Opened 2 years ago

Closed 2 years ago

#12480 closed Bug/Something is broken (fixed)

mx1 sending spam - using old logins

Reported by: Jamie McClelland
Owned by:
Priority: Urgent
Component: Tech
Keywords:
Cc:
Sensitive: no


Since has been moved off of mx1 these should all be delete-able.

Change History (4)

comment:1 Changed 2 years ago by Jamie McClelland

This particular compromise is:

comment:2 Changed 2 years ago by Jamie McClelland

I just took the following steps to disable sending from any laneta user name:

cd /etc/postfix/vhcs2/
cp sender-access sender-access.pre.lanteta.purge
cat sender-access.pre.lanteta.purge | grep -v > sender-access
postmap sender-access

And here's a check to ensure there are no more messages sent from addresses sending email after this change went into effect at 9:00 Mexico City time:

0 mx1:/etc/postfix/vhcs2# grep "sasl_username=.*" /var/log/mail.log |tail
Feb  1 08:58:29 mx1 postfix/smtpd[7091]: 07DA42948D:[], sasl_method=LOGIN,
Feb  1 08:58:47 mx1 postfix/smtpd[6011]: EF309295D3:[], sasl_method=LOGIN,
Feb  1 08:58:48 mx1 postfix/smtpd[7091]: 3894A295EF:[], sasl_method=LOGIN,
Feb  1 08:59:19 mx1 postfix/smtpd[9149]: 9B11929611:[], sasl_method=LOGIN,
Feb  1 08:59:19 mx1 postfix/smtpd[9150]: 01B9C2961F:[], sasl_method=LOGIN,
Feb  1 08:59:26 mx1 postfix/smtpd[9149]: B0F6B294A6:[], sasl_method=LOGIN,
Feb  1 08:59:34 mx1 postfix/smtpd[9150]: EA701295EA:[], sasl_method=LOGIN,
Feb  1 08:59:39 mx1 postfix/smtpd[9149]: B92DC29697:[], sasl_method=LOGIN,
Feb  1 08:59:59 mx1 postfix/smtpd[9150]: 8C606296DF:[], sasl_method=LOGIN,
Feb  1 09:00:41 mx1 postfix/smtpd[9149]: 864B6292E4:[], sasl_method=LOGIN,
0 mx1:/etc/postfix/vhcs2#
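
The check from comment:2 as a per-login count, added here as an example that is not part of the ticket: it tallies every matching smtpd line at or after a cutoff time on one day, rather than showing the last ten matches. It assumes the usual Postfix smtpd log layout with `client=` and `sasl_username=` fields (the lines above are truncated); the function names, the sample log and the `blocked.example` domain are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumed line layout (standard Postfix smtpd logging):
#   Mon DD HH:MM:SS host postfix/smtpd[pid]: QID: client=..., sasl_method=..., sasl_username=user@dom

# Constructed sample log; all names, IDs and addresses are placeholders.
sample_log() {
    cat <<'EOF'
Jan 31 09:30:00 mx1 postfix/smtpd[501]: A1B2C3D4E0: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@blocked.example
Feb  1 08:58:29 mx1 postfix/smtpd[7091]: A1B2C3D4E1: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@blocked.example
Feb  1 09:00:41 mx1 postfix/smtpd[9149]: A1B2C3D4E2: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@blocked.example
Feb  1 09:03:02 mx1 postfix/smtpd[9149]: A1B2C3D4E3: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=Alice@Blocked.Example
Feb  1 09:04:10 mx1 postfix/smtpd[9150]: A1B2C3D4E4: client=unknown[192.0.2.12], sasl_method=PLAIN, sasl_username=bob@blocked.example
Feb  1 09:05:00 mx1 postfix/smtpd[9150]: A1B2C3D4E5: client=unknown[192.0.2.13], sasl_method=LOGIN, sasl_username=carol@notblocked.example
Feb  1 09:06:00 mx1 postfix/qmgr[812]: A1B2C3D4E2: from=<alice@blocked.example>, size=1024, nrcpt=1 (queue active)
EOF
}

# Usage: sasl_after_cutoff MONTH DAY HH:MM:SS DOMAIN < mail.log
# Prints "COUNT LOGIN" for each sasl_username in DOMAIN logged by smtpd
# on that day at or after the cutoff, highest count first.
sasl_after_cutoff() {
    awk -v mon="$1" -v day="$2" -v cutoff="$3" -v dom="$4" '
        BEGIN { dom = tolower(dom) }
        # syslog fields: $1=month $2=day $3=time $4=host $5=process[pid]:
        # Appending "" forces a string comparison of the zero-padded times.
        $1 == mon && $2 + 0 == day + 0 && ($3 "") >= (cutoff "") &&
        $5 ~ /^postfix\/smtpd\[/ {
            for (i = 6; i <= NF; i++) {
                if (index($i, "sasl_username=") != 1) continue
                user = tolower(substr($i, 15))   # text after "sasl_username="
                sub(/,$/, "", user)              # drop a trailing comma, if any
                at = index(user, "@")
                # Compare the whole domain part so notblocked.example
                # is not counted as blocked.example.
                if (at > 0 && substr(user, at + 1) == dom) seen[user]++
            }
        }
        END { for (u in seen) print seen[u], u }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run against the constructed sample.
sample_log | sasl_after_cutoff Feb 1 09:00:00 blocked.example
```

Empty output means no login in that domain appears in an smtpd line on that day at or after the cutoff.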

comment:3 Changed 2 years ago by Jamie McClelland

Still deleting 27K+ messages from mailq...

comment:4 Changed 2 years ago by Jamie McClelland

Resolution: fixed
Status: new → closed

all messages deleted.
