Environment: Plesk v12, latest Windows Server 2012 SmarterMail
My web hosting provider told me that someone hacked into my server a couple of weeks ago and was hitting various mail servers (Gmail, Yahoo, etc).
I worked with the company to cure the problem, basically:
* Change all passwords
* Update server and all software to latest version
* Turn on Windows firewall, which was somehow disabled
Doing these tasks and waiting a couple of weeks finally took me off all the blacklists and restored my MXToolbox rating.
I found out today that Microsoft blacklisted my IP (not reported by the free version of MxToolbox). They said that a few days ago (8/28 and 8/29) there was still Namespace Mining going on, but offered no information on how they know, how to prevent it, or anything else that I asked. They wrote back to my questions a few minutes ago saying that, upon further investigation, they will lift the block.
Questions:
How does Namespace mining occur? Is that the result of a hacker finding out or hijacking an email account?
Aside from inspecting the logs, how can I determine if there is Namespace mining occurring?
How do I prevent Namespace mining beyond what I did? Would that be by installing a professional security software (e.g. third party Antivirus / Firewall / Email security software)?
I resolved the current problem, but I would like to know how to find out if I have the problem. In this case, I tried to send an email to a Microsoft account of mine and received a failure report. There should be a better way to go about a check than accidentally discovering the problem.
As best as I can tell, the term "namespace mining" refers to generating random email addresses at a domain and attempting to send mail to see if the email address actually exists. I found the definition in this blog post.
So you have a hacker who has compromised your server and is running a script on that server, trying to find addresses to send spam to at Hotmail.
What you have done so far is to change your passwords, update your software and turn on your firewall, but you haven't yet tried to delete the script or evict the hacker. Your issue is not specific to namespace mining. It really doesn't matter what the hacker is doing; the instructions on how to get rid of him are the same. Running AVG is unlikely to work, and even if it does, it is even less likely to have fixed the hole that allowed him in or to find any backdoors he might have created to allow him back in.
The advice in that linked question is good.
It occurs to me that you asked three questions in your question and I answered only one of them.
It does not involve an email account on your server. There is no requirement for your server to even have email capabilities. It's just a script running on your server that can generate plausible "local parts" of an email address and then communicate with Hotmail to test the generated email address out.
Inspecting TCP traffic would be what I would try. If you have a monitoring system such as Cacti, Zabbix, Munin, Nagios or many others set up, there will be bandwidth graphs available and possibly even breakdowns by target IP address. You can also run network sniffing software such as Wireshark on your server to see what traffic is being sent. The namespace mining will look much like normal SMTP traffic to Hotmail, but it won't show up in the normal SMTP logs. You will probably see lots of errors from Hotmail saying that the requested user does not exist.
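The two checks the answer above describes (who on the box is opening outbound port-25 connections, and how many of the recipients it tries get rejected) can be scripted against text you collect on the server. The following is an added example written for this page, not code from the original question or answer and not part of Plesk or SmarterMail. It assumes two inputs: the output of `netstat -ano` on the Windows host, and a pared-down SMTP session transcript in a `server C:/S: text` line format that I chose for illustration (a capture filtered with `tcp.port == 25` in Wireshark can be reduced to this shape by hand). The sample data, IP addresses, PIDs, mailbox names and the flagging thresholds are all constructed; real thresholds should be far stricter than the ones shown.

```python
"""Detect outbound SMTP probing ("namespace mining") from a Windows host.

Check 1: parse `netstat -ano` and count connections to remote port 25 per PID.
         A process other than the mail server (SmarterMail) holding many of
         them is the script the answer talks about.
Check 2: parse an SMTP session transcript and compute, per destination server,
         how many RCPT TO attempts were rejected with a 5xx reply.  A high
         rejection ratio over many attempts is the namespace-mining signature.
All sample input below is constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed `netstat -ano` output (Windows).  PIDs/addresses are invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1544
  TCP    192.0.2.10:49301       198.51.100.20:25       ESTABLISHED     4120
  TCP    192.0.2.10:49302       198.51.100.21:25       ESTABLISHED     4120
  TCP    192.0.2.10:49303       198.51.100.22:25       SYN_SENT        4120
  TCP    192.0.2.10:49310       203.0.113.5:443        ESTABLISHED     2208
  TCP    192.0.2.10:49311       198.51.100.20:25       ESTABLISHED     1544
"""

# Constructed transcript: "<server-ip> C:|S: <line>".  Mailboxes are invented.
SMTP_SAMPLE = """\
198.51.100.20 C: MAIL FROM:<info@example.com>
198.51.100.20 S: 250 2.1.0 Sender OK
198.51.100.20 C: RCPT TO:<jsmith82@hotmail.com>
198.51.100.20 S: 550 5.5.0 Requested action not taken: mailbox unavailable
198.51.100.20 C: RCPT TO:<jsmith83@hotmail.com>
198.51.100.20 S: 550 5.5.0 Requested action not taken: mailbox unavailable
198.51.100.20 C: RCPT TO:<john.smith@hotmail.com>
198.51.100.20 S: 250 2.1.5 Recipient OK
198.51.100.20 C: RCPT TO:<jsmith84@hotmail.com>
198.51.100.20 S: 550 5.5.0 Requested action not taken: mailbox unavailable
203.0.113.7 C: MAIL FROM:<info@example.com>
203.0.113.7 S: 250 2.1.0 Sender OK
203.0.113.7 C: RCPT TO:<support@partner.example>
203.0.113.7 S: 250 2.1.5 Recipient OK
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
RCPT_RE = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)


def outbound_smtp_by_pid(netstat_text, port=25):
    """Return {pid: count} of TCP connections whose remote endpoint is <port>.

    The listening socket (foreign address 0.0.0.0:0) is excluded, so only
    connections this host initiated are counted.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, rport = m.group("remote").rpartition(":")
        if rport == str(port) and host != "0.0.0.0":
            counts[int(m.group("pid"))] += 1
    return dict(counts)


def rcpt_stats(transcript):
    """Per destination server, count RCPT TO attempts and how each was answered."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "accepted": 0})
    pending = {}  # server -> recipient from the last client line, if it was RCPT TO
    for line in transcript.splitlines():
        try:
            server, who, text = line.split(" ", 2)
        except ValueError:
            continue  # not in the expected format; skip
        if who == "C:":
            m = RCPT_RE.search(text)
            pending[server] = m.group(1) if m else None
        elif who == "S:" and pending.get(server):
            code = text[:3]  # SMTP reply code, e.g. 250 or 550
            s = stats[server]
            s["attempts"] += 1
            if code.startswith("5"):
                s["rejected"] += 1
            elif code.startswith("2"):
                s["accepted"] += 1
            pending[server] = None
    return dict(stats)


def flag_namespace_mining(stats, min_attempts=3, min_reject_ratio=0.5):
    """Return {server: rejection_ratio} for servers that look like mining targets.

    Thresholds are illustrative; legitimate mail rarely has more than a few
    percent unknown recipients, so tune min_reject_ratio up in practice.
    """
    flagged = {}
    for server, s in stats.items():
        if s["attempts"] >= min_attempts:
            ratio = s["rejected"] / s["attempts"]
            if ratio >= min_reject_ratio:
                flagged[server] = ratio
    return flagged


if __name__ == "__main__":
    print("outbound port-25 connections per PID:", outbound_smtp_by_pid(NETSTAT_SAMPLE))
    stats = rcpt_stats(SMTP_SAMPLE)
    print("RCPT TO stats:", stats)
    print("suspected mining targets:", flag_namespace_mining(stats))
```

On the server itself, `netstat -ano | findstr :25` gives the first input and `tasklist /FI "PID eq <pid>"` names the owning process; if the PID with the bulk of the outbound port-25 connections is not the SmarterMail service, that process is what to remove. The second check is the one that survives even when the mining traffic never touches the mail server's own logs, because it works from what the remote server replied on the wire.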