How to detect and prevent postfix from dishing out spam email from compromised mail account


We host email and websites for numerous customers on a dedicated server running CentOS and configured through Virtualmin.

Email is handled through Postfix.

Over the weekend we noticed that a client's email account had been compromised and the server had been used to basically pump out spam. As a result our server was blacklisted, affecting every other account on the server. We believe that a desktop machine was infected with malware which allowed the spammers access to the SMTP login credentials to the account in question. From that point on it was open season.

My question is: is there any way to put anything in place to automatically detect spam-like activity of this nature?

Thanks

Best Answer

As I posted above as a comment, I also had the same problem. After doing some research, I came up with this quick solution (still under testing; use it at your own risk):

In your Postfix main.cf file:

smtpd_relay_restrictions =
    ...
    permit_mynetworks,                       # trusted local networks first
    reject_unknown_reverse_client_hostname,  # client IP must have a reverse DNS name
    permit_sasl_authenticated,               # only then trust authenticated users
    ...

Be aware that "smtpd_relay_restrictions" is available from Postfix 2.10, but you can apply these rules before 2.10 as well; please check the documentation.

In my case, I needed to perform 2 changes:

  1. move "permit_sasl_authenticated" down in my rules. Before, I was trusting too much in my authenticated users.
  2. add the rule "reject_unknown_reverse_client_hostname", as most of the "authorized spammers" were reporting "unknown" host (unfortunately, some of them contained hostname information). I also added a whitelist (using the check_client_access rule) for some of my customers' servers that are known not to resolve their IP -> hostname.

So far, so good. Even better, as it is showing as "rejected" in the mail log, now I can ban those clients using my current fail2ban configuration.

As a side note, you could perform more extensive checking (like perhaps RBL checking, before permitting your auth users to send mail). I haven't tried that though.

It would be nice to add spamassassin into the game and be able to flag and block those SPAM mails before delivering them. However as spamassassin was not playing really nice with Japanese messages (all my customers are Japanese), I don't feel like giving it so much power for now.

I hope it can help you.
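The question asks for automatic detection of this kind of activity, and the answer notes that the compromised submissions in its logs mostly came from clients with no reverse DNS name. The script below is an added example (not code from the question, the answer, or the Postfix project) that applies both ideas to Postfix smtpd log lines: it parses the `client=... sasl_username=...` lines Postfix writes for authenticated submissions and flags any account that shows a burst of submissions in a short window, submits from an unusual number of distinct client IPs, or submits mostly from clients logged as `unknown`. The log lines, account names, IP addresses and thresholds are constructed for the example and are assumptions; tune the thresholds to your own traffic.

```python
"""Flag Postfix SASL accounts that look compromised, from smtpd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the line Postfix smtpd logs for an authenticated submission, e.g.
# "Mar  3 10:00:00 mail postfix/smtpd[1201]: 3A2B10: client=unknown[203.0.113.5],
#  sasl_method=PLAIN, sasl_username=alice@example.com"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\].*"
    r"sasl_username=(?P<user>\S+)"
)


def parse_auth_events(lines, year=2024):
    """Return (timestamp, user, ip, host) tuples for authenticated submissions.

    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # rejects, deliveries, other daemons: not a SASL submission
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["host"]))
    return events


def find_suspicious(events, window=timedelta(minutes=10), max_msgs=30, max_ips=2):
    """Map each suspicious sasl_username to the list of reasons it was flagged."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    findings = {}
    for user, evs in per_user.items():
        evs.sort()
        reasons = []
        # Sliding window: the most submissions seen inside any span of length `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_msgs:
            reasons.append(f"burst: {peak} submissions within {window}")
        ips = {ev[2] for ev in evs}
        if len(ips) > max_ips:
            reasons.append(f"many sources: {len(ips)} distinct client IPs")
        unknown = sum(1 for ev in evs if ev[3] == "unknown")
        if unknown * 2 > len(evs):
            reasons.append(f"{unknown} of {len(evs)} submissions from clients with no reverse DNS")
        if reasons:
            findings[user] = reasons
    return findings


def build_sample_log():
    """Constructed log lines (not real traffic): alice bursts from four unknown
    client IPs, bob sends three normal messages from a named office host."""
    lines = []
    base = datetime(2024, 3, 3, 10, 0, 0)
    ips = ["203.0.113.5", "198.51.100.7", "203.0.113.9", "198.51.100.22"]

    def stamp(t):  # syslog style: day is space-padded, e.g. "Mar  3 10:00:05"
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"

    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{stamp(t)} mail postfix/smtpd[1201]: {0x3A2B10 + i:06X}: "
                     f"client=unknown[{ips[i % 4]}], sasl_method=PLAIN, "
                     f"sasl_username=alice@example.com")
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{stamp(t)} mail postfix/smtpd[1202]: {0x5C0000 + i:06X}: "
                     f"client=office.example.net[192.0.2.10], sasl_method=LOGIN, "
                     f"sasl_username=bob@example.com")
    # A rejected, unauthenticated client: the parser must skip this line.
    lines.append("Mar  3 10:02:00 mail postfix/smtpd[1203]: NOQUEUE: reject: RCPT from "
                 "unknown[203.0.113.77]: 450 4.7.25 Client host rejected: cannot find your "
                 "reverse hostname, [203.0.113.77]; from=<x@example.org> "
                 "to=<y@example.com> proto=ESMTP helo=<x>")
    return lines


if __name__ == "__main__":
    for user, reasons in find_suspicious(parse_auth_events(build_sample_log())).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run it over a real file with `parse_auth_events(open("/var/log/maillog"))` (path is an assumption; Virtualmin installs commonly log there). Because the output is keyed by `sasl_username`, the natural response is to lock that one account rather than the client IPs, which change as the spammer rotates sources; the per-IP bans the answer gets from fail2ban remain a useful second layer.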
