6 Easy Steps to Stop SMTP AUTH Relay Attack

Today, many email applications such as Sendmail, Postfix or even MS Exchange have been redesigned to reduce the chance of the server being turned into a spam relay. In our experience, the majority of SMTP AUTH relay attacks result from the compromise of user accounts protected by weak passwords. Once such an account has been found and compromised, the spammer authenticates with its username, the mail is relayed through the server because the session is authenticated, and the server is then used to send spam.

Below are easy steps to quickly stop these spam emails and identify compromised accounts.

Put the email queue on hold.

A large number of spam emails are queued up on your server. What’s even worse is that the spam can fill the whole /var filesystem. Therefore, the mail queue should be put on hold until you find out which account the spammer has taken advantage of to send a large number of emails.

Check your email log.

Go to /var/log/maillog and look at the from:<> lines. You may see many sender domains that don’t belong to your organization. This is because the spammer forges the address in from:<>.

Identify the compromised account authenticating the SMTP AUTH connection

Next, we check which e-mail accounts have been exploited. Run cat on the log, grep for sasl_username, and sort the output. You should see a long list of login attempts and sessions for the exploited accounts. You can also do a quick count by piping the output through wc -l to see the total number of sessions for a given user.

Disable the exploited email account.

Once we have the sasl_username string, which identifies the user account, we recommend disabling the password or changing it to a complex one.

Move the email queue or delete the spam

Now we need to deal with the mail queue. The easiest and fastest way is to move the mail queue aside and do the cleaning later. Alternatively, you can use a Bash script to delete the spam messages.

Release the email queue

Remember to release the mail queue after the cleaning process and keep monitoring mail traffic.
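The log-checking and counting steps above, as an added example that is not part of the original post: the script greps a Postfix-style mail log for sasl_username, counts sessions per account and reports the busiest one. It assumes the Postfix smtpd log line format shown in the constructed sample; the sample lines and the helper names are mine, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): count SMTP AUTH sessions per
# sasl_username in a Postfix-style mail log. Assumes the Postfix smtpd log
# format "client=host[ip], sasl_method=PLAIN, sasl_username=user".

# Constructed sample log lines for offline testing (not real data).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:02 mx postfix/smtpd[1234]: ABC123: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:01:05 mx postfix/smtpd[1234]: ABC124: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:00 mx postfix/smtpd[1240]: ABC130: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:02:07 mx postfix/qmgr[999]: ABC130: from=<fake@elsewhere.test>, size=2048, nrcpt=50 (queue active)
Mar  3 10:03:11 mx postfix/smtpd[1234]: ABC131: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
EOF
)

# Write the constructed sample to a file so the functions below can run offline.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print "count user" per sasl_username, most sessions first.
# Usage: auth_sessions_by_user /var/log/maillog
auth_sessions_by_user() {
    grep -o 'sasl_username=[^ ,]*' "$1" \
        | cut -d= -f2 \
        | sort | uniq -c \
        | sort -rn \
        | awk '{print $1, $2}'
}

# The single busiest authenticated user: the first account to inspect.
top_auth_user() {
    auth_sessions_by_user "$1" | head -n 1 | awk '{print $2}'
}

# Number of authenticated sessions for one exact username (the wc -l step).
sessions_for_user() {
    grep -o 'sasl_username=[^ ,]*' "$1" | grep -cFx "sasl_username=$2"
}

# Demo run against the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
auth_sessions_by_user "$demo_log"
rm -f "$demo_log"
```

On a real server, point the functions at /var/log/maillog; an account with far more sessions than its normal daily volume is the one to disable first.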
