The Server is Being Used to Send SPAM
Check that the BM server is not an open relay
By default, Postfix is configured as an open mail server relay, which allows BlueMind services (webmail, EAS) to send emails. Through the admin console, you can add new trusted IPs which will be allowed to send emails through the BlueMind server, typically the internal IT server (holiday management software, monitoring, etc).
If one of these servers is compromised, a spammer can use the BM server to send spam.
If you have this issue, you'll find a large number of command lines such as:
Jun 21 08:34:30 centos7 postfix/smtpd[16863]: connect from gateway[192.168.122.111]
Jun 21 08:34:48 centos7 postfix/smtpd[16863]: 1C205316C411: client=gateway[192.168.122.111]
Jun 21 08:34:58 centos7 postfix/cleanup[16869]: 1C205316C411: message-id=<>
Jun 21 08:34:58 centos7 postfix/qmgr[16801]: 1C205316C411: from=<user1@domain.com>, size=233, nrcpt=1 (queue active)
Jun 21 08:34:59 centos7 postfix/smtp[16821]: 1C205316C411: to=<user2@anotherdomain.net>, relay=smtp.anotherdomain.net[XX.XX.XX.XX]:25, delay=20, delays=20/0/0.35/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2F10238)
Jun 21 08:34:59 centos7 postfix/qmgr[16801]: 1C205316C411: removed
Jun 21 08:35:04 centos7 postfix/smtpd[16863]: disconnect from gateway[192.168.122.111]
The client line indicates the IP of the server that sent this e-mail, here 192.168.122.111. If it's not legitimate, this means that the server has been compromised and is being used to send spam
Take the following action:
- delete the IP for the server involved in the BM admin console and save the configuration.
Identifying the user used to send SPAM
Most of the time, the issue is that a spammer has found – often using brute-force – a user's password and uses their account to send SPAM.
You will spot smtp connections with many command lines such as:
May 5 00:08:55 hermes postfix/smtpd[27666]: 7E079B666CC: client=unknown[46.48.93.60], sasl_method=LOGIN, sasl_username=admin
Take the following actions:
-
change the user's password: either in BM, or in the directory.
-
close all sessions for this user with the command :
bm-cli user logout --email=login@domain.com -
nettoyer la queue postfix pour supprimer les mails en attente d'envoi, pour supprimer tous les mails en queue de l'utilisateur login@domain.net
postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /login@domain\.net/ { print $1 }' | tr -d '\*!' | postsuper -d -❗ This command will delete all mail in the user's queue, whether SPAM or legitimate mail sent by the user.
Preventing spam attacks
Limiting brute-force attacks
To try and avoid brute-force attacks, you can use the plugin password-bruteforce which blocks connection attempts for 20 minutes after 3 failed authentications.
Set up a password policy
Dans le cas où vous n'utilisez pas un annuaire pour gérer les utilisateurs, vous pouvez utiliser le plugin password-sizestrength qui permet de mettre en place une politique afin de forcer des règles pour les mots de passe.
How to spot this early?
A monitoring solution can help detect the issue quickly and react before your server becomes blacklisted by anti-spam services.
Bm-tick allows you to set up alerts based on a significant increase in the number of mails in the postfix queue. Vous pouvez configurer cette alerte via le alert builder ou directement utiliser le script suivant :postfix_queue.tick
Ce script va envoyer un mail d'alerte à admin@domain.net dès que la queue postfix atteint les 200 messages. These values can be configured to match your installation.