On 10/15/2019 1:27 AM, Julien Michaux wrote:
From time to time, my server is attacked and it sends spam. All the spam is from a specific address "cy...@mydomain.com". I tried many things but nothing works. I have to stop Postfix for some hours, and the attack ends until the next time.

You would need to provide the mail log that Postfix writes during the timeframe when the spam is being sent, so we can look for the method they are using to get through your defenses.

One of the most common methods that spammers use is to find out the username and password of one of your users, and simply authenticate as that user and send their spam using that connection.

I work for a large hosting provider. I have only seen two methods that spammers are using when they manage to send spam using one of our servers. In most cases, they discover somebody's password and simply authenticate. Sometimes they find a vulnerability in a PHP package, typically some poorly written WordPress plugin, upload a script, and then call that script to send mail via the local server.

Your main.cf does have permit_mynetworks as lbutlr noted, but I don't see a definition for mynetworks, so my guess is that it's not as much of a problem as lbutlr thought.

Thanks,
Shawn
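The two abuse patterns Shawn describes (a stolen password used over SASL, and a compromised PHP script handing mail to the local sendmail) both leave a distinct trace in the Postfix log: the former as `smtpd` lines carrying `sasl_username=`, the latter as `pickup` lines carrying the submitting `uid=`. The script below is an added example, not code from the thread or from Postfix; it joins those entry lines to the matching `qmgr` line by queue ID and flags identities that send to many recipients or log in from several client hosts. The log lines are constructed for the example (the addresses, IPs and queue IDs are invented), and the thresholds and the Debian convention that uid 33 is `www-data` are assumptions.

```python
import re
import sys

# Constructed sample log, not from the original post. Queue IDs, hosts and
# addresses are invented. Assumed patterns: alice's password was stolen and is
# used from two unknown hosts; uid 33 (www-data on Debian) submits mail locally.
SAMPLE_LOG = """\
Oct 15 01:27:03 mail postfix/smtpd[4101]: 7F3A1B2C3D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Oct 15 01:27:03 mail postfix/qmgr[910]: 7F3A1B2C3D: from=<alice@example.com>, size=2154, nrcpt=48 (queue active)
Oct 15 01:27:04 mail postfix/smtpd[4102]: 8A4B2C3D4E: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice@example.com
Oct 15 01:27:04 mail postfix/qmgr[910]: 8A4B2C3D4E: from=<alice@example.com>, size=2160, nrcpt=50 (queue active)
Oct 15 01:30:11 mail postfix/pickup[1203]: 9B5C3D4E5F: uid=33 from=<www-data>
Oct 15 01:30:11 mail postfix/qmgr[910]: 9B5C3D4E5F: from=<www-data@mail.example.com>, size=1800, nrcpt=35 (queue active)
Oct 15 08:12:40 mail postfix/smtpd[4120]: A6D7E8F901: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Oct 15 08:12:40 mail postfix/qmgr[910]: A6D7E8F901: from=<bob@example.com>, size=5120, nrcpt=1 (queue active)
"""

# smtpd line for an authenticated submission: who logged in and from where.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+),.*sasl_username=(?P<user>\S+)")
# pickup line for a local submission via sendmail(1): the Unix uid that handed the mail in.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# qmgr line: the envelope sender and recipient count for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_log(log_text):
    """Return {queue_id: entry}, joining each smtpd/pickup line to its qmgr line."""
    entries = {}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            entries[m["qid"]] = {"origin": "sasl", "who": m["user"],
                                 "client": m["client"], "nrcpt": 0}
            continue
        m = PICKUP_RE.search(line)
        if m:
            entries[m["qid"]] = {"origin": "pickup", "who": "uid=" + m["uid"],
                                 "client": "local", "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in entries:
            entries[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return entries


def summarize(entries):
    """Aggregate per (origin, identity): message count, recipients, distinct client hosts."""
    summary = {}
    for e in entries.values():
        s = summary.setdefault((e["origin"], e["who"]),
                               {"messages": 0, "recipients": 0, "clients": set()})
        s["messages"] += 1
        s["recipients"] += e["nrcpt"]
        s["clients"].add(e["client"])
    return summary


def flag_suspects(summary, max_rcpt=20, max_clients=1):
    """Flag identities exceeding the recipient or distinct-client thresholds (assumed values)."""
    suspects = []
    for (origin, who), s in summary.items():
        reasons = []
        if s["recipients"] >= max_rcpt:
            reasons.append("%d recipients in window" % s["recipients"])
        if origin == "sasl" and len(s["clients"]) > max_clients:
            reasons.append("%d distinct client hosts" % len(s["clients"]))
        if reasons:
            suspects.append((origin, who, reasons))
    return sorted(suspects)


if __name__ == "__main__":
    # Usage: python3 spamsource.py < /var/log/mail.log  (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for origin, who, reasons in flag_suspects(summarize(parse_log(text))):
        print("%-6s %-24s %s" % (origin, who, "; ".join(reasons)))
```

A `sasl` hit points at a leaked password (lock the account and rotate it); a `pickup` hit from the web server's uid points at an uploaded script, and the next step is to correlate the timestamp with the web server access log. Queue IDs are reused over time, so run this over one day's log, not a year of them.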
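On the `permit_mynetworks` point: what that restriction trusts is whatever `mynetworks` evaluates to, and when `mynetworks` is not set in main.cf Postfix derives it from `mynetworks_style` (default `host` since Postfix 3.0, `subnet` in older releases), which is why an undefined `mynetworks` is usually harmless. The fragment below is an added illustration, not configuration from the thread; the address ranges are invented examples.

```conf
# Weak: every client on the Internet is treated as a trusted network and may
# relay through permit_mynetworks without authenticating.
mynetworks = 0.0.0.0/0

# Corrected: trust only the host itself (this is also what the default
# mynetworks_style = host yields when mynetworks is left undefined).
mynetworks = 127.0.0.0/8 [::1]/128

# Relay policy: trusted networks and authenticated users may relay, nobody else.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

`postconf -n` prints only the explicitly set parameters, so to see the value `permit_mynetworks` actually uses run `postconf mynetworks`, which shows the effective (possibly derived) value.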
