Possible hack, my server sends spam

Checking the logs I see a bunch of these lines

Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E49196CA29: from=<MaryHudson@censoreddomain.com>, size=3487, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E050E6D3B1: from=<HeidiCarter@censoreddomain.com>, size=2670, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E46886D397: from=<Nickolasklaus@censoreddomain.com>, size=2625, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 797BC6CF36: from=<lopezpuri@censoreddomain.com>, size=2631, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7EDD66D385: from=<JaniceTang@censoreddomain.com>, size=2789, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7C88F6D0CC: from=<mightbwrong@censoreddomain.com>, size=2719, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 786966D293: from=<RobertoRamirez@censoreddomain.com>, size=2814, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7EC0F6CEDA: from=<AdamUSmaN@censoreddomain.com>, size=2558, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 71E456D223: from=<NabrittDeWitt@censoreddomain.com>, size=2673, nrcpt=16 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7D4586D395: from=<SueBansen@censoreddomain.com>, size=2651, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 715CB6CE8D: from=<steveross@censoreddomain.com>, size=2668, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7CB1A6D287: from=<ClaudetteCampbell@censoreddomain.com>, size=2783, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 7AE336D092: from=<ColeClines@censoreddomain.com>, size=2597, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 72DD36AF57: from=<QuianaAdams@censoreddomain.com>, size=2610, nrcpt=20 (queue active)

Those accounts don't exist; there is only one account under that domain. At first I thought that the user's PC was hacked and was sending spam, so I changed the password and flushed the queue (postfix flush). One day later, 10,000 more emails were sent; now the log is so big that it's very hard to follow.

Can someone point me to how I can debug this and get rid of the spam?

Thanks.
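An added example for triaging a Postfix log like the one above (it is not part of the original post). A qmgr "queue active" line only says that the message with that queue ID is being delivered, together with its envelope sender, size and recipient count. The record that shows how the message got into the queue is the earlier line with the same queue ID written by postfix/smtpd (submitted over the network; it carries client= and, when the session authenticated, sasl_username=) or by postfix/pickup (submitted locally through the sendmail command, e.g. by a web application), so the first thing to do is grep the queue ID. The script below parses a sample made of five of the posted qmgr lines plus three smtpd lines that are constructed here to show the join; the IP addresses, the SASL user name and the list of real accounts are assumptions.

```python
import re
from collections import Counter

# Sample log.  The qmgr lines are five of those quoted in the post.  The three
# smtpd lines are CONSTRUCTED for this example: they show the record Postfix
# writes when a message is submitted over SMTP, under the same queue ID that
# the qmgr line later reports.  The IPs and the SASL user name are assumptions.
SAMPLE_LOG = """\
Jan  6 17:53:43 ubuntu postfix/smtpd[29810]: E49196CA29: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user@censoreddomain.com
Jan  6 17:53:43 ubuntu postfix/smtpd[29810]: E050E6D3B1: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user@censoreddomain.com
Jan  6 17:53:43 ubuntu postfix/smtpd[29811]: E46886D397: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@censoreddomain.com
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E49196CA29: from=<MaryHudson@censoreddomain.com>, size=3487, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E050E6D3B1: from=<HeidiCarter@censoreddomain.com>, size=2670, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: E46886D397: from=<Nickolasklaus@censoreddomain.com>, size=2625, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 797BC6CF36: from=<lopezpuri@censoreddomain.com>, size=2631, nrcpt=20 (queue active)
Jan  6 17:53:44 ubuntu postfix/qmgr[29704]: 71E456D223: from=<NabrittDeWitt@censoreddomain.com>, size=2673, nrcpt=16 (queue active)
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)"
# qmgr: queue ID, envelope sender, size and number of recipients of a message entering delivery
QMGR_RE = re.compile(
    TS + r" \S+ postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
# smtpd: queue ID assigned to a message received over SMTP, the submitting client
# and, if the session authenticated, the SASL user name whose credential was used
SMTPD_RE = re.compile(
    TS + r" \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")


def parse(log_text):
    """Split the log into queued messages and SMTP submissions, both keyed by queue ID."""
    queued, injected = {}, {}
    for line in log_text.splitlines():
        m = QMGR_RE.match(line)
        if m:
            queued[m["qid"]] = {"ts": m["ts"], "sender": m["sender"],
                                "size": int(m["size"]), "nrcpt": int(m["nrcpt"])}
            continue
        m = SMTPD_RE.match(line)
        if m:
            injected[m["qid"]] = {"client": m["client"], "sasl_user": m["user"]}
    return queued, injected


def triage(log_text, real_accounts):
    """Summarise the burst: volume, forged senders, and who handed the messages to Postfix."""
    queued, injected = parse(log_text)
    real = {a.lower() for a in real_accounts}
    # Envelope senders that are not mailboxes on this server: forged by whoever is sending.
    forged = sorted(q["sender"] for q in queued.values() if q["sender"].lower() not in real)
    per_second = Counter(q["ts"] for q in queued.values())
    submitters, unmatched = Counter(), []
    for qid in queued:
        inj = injected.get(qid)
        if inj is None:
            # No smtpd record in this slice: grep the queue ID in the full log;
            # a postfix/pickup line would mean local submission (a script on the box).
            unmatched.append(qid)
        else:
            submitters[(inj["client"], inj["sasl_user"] or "(no SASL auth)")] += 1
    return {
        "messages": len(queued),
        "recipients": sum(q["nrcpt"] for q in queued.values()),
        "forged_senders": forged,
        "peak_per_second": max(per_second.values()) if per_second else 0,
        "submitters": submitters,
        "unmatched_queue_ids": sorted(unmatched),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["user@censoreddomain.com"])  # assumed: the one real mailbox
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on the real log with `triage(open("/var/log/mail.log").read(), [...])`. If every queued message joins to an smtpd line with the one real sasl_username, the credential is what is being abused (and a password change only helps if existing sessions are also cut off by restarting the service); if the client is a public address with no SASL user, the relay policy is letting strangers in; if the IDs only join to postfix/pickup lines, look for a script on the machine itself.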

As a first step, if you haven't acted yet, shut down your mail server altogether, and actually all services that your machine is running, for two reasons: first, you don't want your server flagged as a spam relay, because it's a nightmare to get off the blacklists; and second, because you cannot look at the situation while the logs are running and being flooded.

service postfix stop
service dovecot stop
service opendkim stop
service postgrey stop
service nginx stop
service php5-fpm stop
service mailinabox stop
service nsd stop

At this stage, having all services down is better than disrupted, until it’s proven that you’re right or you’re just being paranoid.

Then you'll have to take a better look at your configuration and double-check that Postfix is correctly set up so that it is not an open relay (you can find online services to do that, so you can start only Postfix and check it).

Looking at your logs, I believe that you're reading them the wrong way around: you're just the target of a spambot which is sending you a haystack of requests, in case it works.

If I'm right, which means you're being paranoid, then carefully check all your configuration, use the system check panel from MIAB and other online tools to make sure everything's fine and running smoothly, and bring each service back up as you've checked it.

It's better to be too careful than not. But tsunamis happen all the time on the Internet.