E-mail locks out every day, something attempts to log in with the wron



#1
Katia Q (New Member, 3 posts)

I start to believe aliens do exist.

 

My husband's work e-mail gets locked out almost every day, saying that someone attempted to log in several times with the wrong password. He works at the university, and it's been already 4 months their IT specialists can't fix this problem. Almost every day he has to ask them to unblock his e-mail, although it was not him who attempted incorrect log-ins! At first we thought it was somebody's bad joke, but after 4 months it looks more like a bug. We need to find this "something" that automatically tries to log into his e-mail. He uses only two computers and never saves his passwords anywhere. Windows 7, Office 365.

We desperately need your help... We appreciate your time!

 

Katia


  • 0


#2
RKinner (Malware Expert, 21,016 posts, MVP)

I would think the IT guys should be able to monitor the sources of logins to their email server and block the IP address of the offender.  Are they saying it is from one of his PCs? 

If that's the case we can probably help but I'll have to get this moved to the malware forum.

 

 

If all else fails I would ask them to assign a new email address.  See if that one gets attacked too.


  • 0

#3
Katia Q (New Member, Topic Starter, 3 posts)

> I would think the IT guys should be able to monitor the sources of logins to their email server and block the IP address of the offender. Are they saying it is from one of his PCs?
>
> If that's the case we can probably help but I'll have to get this moved to the malware forum.
>
> If all else fails I would ask them to assign a new email address. See if that one gets attacked too.

They did not even try to identify the source, they only said to check if we logged out on other computers (which we are). Just different IT people come every day, unblock his email, and nobody wants to do anything beyond it... If you could recommend us what to do to check our computers somehow it would be very helpful...


  • 0

#4
RKinner (Malware Expert, 21,016 posts, MVP)

They come to your PC to unlock the email?  They should be able to do it at the server.

 

Do you have admin rights on your PCs?  If so:

  • Get FRST from http://www.bleepingc...very-scan-tool/ You need to download the appropriate tool for your PC. If you don't know if you have a 32 or 64 bit system get them both. Only one will work and that's the right one.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Check the Addition.txt box
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here.
  • It will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


 


  • 0

#5
Katia Q (New Member, Topic Starter, 3 posts)

Thank you so much for your reply! We'll try to do it, and here is what we've just got from the IT guys:

 

Hi, Ryan: Unfortunately all we have is where you are getting locked out:

"r.karkkainen","UMADFS02","9/14/2018 11:21:46 AM"
"r.karkkainen","UMADFS02","9/14/2018 1:07:37 AM"
"r.karkkainen","UMADFS02","9/13/2018 5:33:15 PM"
"r.karkkainen","UMADFS02","9/13/2018 3:42:03 AM"

If we go to that server it does not capture lockout information so we don’t know where it’s happening. The only thing I can tell you is that it’s O365 related. So it’s either email or one of the Office 365 applications where you’ve saved your credentials and it keeps trying to login.

 

r.karkkainen is my husband's name... I have no idea what UMADFS02 means, something University-of-Miami-related...

He already checked O365 for possible saved old credentials...


  • 0

#6
RKinner (Malware Expert, 21,016 posts, MVP)

Probably the second of Active Directory Federation Services (AD FS), "a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries." Is the UM the one in Florida?

 

Expect if they knew what they were doing they could capture the IP with something like Snort 

https://www.snort.org/

That's what I would have used back when I was a working network engineer.

 

Look at the times from the lockout log.  Which computer was on at the times that the attempts were made?  That's the one we want to look at.


  • 0
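
Added example (not part of the thread and not any poster's code): the check suggested in post #6, matching the lockout times from the IT e-mail against the periods each computer was switched on. The device names and uptime intervals are constructed sample data, and the lockout times are assumed to be in the same local time zone as the PCs' clocks.

```python
import csv
from datetime import datetime

# Lockout records as quoted in the IT e-mail in post #5 (account, server, time).
LOCKOUTS = '''"r.karkkainen","UMADFS02","9/14/2018 11:21:46 AM"
"r.karkkainen","UMADFS02","9/14/2018 1:07:37 AM"
"r.karkkainen","UMADFS02","9/13/2018 5:33:15 PM"
"r.karkkainen","UMADFS02","9/13/2018 3:42:03 AM"'''

FMT = "%m/%d/%Y %I:%M:%S %p"

# CONSTRUCTED sample data: hypothetical device names and powered-on intervals.
# On a real PC these come from the start-up and shutdown entries in the
# Windows System event log; times must share the lockout log's time zone.
UPTIME = {
    "office-pc": [("9/13/2018 8:30:00 AM", "9/13/2018 6:00:00 PM"),
                  ("9/14/2018 8:45:00 AM", "9/14/2018 5:30:00 PM")],
    "home-laptop": [("9/13/2018 7:00:00 PM", "9/13/2018 11:00:00 PM")],
}

def parse_lockouts(text):
    """Return a sorted list of lockout datetimes from the CSV-style lines."""
    rows = csv.reader(text.splitlines())
    return sorted(datetime.strptime(ts, FMT) for _user, _server, ts in rows)

def devices_on_at(when, uptime):
    """Names of devices whose powered-on interval contains `when`."""
    hits = []
    for name, spans in uptime.items():
        for start, end in spans:
            if datetime.strptime(start, FMT) <= when <= datetime.strptime(end, FMT):
                hits.append(name)
                break  # one matching interval is enough for this device
    return hits

def correlate(text, uptime):
    """Map each lockout time to the devices that were on; [] means none were."""
    return {t: devices_on_at(t, uptime) for t in parse_lockouts(text)}

if __name__ == "__main__":
    for when, devices in correlate(LOCKOUTS, UPTIME).items():
        label = ", ".join(devices) or "no listed device was on"
        print(when.strftime("%Y-%m-%d %H:%M:%S"), "->", label)
```

A lockout that falls while none of the listed machines was on points away from those PCs, which is the case for the two early-morning entries under the constructed intervals.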





