Someone hacked one of the mailboxes and now spam emails keep going out.

Someone hacked into one of the mailboxes and is using it to send spam all over the internet!
And now over 5000 messages have failed to be delivered, and this mailbox keeps receiving bounce messages from MAILER-DAEMON@mail.domain.
Please help me stop these messages from MAILER-DAEMON@mail.avivir.ru. I already deleted them from the queue manager, but they keep coming back!

The second puzzle here is that this mailbox has 2FA turned on on the SOGo page and on the mailcow UI page, so how did this hacker get in? And how can I stop things like this from happening in the future?

Thanks in advance!

    astech how did this hacker get in?

    IMAP and SMTP do not require 2FA.
    Best practice therefore is: disable ALL protocols in the mailcow UI (login as that user) under “General” (especially SMTP and IMAP!!). Use 2FA only in the mailcow UI, and log in to SOGo via the mailcow UI. This way there is no need for 2 different 2FA codes.
    Then create an app password for each client (Outlook desktop, Thunderbird, smartphone etc.), activating only the protocols that client needs.

    And change the passwords for that user…


    DocFraggle Yes, changing the password of the affected mailbox was the first step I took. Apparently, those bounce reports about undelivered mails kept coming retroactively after I changed the password.

    [unknown] Thanks a lot for explaining that to me. I immediately changed the password of the affected mailbox, but apparently those bounce reports about undelivered mails were just coming retroactively. It’s okay now.

    If you delete them from the queue and they keep respawning, that means that someone is still sending messages… is it possible that a host which is whitelisted as a forwarding server is sending these mails? You could manually check the headers of the mails in the queue.

    Check /var/spool/postfix/defer inside the Postfix container
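The two replies above make one point each: SMTP AUTH and IMAP never see the 2FA code, so a leaked password is enough for a spam script, and if the queue keeps refilling after a password change, something else (another session, a whitelisted relay host) is still submitting. Both questions are answered from the mail log rather than from the queue. The script below is an added example and not part of the thread or of mailcow itself; it parses stock Postfix `smtpd` SASL lines and Dovecot `imap-login` lines (mailcow's containers log the same fields, which is an assumption here), counts submissions per authenticated user, lists every IP a user was seen from over SMTP or IMAP, separates out messages accepted without SASL (the "whitelisted forwarding server" case), and collects the queue IDs per user so they can be fed to `postsuper -d`. The log lines embedded in it are constructed, with RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the thread). Formats follow stock
# Postfix smtpd SASL logging and Dovecot imap-login logging. The last smtpd line
# has no sasl_username: it was accepted without authentication, i.e. from a host
# trusted via mynetworks or a relay whitelist.
SAMPLE_LOG = """\
Mar 14 02:11:03 mail postfix/smtpd[1201]: A1B2C3D4E5: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=sales@example.org
Mar 14 02:11:04 mail postfix/smtpd[1201]: F6E5D4C3B2: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=sales@example.org
Mar 14 02:11:07 mail postfix/smtpd[1203]: 0F1E2D3C4B: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=sales@example.org
Mar 14 02:12:40 mail dovecot: imap-login: Login: user=<sales@example.org>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.5, mpid=4311, TLS, session=<abc>
Mar 14 08:30:12 mail postfix/smtpd[1210]: 5A6B7C8D9E: client=office.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Mar 14 08:30:15 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, mpid=4320, TLS, session=<def>
Mar 14 09:00:00 mail postfix/smtpd[1212]: 9E8D7C6B5A: client=relay.partner.example[198.51.100.200]
"""

# Postfix: "<qid>: client=<host>[<ip>], sasl_method=..., sasl_username=..." (SASL part optional)
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)
# Dovecot: "imap-login: Login: user=<...>, method=..., rip=<remote ip>, ..."
IMAP_RE = re.compile(
    r"dovecot: imap-login: Login: user=<(?P<user>[^>]+)>, method=\S+, rip=(?P<ip>[^,]+)"
)


def analyze(log_text: str) -> dict:
    """Aggregate who submitted mail, from where, and which queue IDs they produced."""
    submissions = Counter()          # sasl user -> number of SMTP submissions
    ips_by_user = defaultdict(set)   # user -> IPs seen via SMTP AUTH or IMAP login
    unauth_clients = Counter()       # IP -> messages accepted without SASL
    queue_ids = defaultdict(list)    # user -> Postfix queue IDs (for postsuper -d)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            if m.group("user"):
                submissions[m["user"]] += 1
                ips_by_user[m["user"]].add(m["ip"])
                queue_ids[m["user"]].append(m["qid"])
            else:
                unauth_clients[m["ip"]] += 1
            continue
        m = IMAP_RE.search(line)
        if m:
            ips_by_user[m["user"]].add(m["ip"])
    return {
        "submissions": submissions,
        "ips_by_user": ips_by_user,
        "unauth_clients": unauth_clients,
        "queue_ids": queue_ids,
    }


def flag_accounts(stats: dict, max_ips: int = 1) -> list:
    """Accounts seen from more than max_ips distinct addresses, busiest sender first.

    A mailbox that logs in from one office IP and also authenticates from two
    unrelated addresses within minutes is the usual shape of a stolen password.
    """
    flagged = [
        (user, len(ips), stats["submissions"][user])
        for user, ips in stats["ips_by_user"].items()
        if len(ips) > max_ips
    ]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for user, n_ips, n_msgs in flag_accounts(stats):
        print(f"{user}: {n_msgs} submissions from {n_ips} IPs "
              f"{sorted(stats['ips_by_user'][user])}")
        print("  queue IDs:", " ".join(stats["queue_ids"][user]))
    for ip, n in stats["unauth_clients"].items():
        print(f"unauthenticated submissions from {ip}: {n} (trusted relay?)")
```

Run it against the real log (on a mailcow host the Postfix and Dovecot containers' output, or the mounted log volume) instead of `SAMPLE_LOG`. The per-user queue ID list is what you need for `postsuper -d <ID>`, and `postcat -q <ID>` shows the headers of a queued message if you want to confirm the source by hand as the reply above suggests. If the only entries that keep appearing are in `unauth_clients`, the spam is not coming through the compromised mailbox's credentials at all but through a host that Postfix trusts without authentication, and rotating the password will not stop it.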