Postfix SMTP has been hacked

My server is being used as a relay. I need to stop Postfix from responding to people trying to exploit my outgoing mail server.

Any ideas?

Thanks

Wayne

Status: Active

Comments

Howdy -- Postfix can't be used as an open relay by default. What we do frequently see is that if an attacker discovers a user's password, that attacker can use that account to send email.

Also, if there's a vulnerability in a web app on the system, that can often be used to send email.

Here are a few things you can test --

First, to verify that your system isn't an open relay, you can use one of the services on the web that test for that. One example of such a service is at this URL:

http://www.abuse.net/relay.html

If you run the command "mailq | tail -1", what output do you receive? That'll show how many emails are in your mail queue.

If you see a lot there -- can you open one of those messages, and post the mail headers from it here?

That will show some details about where the email is coming from.

Received: by mail01.redbirdtechnologies.com (Postfix) id 0001F4E7291; Sun, 10 Mar 2013 19:30:00 -0400 (EDT)
Date: Sun, 10 Mar 2013 19:30:00 -0400 (EDT)
From: MAILER-DAEMON@ns1 (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: wonghelen50@yahoo.com.hk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="7422D4E727B.1362958200/mail01.redbirdtechnologies.com"
Message-Id: 20130310233001.0001F4E7291@mail01.redbirdtechnologies.com

Received: from SERVER (static-64-246-158-159.bbr0.cxscny.statetel.com [64.246.158.159]) (Authenticated sender: demo) by mail01.redbirdtechnologies.com (Postfix) with ESMTPA id 000264EBBC7 for academy71@hotmail.com; Sun, 10 Mar 2013 20:51:59 -0400 (EDT)
From: "Helen Wong" wonghelen50@yahoo.com.hk
Subject: Message for academy71@hotmail.com
To: academy71@hotmail.com
Content-Type: multipart/alternative; charset="ISO-8859-1"; boundary="SXVK5=_7ZB8UdIGdWso0QAtss0aUpdEQp80"
MIME-Version: 1.0
Reply-To: helenwong2@qq.com
Date: Sun, 10 Mar 2013 20:46:11 -0400
Message-ID: <86036759026533875@205.133.238.81>

Received: from SERVER (static-64-246-158-159.bbr0.cxscny.statetel.com [64.246.158.159]) (Authenticated sender: demo) by mail01.redbirdtechnologies.com (Postfix) with ESMTPA id 001594EB23C for toni028@hotmail.com; Sun, 10 Mar 2013 20:40:04 -0400 (EDT)
From: "Helen Wong" wonghelen50@yahoo.com.hk
Subject: Message for toni028@hotmail.com
To: toni028@hotmail.com
Content-Type: multipart/alternative; charset="ISO-8859-1"; boundary="SXVK5=_7ZB8UdIGdWso0QAtss0aUpdEQp80"
MIME-Version: 1.0
Reply-To: helenwong2@qq.com
Date: Sun, 10 Mar 2013 20:34:16 -0400
Message-ID: <577636687507831822@205.133.238.81>

Some examples.

30872 messages in the queue.

The first one of those is a bounce message; the next two are definitely spam.

And one thing I notice in those headers is that an authenticated user sent them -- the user who sent them is "demo".

I suspect what may be happening is that a malicious user guessed the password for the user "demo" and began using that account to send spam.

What I'd recommend doing is the following --

First, change the password for the "demo" user.

Second, delete all the emails currently in your mail queue. It may get a few legitimate messages, but there's likely so much spam there that trying to find legitimate email would take quite some time and effort.

To delete the entire mail queue, you can run this command as root:

postsuper -d ALL

After performing those steps, does your queue appear normal?
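The header check the commenter walks through above, as an added example that is not code from the thread or from Postfix: it tallies queued messages by the login named in the "Authenticated sender" clause and counts local bounces separately, so a single compromised account like "demo" stands out. The sample headers, hostnames, addresses and queue IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample of queued-message headers in the shape shown in the
# thread above: one local bounce and two messages submitted through an
# authenticated login. Hosts, addresses and queue IDs are made up.
SAMPLE_QUEUE = [
    "Received: by mail.example.com (Postfix) id 0001AAAA001; Sun, 10 Mar 2013 19:30:00 -0400 (EDT)\n"
    "From: MAILER-DAEMON@mail.example.com (Mail Delivery System)\n"
    "Subject: Undelivered Mail Returned to Sender\n",
    "Received: from SERVER (client.example.net [203.0.113.5])\n"
    "\t(Authenticated sender: demo)\n"
    "\tby mail.example.com (Postfix) with ESMTPA id 0002BBBB002\n"
    "\tfor <victim1@example.org>; Sun, 10 Mar 2013 20:51:59 -0400 (EDT)\n"
    "From: \"Helen Wong\" <spammer@example.com>\n",
    "Received: from SERVER (client.example.net [203.0.113.5])\n"
    "\t(Authenticated sender: demo)\n"
    "\tby mail.example.com (Postfix) with ESMTPA id 0003CCCC003\n"
    "\tfor <victim2@example.org>; Sun, 10 Mar 2013 20:40:04 -0400 (EDT)\n"
    "From: \"Helen Wong\" <spammer@example.com>\n",
]

# Postfix adds this clause to the Received: header of an authenticated (ESMTPA)
# submission when smtpd_sasl_authenticated_header = yes is set in main.cf.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
FROM_RE = re.compile(r"^From:\s*(.*)$", re.MULTILINE)

def authenticated_sender(headers):
    """SASL login recorded in the Received: header, or None if not authenticated."""
    m = AUTH_RE.search(headers)
    return m.group(1) if m else None

def is_bounce(headers):
    """True for a delivery-status notification generated by the local MTA."""
    m = FROM_RE.search(headers)
    return bool(m and m.group(1).strip().upper().startswith("MAILER-DAEMON"))

def summarize_queue(queue_headers):
    """Count queued messages per authenticated login, with bounces counted apart.
    One login behind most of the queue ("demo" in the thread) points to a
    guessed or leaked password rather than an open relay.
    Returns (Counter of login -> messages, number of bounces)."""
    per_login, bounces = Counter(), 0
    for headers in queue_headers:
        if is_bounce(headers):
            bounces += 1
        else:
            per_login[authenticated_sender(headers) or "<unauthenticated>"] += 1
    return per_login, bounces
```

On a live server, feed summarize_queue() the output of "postcat -qh <queue-id>" for each ID listed by "postqueue -p" instead of the constructed sample.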

I will keep you posted, but I think that may have fixed it.

Fixed.

Thanks. It was the demo account.