Friday 21 December 2012

Much spam

I was doing something fairly routine with one of my servers, and I found that I couldn't do it. A short investigation revealed why - the root volume was full. How come? I looked around, and I soon found a HUGE amount of email in one of my users accounts. But that was a user who lapsed long ago; what's all this email? So I had a look - it was all bounces from Google, Hotmail and so on. So I looked into what was going on.

I'll spare you the detective work, but the sequence of events I've found was this.

Someone got that user's password. Probably, they just gave it away; people are pretty casual about passwords. And about a dozen people (or at least, the logins were coming from a doxen different servers) were logging in to that account using ssh, and running a program that was sending out huge amounts of spam, and it was the sort of spam that sends out a jpg, so it was a couple of hundred kb each time. The receiving servers had noticed that this user was spamming, and was bouncing the messages back.

So, here's what I did about it.

1. Cancelled the password of that user. I don't think it's been used legitimately for many moons.

2. Change my firewall so that the only IP addresses that can log into my colocated servers, are mine. That means I won't be able to log in to them while I'm visiting my daughter (for example), or while on holiday, but I can work out a workaround for that.

3. Delete the retry queue, so that stuff that hasn't been delivered, won't be retried.

And I'll keep a particular eye on this server for a while, to check that this has had the desired effect.

No comments:

Post a Comment