

spamming hack




Posted by irfan-EyHost, 10-30-2012, 09:59 PM
Hello All, I see that one account was hacked and the hacker is spamming using the account. I see there are too many emails in the queue: 1784541. I have deleted the hacked account, but the emails are still in the queue. Our server load is also high. Please tell me what I can do now on the server? What should I check and what security do I need to implement to prevent this?

Posted by JohnStern, 10-30-2012, 10:08 PM
Clear the message queue and implement proper passwords.

Posted by irfan-EyHost, 10-30-2012, 10:14 PM
I have tried to clear it with this command: exiqgrep -i -f user@domain.com | xargs exim -Mrm but it is taking too much time to clear. I have been waiting for 2 hours and it is still not done.

Posted by JohnStern, 10-30-2012, 10:38 PM
On a low-horsepower server it will take a long time, especially with a piped command.

Posted by bear, 10-30-2012, 10:50 PM
For 1-3/4 million messages, I'm not surprised. We've had a few accounts compromised recently, with the highest managing to queue about 11K before it was spotted. Rate limited per hour so only about 3K actually left the server, so it could have been a bit messier. Generally we change the password on the affected account and get in touch with the owner, killing the mail on the queue the same way as you. Remind them they need to have complex passwords and to change them occasionally. Rarely helps.

Posted by JohnStern, 10-30-2012, 11:24 PM
Bear hit it on the nose. Sad that many email servers do not have built-in limitation settings to prevent any user sending more than XX emails in XX period of time.

Posted by BestServerSupport, 10-31-2012, 11:39 AM
I would advise you to disable the nobody user from sending emails. Only use SMTP authentication scripts to send emails. Also, regularly update the version of any installed third-party software and choose strong passwords for email accounts and control panels.

Posted by kevincheri, 10-31-2012, 03:21 PM
Yes, you will need to wait to get the queue cleared. No shortcuts, I believe. In future, you may need to implement some monitoring tools that alert you if the mail queue goes over a limit, say 1000 mails, so you can take a look at what's hanging.

Posted by kpmedia, 10-31-2012, 03:49 PM
that are not used anywhere else! I recently had a friend get his email account "hacked" -- on my server -- because he used the same password everywhere. On forums, for the pizza website, etc. He's now using a unique password for email, separate from any other website. Only a few thousand got out, and I was notified of it immediately due to server notifications and feedback loops. I also tightened his account to ceiling at a few hundred outbound emails per day. What was interesting was watching the botnet log in from so many different locations to send no more than 300 or so messages at a time, at an interval of exactly 10 minutes for about 90 minutes.
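
Added example, not part of any post in this thread: one way to spot the pattern described above (one mailbox authenticating from many addresses, or submitting far more mail than usual) from an Exim main log. It assumes Exim's default log line layout with the authenticated id logged as A=driver:account; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag authenticated senders that submit many messages or
# submit from many distinct source IPs.
# Usage: flag_senders MAX_MSGS MAX_IPS < your-exim-main-log
flag_senders() {
    awk -v max_msgs="$1" -v max_ips="$2" '
    # Arrival lines: DATE TIME MSGID <= sender H=(helo) [ip] P=esmtpa A=driver:account ...
    $4 == "<=" {
        account = ""; ip = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^A=[^:]+:/) {
                account = $i
                sub(/^A=[^:]+:/, "", account)      # keep only the authenticated id
            } else if (ip == "" && $i ~ /^\[[0-9a-fA-F.:]+\](:[0-9]+)?$/) {
                ip = $i
                sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (account == "") next                    # local or unauthenticated mail
        msgs[account]++
        if (ip != "" && !((account, ip) in seen)) { seen[account, ip] = 1; ips[account]++ }
    }
    END {
        for (a in msgs)
            if (msgs[a] >= max_msgs || ips[a] >= max_ips)
                printf "%s msgs=%d ips=%d\n", a, msgs[a], ips[a]
    }' | sort
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
2012-10-30 21:00:01 1TTa01-0001Ab-Cd <= victim@example.com H=(pc1) [203.0.113.5] P=esmtpa A=dovecot_login:victim@example.com S=1520
2012-10-30 21:00:02 1TTa02-0001Ab-Ce <= victim@example.com H=(pc2) [198.51.100.7] P=esmtpa A=dovecot_login:victim@example.com S=1498
2012-10-30 21:10:01 1TTa03-0001Ab-Cf <= victim@example.com H=(pc3) [192.0.2.44] P=esmtpa A=dovecot_login:victim@example.com S=1510
2012-10-30 21:10:03 1TTa04-0001Ab-Cg <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpsa A=dovecot_plain:alice@example.com S=2048
2012-10-30 21:10:04 1TTa04-0001Ab-Cg => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.25]
2012-10-30 21:10:05 1TTa05-0001Ab-Ch <= nobody@host.example.com U=nobody P=local S=900
EOF
}

# Flags accounts with 3 or more messages or 3 or more source IPs in the sample.
sample_log | flag_senders 3 3
```

Run against a window of the log (for example the last hour) so the thresholds mean "per hour", in the spirit of the per-account limits mentioned in the thread.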

Posted by HyperStreet, 11-06-2012, 06:58 PM
Hey there, I do something like this to watch the mailqueue and if it goes over a particular number of waiting messages - which generally indicates that something is up.

    #!/bin/bash
    ## check qmail queue for overlimit and send to admins
    qlimit=400
    notifyemail=queuealert@someAdminEmail.com
    # "+ 0" turns the space-padded field into a plain integer
    qcount=$(/var/qmail/bin/qmail-qstat | grep "messages in queue:" | awk -F ":" '{print $2 + 0}')
    if [ "$qcount" -ge "$qlimit" ]
    then
        echo "queue is OVERLIMIT at $qcount"
        subject="QUEUEALERT - $qcount Messages"
        # the post is cut off after "$notifyemail<"; sending the alert line as the body is an assumption
        echo "queue is OVERLIMIT at $qcount" | mail -s "$subject" "$notifyemail"
    fi


