
I'm running a postfix/dovecot mail server. This morning, I discovered it was unresponsive. Turned out, /var/log was full. It appears one of the users has had their account hacked and it's being used to send spam.

There are about half-a-million entries like this:

Apr 28 04:12:06 ip-10-0-200-85 postfix/qmgr[3813]: E49F58330A: from=<user@mmydomain.com>, size=2353, nrcpt=20 (queue active)

I've temporarily turned off postfix and dovecot, which is fine for the moment as there are only 6 of us using it. But, what steps should I take beyond having the user's password reset? Might there be things in the outbound postfix queue from this user that I should delete (and how would I do that?)? Any other steps I should take?

philolegein

1 Answer


Find the ID of one of the mails in the queue with mailq.
Then check the headers to see how it was sent with postcat -q ID (where ID is the ID of the message). This way you can check whether the email was sent by an authenticated user or a rogue script.

Delete all emails from that user in the queue with:

mailq | tail -n +2 | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
{ if ($7 == "user@example.com")
print $1 }
' | tr -d '*!' | postsuper -d -

Where user@example.com is the mailbox that's sending out spam.

After that, change the password of the hacked user and start Postfix and Dovecot.

Thom
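A fuller version of the pipeline in the answer above, as an added example that is not part of Thom's answer or the Postfix documentation: it parses mailq output (a constructed sample is embedded so it runs offline), ranks senders by queued-message count to confirm which account is being abused, and lists that sender's queue IDs with the "*" (active) and "!" (hold) markers stripped for postsuper -d. The function names and the sample addresses are my own; the delete step is a dry run unless "apply" is passed.

```shell
#!/bin/sh
# Added example, not code from the original answer.

# Constructed sample of "mailq" output: a header line, then one
# blank-line-separated record per message (ID, size, arrival time,
# sender, then one recipient per line), and a summary footer.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
E49F58330A*     2353 Tue Apr 28 04:12:06  user@example.com
                                         victim1@example.net
                                         victim2@example.org

1A2B3C4D5E!     1800 Tue Apr 28 04:13:10  user@example.com
                                         victim3@example.net

9F8E7D6C5B      4096 Tue Apr 28 04:15:00  alice@example.com
                                         bob@example.net

-- 8 Kbytes in 3 Requests.'

# senders_by_count: reads mailq-format text on stdin and prints
# "<count> <sender>" lines, busiest sender first. A compromised account
# usually stands out here before you look at any message body.
senders_by_count() {
    tail -n +2 | awk 'BEGIN { RS = "" } NF >= 7 { print $7 }' \
        | sort | uniq -c | sort -rn
}

# queue_ids_for_sender SENDER: reads mailq-format text on stdin and prints
# one queue ID per line for that sender, markers stripped so that
# postsuper accepts them.
queue_ids_for_sender() {
    tail -n +2 | awk -v sender="$1" 'BEGIN { RS = "" }
        # $1=queue ID, $2=size, $3-$6=arrival time, $7=sender, $8..=recipients
        $7 == sender { print $1 }' | tr -d '*!'
}

# delete_sender_queue SENDER [apply]: removes that sender's queued mail.
# Without the literal word "apply" it only shows what would be deleted.
delete_sender_queue() {
    ids=$(mailq | queue_ids_for_sender "$1")
    [ -n "$ids" ] || { echo "no queued mail from $1"; return 0; }
    if [ "$2" = apply ]; then
        printf '%s\n' "$ids" | postsuper -d -
    else
        printf 'dry run: would delete these queue IDs from %s:\n%s\n' "$1" "$ids"
    fi
}

# Demonstration on the constructed sample (no real queue touched).
printf '%s\n' "$SAMPLE_MAILQ" | senders_by_count
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender user@example.com
```

On a live server run "delete_sender_queue user@example.com" first to review the list, then with "apply" once you are satisfied it only contains the abused account's mail.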