spam attack - Urgent Help!

Discussion in 'ISPConfig 3 Priority Support' started by James A, Apr 10, 2014.

  1. James A

    James A Member

    Urgent help needed. One of our servers is being used to send spam on one account but whatever I do I can't seem to stop the user logining on via postfix/smtpd using sasl_method=LOGIN.

    I have changed the password on the account which stopped the original user from accessing things but I keep getting postfix/smtpd connections.

    I then disabled the domain which didn't stop things either.

    I have now stopped postfix as a last resort.

    I believe the user got a virus on their account but I don't know why other machines can still logon using this account. How can I simply block this account and all connection attempts using its sasl_username.

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Stop postfix.
    2) Chnage the password.
    3a) If you use dovecot, then restart dovecot
    3b) If you use courier, restart courier-authdaemon and saslauthd
    4) Start postfix again.

    If you have many connects in an attack, then it can happen that the old password remains in a cache in postfix / courier/doovecot or saslauthd. In such a case, use the procedure above to stop it.
  3. James A

    James A Member

    Hi Till

    Thanks for your reply. It does look as though the old password did get cached. We actually rebooted the server on this occasion which worked as I hadn't thought of simply restarting saslauthd and courier-authdaemon.

    Is there anyway I can setup things to monitor / limit the amount of outgoing mail on an account. This time I was lucky as the user got in contact to say they had had 700 email rejections. Clearly they had picked up a virus but If they hadn't notified us I'm not so sure where we would have picked it up from or how long it would have taken.

    Thanks once again for your quick response, I hope someone else finds this useful.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Email sending quotas can be implemented e.g. with policyd (cluebringer) in postfix.

Share This Page