thoroughly abused, and our servers started slowing down. Not enough to trigger monitoring, though. Kudos for performance tuning, spankings for not noticing this until a customer told us.
On Wednesday, we got hit again, by a single account this time, and 18,640 connections later, our servers were again getting exercised.
All this preamble, what is it for, Mike?
I’ll tell you – on Monday our outbound mail servers got onto some of the anti-spam lists, including Yahoo, Hotmail, Comcast. We did what we could to remove the IPs of our servers from the lists, but Hotmail (in particular) has a 72-hour period for removal. Ah well. 72 hours does suck, but it is survivable.
Then came Wednesday…and another account was abused, putting us back on those same lists we just got off of, and while still on the Hotmail list, our 72 hours got reset. Oh that is frustrating.
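The abuse described above slipped past load-based monitoring, so a per-account check on authenticated submissions is the natural complement. The following is an added example, not code from this post: it counts SASL-authenticated connections per user in a sliding window and flags accounts that exceed a threshold. The Postfix-style log format, the usernames, the IPs and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix-style smtpd log line; the format is an assumption, the post names no MTA.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\s\w+:\s"
    r"client=\S+\[(?P<ip>[^\]]+)\],.*\bsasl_username=(?P<user>\S+)")

def parse(line, year=2009):
    """Return (timestamp, sasl_user, client_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_abusers(lines, window=timedelta(minutes=10), max_msgs=50):
    """Flag accounts with more than max_msgs authenticated submissions per window."""
    recent, ips, alerts = defaultdict(deque), defaultdict(set), {}
    for rec in filter(None, map(parse, lines)):
        ts, user, ip = rec
        q = recent[user]
        q.append(ts)
        ips[user].add(ip)
        while ts - q[0] > window:      # drop entries older than the window
            q.popleft()
        if len(q) > max_msgs:
            a = alerts.setdefault(user, {"first_alert": ts, "peak": 0})
            a["peak"] = max(a["peak"], len(q))
    for user, a in alerts.items():
        a["ips"] = len(ips[user])      # distinct client IPs seen for the account
    return alerts

def sample_log():
    """Constructed log: 'alice' sends normally, 'bob' is a hijacked account."""
    t0 = datetime(2009, 7, 20, 9, 0, 0)
    fmt = ("{} mail postfix/smtpd[4242]: {:X}: client=unknown[{}], "
           "sasl_method=LOGIN, sasl_username={}")
    stamp = lambda t: t.strftime("%b %d %H:%M:%S")
    lines = [fmt.format(stamp(t0 + timedelta(minutes=20 * i)), 0xA000 + i,
                        "192.0.2.10", "alice") for i in range(3)]
    lines += [fmt.format(stamp(t0 + timedelta(seconds=2 * i)), 0xB000 + i,
                         ("198.51.100.7", "203.0.113.9")[i % 2], "bob")
              for i in range(200)]
    return lines

if __name__ == "__main__":
    for user, a in find_abusers(sample_log()).items():
        print(user, a["first_alert"], a["peak"], a["ips"])
```

The first alert time is the useful number: it shows how early in a run the account could have been locked, rather than hours later when a customer calls.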

