cweiske.de sent spam #2

A year ago my server sent spam mails and I did not notice it for a long time. We only noticed because a second spammer sent a massive 90k spam mails in a very short timeframe, which maxed out the server resources.

After changing the probably-too-weak passwords on the affected mail accounts, I added monitoring of the number of mails the server sends per day and set a warning limit of 600. Yesterday I received such a warning mail:

From: munin@example.org
To: cweiske@example.org
Subject: Munin notification ahso
Date: Mon, 13 Nov 2017 15:30:33 +0100 (CET)

ahso2 :: ahso2 :: Postfix statistics
CRITICALs: delivered is 1706.00 (outside range [:600]).

I immediately stopped postfix and checked the server to see what was going on. Munin's mails-sent-today chart showed a sudden spike from 1500 handled mails that day to 4500, clearly a spam wave:

(Image: Munin mail server stats)

The mail.log showed a large number of mails sent by a single authenticated user, so that user's password was apparently no longer secret. I changed it to a complicated one and cleaned the postfix queue.
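The per-user check that made the compromised account visible in mail.log can be scripted, so it runs alongside the daily Munin total instead of waiting for a spike. The following is an added example, not a script from the original post: it counts messages accepted from each SASL-authenticated user per day and reports users above a limit. The log lines are constructed samples in Postfix's default syslog format; the host name ahso2, the user names and the IP address are assumptions.

```shell
#!/bin/sh
# Constructed sample mail.log: each "client=... sasl_username=..." line is one
# message accepted by smtpd from an authenticated user; the qmgr line is noise
# that must be ignored. Users, IP and host name are assumptions.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 12 23:58:10 ahso2 postfix/smtpd[1201]: 7F1A2B3C4D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mallory@example.org
Nov 13 15:20:01 ahso2 postfix/smtpd[1234]: 0A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 13 15:20:02 ahso2 postfix/qmgr[1100]: 0A1B2C3D4E: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)
Nov 13 15:21:17 ahso2 postfix/smtpd[1234]: 1B2C3D4E5F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 13 15:22:40 ahso2 postfix/smtpd[1235]: 2C3D4E5F60: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 13 15:25:03 ahso2 postfix/smtpd[1236]: 3D4E5F6071: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mallory@example.org
Nov 13 15:25:04 ahso2 postfix/smtpd[1236]: 4E5F607182: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mallory@example.org
Nov 13 15:25:05 ahso2 postfix/smtpd[1237]: 5F60718293: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mallory@example.org
Nov 13 15:25:06 ahso2 postfix/smtpd[1237]: 60718293A4: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mallory@example.org
EOF

# over_limit LOGFILE LIMIT
# Prints "COUNT MON DAY USER" for every (day, user) pair with more than LIMIT
# accepted messages, sorted so the output is stable for comparison.
over_limit() {
    awk -v limit="$2" '
        /sasl_username=/ {
            # syslog date is the first two fields ("Nov 13"); the user name
            # follows "sasl_username=" and ends at a comma, space or line end
            match($0, /sasl_username=[^, ]+/)
            user = substr($0, RSTART + 14, RLENGTH - 14)
            count[$1 " " $2 " " user]++
        }
        END {
            for (key in count)
                if (count[key] > limit) print count[key], key
        }' "$1" | sort
}

# Example run against the constructed log: mallory sent 4 on Nov 13, bob 2.
over_limit "$SAMPLE_LOG" 2
```

On a real server, run it against /var/log/mail.log with a per-user limit well below the daily total that Munin watches, so a single hijacked account is flagged before the whole server hits 600.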

The problem is solved for now, but I guess I have to install something like policyd that limits the number of mails a single user can send, so that such spam waves cannot get so big.

Written by Christian Weiske.

Comments? Please send an e-mail.