Security Incidents mailing list archives

Re: Possible Mail server compromise?


From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Tue, 5 Feb 2008 00:35:53 +0100

Dear Vicky (Hope this is correct),

Thanks for your input, please see comments inline :)

> - Are your employees allowed to check email through the Outlook Web Interface
> integrated with MS Exchange Server? If yes, then there is a problem.
The server is not directly reachable from the outside; we don't use OWI.

> - Do you have a trust relationship with any employee who could be able to
> do such things? (Internal Threat)
Noted.
> - 0day exploits will not be easily available to anybody until and unless you
> have connections with those people who work 24/7 over this.
They only have to be available to the attacker, I guess ;) It depends on who you
have against you; the level we protect ourselves against is
industrial espionage. Let's say we are an interesting target.

> - This might be caused by some third-party application exploit present on
> your outgoing/incoming open network (internet - untrusted zone) gateway.
Noted, checks are ongoing actually :)

> - Deploy/develop custom signatures (customize the Firewall/IDS rules for
> incoming email to check for any specific patterns) for similar spam emails
> to stop them from entering your mail server.
The data that went out were not your typical e-mails, unfortunately :(

> While considering the above statements, there are many other dimensions
> to look at before approaching the results of the investigation directly.
>
> Good Luck!
Thanks :)
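As an added illustration of the custom-signature idea raised in this exchange (not code from the thread or from either poster): a small Python mail scanner that parses messages with the standard library, decides whether they are inbound, outbound or internal, and applies direction-specific signatures to the subject, body and attachment names. It covers the reply's point that what left the server was not typical e-mail, so the outbound rules look at attachments and recipients rather than spam wording. The organisation domain example.org, the signature patterns and the three sample messages are all constructed for the example.

```python
"""Custom-signature mail scanner (constructed example, not from the mailing-list thread)."""
import email
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain (constructed)

# Each signature applies to one traffic direction and one inspectable part.
# The patterns are illustrative; a real deployment would tune them to observed traffic.
SIGNATURES = [
    {"name": "inbound-spam-subject", "direction": "inbound", "part": "subject",
     "regex": re.compile(r"(?i)\b(lottery|you have won|urgent wire)\b")},
    {"name": "inbound-executable-attachment", "direction": "inbound", "part": "attachment",
     "regex": re.compile(r"\.(exe|scr|js)$", re.I)},
    {"name": "outbound-archive-attachment", "direction": "outbound", "part": "attachment",
     "regex": re.compile(r"\.(zip|7z|rar)$", re.I)},
    {"name": "outbound-external-recipient-keyword", "direction": "outbound", "part": "body",
     "regex": re.compile(r"(?i)\b(confidential|internal only)\b")},
]


def direction_of(msg: EmailMessage) -> str:
    """Classify by sender and recipient domains: inbound, outbound or internal."""
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    recipients = [a.addr_spec.lower()
                  for h in ("To", "Cc") if msg[h] for a in msg[h].addresses]
    suffix = "@" + INTERNAL_DOMAIN
    if not sender.endswith(suffix):
        return "inbound"
    return "outbound" if any(not r.endswith(suffix) for r in recipients) else "internal"


def parts_of(msg: EmailMessage) -> dict:
    """Collect the fields the signatures inspect: subject, body text, attachment names."""
    parts = {"subject": [str(msg.get("Subject", ""))], "body": [], "attachment": []}
    for p in msg.walk():
        if p.is_attachment():
            parts["attachment"].append(p.get_filename() or "")
        elif p.get_content_type() == "text/plain":
            parts["body"].append(p.get_content())
    return parts


def scan_message(raw: bytes) -> tuple:
    """Return (direction, [matched signature names]) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    direction = direction_of(msg)
    fields = parts_of(msg)
    hits = []
    for sig in SIGNATURES:
        if sig["direction"] != direction:
            continue
        if any(sig["regex"].search(value) for value in fields[sig["part"]]):
            hits.append(sig["name"])
    return direction, hits


def build_sample(sender: str, to: str, subject: str, body: str, attachment=None) -> bytes:
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed sample traffic: one spam message in, one suspicious transfer out, one benign internal mail.
SAMPLES = {
    "spam_in": build_sample("promo@mail.example.net", "alice@example.org",
                            "You have won the lottery", "Claim now."),
    "exfil_out": build_sample("bob@example.org", "drop@mail.example.net", "Files",
                              "As discussed, internal only material attached.",
                              ("q1-designs.zip", b"PK\x03\x04 constructed bytes")),
    "internal_ok": build_sample("bob@example.org", "alice@example.org", "Lunch",
                                "Confidential: lunch at 12."),
}


def scan_samples() -> dict:
    """Scan every constructed sample and map its name to (direction, hits)."""
    return {name: scan_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (direction, hits) in scan_samples().items():
        print(f"{name:12s} {direction:9s} {hits}")
```

The direction check is what keeps the outbound rules from firing on internal mail, and putting attachment names in scope is what lets the scanner flag an outgoing archive that carries no spam-like wording at all; either rule set can be extended with recipient domain allow-lists once the normal traffic profile is known.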

