From: Jay Chandler (no email)
Date: Wed Oct 03 2007 - 17:55:56 EDT
Eddy Ilg wrote:
> Hi,
>
> just wanted to say that deleting the mailq once (postsuper -d ALL)
> solved the problem. We had problems with a full disk some time before
> and it seems that as long as the disk was full, postfix accepted the
> mails it should not accept.
>
> Best regards
>
I'm going to go out on a limb here and say that you're wrong.
The headers you pasted earlier showed that the mail originated locally--
Postfix will likely allow local users to send as whomever they want.
Something's exploiting userid 1001, and if that's a "custom spam
script," I'm going to guess that it's vulnerable. It's also possible
that something else that userid touches is busted, or that it's got a
weak password that was bruteforced.
Doing a postsuper -d ALL will clear out your deferred queue, but what
happens the next time someone uses the compromised account? You haven't
really solved anything.
--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: asynchronous inode failure
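
Added example, not part of the original message: one way to see which local userid is feeding the queue before anything is deleted, by reading the Received header that Postfix itself stamps on each queued message. The function names and sample messages are assumptions made for illustration; it expects raw message text (for instance as dumped by postcat -q) and the default "Postfix" mail_name.

```python
import re
from collections import Counter
from email import message_from_string

# Postfix stamps mail submitted through the local sendmail/postdrop path with
# "by host (Postfix, from userid N)"; mail accepted over SMTP names the client.
LOCAL_RE = re.compile(r"^by \S+ \(Postfix, from userid (\d+)\)")
SMTP_RE = re.compile(r"^from \S+ \([^)]*\[([^\]]+)\]\)")

def classify_origin(raw_message):
    """Return ("local", uid), ("smtp", client_address) or ("unknown", None)."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return ("unknown", None)
    # Only the topmost Received header was written by this server. Anything
    # below it arrived with the message and can be forged by the submitter.
    stamp = " ".join(received[0].split())  # unfold continuation lines
    match = LOCAL_RE.match(stamp)
    if match:
        return ("local", int(match.group(1)))
    match = SMTP_RE.match(stamp)
    if match:
        return ("smtp", match.group(1))
    return ("unknown", None)

def tally_local_senders(raw_messages):
    """Count locally submitted messages per submitting userid."""
    origins = (classify_origin(raw) for raw in raw_messages)
    return Counter(uid for kind, uid in origins if kind == "local")

# Constructed sample messages (hostnames, queue ids and addresses are made up).
LOCAL_1001 = (
    "Received: by mail.example.com (Postfix, from userid 1001)\n"
    "\tid 4F2A1C0012; Wed,  3 Oct 2007 12:00:01 -0400 (EDT)\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 7C1D2E0056\n"
    "Subject: constructed sample\n\nbody\n"
)
SMTP_IN = (
    "Received: from client.example.net (client.example.net [192.0.2.10])\n"
    "\tby mail.example.com (Postfix) with ESMTP id 9D3B2C0034\n"
    "\tfor <user@example.com>; Wed,  3 Oct 2007 12:05:00 -0400 (EDT)\n"
    "Subject: constructed sample\n\nbody\n"
)
LOCAL_33 = ("Received: by mail.example.com (Postfix, from userid 33)\n"
            "\tid 1A2B3C0078; Wed,  3 Oct 2007 12:06:00 -0400 (EDT)\n\nbody\n")
SAMPLE_QUEUE = [LOCAL_1001, SMTP_IN, LOCAL_33, LOCAL_1001]
if __name__ == "__main__":
    print(tally_local_senders(SAMPLE_QUEUE))
```

The first sample carries a second, sender-supplied Received line claiming a remote relay; it is still classified as local because only the server's own topmost stamp is read.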