How to deal with mail spammers & hackers using the Postfix Queue

If you manage a server with multiple domains, you have almost certainly run into a situation like this: mail spamming through holes in installed software, cracked account passwords, and so on.

It is usually good practice to set up some monitoring services, in order to prevent this from happening or at least to act immediately when the problem arises.

Another good practice is to set up a mail rate-limiting service that lets you cap the amount of email the system can send, both globally and for a single domain or account.

For the less technical readers I suggest using the blacklist monitoring service of MXToolbox.

But let's get to the moment when you need to dig into the Postfix queue to understand what is behind your server's strange behaviour.

In this post you can find some useful tips for managing the queue; I will synthesize the ones that cover the common scenario here.

Show the mail queue

To show a simple list of all the pending emails you just need to run

mailq

or

postqueue -p

which outputs a table like the following, filled with one entry per queued message

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------

Show the message content

The output of the previous command gives you a very important piece of information for going deeper in your investigation: the message ID (the Queue ID column above), which helps you determine what kind of messages are being sent.

Simply running

postcat -vq XXXXXXXXXX

you will get the full message content, where you can see from where the mail has been sent.

Removing messages from the queue

The classic scenario here is that someone sent lots of mails in a short period of time, filling your queue completely; usually this comes from a hacked account.

In that case you can't just use a "remove all" command like the following

postsuper -d ALL

because you risk removing legitimate messages as well. In this case an interesting command line combination can solve all your headaches:

postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } / sender_or_receiver@removeit\.net/ { print $1 }' | tr -d '*!' | postsuper -d -

Here tail skips the header line, awk reads the listing one blank-line-separated entry at a time and prints the queue ID of every entry mentioning the address (as sender or recipient), tr strips the "*" (active) and "!" (on hold) status markers that Postfix appends to the ID, and postsuper -d - deletes the IDs it reads from standard input.

In this way you can selectively remove all the spammy messages Postfix is sending out.
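As an added example (not from the original post), here is the same selective-removal pipeline wrapped in a function with a dry-run mode, exercised on a constructed postqueue -p listing, so you can check which queue IDs a pattern selects before handing them to postsuper. The queue IDs and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample listing that
# imitates the format of `postqueue -p`: header, one paragraph per message
# (queue ID with optional * or ! status flag, size, arrival time, sender,
# then one recipient per indented line), and a trailing summary line.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Jan  1 10:00:00  bob@example.org
                                         victim1@example.net

F6G7H8I9J0!     5678 Mon Jan  1 10:01:00  alice@example.com
                                         friend@example.net

K1L2M3N4O5      2345 Mon Jan  1 10:02:00  bob@example.org
                                         victim2@example.net

-- 9 Kbytes in 3 Requests.'

# Print the queue IDs of every entry whose sender or recipient matches the
# awk regex in $1 (use [.] for a literal dot). Reads a postqueue -p listing
# on stdin. The pattern is passed through the environment so awk does not
# mangle backslashes, and the "--" summary record is skipped.
queue_ids_matching() {
    tail -n +2 \
        | PAT="$1" awk 'BEGIN { RS = "" } $0 ~ ENVIRON["PAT"] && $1 != "--" { print $1 }' \
        | tr -d '*!'
}

# Delete matching messages from the live queue. With DRY_RUN=1 (the default)
# it only lists what would be removed; set DRY_RUN=0 to actually purge.
purge_matching() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        postqueue -p | queue_ids_matching "$1"
    else
        postqueue -p | queue_ids_matching "$1" | postsuper -d -
    fi
}

# Demo on the constructed listing (touches no real queue): prints the two
# IDs of messages involving bob@example.org, flags already stripped.
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_matching 'bob@example[.]org'
```

Run purge_matching with the suspected address first in the default dry-run mode, compare the list against postcat -vq output for a couple of IDs, and only then rerun with DRY_RUN=0.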

A good practice is to stop Postfix until you have cleaned up all the spammy mails, with the following command:

postfix stop

and then restart it

postfix start

Hope it helps.