[BlueOnyx:17394] Re: Detecting compromised mail accounts

Tigerwolf tigerwolf at tigerden.com
Wed Apr 1 00:19:41 -05 2015


On Wed, 1 Apr 2015, Ernie wrote:

> line, and use the mailq as root or sudo to see if a mass of spam is going
> out, as a rule it will be choking the mail queue. Then you examine the
> headers in /var/spool/mqueue to see who sent the spam so you can figure out
> the compromised user.

Often, spammers will upload an entire self-contained spam system and list 
of target addresses and spew from that.  Local logs will show NOTHING as 
none of the local mail programs are being used.  To further complicate 
things, the spam system self-erases itself and leaves no trace once it's 
finished.  FTP logs also may not show anything if they used SSH for 
transfer.

If you have an older BX version, I'd recommend installing "vnstat" which 
makes nice historical graphs of a designated network interface with 
hourly, daily, and monthly use both in and outbound.  You can look at 
in/out traffic with a browser using a companion program that reads the 
data and makes the graphics for a simple web page.  Newer BX versions 
already include a similar program as part of the GUI, but I forget the 
name.

Another quick-look kind of program is "iftop" which shows traffic on all 
ports of an interface.  It's good for spotting something that's spewing 
outbound, or attacking inbound.
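Ernie's first check (look at the mail queue and work out which account is behind the flood) can be scripted so it is a one-liner for the admin rather than a manual scan of queue headers. The script below is an added example written for this thread, not code from BlueOnyx or from either poster. It assumes sendmail-style `mailq` output (queue ID, size, time and `<sender>` on one line, recipients indented beneath it), reads that text on stdin, counts queued messages per envelope sender, and marks any sender at or above a threshold as SUSPECT. The `SAMPLE_MAILQ` block is constructed test data, not a real queue; on a live box you would run `mailq | summarize_queue_by_sender 20` as root. As Tigerwolf points out, a dropped-in spam kit that never touches the local MTA will not show up here at all, which is why the traffic-graph tools are the second half of the check.

```shell
#!/bin/sh
# Added example for the BlueOnyx thread; not project code.
# Summarise sendmail-style `mailq` output by envelope sender and flag
# senders that have an unusually large number of queued messages.

# summarize_queue_by_sender [THRESHOLD]
#   Reads mailq text on stdin; prints "count sender [SUSPECT]" lines,
#   highest count first. THRESHOLD defaults to 20 queued messages.
summarize_queue_by_sender() {
    awk -v threshold="${1:-20}" '
        # Sender lines start in column 1 with the queue ID (optionally
        # followed by a * or X lock/status marker), then the size, and end
        # with <sender>. Recipient and "(Deferred: ...)" lines are indented
        # and therefore skipped.
        /^[A-Za-z0-9]+[*X-]?[ \t]+[0-9]+[ \t]/ && match($0, /<[^>]*>$/) {
            sender = substr($0, RSTART + 1, RLENGTH - 2)
            if (sender == "") sender = "<>"   # null sender = bounce
            count[sender]++
        }
        END {
            for (s in count) {
                flag = (count[s] >= threshold) ? " SUSPECT" : ""
                printf "%d %s%s\n", count[s], s, flag
            }
        }' | sort -rn
}

# Constructed sample of mailq output (hypothetical addresses) so the
# function can be exercised without a live sendmail queue.
SAMPLE_MAILQ='		/var/spool/mqueue (4 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
t3150A1a012345      812 Wed Apr  1 00:10 <bob@example.com>
                                         <target1@example.net>
t3150A2b012346*     799 Wed Apr  1 00:11 <bob@example.com>
                 (Deferred: Connection refused by mx.example.net.)
                                         <target2@example.net>
                                         <target3@example.net>
t3150A3c012347      801 Wed Apr  1 00:12 <bob@example.com>
                                         <target4@example.net>
t3150B4d012348     1340 Wed Apr  1 00:12 <alice@example.com>
                                         <friend@example.org>'

# top_queued_sender: the single busiest sender in the sample, with a low
# threshold of 3 so the flagging logic is visible on this small queue.
top_queued_sender() {
    printf '%s\n' "$SAMPLE_MAILQ" | summarize_queue_by_sender 3 | head -n 1
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_MAILQ" | summarize_queue_by_sender 3
```

The threshold is deliberately a parameter: a small site might treat ten queued messages from one account as odd, a busy list server would not. A more realistic next step on a BlueOnyx box is to run it from cron and mail the SUSPECT lines to the admin, so the queue is checked before the outbound mail gets the server onto block lists.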
