1
I run a CentOS server with postfix 2.6.6-6.el6_5 (just updated to 2:2.6.6-6.el6_7.1 a few minutes ago). I use the mail server to do aliasing and to send out some email from localhost to users for the various websites I host.
I have a lot of virtual aliases that all point to my gmail.com address (that way I can give each website I use their own email alias and track down where spam might be coming from). For example:
facebook.com.234526@mydomain.com -> me@gmail.com
ebay.com.985798@mydomain.com -> me@gmail.com
amazon.com.473929@mydomain.com -> me@gmail.com
However, in the last week, I've started receiving a TON of spam that is making it through gmail's spam filters, and it's the same piece of spam going to each of my different aliases. So, I'll receive Blah Blah Commits Financial Fraud spam to facebook.com.234526@mydomain.com and ebay.com.985798@mydomain.com and amazon.com.473929@mydomain.com, on and on with each of the virtual aliases in my system. It would be unlikely that the same spammer was able to grab my various email aliases from around the web and rapid fire spam me, so the only logical option is that they got it directly from me.
My first worry was that my server was hacked, but as far as I can tell I'm not seeing any strange logins or processes running.
Is it possible that an external malicious user was able to expose my virtual alias table via postfix or something? Or should I really be worried that my server has been hacked?
Kenny Wyland
Posted 2016-05-23T22:06:48.847
Reputation: 131
Or you could be victim to standard spam attack.. which is try every single combination of letter and numbers that can be used as an email (a@domain.com, b@domain.com, until zzzzzzzzzz.zzzzzzzzzz@domain.com)... which is pretty common for any spammer to do. In regards to your server been hacked.... I can't say for sure - I'll let others comment/answer that. – Darius – 2016-05-23T22:12:35.793
1There's just no way they could be hitting all of these aliases with a permutation attack and get them this quickly. I'm getting 100+ per day and the addresses are like the ones included above. They aren't next to each other in a permutation ordering. – Kenny Wyland – 2016-05-23T22:22:49.853
2I've added a new alias to my virtual alias table which I'm not giving out to anyone outside the server. If I start getting email via that alias, then I think that's a definitive test that they are somehow accessing my alias list either from inside the server or via postfix. – Kenny Wyland – 2016-05-23T23:20:09.647