I thought I'd write a little primer with some of the most important commands you will use as a mail administrator.
Most servers run Postfix, so I will concentrate on Postfix-centric commands.
How to check your mail queue:
# postqueue -p
This will list all mail that is in the queue waiting to be delivered. This is usually the first place I go to check if someone is sending spam from my server.
Once you find a domain that is sending out spam, you should probably stop your mail server.
Shutdown postfix:
# /etc/init.d/postfix stop
At this point you should probably "plug the hole". What I mean by that is that you should locate the compromised email account, change its password, and notify the user.
If the mail is being generated by the site itself, the sender will usually show up as "PHPMAILFUNCTION@xzy.com". In that case, you will need to contact the administrator for that site and disable the MAIL function in the site's .htaccess file (if your server supports it).
Once you have plugged the hole, you'll want to delete all the mail in the queue that is coming from that site. Use the following command (replacing example.com with the offending domain):
# find /var/spool/postfix/* -type f -exec grep -irl "example.com" {} \; -exec rm -vf {} \;
Re-run postqueue -p to double-check that you've got it all.
Once you are satisfied you've eliminated all the spam in the queue, you can restart the mail server with:
# /etc/init.d/postfix start
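As an added example (not from the original post), the same cleanup done with Postfix's own queue tools instead of find/rm: the one-liner above matches the domain anywhere inside every file under /var/spool/postfix and unlinks queue files by hand, whereas postqueue -p plus postsuper -d lets you pick messages by their envelope sender and have Postfix remove them. The postqueue output below is constructed, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (not captured from a real server).
# Each queued message is one record: a header line with the queue ID (a trailing
# * or ! marks active or held mail), size, arrival time and envelope sender,
# followed by indented recipient lines. A blank line separates records.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4123 Mon Jan  1 10:00:00  phpmailfunction@example.com
                                         victim1@example.net
                                         victim2@example.org

F6A7B8C9D0       812 Mon Jan  1 10:01:00  alice@legit.example
                                         bob@example.com

1122334455!     9001 Mon Jan  1 10:02:00  www-data@example.com
                                         someone@example.net

-- 13 Kbytes in 3 Requests.'

# queue_ids_from_domain DOMAIN: read `postqueue -p` output on stdin and print the
# queue ID of every message whose envelope sender is at DOMAIN (case-insensitive).
# Only the sender is checked, so mail merely addressed to DOMAIN is left alone.
queue_ids_from_domain() {
    awk -v dom="$1" '
        BEGIN { RS = ""; FS = "\n" }               # paragraph mode: one record per message
        {
            line = $1
            if (line ~ /^-Queue ID-/) line = $2    # the column header shares the first record
            if (line ~ /^--/ || line == "") next   # trailer "-- N Kbytes in M Requests." or nothing
            n = split(line, f, " ")                # f[1] = queue ID ... f[n] = envelope sender
            id = f[1]; sub(/[*!]$/, "", id)        # strip the active/hold marker
            tail = substr(f[n], length(f[n]) - length(dom))
            if (tolower(tail) == "@" tolower(dom)) print id
        }'
}

# Delete everything queued from DOMAIN using the Postfix queue tool; postsuper -d
# reads one queue ID per line from stdin when given "-". Run it with Postfix stopped,
# as the post advises, then re-check with postqueue -p.
purge_queue_from_domain() {
    postqueue -p | queue_ids_from_domain "$1" | postsuper -d -
}

# Dry run on the constructed sample: prints the matching IDs space-separated.
demo_ids() {
    printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_from_domain "$1" | tr '\n' ' ' | sed 's/ $//'
}

demo_ids example.com   # prints: A1B2C3D4E5 1122334455
```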
That's it, you are good to go. Next I will write an article about assessing the damage done to your IP reputation.