Lately, some of our clients have begun to see some of their users’ email accounts sending spam. This can range up to tens of thousands of messages a day, and it can cause an organization’s entire domain name to be blocked by services such as Office 365 or spam filterers like Symantec. This is a very unfortunate consequence that can raise quite an uproar from users. So I thought I’d pass on what we’ve learned about what to do.

BTW, I’ve written this post for IT managers, but end users might enjoy the explanation of how your account can end up sending spam. If this happens to you, contact your IT manager ASAP.

The Symptoms

You can discover that one or more of your email accounts is spamming in a few different ways. Users may report non-delivery reports (NDRs) about messages they didn’t send. Other people on your local network may report strange messages from familiar users that don’t look genuine. You may also be notified by other organizations, ranging from partners to folks like Microsoft or Symantec, that email addresses in your domain are sending spam and have been blocked. Sometimes, some of these folks may block your domain.

Diagnosis

Usually, people start seeing spam from an email account for one of three reasons:

1. Spoofing
2. Hijacking
3. Malware

Spoofing means that some server has started putting one of your users’ email addresses into their messages, and you usually find out about it by seeing NDRs. Usually, this kind of attack is not of huge volume and does not last that long, because spoofers like to switch the email addresses they use quickly to avoid detection.  You can tell it’s spoofing by examining the IP address in the original message headers returned in the NDR and see if it’s yours or your email provider’s. The usual response is to wait a few days and see if the NDRs stop coming.

Hijacking comes when a spammer has acquired a user’s email credentials. This can happen because of malware, which we discuss below, or it can happen in one of the many other ways that credentials can be stolen, such as

1. Getting a user to type them into a response to a clever phishing message.
2. Getting a user to type them into a form on an infected website.
3. Intercepting sign-ins while on an unprotected public wireless connection.
4. Getting credentials off a lost or stolen computer or mobile device.

Discriminating between hijacking and the effects of malware can be difficult. In some cases, the hijacker may not use a user’s client machine to send the messages but will use the credentials from elsewhere. For example, you can gain access to Exchange Online with the proper credentials from any computer connected to the Internet. Regardless, the first response is to change the credentials, both the username and password, if possible. After all, if the hacker still has the username, it’s possible to discover the new password with password cracking software. In addition, you may also want to employ some of the tactics mentioned below to combat malware.

Malware

The most serious, and, unfortunately, the most frequent way evildoers get access to a user’s email is by getting malware onto the user’s computer and taking control of its credentials, to, in effect, become its user, or administrative user. At this point, hackers can get the computer to do anything they want.

The malware usually gets on the computer because the user has fallen for a phishing email or because the user has accessed an infected website and clicked on something. It is possible to get malware onto clients in other ways, such as through a badly configured network with unprotected ports or other vulnerabilities, but this is less frequent.

Once it has taken control of the user’s email client, the malware often goes through its address book and sends messages to the addresses listed there. The messages contain malware, and the aim is to get friends or associates of the user to also get infected by clicking on links or attachments in the messages. Often, this is when an administrator finds out that something bad is happening, since users may report these emails.

The first response, in this case, is to block the computer that has the email account sending these emails. This involves closing SMTP ports like port 25, as well as other ports your email client may use. The second thing to do is to remove the offending malware. How you do this depends on your preferred incident response. In a lot of cases, it may mean wiping the machine and reinstalling everything. Hopefully, there was not a lot of data stored locally, which will be lost. Here’s a definite reason to back up “My Documents” to a server.

When you’ve cleaned up the computer, be sure to give the user new credentials for all applications, particularly email. The previous ones may already be known to the hacker, who may try, one way or another, to use them again.

Prevention

Once you’ve dealt with the threat, how do you keep from having it happen again? Better yet, how do you keep it from happening in the first place?

On a technical level, you want to do whatever you can to keep malware off your users’ computers. This means keeping your patches up to date, having anti-virus on all machines, and maybe even employing application whitelisting, so that the malware can’t execute.

Safeguarding your users’ credentials can be improved by employing multi-phase authentication. This is becoming more important as credential theft increases. It’s a little inconvenient to users, but they are going to have to get used to it sooner or later, so why not now?

The best thing you can do is to train your users. Since most of the malware is getting let in by careless users, make them less careless. Train them about phishing and infected websites. Train them to use strong passwords, while you’re at it. Of course, anything involving users means it won’t work with some of them, but the net effect of training is very good.