What e-mail service do you use?
posted by alms at 1:38 PM on May 29, 2014

Firstly, look at some of the bounce messages - findone that includes the headers of when your system allegedly made contact with their system. Check your logs to see if you did at that time (pay attention to timezones). Your logs will be /var/log/mail.log* (if you've received 20k in the last few hours, you'll likely only care about today's log).

I guess some needed info is what level of familiarity do you have; do you know where your mail logs are? Do you know at a cursory level how to read these logs?
posted by nobeagle at 1:50 PM on May 29, 2014

To stop the mail coming in, Do the messages have a common subject? If you're using header_checks , you could put in a line like:

/^Subject: Undelivered Mail Returned to Sender/ HOLD 20140529 stop the deluge

This will route all messages with that similar subject to the hold queue instead of delivering. You can go through them later to possibly find any which might be needed, or if they're all not needed "cd /var/spool/postfix/hold && ls | postsuper -d -"

Note, check the headers, are the messages being generated by your own server, or are they coming from third parties?
posted by nobeagle at 1:58 PM on May 29, 2014

That screenfull of stuff indicates that the message ID actually matches the message id's in your log files.

the sasl_user stuff indicates that unless you were in ZA earlier today, yes, your password for account XXX is compromised.

What you want to do is change your password. then you want to clean up your mail queue's (there might be a lot of messages in your active , incoming and deferred queue's ).

This might catch them: (assuming you're running bash as your shell)

cd /var/spool/postfix
for i in active incoming do
cd $i || break 5
grep -m1 "Authenticated sender: xxx" * 2> /dev/null | cut -f 3 -d ' ' | postsuper -h -
cd .. || break 5 
done
cd deferred || break 5
grep -m1 "Authenticated sender: xxx" ?/* 2> /dev/null | cut -f 3 -d ' ' | cut -f 2 -d/ | postsuper -h -
postfix reload

On my systems* (freebsd and debian) that should work. Assuming that you replace xxx with the user. This won't delete anything, but it will put everything into /var/spool/postfix/hold for you to check out later.

Then rerun the commands (except for the postfix reload) again; because there might have been some processes still allowing the relaying of messages after you changed the password, but before you ran the reload.
posted by nobeagle at 2:27 PM on May 29, 2014

In the near future, be prepared for Google, Barracuda, and other blacklists to start bouncing legitimate mail from your server -- had this happen last year, compromised password sent a bunch of spam from that account, and even six months later we still had one business who bounced everything sent to them. Mostly, we were able to resolve it, but it required going through whatever reporting process each blacklist needed to get removed from their list.
posted by AzraelBrown at 7:18 PM on May 29, 2014

Going forward, some of the policy add ons may let you put harder limits on accounts (such as number of IP's accessed within a time frame). As I have about 0.5% of my accounts compromised yearly I have a 10 minute cron examining the last ~1 hour worth of log (specifically looking at webmail access and sasl based authentication from IP's we don't allow relaying from). I have limits if there's 5 or more different IP's I get notified. If there's 15 or more IP's the account is auto suspended (in the database; active='N'). If there's 200 messages, I get notified; if there's more than 800 it's auto suspended.

For cases where I'm notified, I'll take a look at the logs. I'll grep the mailid's with the sasl_user=xxx into a file and then grep -f $file . As the last two lines of our header checks file are:

/^subject:/ WARN
/^from:/ WARN

I can see obviously spammy subjects and randomly generated forged from headers with the mailid grep results. Additionally, I'll see how many people are addressed with each message. It's very quickly obvious if it's a user being a bit more active than usual, or a compromised account.

If you only have 10 users, it might be enough to see when you're getting a ton of bounce messages, and keep this fresh in your memory. If you have 30k, then you go the periodic scripts route.

Note, fail2ban is useless for me for pop3/imap account scanning. I can watch my logs for failed password attempts, and it's obvious that a distributed botnet is making a run, as the same user will have a failed attempt from one IP. 10 seconds later, from a new IP, 10 seconds later, a new IP etc. Never multiple failed attempts from the same IP, unless its one of our IP's (I.E. we don't want to ban it). As I don't have a particularly sophisticated user base, it's not uncommon to regularly see 10-20 failed attempts before a successful access from a user's IP.
posted by nobeagle at 7:33 AM on May 30, 2014

This thread is closed to new comments.