Postfix seems to send spam

email spam freebsd postfix smtp

Does it mean that someone is using my username ([email protected]) to send spam?

YES

This log line was the proof of it.

Aug  4 11:09:17 mail postfix/smtpd[71597]: 1AE3B7EC3D: client=unknown[59.88.35.206], sasl_method=PLAIN, [email protected]

As you have permit_sasl_authenticated in main.cf, then you authorize anyone who knows your credential to send email via your server.

If so, then how is it possible?

There many ways to make your credential leaked.

  • Keylogger planted in your computer
  • Worm sends sensitive information (including your credential)
  • Weak password was retrieved via brute-force or guessing
  • Phising email
  • And many others...

and how do I fix it?

First disable the account, either change its status in postgre database or change the password into random one. Identify how your credential was leaked and fix that hole too.

Additional notes:

Your postfix configuration was fine. Although it's little bit overlapping each other as you repeat some of the restriction in each stage. You should also verify that each rhsbl/rbl provider was still active maintaining the blacklist to avoid false-positives.


The log shows that someone has obtained the password for the mail account [email protected] and is using it to send SPAM through the server.

  • The entry at time 11:09:17 shows a successful SASL authentication from IP address 59.88.35.206 with username [email protected].
  • The entry at 11:09:30 shows reception and queuing of a message with sender address [email protected] with twenty declared recipients over that connection.
  • The entries timestamped 11:09:31 show these twenty copies being first forwarded internally within Postfix and then sent out to the recipients.

The most frequent cause for that kind of incident is a user falling for a phishing mail telling him or her to enter his or her mail address and password on some credentials harvesting web form.

To fix:

  • Change that account's password immediately.
  • Choose a (more) sensible password, specifically one not used anywhere else.
  • Be (more) careful not to reveal that password to anybody, specifically do not enter it on any website.

Related

Script for getting last reboot timestamp (2008r2)
Want to understand XFS strangeness
TLS 1.2 Not showing by default in Windows Server 2012 R2
DHCP: Create a scope within a scope
RHEL Nginx SSL versus non SSL performance huge difference.
Yum is interrupted and now gives conflicts
HP ProCurve 5412zl warm-boots on power failure while attached to UPS
Can I tell MySQL to store specific databases in specific folders?
Inserting elements in multidimensional Vector
Fortran array cannot be returned in function: not a DUMMY variable
How to remove gaps between *images* in matplotlib?
How do I set the runtime classpath in Eclipse 4.2?