Can't get Postfix content filter to do what I want.

Discussion in 'Server Operation' started by ITFixt, Feb 22, 2025.

  1. ITFixt

    ITFixt Member

    Hi

    We're currently suffering from what may be a sort of DoS attack, where bad actors are sending emails with one of our users' email addresses in the "From" field. This is resulting in about 15 bounce messages - almost all from Google - every 9 minutes. I decided that the easiest way to stop this was to temporarily filter out 550-5.7.1 in the body of the bounce message (that's suspected spam). So in ISPConfig I created a Postfix Content filter, filtering on Body, containing
    /550-5\.7\.1/
    with the action set to DISCARD. This doesn't work.
    I've tried it without the slashes at start & finish, with only one at the start or end, and I've tried simple text "/likely unsolicited mail/", also with every combination of slashes.
    I suspect I'm missing something trivial & will kick myself when I find out... but anyway, does anyone have any ideas?
     
  2. ITFixt

    ITFixt Member

    I must have been very tired the other day when I posted the above. Of course you can't filter such email rejection messages - they're responses to an SMTP message sent from one server to another.

    I finally found that it is my server sending out spam. I haven't yet managed to track down how/why. I suspect a password has been cracked. As there are only a dozen mailboxes on the server, they're all being changed. If that doesn't stop it, I guess the actual server has been hacked and there's malware installed causing it. Oh joy :/

    Sorry for wasting people's time with my original post :/
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's quite unlikely nowadays. If your system has websites, too, it's more likely a website got hacked and not the server.
     
  5. ITFixt

    ITFixt Member

    Thanks for replying, Till. I agree, it didn't seem likely. In the end, the solution was stupidly simple: it appears someone had got hold of a password & email address that matched and had some 40 connections, sending out one email with two recipients about every 10 minutes, on each connection. Changing the account password and restarting the IMAP service solved the problem. I also blocked the IPs of the originating machines in ConfigServer.

    A full password review is now in progress :)

    BTW, thanks yet again for ISPConfig - a superb piece of software. I've been using it now for at least 15 years, I think, and it's been brilliant. Which reminds me - I should restart my HowToForge sub :)
     
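The compromised-credential pattern in the last post (one account, dozens of sending connections from unrelated machines) shows up directly in Postfix's SASL login logging. As an added example that is not code from this thread, ISPConfig or Postfix, the following groups authenticated client IPs per sasl_username over constructed log lines and flags accounts above a threshold; the threshold, hostnames and account names are assumptions.

```python
"""Flag mail accounts whose SASL logins arrive from many distinct client IPs.

Added example, not part of the original thread or of ISPConfig/Postfix. The
log lines are constructed in Postfix's smtpd SASL log format; the threshold
and account names are assumptions for the demo."""
import re
from collections import defaultdict

# Postfix smtpd logs an authenticated client like this (one line per message):
#   postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=PLAIN, sasl_username=USER
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

# Constructed sample: one legitimate user from a single IP, one account
# authenticating from many unrelated addresses (the abuse signature).
SAMPLE_LOG = """\
Feb 22 09:01:10 mx postfix/smtpd[1201]: 3A1F2C0001: client=laptop.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Feb 22 09:02:14 mx postfix/smtpd[1202]: 3A1F2C0002: client=unknown[198.51.100.5], sasl_method=LOGIN, sasl_username=bob@example.com
Feb 22 09:02:15 mx postfix/smtpd[1203]: 3A1F2C0003: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob@example.com
Feb 22 09:02:16 mx postfix/smtpd[1204]: 3A1F2C0004: client=unknown[192.0.2.200], sasl_method=LOGIN, sasl_username=bob@example.com
Feb 22 09:02:17 mx postfix/smtpd[1205]: 3A1F2C0005: client=unknown[192.0.2.201], sasl_method=LOGIN, sasl_username=bob@example.com
Feb 22 09:03:01 mx postfix/smtpd[1206]: 3A1F2C0006: client=laptop.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
"""

def sasl_logins_by_user(log_text):
    """Map sasl_username -> set of client IPs seen authenticating as it."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            ips[m.group("user")].add(m.group("ip"))
    return ips

def flag_suspicious_accounts(log_text, max_distinct_ips=3):
    """Return {user: sorted IPs} for accounts exceeding the IP threshold.
    The threshold is an assumption; tune it to how your users actually roam."""
    return {
        user: sorted(ips)
        for user, ips in sasl_logins_by_user(log_text).items()
        if len(ips) > max_distinct_ips
    }

if __name__ == "__main__":
    for user, ips in flag_suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} distinct client IPs -> {', '.join(ips)}")
```

On a live system the same function can be fed `/var/log/mail.log`; a flagged account is the one whose password to rotate and whose sessions to terminate, as the poster did.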
