On Wed, 2010-04-14 at 21:15 +0200, Ignacio García wrote:
> Hi there. Some days ago 1 of our postfix servers was abused by bot
> networks using one of our customer's stolen credentials, inadvertently
> done by a virus/keylogger probably. In a few hours more than 20000 spam
> messages were in our queue. Looking at the logs I realized all those
> outgoing messages came authenticated with the same stolen user
> credentials and from many different geolocations. Just changing the
> password solved the problem. This is a very disturbing issue for us,
> since it is hard to notice there's something going on until the server
> is already puking spam all over. Does anybody know of an automatic way
> of preventing this (or at least an automatic way of blocking it in early
> stages)? We were thinking of something like a script monitoring the logs
> for same-user authenticated connections from different IPs to create a
> blacklist of some sort...
>
> Thanks in advance.
>
> Ignacio

This is a very common problem. Search the archives for older conversations. One of them is here:
http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/596a160388faba35/862d6abf348b8962
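
The log-monitoring idea raised in the question (same SASL user authenticating from many different IPs), as an added example that is not code from either poster: it reads Postfix smtpd log lines and flags any `sasl_username` seen from more than a set number of distinct client IPs inside a sliding time window. The function name, the thresholds (`max_ips=3`, 30 minutes) and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the line Postfix smtpd logs for each SASL-authenticated message.
SASL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r".*?client=\S*?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^\s,]+)"
)

def find_abused_accounts(lines, max_ips=3, window=timedelta(minutes=30), year=2010):
    """Return {user: sorted client IPs} for every SASL user seen from more
    than max_ips distinct IPs inside one sliding window (assumed thresholds)."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) events still in window
    flagged = defaultdict(set)
    for line in lines:
        m = SASL_LINE.match(line)
        if not m:
            continue  # not an authenticated-submission line
        # Traditional syslog timestamps omit the year, so it is passed in.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events = recent[m["user"]]
        events.append((ts, m["ip"]))
        while ts - events[0][0] > window:
            events.popleft()  # expire events older than the window
        ips = {ip for _, ip in events}
        if len(ips) > max_ips:
            flagged[m["user"]] |= ips
    return {user: sorted(ips) for user, ips in flagged.items()}

# Constructed sample log (documentation addresses, made-up queue IDs and users).
SAMPLE_LOG = """\
Apr 14 09:00:01 mx1 postfix/smtpd[411]: 1A2B3C4D5E: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=victim@example.com
Apr 14 09:01:12 mx1 postfix/smtpd[412]: 1A2B3C4D5F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=victim@example.com
Apr 14 09:02:30 mx1 postfix/smtpd[413]: connect from unknown[203.0.113.99]
Apr 14 09:03:05 mx1 postfix/smtpd[414]: 1A2B3C4D60: client=unknown[203.0.113.21], sasl_method=LOGIN, sasl_username=victim@example.com
Apr 14 09:04:44 mx1 postfix/smtpd[415]: 1A2B3C4D61: client=host.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.com
Apr 14 09:05:09 mx1 postfix/smtpd[416]: 1A2B3C4D62: client=unknown[198.51.100.88], sasl_method=LOGIN, sasl_username=victim@example.com
Apr 14 11:30:00 mx1 postfix/smtpd[417]: 1A2B3C4D63: client=mobile.example.net[192.0.2.201], sasl_method=PLAIN, sasl_username=bob@example.com
""".splitlines()

if __name__ == "__main__":
    for user, ips in find_abused_accounts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(ips)} client IPs in 30 min: {', '.join(ips)}")
```

In the sample, the user who logs in from two addresses hours apart stays below the threshold, so only the account hit from four addresses in five minutes is reported.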