+27861 222 887

Compromised Email account

Sections

    What does it mean when your mail account(s) have been compromised?

    The short answer is this:
    Someone has obtained your Email account password, due to (one or more of) the following reasons.

    1. You are sending and receiving without ENCRYPTION (SSL).  Red Cactus always recommends the use of SSL for both incoming and outgoing mail.  Please view the recommended settings by navigating to our webmail tool.
    2. You have used a simple password such as Admin.123 or even used a part of the domain name in your password, and this password has been figured out.
    3. You signed up on various online platforms using the same Email password for banking, social media sites, etc.
    4. If you have used the same Email password for all your other mail accounts on your mail domain, those accounts might also be at risk.

    What are the signs of a compromised Email account?

    For some reason you are not able to access your mail account via the webmail and receive an “unknown or disabled user” message upon login as per below screenshot

    Your Outlook is also requesting that you enter your password, and even if you have entered the correct password the pop-up continues to request your password

    You also receive multiple (hundreds) of “undelivered” notices from mail accounts you have never sent any mail to previously and upon accessing the logs we notice that multiple IP’s are connecting to your account and for this reason it is impossible to block them as the culprit(s) can use over a 1000 IP’s in a single day.

    How do we resolve this issue and what is the way forward?

    1.  It is important to leave the account locked (it will automatically unlock after 45 minutes), seeing that the script that runs will simply continue to attempt access, once the account is unlocked again and will only force the account to lock (again) within a few minutes, leaving you stranded once more, screaming at the top of your lungs “YOU HAVE GOT TO BE KIDDING ME!”
    2. The ONLY alternative is to create a new account, similar to the existing one and then add a FORWARDER (Redirect) for Mail Enable to the existing account when it has unlocked.  You will then continue to receive your mail, although this will include the undelivered mails as well, but at least you can respond to clients from the new Email and whether they respond either by 1) creating a new mail and sending it to your existing account or 2) reply to the new address, you will receive the communication.
    3. When it seems the account is no longer under attack and being locked continuously, you can remove the new account, and then simply create it as an “ALIAS”, which is then linked to your existing account.  An alias is not an actual Email address with it’s own inbox and any mail that is sent there is received in your existing mail account’s inbox.  Any mail sent and received from the new account will have to be forwarded to your existing account, should you wish to keep record of those mails.

    Frequently asked questions:
    1.  Can a single IP be blocked?
    No.  There are multiple IP’s that change randomly.
    2.  Can a country or region be blocked?
    No.  We wouldn’t know where the IP’s originate from.
    3.  Will it help to adjust the SPAM filter?
    No.  The “Undelivered” mails are not seen as spam, but bounce backs from mail accounts that do not exist.
    4.  Can I unlock the account?
    No.  The account is automatically unlocked after 45 minutes.

    We understand your frustration, realize the importance of your mail account to function correctly and trust the above work around will suffice for the interim.  

    Related Articles

    in EmailFAQ
    Did this article answer your question?