
On 14th May 2026, I logged onto my server to clear some disk space, only to find out that my mail server was under attack: an attacker got access to a mail account with weak credentials and sent spam from my domain. My mail server was configured to use Linux system accounts instead of the commonly recommended virtual mailboxes. I created a user a while back called test with the password test for test reasons. Bots are trying to gain access to the mail server all the time by brute forcing usernames and passwords, and the attacker cracked these credentials during one of these attempts. Apart from sending spam, the attacker also managed to fill up my machine’s tiny little disk and cause chaos on my machine.

The immediate mitigations were to delete the test user and clear the mail queue, which brought the machine back to regular functionality. Then I started looking into the logs to see what actually happened and think about further mitigations.

Timeline

The story begins two days earlier on…
