So, for the third time in about two weeks (maybe less), one of our customers has had their password compromised, and a spammer was sending mail with their username and password using our webmail. As a result, our outgoing mail server has been listed at Spamhaus, and a lot of our outgoing mail is being rejected.
I can't think of any way to prevent this from happening (although now our webmail server is using Sendmail instead of SMTP, but that just limits the scope of the problem), yet the big ISPs never seem to have a problem like this.
Our anti-spam system has the option of scanning our outbound mail-stream for exactly this kind of problem. We have over 20,000 students, so using webmail to send spam from our system is a problem we absolutely had before we moved them all to WindowsLive@Edu. We had the same problem you did, our outbound mailers were getting their IP reputation besmirched. Once we outsourced the email system and got off of SquirrelMail, the problem went away.
E-mail hygiene is a two-way street now that web-mail portals are ubiquitous. You need to scan your outbound stream just as hard as you scan your inbound stream. You need to actually pay attention to spam-detections in your outbound stream because they can point to problems like phishing victims.
We didn't have to outsource to fix this problem; it was just the cheapest way to handle 20K users. There are off-the-shelf products that will do this, they just cost per-seat like anything else.
My question is where is the spam coming from that it's going through your webmail interface?
Are you only allowing email to be sent by your customer via the webmail interface if they're not inside one of your own network blocks?
Are you locking down who can or can't relay?
And what is your password policy? Are you allowing simple passwords that are easily cracked? Encryption in the transfer of data?
Are you throttling the amount of mail that can be transferred from a particular user? Most users don't send email in volumes that constitute spam proportions without triggering a few alarm bells.
Are you sure they are using your webmail? Webmail is a web interface used to send emails, we agree on that?
I advise you to remove your webmail asap because someone is most likely using some sort of vulnerability in your webmail software. Upgrade it and put it back online. If the spamming continues, try to see which user is sending email and disable their account.
Check if someone hasn't inserted a malicious web page that sends out email. I had this exact situation 2 weeks ago. If so, delete it asap and seriously reconsider reinstalling your server.
Also, is the webserver local to the webmail? If so, are you sure you're not an open relay? There are tests that allow you to test this.
Big ISPs only allow the IPs of their clients to send email via their mail servers. If you are not an ISP, you want to force your clients to authenticate (see SASL authentication for Sendmail) or allow specific IPs which you know are good.
There are a few ways to address this issue.
First of all, make sure that you are required to have an outgoing relay server. These days, it seems like the proper protocol is to force users to use their ISP's outgoing email server to send any messages. Some ISPs even block outgoing connections on port 25 for this very reason.
In your situation it sounds like the webmail portion is what was compromised. You need to have password authentication enabled but you have that as well. So what can you do?
I would recommend a software package such as CSF/LFD (Config Server Security and Firewall/Login Failure Daemon). This software looks at your logs and will flag when a threshold is met. In the servers that I run, I have it set to alert me if any more than 100 messages are sent in more than 5 minutes. This is a relatively safe number to rely upon. If a spammer wants to throttle to get around this limit they could, but there are plenty of other servers out there with weaker protocols in place.
Having caught a few accounts that do this (they were paying customers) I pulled out the TOS and its anti-spam clause and terminated them. In your case, it would just have alerted you that their account was sending spam and then you could have them change their password. And, just so you know, the "my password was compromised" excuse is one of the #1 reasons spammers will give you to try to continue using your services! Make sure you double check to ensure your customer is legitimate.
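As an added example (not code from any of the answers, nor from CSF/LFD), here is the per-user volume check that the answer above sets at 100 messages in 5 minutes and that the earlier throttling question asks about, run over constructed log lines. It assumes Postfix-style smtpd records carrying `sasl_username` with an RFC 3339 timestamp; that format is an assumption, the answer above is about Sendmail, and the log lines are generated in the block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the answer above: more than 100 messages in 5 minutes
MAX_MESSAGES = 100
WINDOW_SECONDS = 300

# Assumed line format (not from the page): RFC 3339 timestamp, host, then a
# Postfix-style smtpd record that names the authenticated (SASL) sender.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: \w+: client=\S+, "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def flag_bursty_senders(lines, max_messages=MAX_MESSAGES, window_seconds=WINDOW_SECONDS):
    """Return {user: time_first_exceeded} for accounts that made more than
    max_messages authenticated submissions inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> submission times still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an authenticated submission record
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget submissions older than the window
        if len(q) > max_messages and user not in flagged:
            flagged[user] = ts    # first moment the account crossed the line
    return flagged

def constructed_log():
    """Constructed sample: alice submits 120 messages in 4 minutes (a stolen
    account behaving like a spammer), bob sends 5 messages in an hour."""
    start = datetime.fromisoformat("2024-11-03T10:00:00+00:00")
    fmt = "{} mx1 postfix/smtpd[{}]: {}: client=unknown[{}], sasl_method=LOGIN, sasl_username={}"
    lines = [fmt.format((start + timedelta(seconds=2 * i)).isoformat(),
                        4242, "9A1F2C", "203.0.113.5", "alice") for i in range(120)]
    lines += [fmt.format((start + timedelta(minutes=12 * i)).isoformat(),
                         4243, "B77D01", "198.51.100.9", "bob") for i in range(5)]
    lines.append("2024-11-03T10:30:00+00:00 mx1 postfix/qmgr[100]: B77D01: removed")
    return sorted(lines)          # ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, when in flag_bursty_senders(constructed_log()).items():
        print(f"ALERT {user} exceeded {MAX_MESSAGES} messages in {WINDOW_SECONDS}s at {when}")
```

The alert is where an operator would force a password change on the account and check whether the sending IP matches the customer's usual location; legitimate bulk senders can be given a higher per-user threshold rather than raising the global one.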
The others are right. If you are going to have customers using your server to send emails, it is very important to scan the outgoing messages just as you would the incoming ones to ensure they are legitimate. The penalties of having your server blacklisted are just too great.
Simple: we scan both inbound and outbound email with the same spam/antivirus ruleset(s), no exceptions. We do this to protect our customers and vendors for the very same reason that you are currently being blacklisted in Spamhaus - because it makes your email into a business liability if something goes wrong.
How was the password compromised?
What is the password policy?
What webmail provider are you using?
Is the webmail website using SSL?
Can/do you filter outgoing mail, if so you could set a filter for obvious outbound spam?