Check whether the server is running as an open relay. The server will be susceptible to spam abuse if open relay is enabled.
------>http://www.spamhelp.org/shopenrelay/shopenrelaytest.php-------->
# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
--> This shows how many SASL LOGIN entries each of these log files contains, i.e. the volume of login activity.
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
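--> This lists the email addresses with the most login entries. An address with an unusually high count could be the target of a hack attempt. Postfix writes sasl_method= when it accepts mail from a client that has authenticated, so a high count can also mean the mailbox password is already compromised and the account is being used to send spam.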
To stop spam from being sent, put all the emails in the queue on hold using the following command (held messages stay in the queue and can be released later with postsuper -H ALL):
# postsuper -h ALL
To delete the queued emails for a particular domain (replace domain.com with the domain in question), use the following command; unlike a hold, deletion cannot be undone:
# for i in `mailq | grep domain.com | awk '{ print $7 }' | sort -u` ; do pfdel.pl $i ; done
The perl script is:
#!/usr/bin/perl -w
#
# pfdel - deletes message containing specified address from
# Postfix queue. Matches either sender or recipient address.
#
# Usage: pfdel <email_address>
#
use strict;
# Change these paths if necessary.
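my $LISTQ = "/usr/sbin/postqueue -p";
my $POSTSUPER = "/usr/sbin/postsuper";

# Run the listing command without a shell: split the configured string into
# program and arguments and use the list form of a pipe open below.
my @listq_cmd = split ' ', $LISTQ;

my $email_addr = "";
my $deleted    = 0;    # number of queue entries successfully passed to postsuper -d
my $euid       = $>;

if ( @ARGV != 1 ) {
    die "Usage: pfdel <email_address>\n";
}
$email_addr = $ARGV[0];

# An empty address would turn the match below into "any line ending in a
# space", so refuse it rather than risk deleting unrelated mail.
if ( $email_addr eq "" ) {
    die "Usage: pfdel <email_address>\n";
}

if ( $euid != 0 ) {
    die "You must be root to delete queue files.\n";
}

# The address is matched literally (\Q...\E). Addresses in the queue are chosen
# by whoever submitted the mail, and this script is often fed from mailq
# output, so regex metacharacters in the argument must not widen the match:
# unquoted, "user@domain.com" would also match "user@domainXcom".
my $addr_re = qr/ \Q$email_addr\E$/m;

open( my $queue, '-|', @listq_cmd )
    || die "Can't get pipe to $LISTQ: $!\n";

my $header = <$queue>;    # skip single header line

{
    # Paragraph mode: each queue entry spans several lines and entries are
    # separated by blank lines. Localised so the setting ends with this block.
    local $/ = "";

    while ( my $entry = <$queue> ) {
        next unless $entry =~ $addr_re;

        my ($qid) = split( /\s+/, $entry, 2 );
        next unless defined $qid && $qid ne "";

        # Drop the status marker postqueue appends to the queue id
        # (* active, ! hold; newer Postfix also uses # for force-expired).
        $qid =~ s/[*!#]\z//;

        # Only a plain alphanumeric queue id is passed to postsuper, which runs
        # as root. "ALL" is refused because postsuper -d ALL empties the
        # whole queue.
        if ( $qid !~ /\A[0-9A-Za-z]+\z/ || $qid eq "ALL" ) {
            warn "Skipping entry with unexpected queue id '$qid'\n";
            next;
        }

        #
        # Execute postsuper -d with the queue id.
        # postsuper provides feedback when it deletes
        # messages. Let its output go through.
        #
        if ( system( $POSTSUPER, "-d", $qid ) != 0 ) {
            # If postsuper has a problem, bail. $? is -1 when the program
            # could not be started at all; otherwise the exit code is in the
            # high byte.
            my $why = ( $? == -1 )
                ? "could not run: $!"
                : "error code " . ( $? >> 8 );
            die "Error executing $POSTSUPER: $why\n";
        }
        $deleted++;
    }
}

# Closing a pipe reports the child's exit status, so a failing postqueue is
# noticed instead of looking like an empty queue.
close($queue)
    || warn "Problem reading from $LISTQ: "
    . ( $! ? $! : "exit status " . ( $? >> 8 ) ) . "\n";

# Count deletions rather than testing the last queue id seen, so the result
# does not depend on which entry happened to match last.
if ( !$deleted ) {
    die "No messages with the address <$email_addr> " .
        "found in queue.\n";
}
exit 0;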
http://kb.odin.com/en/114845
http://arcterex.net/blog/archives/2013/10/debugging-and-removing-a-spam-attack-through-postfix.html
http://www.ustrem.org/en/articles/postfix-queue-delete-en/