EMERGENCY - need to secure my server against an ongoing SPAMMER
Paul Howarth
paul at city-fan.org
Fri Mar 11 10:48:29 UTC 2005
Bob Brennan wrote:
> Sorry for the brevity here but I woke this morning to find my
> mailserver sending 1000+ rejected email notices to postmaster@, and it
> was increasing by the minute. I have shut down Sendmail and am
> removing all relay permissions (I hope) but have a few issues that
> need to be resolved quickly before going back online - knowing the
> spammer will be retrying and my legitimate users are losing services.

What relaying permissions did you have?

> 1. There are 700+ emails sitting in the outgoing queue, I am using
> WebMin to delete them but at 20 at-a-time it is useless. I need a
> command line that will do it without causing more damage.

# cd /var/spool
# mv mqueue mqueue.spam
# mkdir mqueue
# restorecon mqueue

That should leave you with an empty queue, plus the spam messages saved
in /var/spool/mqueue.spam. You might want to look in there and see if
there are any non-spam messages before you go deleting them all. It
would also be useful to see an example of one of the "qf" files in
/var/spool/mqueue.spam to see how the message reached your outgoing mail
queue. That may indicate the vulnerability being exploited by the spammer.

> 2. MySql is shut down for some reason, I don't know if it's related to
> the attack. "service msqld status" returns "msqld dead but subsys
> locked"

Perhaps it collapsed under the load? Will "service msqld restart"
restart it?

Paul.
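
Added example (not part of the original post): a shell function that triages the quarantined queue from the reply above by grouping the "qf" files in a directory such as /var/spool/mqueue.spam by envelope sender and recorded client, so non-spam messages and the submission path stand out. It assumes the usual sendmail qf line codes (S = envelope sender, R = recipient, $_ = client host macro); the function name qf_summary is hypothetical.

```sh
#!/bin/sh
# Added example: summarise sendmail qf (queue control) files.
# Assumed qf line codes: "S" envelope sender, "R" recipient,
# "$_" the client host/address macro saved when the message was accepted.
# Output, one line per (sender, client) pair, busiest first:
#   <messages> TAB <recipients> TAB <sender> TAB <client>

qf_summary() {
    dir=$1
    for f in "$dir"/qf*; do
        [ -f "$f" ] || continue          # skip if the glob matched nothing
        awk '
            /^S/   { sender = substr($0, 2) }
            /^\$_/ { client = substr($0, 3) }
            /^R/   { rcpts++ }
            END {
                if (sender == "") sender = "(no sender line)"
                if (client == "") client = "(client not recorded)"
                printf "%s\t%s\t%d\n", sender, client, rcpts
            }' "$f"
    done | awk -F'\t' '
        { key = $1 FS $2; msgs[key]++; rc[key] += $3 }
        END { for (k in msgs) printf "%d\t%d\t%s\n", msgs[k], rc[k], k }
    ' | LC_ALL=C sort -rn
}

# Stand-alone use: sh qf_summary.sh /var/spool/mqueue.spam
if [ $# -gt 0 ]; then
    qf_summary "$1"
fi
```

A sender of <> marks bounce messages; the client column shows which host handed each group of messages to the server.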