sent spam #2

A year ago my server sent spam mails and I did not notice it for a long time. We only noticed because a second spammer sent a massive 90k spam mails in a very short timeframe, which maxed out the server resources.

After changing the probably-too-weak passwords on the affected mail accounts I added monitoring of the number of mails that the server sends per day, and set a warn limit of 600. Yesterday I received such a warn mail:

Subject: Munin notification ahso
Date: Mon, 13 Nov 2017 15:30:33 +0100 (CET)

ahso2 :: ahso2 :: Postfix statistics
CRITICALs: delivered is 1706.00 (outside range [:600]).

I immediately stopped postfix and checked the server to see what was going on. Munin's mails-sent-today chart showed a sudden spike from 1500 handled mails that day to 4500, clearly some spam wave:

[Chart: Munin mail server statistics]

The mail.log had a large number of mails sent by a single authenticated user, so that user's password was apparently not secret anymore. I changed it to a complicated one and cleaned the postfix queue.
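As an added example (not the author's script or tooling), this is the mail.log check described above done in code: it counts queued messages per SASL-authenticated sender and flags accounts that exceed a limit. The log format is the standard Postfix smtpd line; the host name, addresses, users and the sample lines are constructed.

```python
import re
from collections import Counter

# Postfix smtpd line logged when a client authenticates via SASL, e.g.
# "Nov 13 15:20:01 host postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org"
# Format assumed from standard Postfix logging; all values in the sample below are constructed.
SASL_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=.*?sasl_username=(?P<user>[^,\s]+)"
)


def parse_sasl_submissions(log_lines):
    """Yield (day, hour, queue_id, sasl_user) for every authenticated submission."""
    for line in log_lines:
        m = SASL_RE.match(line)
        if m:
            yield m.group("day"), m.group("hour"), m.group("qid"), m.group("user")


def per_user_counts(log_lines):
    """Messages queued per authenticated sender (unauthenticated inbound mail is ignored)."""
    return Counter(user for _, _, _, user in parse_sasl_submissions(log_lines))


def per_hour_counts(log_lines):
    """Messages queued per (day, hour); a burst here is the spike a Munin-style chart shows."""
    return Counter((day, hour) for day, hour, _, _ in parse_sasl_submissions(log_lines))


def flag_senders(log_lines, limit):
    """Users whose authenticated submissions exceed `limit`, busiest first."""
    return [(u, n) for u, n in per_user_counts(log_lines).most_common() if n > limit]


def _line(day, time, qid, client, user=None):
    """Build one constructed mail.log line in Postfix's smtpd format."""
    sasl = f", sasl_method=PLAIN, sasl_username={user}" if user else ""
    return f"{day} {time} ahso2 postfix/smtpd[2101]: {qid}: client={client}{sasl}"


# Constructed sample: one unauthenticated inbound connection, one normal sender, one account sending a burst.
SAMPLE_LOG = [
    _line("Nov 13", "09:12:44", "1A2B3C4D5E", "mail.example.net[198.51.100.7]"),
    _line("Nov 13", "10:05:01", "2B3C4D5E6F", "unknown[203.0.113.5]", "alice@example.org"),
] + [
    _line("Nov 13", f"15:{i:02d}:10", f"C{i}00000000", "unknown[203.0.113.77]", "bob@example.org")
    for i in range(5)
]

if __name__ == "__main__":
    for user, n in flag_senders(SAMPLE_LOG, limit=3):
        print(f"{user}: {n} messages")  # bob@example.org: 5 messages
```

On a real server the same functions can be fed `open("/var/log/mail.log")` directly, and the per-hour counter makes the start of a wave visible without a chart.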

The problem is solved for now, but I guess I have to install something like policyd that limits the number of mails sent by single users, so that such spam waves cannot get so big.

Written by Christian Weiske.

