{"id":73,"date":"2015-05-12T08:36:43","date_gmt":"2015-05-12T08:36:43","guid":{"rendered":"http:\/\/www.smtp-server.net\/?p=73"},"modified":"2015-05-04T20:34:51","modified_gmt":"2015-05-04T20:34:51","slug":"auth-smtp-easy-steps-to-stop-smtp-auth-relay-attack-and-identify-compromised-email-account-for-postfix","status":"publish","type":"post","link":"https:\/\/www.smtp-server.net\/cs\/auth-smtp-easy-steps-to-stop-smtp-auth-relay-attack-and-identify-compromised-email-account-for-postfix\/",
"title":{"rendered":"Auth SMTP - Easy Steps to Stop an SMTP AUTH Relay Attack and Identify the Compromised Email Account for Postfix"},
"content":{"rendered":"<div style=\"float:left\">https:\/\/youtube.com\/watch?v=IaGV9l_3xZM<\/div>\n<p>Today many email applications, such as Sendmail, Postfix or even MS Exchange, have been redesigned to reduce the chance of becoming a 'spam relay'. In our experience, most SMTP AUTH relay attacks are caused by the compromise of weakly password-protected user accounts. Once the accounts are discovered and compromised, spammers authenticate with the users' credentials, are allowed to relay through the server, and the server is then used to send out spam.<\/p>\n<p><!--more--><\/p>\n<p>Below are the easy steps to stop these spam emails quickly and identify which account(s) have been compromised.<\/p>\n<p><strong>Step 1: Put the mail queue on hold.<\/strong><\/p>\n<p>Large amounts of spam keep queueing in your mail spool. Even worse, the spam can fill up your whole \/var. It is therefore best to hold the mail queue temporarily until you find out which account the spammer has exploited to send large amounts of email.<\/p>\n<p><strong>Step 2: Check your mail log.<\/strong><\/p>\n<p>Go to \/var\/log\/maillog and take a quick look at the lines containing from:. You will probably see many email domain names that do not belong to your organization; this is because the spammer is forging the mail from: address.<\/p>\n<p><strong>Step 3: Identify the compromised account authenticating the SMTP AUTH connection<\/strong><\/p>\n<p>Next, let us check which email accounts have been exploited. Run cat on the log, grep for sasl_username and sort the output. You should see a long list of login attempts and sessions for the exploited accounts. You can also do a quick count with the wc -l command to see the total number of sessions for a particular user.<\/p>\n<p><strong>Step 4: Disable the exploited email account.<\/strong><\/p>\n<p>Once we have the sasl_username string, which is the user account, you are advised to disable it or change its password to a complex one.<\/p>\n<p><strong>Step 5: Move the mail queue or delete the spam emails<\/strong><\/p>\n<p>Now we have to deal with our mail queue. The easiest and fastest way is to move the mail queue aside and do the housekeeping later. Alternatively, you can delete the spam emails using a Bash script.<\/p>\n<p><strong>Step 6: Release the mail queue<\/strong><\/p>\n<p>Remember to release the mail queue after the housekeeping process and keep monitoring the mail traffic.<\/p>","protected":false},
"excerpt":{"rendered":"<p>Today many email applications, such as Sendmail, Postfix or even MS Exchange, have been redesigned to reduce the chance of becoming a &#8216;spam relay&#8217;. In our experience, most SMTP AUTH relay attacks are caused by the compromise of weakly password-protected user accounts. Once the accounts are discovered and compromised, spammers <a href=\"https:\/\/www.smtp-server.net\/cs\/auth-smtp-easy-steps-to-stop-smtp-auth-relay-attack-and-identify-compromised-email-account-for-postfix\/\" rel=\"nofollow\"><span class=\"sr-only\">Read more about Auth SMTP &#8211; Easy Steps to Stop SMTP AUTH Relay Attack and Identify Compromised Email Account for Postfix<\/span>[...]<\/a><\/p>","protected":false},
"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-73","post","type-post","status-publish","format-standard","hentry","category-smtp-servers"],
"_links":{"self":[{"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/posts\/73","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/comments?post=73"}],"version-history":[{"count":1,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/posts\/73\/revisions"}],"predecessor-version":[{"id":74,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/posts\/73\/revisions\/74"}],"wp:attachment":[{"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/media?parent=73"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/categories?post=73"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.smtp-server.net\/cs\/wp-json\/wp\/v2\/tags?post=73"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}