GW2012 - ton of mail in Defer

Still on GW2012 for various reasons

I have about 65K emails in GWIA Defer folder

Looking at several dozen, these seem to come from outside - external IP

with sender being sales@mydomain.com
Sending client seems to be Outlook Express!

The Server is NOT open relay
Both IMAP and POP are NOT enabled

Only GW and Webaccess

any ideas / where to look would be appreciated

  • In article <bhrt60.8i2rio@no-mx.forums.microfocus.com>, Bhrt60 wrote:
    > Still on GW2012 for various reasons

    You aren't the only one, I have one client left on it, so I still have
    to limit myself to that level of client, sigh

    > I have about 65K emails in GWIA Defer folder

    Step one is to move them all to somewhere else for evaluation. You may
    have some legit mail tucked in there that we will need to find.

    > with sender being sales@mydomain.com
    > Sending client seems to be Outlook Express!

    Likely filters to extract the bad ones from the collection you moved out
    of deferred so that you can then find any legit ones to move them back
    in to defer.

    > The Server is NOT open relay

    It is possible that one of your user passwords was compromised and those
    were all sent via authenticated relay. Make sure your GWIA logs are at
    least at verbose and look for those authentication requests, then you
    will likely find the ID to change the PW on.

    Do you have an antiBadStuff filter in front of your GWIA? If so, then
    it is a good thing to set your GWIA to only see incoming from that
    filter and not from everywhere else.


    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!
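
One way to do the sorting described in the reply above, as an added example that is not part of the original thread. It assumes the files moved out of Defer carry ordinary RFC 5322 headers (From, X-Mailer, Received), which the thread does not confirm; the function names and the sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email.utils import parseaddr

SPOOFED_SENDER = "sales@mydomain.com"  # sender reported in the thread
MAILER_HINT = "outlook express"        # mailer reported in the thread
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def headers_of(raw: bytes) -> dict:
    """Unfold the header block (text before the first blank line) into
    lower-cased name -> list of values; non-header lines are skipped."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    block = re.sub(r"\n[ \t]+", " ", text.split("\n\n", 1)[0])
    found = {}
    for line in block.split("\n"):
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)", line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2))
    return found

def classify(raw: bytes) -> tuple:
    """Return (verdict, ip). 'suspect' only when sender AND mailer match;
    ip is the bracketed address in the topmost Received header, or None."""
    h = headers_of(raw)
    sender = parseaddr(h.get("from", [""])[0])[1].lower()
    mailer = " ".join(h.get("x-mailer", [])).lower()
    hit = IP_RE.search(h.get("received", [""])[0])
    bad = sender == SPOOFED_SENDER and MAILER_HINT in mailer
    return ("suspect" if bad else "review"), (hit.group(1) if hit else None)

def triage(messages: dict) -> tuple:
    """messages: file name -> raw bytes. Returns (buckets, suspect IP counts)."""
    buckets, ips = {"suspect": [], "review": []}, Counter()
    for name, raw in sorted(messages.items()):
        verdict, ip = classify(raw)
        buckets[verdict].append(name)
        if verdict == "suspect" and ip:
            ips[ip] += 1
    return buckets, ips

_HDR = b"Received: from pc ([%s])\r\n\tby mail.mydomain.com\r\nFrom: Sales <sales@mydomain.com>\r\n"
SAMPLES = {  # constructed messages, not taken from the thread
    "a.msg": _HDR % b"203.0.113.45" + b"X-Mailer: Microsoft Outlook Express 6.00\r\n\r\nhi\r\n",
    "b.msg": _HDR % b"198.51.100.7" + b"Subject: quote\r\n\r\nhi\r\n",
    "c.msg": _HDR % b"203.0.113.45" + b"X-Mailer: Microsoft Outlook Express 6.00\r\n\r\nhi\r\n",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Run it against a copy of the moved files, never the live Defer folder; anything in the "review" bucket still needs a human look before it goes back.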

  • Andy,

    On 30.05.2018 18:58, Andy Konecny wrote:
    > It is possible


    95% likely..

    > that one of your user passwords was compromised and those
    > were all sent via authenticated relay. Make sure your GWIA


    ....POA...

    > logs are at
    > least at verbose and look for those authentication requests, then you
    > will likely find the ID to change the PW on.


    The logins along with the userid will be recorded in the POA logs, not GWIA.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • In article <L4_PC.1658$VM7.1159@novprvlin0913.provo.novell.com>, Massimo Rosen
    wrote:
    > The logins along with the userid will be recorded in the POA logs, not GWIA.


    Thank you my friend
    So shows how my head is still not fully back in the game, her staples came out
    today. The value of several of us helping in here.


    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please show
    your appreciation by clicking on the star below. Thanks!