Help! My server is drowning in bounce messages


#1

One mail account (of many) is accumulating bounce messages, thousands per hour.

I’m surprised that so many mailservers out there are bouncing mails, reporting them as Spam or defective in some way. I thought it better to just dump them.

I am presuming the original mails are sent spoofing the mail account on my box. Although they don’t complain about DKIM being wrong, so maybe they are originating from my box?

I have shut down any clients for the account that might have been hacked. I’m not sure if the MIAB is being used as an open relay, as I can’t find any bounce messages that say the DKIM was OK (although I thought I had seen this earlier).

Please, any suggestions on how to make MIAB suspend a user account, and also on how to figure out what is going on.


#2

If someone is spoofing you, you would not get the bounce-backs. Change everyone’s password. Someone’s account was hacked, it seems like.


#3

Yes, I have just come to that conclusion. Thanks for your response, good to know there is someone there who can help!

I’ll detail what I did in case someone else gets that panicky feeling.


#4

Also FYI - MIAB does not allow open relay, so you can rule that out (unless you manually changed a config somewhere).


#5

Some notes about recovering from a mail account that is sending out spam as a result of the account password becoming known.

As a short-term fix to stem the flow, you could block the remote IP from accessing the webserver.
Find the offending IP using netstat -tn, and do iptables -I INPUT -s <offending IP> -j DROP

You can, via admin, set the account to ‘Archive’ which will stop incoming email being accepted, but allows the account to be reactivated (with a new password!) simply by adding the account address again.

You will probably need to get rid of the backlog of deferred messages. In my case some 17000.
postsuper -d ALL deferred and postsuper -d ALL defer (at the risk of losing some belonging to other accounts)
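The first two steps above (confirm which account is compromised rather than spoofed, and find the IP to block) can be read straight out of the Postfix log: every authenticated submission is logged by smtpd with the client IP and the sasl_username, and spoofed mail never produces such a line on your box. The following is an added example, not code from the thread or from Mail-in-a-Box. It parses constructed mail.log lines in the standard Postfix smtpd format, counts authenticated submissions per account and per source IP, and reports any account over a chosen threshold together with the iptables rule from the post filled in with that IP. The sample lines, account names, IPs and the threshold of 10 are all assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd logs one line like this for every authenticated (SASL) submission:
#   ... postfix/submission/smtpd[PID]: QUEUEID: client=host[ip], sasl_method=PLAIN, sasl_username=user@domain
# Only the client IP and the SASL user name are needed here.
SASL_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: \w+: "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)


def parse_sasl_line(line):
    """Return (user, ip) for an authenticated-submission log line, else None."""
    m = SASL_RE.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("ip")


def submissions_by_user(lines):
    """Count authenticated submissions per account, and per source IP within each account."""
    per_user = Counter()
    per_user_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_sasl_line(line)
        if parsed is None:
            continue  # qmgr, smtp delivery, bounce lines etc. are not submissions
        user, ip = parsed
        per_user[user] += 1
        per_user_ip[user][ip] += 1
    return per_user, per_user_ip


def find_offenders(lines, threshold):
    """Accounts with more than `threshold` authenticated submissions, with their busiest source IP."""
    per_user, per_user_ip = submissions_by_user(lines)
    offenders = []
    for user, count in per_user.most_common():
        if count <= threshold:
            break  # most_common() is sorted, so nothing further qualifies
        ip, ip_count = per_user_ip[user].most_common(1)[0]
        offenders.append({"user": user, "count": count, "top_ip": ip, "top_ip_count": ip_count})
    return offenders


def block_command(ip):
    """The iptables rule from the post, with the discovered IP filled in."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# --- Constructed sample log (assumption: not real traffic) -------------------
def _submission(ts, qid, host, ip, user):
    return (f"Jun  3 {ts} box postfix/submission/smtpd[2231]: {qid}: "
            f"client={host}[{ip}], sasl_method=PLAIN, sasl_username={user}")


SAMPLE_LOG = (
    # 30 submissions in 30 minutes from one unknown host as alice: the compromised account
    [_submission(f"12:{m:02d}:07", f"A{m:03X}F", "unknown", "203.0.113.45", "alice@example.com")
     for m in range(30)]
    # alice's genuine client from home, and a normal user bob
    + [_submission("12:05:11", "B00C1", "home.example.net", "192.0.2.10", "alice@example.com"),
       _submission("12:09:40", "B00C2", "unknown", "198.51.100.7", "bob@example.com"),
       _submission("12:41:02", "B00C3", "unknown", "198.51.100.7", "bob@example.com"),
       # non-submission lines that the parser must skip
       "Jun  3 12:41:03 box postfix/qmgr[1180]: B00C3: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)",
       "Jun  3 12:41:05 box postfix/smtp[2299]: A001F: to=<x@mx.example.org>, "
       "relay=mx.example.org[203.0.113.9]:25, status=bounced (host said: 550 rejected as spam)"]
)

if __name__ == "__main__":
    # In real use: read lines from /var/log/mail.log instead of SAMPLE_LOG.
    for o in find_offenders(SAMPLE_LOG, threshold=10):
        print(f"{o['user']}: {o['count']} submissions, "
              f"{o['top_ip_count']} of them from {o['top_ip']}")
        print("  suggested block:", block_command(o["top_ip"]))
```

If the suspect account shows up here with an IP you do not recognise, the password is known to someone else and the account is the source; if it never appears at all, the mail is being spoofed elsewhere and the bounces are only arriving because Return-Path points at you. Dropping the IP is a stop-gap, since the spammer can move hosts; the password change (or archiving the account, as above) is what actually closes the hole.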


#6

I seem to have recovered except for munin. The spamming started around 12pm, and by the time I noticed it and stopped it, it was about 5pm.
Some of the graphs continue to about then, others stop around 2pm.
I’ve restarted nginx and munin-node, to no effect.
I can’t see anything helpful in the log files.
I’ve connected to port 4949 and get responses to the commands. However the config and fetch commands say ‘Unknown Service’
Any ideas how to recover?


#7

OK munin is back.
After many hours. I guess the log files had grown so big it was taking forever for it to process them.