help my server is sending spam

Discussion in 'Installation/Configuration' started by Julian, Jul 8, 2016.

  1. Julian

    Julian Member

    hi all

    postqueue -p is huge
    tail -f /var/log/mail.log is going like crazy
    Because of this problem MySQL fails. Please, any ideas?

    Please HELP!
     
  2. Julian

    Julian Member

    How can I see what user is sending spam?
    How can I limit sending emails per day?
    I really need help.

    Thank you very much
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Check a spam mail that is in the mail queue; you can get the whole mail, incl. headers that show who has sent the email, with the postcat command. If you search the forum for postcat, then you can find several threads that show what to do.
     
  4. Julian

    Julian Member

    Fix it!
    postqueue -p to get the email queue
    postcat /var/spool/postfix/deferred/A/A4BB562D12DC
    to see what user is sending spam
    change user password
    delete Mail Queue
    postsuper -d ALL
     
    ganewbie likes this.
  5. Julian

    Julian Member


    Thank you for your reply

    How can I limit sending emails per day?
    Is there a way to be notified when someone starts sending spam?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can e.g. use policyd to apply quotas on the number of messages a user can send.
     
  7. webguyz

    webguyz Active Member HowtoForge Supporter

    Till,
    Will policyd app work for spammers using hacked php files on website? Or only valid email clients?
    Thanks!
     
  8. sjau

    sjau Local Meanie Moderator

    will work for all emails.... since the emails have to go through postfix to be sent to others... so it won't matter if it's a PHP script or dedicated mail client or ....
     
    webguyz likes this.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    policyd will work for all mail traffic as you can set different limits by sender domain / email and so on. It's a nice tool but its web interface is a bit special :) The current version of policyd is named cluebringer (apt-get install postfix-cluebringer postfix-cluebringer-mysql postfix-cluebringer-webui). There is some additional configuration needed, but I don't have a tutorial for that, you might have to google for a tutorial to integrate cluebringer into postfix.
     
    florix.net and webguyz like this.
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That's effective, but quite possibly/likely kills some good mail along with the bad. You can usually identify something in the message or even in mailq output to pick out the bad ones and only remove those, eg. if the spam is all showing from the same email address in the mailq, something as simple as:
    Code:
    mailq | grep user@domain.com | awk '{print $1}' | postsuper -d -
    might work, or to do a little better:
    Code:
    mailq | tail -n +2 | awk 'BEGIN { RS = "" } / user@domain\.com\n/ { print $1 }' | tr -d '*!' | postsuper -d -
    Sometimes the sender address in the mail queue is random/changing, but they're all sent from the same compromised account so you look for the Authenticated sender header (and move all mail to the "hold" queue while doing this so new mail doesn't bog down):
    Code:
    # move all messages to hold queue
    postsuper -h ALL
    
    # cleanup
    for id in `mailq | grep '!' | cut -d'!' -f1`; do if (postcat -q $id 2>/dev/null | grep -q 'Authenticated sender: user@domain\.com') ; then echo $id; fi; done | postsuper -d -
    
    # move remaining messages back out of hold queue
    postsuper -H ALL
     
    Thaddeus likes this.
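
Added example (not posted by anyone in this thread): before deleting selectively as in the last post, it helps to tally the queue per envelope sender, and the same tally can drive a cron check for the "be notified" question above. The function names `queue_senders`, `senders_over` and `sample_mailq` are hypothetical, and the sample queue listing is constructed.

```shell
#!/bin/sh
# Tally queued messages per envelope sender.
# Reads `postqueue -p` / `mailq` text on stdin, prints "<count> <sender>",
# busiest sender first. Only entry lines are counted: a queue ID (optionally
# followed by * or !) then a numeric size; the sender is the last field.
queue_senders() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Print every sender with more than $1 messages in the queue.
# Empty output means nobody is over the limit.
senders_over() {
    queue_senders | awk -v max="$1" '$1 + 0 > max + 0 { print $2 }'
}

# Constructed sample of `postqueue -p` output (addresses are placeholders).
sample_mailq() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A4BB562D12DC     2341 Fri Jul  8 10:01:12  user@domain.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         rcpt1@example.net

B1C2D3E4F5A6*    1200 Fri Jul  8 10:01:15  user@domain.com
                                         rcpt2@example.org

C0FFEE123456!     900 Fri Jul  8 10:02:00  other@example.com
                                         rcpt3@example.org

D00DAD7788AA     1500 Fri Jul  8 10:02:30  user@domain.com
                                         rcpt4@example.net

-- 5 Kbytes in 4 Requests.
EOF
}

# Demo on the constructed sample; on a live server use: postqueue -p | queue_senders
sample_mailq | queue_senders
```

From cron, `postqueue -p | senders_over 100` produces output only when a sender exceeds the limit, so cron's own mail-on-output behaviour serves as the notification; the limit of 100 is an arbitrary placeholder.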
