A client noticed high system load averages on their server and a mail queue that was inaccessible through Plesk.
The first thing we should do is identify the MTA we’re dealing with, because this determines the tools we will use to view and interact with the mail queue.
Experience tells us this is qmail. You can verify this through other means, such as netstat.
So what’s the status of mail on the server? We’ll use a tool called qmHandle. If the MTA banner returns Postfix, use pfHandle.
550,000+ messages in the remote queue: definitely a spammer.
Although possible, asking qmHandle to list the contents of the remote mail queue (option -R) would take far too long to dump and scan.
Instead, we’ll catch a random spam message directly from the maillog. We’ll look for deliveries to Google as the destination provider and see if we get lucky:
Bam. We get a valid result on the first try. If you didn’t get anything, try different destination mail providers: AOL, Hotmail, Yahoo!, etc.
What’s important in the string above? The message ID number: 16451571
Using qmHandle -m, we can view the contents of this message:
What’s important from that block? Two things:
- The first line ("invoked from network") indicates the spam message was accepted and delivered via SMTP, so this user will appear as an authorized user.
- The IP address it originated from: 220.127.116.11.
Armed with that data, we’re ready to identify the compromised mailbox:
The spammer logged in using the credentials for “[email protected]”.
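The lookup described above, as an added example that is not part of the original post: a shell function that tallies successful SMTP AUTH logins per mailbox for one source IP. The log layout, the function name `auth_users_for_ip` and the sample lines are assumptions constructed for illustration; check them against your own maillog.

```shell
#!/bin/sh
# Added example (not from the original post): tally SMTP AUTH logins per
# mailbox for one source IP. The log layout is an ASSUMPTION modelled on
# Plesk/qmail smtp_auth lines; adjust the patterns to your own maillog.

# Constructed sample log; mailbox names and documentation-range IPs are made up.
sample_maillog() {
cat <<'EOF'
Jan 10 03:12:01 mx1 smtp_auth: SMTP connect from unknown@[203.0.113.45]
Jan 10 03:12:01 mx1 smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@[203.0.113.45]
Jan 10 03:12:02 mx1 smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice logged in from unknown@[203.0.113.4]
Jan 10 03:12:03 mx1 smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@[203.0.113.45]
Jan 10 03:12:05 mx1 smtp_auth: SMTP user carol@example.com : /var/qmail/mailnames/example.com/carol logged in from unknown@[203.0.113.45]
Jan 10 03:12:06 mx1 smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice logged in from unknown@[203.0.113.4]
Jan 10 03:12:07 mx1 smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@[203.0.113.45]
EOF
}

# auth_users_for_ip IP [FILE]
# Prints "count mailbox" for successful logins from IP, busiest first.
# FILE defaults to standard input.
# Matching the bracketed IP as a fixed string keeps 203.0.113.4 from also
# matching 203.0.113.45, which a bare grep on the address would do.
auth_users_for_ip() {
  awk -v ip="[$1]" '
    /smtp_auth/ && /logged in from/ && index($0, ip) {
      # The mailbox is the token that follows the word "user".
      for (i = 1; i < NF; i++)
        if ($i == "user") { seen[$(i + 1)]++; break }
    }
    END { for (u in seen) print seen[u], u }
  ' "${2:--}" | sort -rn
}

# Run against the constructed sample.
sample_maillog | auth_users_for_ip 203.0.113.45
```

On a live server, pass the maillog path as the second argument. More than one mailbox in the output means the same address authenticated as several users, and each of them needs a password reset.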
You will need to disable this mailbox entirely (or change the mailbox password) and kill off any open, established SMTP auth connections, so that an active spammer (still connected) will be forced to authenticate yet again (and now fail).
If you don’t care about losing valid, legitimate messages from the mail queue, flush the mail queue. Warning: you will lose the entire contents of the queue:
Add the spammer’s IP to your iptables INPUT chain and mark DROP:
Hope this helps! Educate your users about strong mailbox passwords! Until next time.