I'm running a postfix/dovecot mail server. This morning, I discovered it was unresponsive. Turned out, /var/log was full. It appears one of the users has had their account hacked and it's being used to send spam.
There are about half-a-million entries like this:
Apr 28 04:12:06 ip-10-0-200-85 postfix/qmgr[3813]: E49F58330A: from=<[email protected]>, size=2353, nrcpt=20 (queue active)
I've temporarily turned off postfix and dovecot, which is fine for the moment as there are only 6 of us using it. But, what steps should I take beyond having the user's password reset? Might there be things in the outbound postfix queue from this user that I should delete (and how would I do that?)? Any other steps I should take?
Find an ID of one of the mails in the queue with
mailq
Then check the headers to see how it was sent with
postcat -q ID
(where ID is the ID of the message). This way you can check whether the email is sent by an authenticated user or a rogue script.
Delete all emails from that user in the queue with:
Where [email protected] is the mailbox that's sending out spam.
After that, change the password of the hacked user and start Postfix and Dovecot.
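An added example, not a command from the answer above, of how the queue purge can be done safely: extract the queue IDs of every message whose envelope sender is the compromised address from mailq output, check them, and only then feed them to postsuper -d -. It assumes the standard mailq / postqueue -p layout and uses constructed sample queue entries in place of the real host's output.

```shell
#!/bin/sh
# Added example, not the answer's own command: find the queue IDs of every
# queued message whose envelope sender is a given address, then hand them to
# `postsuper -d -`. Assumes the standard `mailq` / `postqueue -p` layout:
# entry header = queue ID (suffix '*' active, '!' held), size, arrival time,
# sender; recipient and "(deferral reason)" lines follow, indented.

# Constructed sample standing in for `mailq` output on the affected host.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
E49F58330A*    2353 Tue Apr 28 04:12:06  hacked@example.com
                                         target1@example.net
                                         target2@example.net

1A2B3C4D5E     1200 Tue Apr 28 04:15:00  legit@example.com
(connect to example.org[192.0.2.10]:25: Connection timed out)
                                         friend@example.org

F0E1D2C3B4!    4096 Tue Apr 28 04:20:11  hacked@example.com
                                         target3@example.net

-- 7 Kbytes in 3 Requests.'

# queue_ids_for_sender ADDRESS: read mailq output on stdin, print matching IDs.
queue_ids_for_sender() {
    awk -v sender="$1" '
        # Only entry headers have a queue ID in field 1 and the sender in
        # field 7 (size plus four date fields sit in between). Recipient
        # lines, "(deferral reason)" lines, the column header and the
        # trailing summary never have this shape, so they are skipped.
        NF >= 7 && $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $7 == sender {
            id = $1
            sub(/[*!]$/, "", id)     # drop the active/hold marker
            print id
        }'
}

# purge_sender ADDRESS: delete the matching messages from the live queue.
# Not run here; on the real host, call it after the password reset and after
# reviewing `queue_ids_for_sender` output (or `postcat -q ID` on a few IDs).
purge_sender() {
    mailq | queue_ids_for_sender "$1" | postsuper -d -
}

# Dry run against the constructed sample: prints E49F58330A and F0E1D2C3B4.
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender 'hacked@example.com'
```

Queue IDs alone are what postsuper -d expects, so the active (*) and hold (!) markers mailq appends are stripped before the IDs are passed on.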