How to deal with a spammer attacking the SIT SMTP server
If you notice that one of the accounts has been compromised and is being used to send mass mail through our SMTP server, follow the procedure below:
1. Identify the exact account that is compromised.
2. Change the password of the suspected account on the Plesk server (if the account is the admin contact, make a note of the password first).
3. Stop the qmail service on the SMTP server and confirm with "qmailctl stat" that every qmail service has actually stopped.
If qmail-remote will not stop, force-kill the remaining processes with:
# killall -9 qmail-remote qmail-smtpd qmail-remote.orig
4. Remove the "authentication database" files /tmp/smtpauth.db and /tmp/__db.00*:
# rm -f /tmp/__db.00*
# rm -f /tmp/smtpauth.db
OR, to do steps 3 and 4 in one go, run the command below (note that it also runs qfixq and restarts qmail, i.e. steps 6 and 7):
CHEAT CODE :
# qmailctl stop ; killall -9 qmail-remote qmail-smtpd qmail-remote.orig;rm -f /tmp/smtpauth.db ; rm -f /tmp/__db.00*; /root/qfixq live; qmailctl start ; qmailctl stat
** These steps are important: they cut the authenticated sessions between the sender IP and the SMTP server. Even after you change the account password on the POP server, you will sometimes find that the spammer can still send spam, because they never close their existing session.
5. Remove all spam email from the queue using the qmail-remove command:
# qmail-remove -p'spam pattern' -r
"Spam pattern" means any pattern found in the spammer's messages, such as the sending IP, the email Subject, etc.
6. Fix the qmail queue with the qfixq tool to make sure it is not corrupted:
# /root/qfixq live
7. Start the qmail service.
8. Monitor the "/var/log/qmail/smtpd/current" file and make sure the spammer is no longer able to authenticate to the SMTP server, e.g.:
@400000004e9b55e92e5912fc qmail-smtpd: pid 15588 Reject::ORIG::Failed_Auth: P:ESMTPA S:113.94.26.107:unknown H:cgkotxbfj 'login' ?= '[email protected]'
@400000004e9b55ea04e954f4 tcpserver: end 15588 status 256
@400000004e9b55ea04e95cc4 tcpserver: status: 8/150
9. Notify the admin contact of the affected domain.
You can use the template at:
http://wiki.signetique.com/index.php?title=Email_compromised
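For the monitoring in step 8, the following is an added helper script (not part of the original wiki page or of qmail itself) that summarises the Failed_Auth rejections in /var/log/qmail/smtpd/current by source IP and attempted login, so you can confirm that the spammer's IP only produces rejections after the password change and session cut. It works on a constructed sample in the log format shown above (the IPs, HELO strings and logins are made up) and needs only sh, awk and sort, so it can be run anywhere; on the server, feed it the real log instead of the sample. The tai64n_to_epoch helper turns the @4000... multilog timestamp into a Unix time the same way tai64nlocal does (the label is Unix time + 2^62 + 10), which is useful for checking that the last rejection is more recent than the password change.

```shell
#!/bin/sh
# Added example: summarise qmail-smtpd Failed_Auth rejections by IP and login.
# Not taken from the wiki page or from qmail; relies only on sh, awk and sort.

# Constructed sample log (same layout as the real smtpd/current, fake data).
SAMPLE_LOG=$(cat <<'EOF'
@400000004e9b55e92e5912fc qmail-smtpd: pid 15588 Reject::ORIG::Failed_Auth: P:ESMTPA S:198.51.100.23:unknown H:cgkotxbfj 'login' ?= 'sales@example.com'
@400000004e9b55ea04e954f4 tcpserver: end 15588 status 256
@400000004e9b55ea04e95cc4 tcpserver: status: 8/150
@400000004e9b55f01a2b3c4d qmail-smtpd: pid 15601 Reject::ORIG::Failed_Auth: P:ESMTPA S:198.51.100.23:unknown H:zzqrp 'login' ?= 'sales@example.com'
@400000004e9b55f51a2b3c4d qmail-smtpd: pid 15610 Reject::ORIG::Failed_Auth: P:ESMTPA S:203.0.113.9:unknown H:mailer 'login' ?= 'info@example.com'
@400000004e9b560002e1f000 tcpserver: status: 7/150
EOF
)

# failed_auth_summary  (reads the log on stdin)
# Prints one line per distinct (source IP, attempted login) pair:
#   COUNT IP LOGIN      most frequent first
# The IP is taken from the "S:ip:host" field, the login from the last
# quoted field of the line ('user@domain'). IPv4 only, like the log above.
failed_auth_summary() {
  awk -v q="'" '
    /qmail-smtpd: pid [0-9]+ Reject::ORIG::Failed_Auth:/ {
      ip = "?"
      for (i = 1; i <= NF; i++)
        if ($i ~ /^S:/) { split(substr($i, 3), a, ":"); ip = a[1] }
      login = $NF
      gsub(q, "", login)          # strip the surrounding single quotes
      n[ip " " login]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# failed_auth_count IP  (reads the log on stdin)
# Prints how many Failed_Auth rejections came from exactly that IP.
# The trailing ":" in the prefix test keeps 198.51.100.2 from matching
# 198.51.100.23.
failed_auth_count() {
  awk -v ip="$1" '
    /qmail-smtpd: pid [0-9]+ Reject::ORIG::Failed_Auth:/ {
      for (i = 1; i <= NF; i++)
        if (index($i, "S:" ip ":") == 1) c++
    }
    END { print c + 0 }
  '
}

# tai64n_to_epoch @LABEL
# A tai64n label is "@" + 16 hex chars of seconds (Unix time + 2^62 + 10)
# + 8 hex chars of nanoseconds. Taking the low 32 bits of the seconds
# drops the 2^62; subtracting 10 gives Unix time, as tai64nlocal does.
# (Valid while the label starts with 40000000, i.e. until 2106.)
tai64n_to_epoch() {
  secs_hex=$(printf '%s' "$1" | cut -c10-17)
  printf '%d\n' $(( 0x$secs_hex - 10 ))
}

# Stand-alone demo on the constructed sample. On the server you would run
#   failed_auth_summary < /var/log/qmail/smtpd/current
#   failed_auth_count 113.94.26.107 < /var/log/qmail/smtpd/current
printf '%s\n' "$SAMPLE_LOG" | failed_auth_summary
printf '%s\n' "$SAMPLE_LOG" | failed_auth_count 198.51.100.23
tai64n_to_epoch '@400000004e9b55e92e5912fc'
```

What you want to see after the procedure is that the spammer's IP keeps appearing in failed_auth_summary with a rising count and never in a successful session; if the count stops growing while mail is still leaving the queue, the sessions were not cut and steps 3 and 4 need to be repeated.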
