Flushing Postfix outbound mail queue after servers hacked

Zombie Mail Servers will show constant disk activity without much processor consumption

After your server got hacked via SQL injection (perhaps via Drupageddon) you cleaned your Apache server and removed all malicious code, but your hard drive is still on fire and the disk I/O light never shuts off. You ran top but you don't see any process taking more than a few percent of processor time. What do you do?

Check your local SMTP server to see if it is flooded with outbound traffic. Your server has probably become a zombie for spammers, and your retry queue could have hundreds of thousands of outbound messages retrying continuously.

On Linux, if you are running Postfix, try using the mailq command. This will dump the retry queue to the screen so you can see it. If it just keeps rolling along, that's what's wrong. (If you want to read the queue for some sick reason, use mailq > myfile.txt to save it first.)

So then you want to run postsuper -d ALL to dump the entire retry queue. Careful, this will dump the WHOLE queue... if you want to selectively remove outbound items there are ways, but if your server is indeed a spam drone I'd just dump the whole thing. You probably have a ridiculous number of messages queued up, so picking off individual items would be excruciating.

>>> By the way, make sure to use ALL CAPS in the "ALL" for this command!
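As an added example (not part of the original post), here is a small POSIX shell script that triages the saved mailq dump before you purge it, so you at least know how big the queue is and which envelope sender produced it (for a web-app compromise that is usually the web server's own user, which tells you where to keep looking). The mailq output embedded in QUEUE_DUMP is a constructed sample in the real mailq layout; the purge_queue function wraps the post's own steps and is defined but not called, since it only makes sense on the afflicted host.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a saved "mailq" dump
# (as produced by "mailq > myfile.txt") to summarise the queue before
# deleting it.

# Constructed sample of mailq output: three deferred spam messages from
# the web server's user plus one legitimate message from root.
QUEUE_DUMP='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C1D*    2451 Tue Nov  4 10:02:11  www-data@example.test
                                         victim1@example.org

4A1B2C3D4E     2417 Tue Nov  4 10:02:12  www-data@example.test
(connect to mx.example.net[192.0.2.10]:25: Connection refused)
                                         victim2@example.net

5B2C3D4E5F     2389 Tue Nov  4 10:02:13  www-data@example.test
(host mx.example.org[192.0.2.20] said: 450 4.7.1 try later)
                                         victim3@example.org

6C3D4E5F6A     1120 Tue Nov  4 09:55:00  root@example.test
(connect to mx.example.com[192.0.2.30]:25: Connection timed out)
                                         admin@example.com

-- 8 Kbytes in 4 Requests.'

# count_queue_entries: number of queued messages in a mailq dump.
# A queue-ID line is a hex ID, an optional status flag ("*" active,
# "!" on hold), then the size in bytes. Header, error and recipient
# lines never match that shape.
count_queue_entries() {
    printf '%s\n' "$1" | grep -Ec '^[0-9A-F]+[*!]? +[0-9]+ '
}

# top_sender: the envelope sender that appears most often. The sender is
# the last field of each queue-ID line. Spam runs launched through a
# compromised web application almost always come from one local user.
top_sender() {
    printf '%s\n' "$1" | awk '/^[0-9A-F]+[*!]? +[0-9]+ /{ n[$NF]++ }
        END { for (s in n) if (n[s] > max) { max = n[s]; best = s }; print best }'
}

# purge_queue: the post's procedure, to be run as root on the afflicted
# host (not called here). Keep a copy of the queue for later analysis,
# then delete the deferred (retry) queue. "postsuper -d ALL deferred"
# restricts the purge to the retry queue; "postsuper -d ALL" with no
# queue name, as in the post, removes every queued message. "ALL" must
# be upper case either way.
purge_queue() {
    mailq > "${1:-/root/mailq-before-purge.txt}" || return 1
    postsuper -d ALL deferred
}

echo "queued messages: $(count_queue_entries "$QUEUE_DUMP")"
echo "most frequent sender: $(top_sender "$QUEUE_DUMP")"
```

On a live host the last line of mailq ("-- N Kbytes in M Requests.") already gives the total, so "mailq | tail -n 1" is the quickest size check; the sender breakdown is what tells you whether the flood is coming from the web server's account or from a mailbox whose password was stolen.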

Hope this helps your afflicted server to stop being a hacker's SMTP relay!
