CentOS Linux Server Installation, FAQ, Tips and Tricks



Postfix Mail System - Identify a spam attack, clear the Postfix mail queue

We experienced a large volume of email traffic last year (2010). I looked at /var/log/maillog and found a lot of connections from [email protected]. This should not be possible, since my mail server does not relay for gmail.com, and I confirmed that it is not an open relay. The most likely root cause is that a spammer is setting MAIL FROM:<[email protected]> while using a valid SMTP AUTH session.


Relevant lines from the mail log:
Dec 20 04:25:30 mail postfix/qmgr[9395]: AD3E3384D9: from=<[email protected]>, size=3206, nrcpt=50 (queue active)
Dec 20 04:25:31 mail postfix/smtp[9417]: connect to example.com[123.124.123.123]:25: Connection refused


Before you proceed, consider stopping the mail services. We use Postfix at our organisation, so we stop both the dovecot and postfix services:
service postfix stop

service dovecot stop

Alternatively, you can put the whole mail queue on hold:
postsuper -h ALL

Step 1: Identify the user behind the SMTP AUTH connections

For a quick answer to who is actually performing the SMTP AUTH sessions, run the following command.

grep sasl_username /var/log/maillog | sort

This prints every line of maillog that contains sasl_username and sorts the result, so the output looks like this.


I found many sessions authenticating as [email protected] from IP 123.123.123.123 and from other IPs. Note that example.com is my valid domain and abc is a valid user on it:
Dec 20 23:24:07 mail postfix/smtpd[6673]: 7253BC0589: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:24:07 mail postfix/smtpd[6678]: 961FFC058E: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:24:08 mail postfix/smtpd[6668]: 3C073C0594: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:24:08 mail postfix/smtpd[6680]: 6F7E5C0595: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:24:11 mail postfix/smtpd[6536]: 1F041C0599: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:24:28 mail postfix/smtpd[6657]: 6A84EC05A5: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]


Step 2: Count the SMTP AUTH sessions of the suspect account

Next, let us check how many SMTP AUTH sessions [email protected] has performed:
grep -c "sasl_username=abc@" /var/log/maillog

3000


Step 3: Confirm the compromised account from the MAIL FROM address

Now that we know the abc account sent 3000 mails in that period (all recorded in /var/log/maillog), we want to see whether the account was exploited by a spammer at a specific time. For that we can use grep -A 10 on the timestamp (Dec 20 23:17:32 mail), which prints each matching line followed by the 10 lines after it.

You will see many lines of output; the only thing we are looking for is confirmation that abc's account has been compromised and that the spammer is using [email protected] as the sender address.
..
Dec 20 23:17:34 mail postfix/smtpd[5491]: 4840FC0536: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:17:34 mail postfix/smtpd[5492]: 4BAA6C0537: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:17:34 mail postfix/smtpd[5502]: 4DB91C053E: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:17:34 mail postfix/smtpd[5493]: 500F2C0540: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:17:34 mail postfix/smtpd[5500]: NOQUEUE: reject: RCPT from unknown[123.123.123.123]: 450 4.1.2 <[email protected]>: Recipient address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<User>
Dec 20 23:17:34 mail postfix/smtpd[5501]: 9985CC0543: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
Dec 20 23:17:34 mail postfix/smtpd[5494]: 9B833C0544: client=unknown[123.123.123.123], sasl_method=LOGIN, sasl_username=[email protected]
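The triage of Steps 1 to 3 as a reusable script, added here as an example that is not part of the original article: it counts SMTP AUTH sessions per account and per client IP, flags accounts over a threshold, and lists the MAIL FROM addresses on rejected deliveries. The log lines, addresses and IPs are constructed for the example; on a server, pass /var/log/maillog instead of $SAMPLE_LOG.

```shell
#!/bin/sh
# Added example, not part of the original article: the maillog triage of
# Steps 1 to 3 as reusable functions, generalised to every account and client
# IP in the log instead of one grep per address. The log lines are constructed
# for this example (documentation IP ranges, example.com addresses); to use it
# on a server, pass /var/log/maillog instead of $SAMPLE_LOG.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 20 23:24:07 mail postfix/smtpd[6673]: 7253BC0589: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abc@example.com
Dec 20 23:24:07 mail postfix/smtpd[6678]: 961FFC058E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abc@example.com
Dec 20 23:24:08 mail postfix/smtpd[6668]: 3C073C0594: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=abc@example.com
Dec 20 23:24:08 mail postfix/smtpd[6680]: 6F7E5C0595: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abc@example.com
Dec 20 23:25:01 mail postfix/smtpd[6690]: 8A11AC0601: client=pc1.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
Dec 20 23:25:30 mail postfix/smtpd[6691]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.2 <x@nosuch.invalid>: Recipient address rejected: Domain not found; from=<abc@example.com> to=<x@nosuch.invalid> proto=ESMTP helo=<User>
EOF

# Steps 1 and 2 generalised: SMTP AUTH sessions per sasl_username, busiest first.
auth_sessions_per_user() {          # $1 = maillog path
    grep -o 'sasl_username=[^, ]*' "$1" | cut -d= -f2 | sort | uniq -c | sort -rn
}

# The same count split by client IP, to see where an account is logging in from.
auth_sessions_per_user_ip() {       # $1 = maillog path
    sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^, ]*\).*/\2 \1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Accounts with more authenticated sessions than a threshold (the "3000" of Step 2).
flag_busy_accounts() {              # $1 = maillog path, $2 = threshold
    auth_sessions_per_user "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Step 3: MAIL FROM addresses seen on rejected deliveries, which is what confirms
# that the compromised account is being used as the sender.
rejected_senders() {                # $1 = maillog path
    grep 'NOQUEUE: reject' "$1" | grep -o 'from=<[^>]*>' | sort | uniq -c | sort -rn
}

echo "== sessions per user";      auth_sessions_per_user "$SAMPLE_LOG"
echo "== sessions per user/IP";   auth_sessions_per_user_ip "$SAMPLE_LOG"
echo "== over threshold 3";       flag_busy_accounts "$SAMPLE_LOG" 3
echo "== senders on rejects";     rejected_senders "$SAMPLE_LOG"
```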


Step 4: Suspend the exploited account from sending email

We should temporarily stop abc's email account. If you are using Postfixadmin, log in to the web-based administration and disable the mailbox; alternatively, change the password.


Step 5: Check the mail queue

Let us have a quick look at the mail queue. I was not so lucky: we had more than 10,000 emails sitting in our mail server's queue.
postqueue -p


I would suggest moving all of this mail to another location and doing the housekeeping later, so that your mail service is not affected.


To delete ALL mail in the queue (NOT recommended):
postsuper -d ALL

Since the spammer might be using several fake sender addresses (MAIL FROM), it is difficult to delete only the mail that belongs to the spammer. I found the following script very useful and would like to share it with you. The script is from cyberciti.biz.
#!/usr/bin/perl
# Delete every Postfix queue entry whose sender or recipient matches a
# regular expression (script from cyberciti.biz, with strict mode and comments).
use strict;
use warnings;

my $REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*\@yahoo.com)!";

# Read the full queue listing; each message starts with a line that begins
# with its queue ID (optionally followed by * for active or ! for held).
my @data = qx</usr/sbin/postqueue -p>;
my %Q;
my $queue_id = "";
for (@data) {
  if (/^(\w+)(\*|\!)?\s/) {
     $queue_id = $1;
  }
  # Match the regexp against the ID line (which carries the sender) and the
  # recipient lines that follow it; remember the ID once, then stop looking.
  if ($queue_id) {
    if (/$REGEXP/i) {
      $Q{$queue_id} = 1;
      $queue_id = "";
    }
  }
}

# Feed the collected queue IDs to "postsuper -d -", one per line. Swap the
# commented line in for a dry run that only prints the IDs.
#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;
open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;

foreach (keys %Q) {
  print POSTSUPER "$_\n";
}
close(POSTSUPER);
 

To delete all queued mail from a specific domain:
./postfix-delete.pl spammerdomain.com

To delete all queued mail from a specific user:
./postfix-delete.pl [email protected]

CentOS Server Guide by http://www.1a-centosserver.com is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
