One fine summer afternoon, you found that one of your users account has become compromised and it has been generating huge amount of
SPAM mails. In this article, we will discuss possible reasons, aspects so that we can decide what to do in that scenario.
It will be a series of articles and this is the first one in this series.
So let’s start the discussion.
Let’s try to understand the situation
One of your users’ account got compromised. It is generating huge amount of random unsolicited
SPAM mails. So within few minutes you will notice following things:
- You mail server will pass/forward thousands of unwanted emails to random destinations causing significant reputation damage to your IP address and domain.
- Due to very high amount of email, eventually your email server’s mail processing capacity will crash, resulting an interruption in mail transitions.
- As your server’s mail processing will stop working,
mail queuesize of your server will grow enormously and only adding to your trouble.
- Due to this heavy load, it is possible that your server may show less response to your troubleshooting activity
What can cause this ?
A compromised email account is the main reason for this kind of incident. But what causes an email account to be compromised:
- May be user’s workstation is infected with malicious application/software.
- Most of the time users save their credentials in the web browser, which is very much exploitable by the external threats
- May be user’s email account credential has been compromised
- User may have clicked/opened malicious infected email with attachment.
Besides these user specific reasons, there can be some other critical facts that can cause the spamming. Like,
- If your email server is an open relay then remote exploiters can use your server to relay their spam mails and it happens a lot.
It’s time for damage control
As soon as you find the the spamming incident, start your damage control immediately. If you are wondering how you can detect spamming before it does that much damage, check out our this article.
Check the current
mail queue status:
root@mail:~# /opt/zextras/libexec/zmqstat corrupt=0 hold=0 active=9058 deferred=5742 incoming=0 root@mail:~#
As you can see lot’s of emails in deferred and active queue which is quiet unusual.
Now let’s find out from which account the emails are generating:
zextras@mail:~$ mailq|grep ^[A-F0-9]|cut -c 42-80|sort |uniq -c|sort -n|tail 1 email@example.com 1 firstname.lastname@example.org 1 email@example.com 1 firstname.lastname@example.org 1 email@example.com 2 firstname.lastname@example.org 13 email@example.com 5658 firstname.lastname@example.org 9117 email@example.com zextras@mail:~$
Now take a close look at the
/var/log/carbonio.log to find out the originating IP and block it from connecting to your server.
Also, if needed change the compromised user’s email account credential. Make your server from open relay to closed authenticated relay server.
Now, put all mails of the queue on hold.
root@mail:~# /opt/zextras/common/sbin/postsuper -h ALL postsuper: Placed on hold: 14805 messages
Now we need to clear these unwanted mails from the
mail queue to make the whole system functional again. To do that, we will use
postsuper to delete all hold mails from the mail queue.
root@mail:~# /opt/zextras/common/sbin/postsuper -d ALL hold postsuper: Deleted: 14805 messages
Now as you have deleted all mails from the mail queue, re-queue all current emails so that your email transaction becomes normal again.
What could have done to prevent this?
You can take many approaches to prevent spamming in your server. Let’s take a look at some of them:
- Keep your user accounts secure by using complex passwords. Make a habit of changing password at a regular interval.
- Make sure that your users workstation and application are safe and not affected by any malware.
- Don’t let your email server be an open relay. Only pass authenticated messages.
- Set mail sending rate limit in your server so that in case of violation of previous approaches, your server can block spam mail flood.
- If there is a firewall in your network, place your email server behind the firewall.
- Use email security appliances to protect your server from any mail borne threats.
- Enforce necessary policy at your server’s firewall, MTA to strengthen it’s robustness.
- Keep your server updated with latest software version and patches specially those are related to security.
So these are the basic facts that you should consider during an ongoing spamming incident. Your timely initiative can reduce the damage significantly. For that, you have to collectively use all of these approaches.
Hope this information is helpful to you.
That’s it for today.