[BlueOnyx:14255] Re: Stopping User at localhost.localdomain Spam
Chris Gebhardt - VIRTBIZ Internet
cobaltfacts at virtbiz.com
Sun Jan 12 14:07:27 -05 2014
On 1/12/2014 12:38 PM, Chuck Tetlow wrote:
> It appears that someone has a valid username/password on your server,
> and is using the SMTP-Auth to relay e-mail.
>
> So, first and easiest thing to do to stop it is firewall out that
> address. At the command line, enter:
> iptables -I acctin 1 -s 200.111.101.0/24 -j DROP
> That will stop the scumbag from relaying any e-mail through you, even if
> he changes his IP to another in his network.
The /24 rejection may or may not be a bit severe (especially if there
are any other legitimate users from that range) but then again, if you
don't have any legitimate users using the ISP "EntelChile" in Santiago,
Chile then it will certainly be effective!
The only problem I have with this has nothing to do with Chuck's
suggestion, which is valid. It's the fact that if a user account is in
fact compromised, then there's a good chance there is a spam gang with
IPs around the world all using the account. Then it becomes an issue
similar to the Dutch boy sticking his fingers in the leaking dam.
That's where the next part comes in.
> Then you've got to figure out which account on your server is being
> used. That's a little harder - and takes time sorting through the logs
> to find. Although sometimes you can spot it by going through the
> management GUI and looking at USAGE reports on which domain/user is
> sending the most e-mail/using the network the heaviest.
And that's the key. You have to isolate the user account. Actually, if
the issue is indeed with a user account on the server, then you can find
out which user pretty quickly with this:
grep "200.111.101.6" /var/log/maillog
Then you should find some entries where the user has authenticated and
it will list the username.
Then you may as well see if there are authentications on that user
account from other locations as well with this:
grep "authid=USERNAME" /var/log/maillog
where USERNAME is the user account in question.
> Once you've figured out which account is being used, simply change the
> password. That should stop it. Worst case, delete that account. I had
> one just like it two weeks ago, and even suspending the account didn't
> prevent him from relaying through the server. So I just deleted the
> account which put an end to it.
Yes, changing the password would be my recommendation. Deleting the
account will be effective, but of course if it's attached to a legit
user and then you wipe out his account and all his email, webmail
settings, etc. you're likely to have a cranky customer on your hands.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
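The three greps in the reply above, scripted so the same triage can be re-run for any suspect address. This is an added example and not code from the post or from BlueOnyx. It assumes the sendmail "AUTH=server, relay=..., authid=..., mech=..." log line that the `authid=USERNAME` grep relies on; the log lines, hostnames, PIDs, queue IDs, user names and addresses in it are constructed, and the function names are the example's own. Set MAILLOG to /var/log/maillog on a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the three greps Chris
# describes so the same triage can be re-run for any suspect IP. Set MAILLOG to
# /var/log/maillog on a real BlueOnyx host; by default it reads a CONSTRUCTED
# sample in the "AUTH=server" format sendmail writes for SMTP AUTH logins.
# Hostnames, PIDs, queue IDs, users and addresses below are made up.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jan 12 11:02:10 bo sendmail[4101]: s0CG2Axx004101: AUTH=server, relay=[200.111.101.6], authid=webmaster, mech=LOGIN, bits=0
Jan 12 11:02:11 bo sendmail[4101]: s0CG2Axx004101: from=<webmaster@example.com>, size=2310, class=0, nrcpts=40, proto=ESMTP, daemon=MTA, relay=[200.111.101.6]
Jan 12 11:05:44 bo sendmail[4122]: s0CG5ixx004122: AUTH=server, relay=home.example.net [198.51.100.23], authid=alice, mech=LOGIN, bits=0
Jan 12 11:09:03 bo sendmail[4140]: s0CG93xx004140: AUTH=server, relay=[203.0.113.77], authid=webmaster, mech=PLAIN, bits=0
Jan 12 11:15:27 bo sendmail[4158]: s0CGFRxx004158: AUTH=server, relay=[200.111.101.6], authid=webmaster, mech=LOGIN, bits=0
Jan 12 11:20:00 bo sendmail[4170]: s0CGK0xx004170: AUTH=server, relay=[192.0.2.9], authid=webmaster, mech=LOGIN, bits=0
Jan 12 11:31:12 bo sendmail[4188]: s0CGVCxx004188: AUTH=server, relay=[198.51.100.40], authid=bob, mech=LOGIN, bits=0
EOF
MAILLOG="${MAILLOG:-$SAMPLE}"

# One "ip authid" pair per SMTP AUTH login. Anchoring on "relay=" and on the
# bracketed address handles both "relay=[ip]" and "relay=host [ip]" and
# avoids picking up the bracketed PID in "sendmail[4101]".
auth_events() {
    sed -n 's/.*AUTH=server, relay=[^[]*\[\([^]]*\)\], authid=\([^,]*\),.*/\1 \2/p' "$MAILLOG"
}

# Step 1: grep "200.111.101.6" /var/log/maillog, but matched on the whole
# address so 200.111.101.6 does not also hit 200.111.101.60. Prints the
# distinct accounts that authenticated from that IP.
authids_for_ip() {
    auth_events | awk -v ip="$1" '$1 == ip { print $2 }' | sort -u
}

# Step 2: grep "authid=USERNAME" /var/log/maillog, summarised as
# "<logins> <ip>" per client address, busiest first.
ips_for_authid() {
    auth_events | awk -v u="$1" '$2 == u { print $1 }' \
        | sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Chris's wider worry: a stolen account is used from IPs all over the world,
# so a single /24 block is the Dutch boy at the dam. Rank every account by how
# many distinct addresses it logged in from; the outlier is the one to reset.
rank_accounts_by_ip_spread() {
    auth_events | sort -u | awk '{ n[$2]++ } END { for (a in n) print a, n[a] }' \
        | sort -k2,2nr -k1,1
}

# Usage on a real box: MAILLOG=/var/log/maillog sh triage.sh 200.111.101.6
SUSPECT_IP="${1:-200.111.101.6}"
echo "Accounts that authenticated from $SUSPECT_IP:"
authids_for_ip "$SUSPECT_IP"
for u in $(authids_for_ip "$SUSPECT_IP"); do
    echo "Client addresses seen for authid=$u (logins ip):"
    ips_for_authid "$u"
done
echo "Accounts ranked by number of distinct client addresses:"
rank_accounts_by_ip_spread
```

On the constructed sample the suspect IP resolves to "webmaster", that account has logged in from three different addresses while every other account has one, which is the spam-gang pattern the reply warns about and the reason to reset that password rather than only firewalling the /24.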