From: Jay Chandler (lists sequestered.net)
Date: Wed Oct 03 2007 - 16:55:56 CDT
Eddy Ilg wrote:
> Hi,
>
> just wanted to say that deleting the mailq once (postsuper -d ALL)
> solved the problem. We had problems with a full disk some time before
> and it seems that as long as the disk was full, postfix accepted the
> mails it should not accept.
>
> Best regards
>
I'm going to go out on a limb here and say that you're wrong.
The headers you pasted earlier showed that the mail originated locally--
Postfix will likely allow local users to send as whomever they want.
Something's exploiting userid 1001, and if that's a "custom spam
script," I'm going to guess that it's vulnerable. It's also possible
that something else that userid touches is busted, or that it's got a
weak password that was bruteforced.
Doing a postsuper -d ALL will clear out your deferred queue, but what
happens the next time someone uses the compromised account? You haven't
really solved anything.
--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: asynchronous inode failure
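
The check the reply describes, reading the headers to see which local userid handed the mail to Postfix, as an added example that is not part of the original post. It assumes the `(Postfix, from userid N)` form that Postfix writes into the Received header of locally submitted mail; the sample messages, host names and addresses are constructed.

```python
import re
from collections import Counter
from email import message_from_string

# Mail handed in through sendmail(1)/postdrop is stamped
# "Received: by <host> (Postfix, from userid <uid>)".
LOCAL_RE = re.compile(r"^by\s+\S+\s+\(Postfix, from userid (\d+)\)")

def local_submitter_uid(raw_message):
    """Return the submitting uid if the first hop was a local submission, else None."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Each hop prepends its header, so the last Received line is the first hop.
    match = LOCAL_RE.match(received[-1].strip())
    return int(match.group(1)) if match else None

def tally_local_senders(raw_messages):
    """Count locally submitted messages per uid; SMTP-received mail is skipped."""
    counts = Counter()
    for raw in raw_messages:
        uid = local_submitter_uid(raw)
        if uid is not None:
            counts[uid] += 1
    return counts

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    # Local submission by uid 1001 with an arbitrary From: address.
    "Received: by mail.example.com (Postfix, from userid 1001)\n"
    "\tid 4F2A11C0D3; Wed,  3 Oct 2007 16:40:01 -0500 (CDT)\n"
    "From: billing@bank.example\nTo: a@example.net\nSubject: s1\n\nbody\n",
    # Same uid, later relayed through a second Postfix hop.
    "Received: from mail.example.com (mail.example.com [192.0.2.1])\n"
    "\tby relay.example.com (Postfix) with ESMTP id 7C3D21C0D4\n"
    "Received: by mail.example.com (Postfix, from userid 1001)\n"
    "\tid 5A0B31C0D6; Wed,  3 Oct 2007 16:41:12 -0500 (CDT)\n"
    "From: support@shop.example\nTo: b@example.net\nSubject: s2\n\nbody\n",
    # Ordinary inbound SMTP mail: no local submitter.
    "Received: from client.example.org (client.example.org [192.0.2.10])\n"
    "\tby mail.example.com (Postfix) with ESMTP id 9B1C21C0D5\n"
    "From: friend@example.org\nTo: user@example.com\nSubject: hi\n\nbody\n",
    # Local submission by a different uid.
    "Received: by mail.example.com (Postfix, from userid 33)\n"
    "\tid 2E9F41C0D7; Wed,  3 Oct 2007 16:42:30 -0500 (CDT)\n"
    "From: www@example.com\nTo: c@example.net\nSubject: form\n\nbody\n",
]

if __name__ == "__main__":
    for uid, n in tally_local_senders(SAMPLES).most_common():
        print(f"userid {uid}: {n} locally submitted message(s)")
```

Running the tally over queued or archived messages before clearing the queue keeps the evidence of which account is submitting the mail.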