Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: ber on October 24, 2017, 09:21:58 AM
-
:-( :-(
Hi, I've got an SME 9 server that's been compromised and it's pushing out SPAM; the email output is about 200 every 5 minutes.
I'm unsure which email account has been compromised and would like to act urgently to deal with the issue before the ISP closes my connection.
Are there any contribs that can show which account is causing the unusually high number of emails being sent?
I'm getting a lot of rejected spam notices from the server and also through a contrib (sme9admin) notifying me of the high number of emails being sent.
My IT guy who deals with this is away on holiday and I can't get hold of him.
Any help appreciated... maybe to stop the qpsmtpd??
Thanks
-
I think it's probably best to disconnect it from the internet while you fault-find. That way your ISP will not get annoyed with you.
The mail logs should show you who is sending email. But before you do anything else, I would turn off all your other machines on your network; it may well be one of them that is infected. With any luck your IT person would have enabled the SMTP proxy, which should have dealt with that.
But anyway, log files first, and I am sure someone in here with more knowledge will help you; they are a great bunch.
Regards Paul.
-
In addition to DRifting's recommendation, you could use https://wiki.contribs.org/Qmhandle_mail_queue_manager
This way you will be able to:
- list the email in the queue and identify the spam
- use the ID of the messages / From header / To header to track the origin in the qmail and qpsmtpd logs
- use a filter to delete only SPAM and save your HAM
Be careful that the SPAM may not come from an SME account but also from:
- an infected computer
- a malicious script introduced because of an out-of-date PHP webapp
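As an added illustration of the log-tracking step above (not code from this thread or from the SME Server project), this script ranks authenticated sending accounts by their peak volume in any 5-minute window, which is how the "200 every 5 minutes" burst would stand out against normal users. The `auth=`/`rcpt=` log layout and the sample lines are constructed assumptions; real qpsmtpd/qmail lines differ, so `LOG_RE` must be adapted to them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified log layout (NOT the real SME Server qpsmtpd format):
# "<Mon> <day> <HH:MM:SS> <host> <proc>: auth=<account> rcpt=<recipient>"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?auth=(\S+) rcpt=(\S+)")

def parse(lines, year=2017):
    """Yield (timestamp, account) for lines carrying an authenticated sender."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unauthenticated or unrelated line, skip it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2)

def peak_rate(lines, window=timedelta(minutes=5)):
    """Return {account: most messages sent inside any span of length `window`}."""
    by_account = defaultdict(list)
    for ts, acct in parse(lines):
        by_account[acct].append(ts)
    peaks = {}
    for acct, stamps in by_account.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        peaks[acct] = best
    return peaks

def suspects(lines, threshold, window=timedelta(minutes=5)):
    """Accounts whose peak volume reaches `threshold`, busiest first."""
    peaks = peak_rate(lines, window)
    return sorted((a for a, n in peaks.items() if n >= threshold),
                  key=lambda a: -peaks[a])

# Constructed sample: 'alice' sends a normal trickle, 'scanner' bursts.
SAMPLE_LOG = [
    "Oct 24 09:20:01 mail qpsmtpd[100]: auth=alice rcpt=bob@example.org",
    "Oct 24 09:26:30 mail qpsmtpd[101]: auth=alice rcpt=carol@example.org",
] + [
    f"Oct 24 09:21:{s:02d} mail qpsmtpd[{200 + s}]: auth=scanner rcpt=r{s}@example.net"
    for s in range(0, 60, 6)  # 10 messages within one minute
] + ["Oct 24 09:22:00 mail qpsmtpd[300]: connect from 203.0.113.5"]

if __name__ == "__main__":
    print(peak_rate(SAMPLE_LOG))              # {'alice': 1, 'scanner': 10}
    print(suspects(SAMPLE_LOG, threshold=8))  # ['scanner']
```

Lower the threshold to whatever is abnormal for your site; the account at the top of the list is the one to disable or re-password first, then check its recent logins.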
-
Been there. I added a user 'scanner' back in the SME 5 days with a simple password.
This user was used to connect by SSH and perform some magic like pushing out spam.
After disabling this account, the spam stopped.