Wouldn’t restarting dovecot/postfix clear the connection and force the account to re-authenticate? Because I did that…
Jeff

> On Jul 6, 2016, at 12:35 PM, Ben Greenfield <b...@cogs.com> wrote:
>
>
>> On Jul 6, 2016, at 1:21 PM, SH Development <listacco...@starionline.com> wrote:
>>
>> Here’s a strange one. In my normal routine of glancing at the maillog file, and subsequently the queue, I noticed several hundred emails queued up, all with some bogus email variation on one of my domains. So for instance:
>>
>> abj...@mydomain.com
>> lwoei...@mydomain.com
>>
>> And so forth.
>>
>> I traced it back to a particular IP address, and as a temporary stop-gap measure, blocked that IP in the firewall and changed the passwords on the two email addresses that use that domain. The spam stopped.
>
> When I have seen this someone’s email password has been phished.
>
>> The strange thing is, that as soon as I unblock that one IP, it starts up again. I’m not sure how this one IP is managing to spoof email, and I am not having any issues with any of my other 40 domains. I can very clearly start and stop the abuse by blocking the IP.
>
> What usually happens to me is that when the spam starts again the first login of the spammer using the compromised address will show up. After the initial login I believe it keeps the connection open and continues to write new emails using the bogus addresses
>
>> abj...@mydomain.com
>> lwoei...@mydomain.com
>
>> I’m not sure what I’m looking for, or how to find out how they are dumping this spam on my server. I thought I had it locked down pretty well and I haven’t had any problems for a couple of years until this week.
>
> I believe I usually grab the message id and search the logs for the submitter and eventually I can usually catch the initial login.
>
> I’m no expert but that is how I cope with this. It has only happened twice.
>
> Ben
>
>> Jeff
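The log search Ben describes (start from a message id, find the queue id, then the SASL login that submitted it) can be automated. The script below is an added example written for this thread, not code from either poster; it parses the three Postfix log lines that share a queue id (smtpd `sasl_username`/client, cleanup `message-id`, qmgr `from=`), traces a message id back to the authenticated login and client IP, and flags submissions where the envelope sender does not match the account that authenticated, which is exactly the "bogus variation on my domain" pattern described above. The log lines, queue ids, addresses and IPs are constructed for illustration (RFC 5737 documentation ranges), and the log format is the default Postfix syslog format; adjust the regexes if your logging differs.

```python
import re
from collections import defaultdict

# Constructed sample Postfix maillog excerpt (not from the original thread).
# Two submissions from 203.0.113.45 authenticate as sales@mydomain.com but send
# as made-up local parts; one from 198.51.100.7 is the legitimate user.
SAMPLE_LOG = """\
Jul  6 12:01:02 mail postfix/smtpd[2301]: A1B2C3D4E5: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=sales@mydomain.com
Jul  6 12:01:02 mail postfix/cleanup[2310]: A1B2C3D4E5: message-id=<0001@attacker.invalid>
Jul  6 12:01:03 mail postfix/qmgr[1200]: A1B2C3D4E5: from=<abjxyz@mydomain.com>, size=2048, nrcpt=1 (queue active)
Jul  6 12:01:05 mail postfix/smtpd[2301]: F6E7D8C9B0: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=sales@mydomain.com
Jul  6 12:01:05 mail postfix/cleanup[2310]: F6E7D8C9B0: message-id=<0002@attacker.invalid>
Jul  6 12:01:06 mail postfix/qmgr[1200]: F6E7D8C9B0: from=<lwoeiqp@mydomain.com>, size=2100, nrcpt=1 (queue active)
Jul  6 12:02:10 mail postfix/smtpd[2302]: 1234567890: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=sales@mydomain.com
Jul  6 12:02:10 mail postfix/cleanup[2311]: 1234567890: message-id=<real@mydomain.com>
Jul  6 12:02:11 mail postfix/qmgr[1200]: 1234567890: from=<sales@mydomain.com>, size=900, nrcpt=1 (queue active)
"""

# Every Postfix line we care about carries "postfix/<daemon>[pid]: <queueid>: ..."
LINE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
CLIENT_RE = re.compile(r"client=(\S+?)\[([^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(\S+)")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")
FROM_RE = re.compile(r"from=<([^>]*)>")


def parse_log(text):
    """Group log lines by queue id and pull out login, client IP, message id and sender."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = records[qid]
        rec["queue_id"] = qid
        if daemon == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                rec["client_host"], rec["client_ip"] = c.groups()
            s = SASL_RE.search(rest)
            if s:
                rec["sasl_username"] = s.group(1).rstrip(",")
        elif daemon == "cleanup":
            mid = MSGID_RE.search(rest)
            if mid:
                rec["message_id"] = mid.group(1)
        elif daemon == "qmgr":
            f = FROM_RE.search(rest)
            if f:
                rec["from"] = f.group(1)
    return dict(records)


def trace_message_id(records, message_id):
    """Given a Message-ID from a queued mail, return the record that submitted it."""
    for rec in records.values():
        if rec.get("message_id") == message_id:
            return rec
    return None


def find_spoofed_submissions(records):
    """Authenticated submissions whose envelope sender differs from the login.

    Caveat: some sites authenticate with a bare username rather than a full
    address; in that case compare only the local part or map logins to addresses.
    """
    hits = []
    for qid, rec in sorted(records.items()):
        login = rec.get("sasl_username")
        sender = rec.get("from")
        if login and sender and login.lower() != sender.lower():
            hits.append((qid, login, rec.get("client_ip"), sender))
    return hits


def summarize_by_login(records):
    """Count spoofed submissions per (login, client IP): the pair to block and reset."""
    counts = defaultdict(int)
    for _, login, ip, _ in find_spoofed_submissions(records):
        counts[(login, ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(trace_message_id(recs, "0001@attacker.invalid"))
    for login_ip, n in summarize_by_login(recs).items():
        print(f"{login_ip[0]} from {login_ip[1]}: {n} spoofed submissions")
```

Run it against a real maillog with `parse_log(open("/var/log/maillog").read())`; the `(sasl_username, client_ip)` pairs that `summarize_by_login` returns are the accounts whose passwords need changing and the addresses worth rate-limiting, which is more precise than blocking an IP alone since the same credential can be used from a different source.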