Hello,
My server is currently under an attack.
It seems the attacker was able to get into one of my users' machines (probably via a fake WhatsApp desktop installer) - but unfortunately I cannot confirm this. This is a family server and the user is far from me and not technically competent.
As a result over 500 spam mails have been sent using his account today.
The spams are all with the title “Re: Business - Chase Working Capital Loan”
Attacks seem to be coming from the “Crowncloud US LLC” network (multiple IPs). Though I am under a barrage of other attempts (way more than usual) from a lot of countries - maybe to make the logs less readable.
Only attacks from Crowncloud US LLC are successful as far as I can see.
The attacker always impersonates that one user - despite the password being changed multiple times and the server being rebooted. Logs show that SASL authentications are successful.
There seem to have been a few specific API calls in the hour before the spam was sent. For obvious reasons I am not going to show them here. But even after upgrading to the latest version (I was on 2025-05, I upgraded to 2025-07 latest) the attacker still managed to use the user account to send spam.
As of now the user is in a state of “login disabled” - but I think Mailcow maintainers and community members may be interested in knowing that something fishy is happening. I am willing to help if you need more information.