Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: Loriel on October 19, 2018, 11:25:55 AM

Title: How to immediately disconnect a certain misused account?
Post by: Loriel on October 19, 2018, 11:25:55 AM
Hello All,
We are facing a phishing attack at our site. A lot of users were hijacked. The attacker sends thousands of the maleficent mails via our Roundcube server.
So, I can realise which user account it was (roundcube DB, table identities -> user_id -> table users -> username).
But even if I changed the user password, the attacker was still sending via Roundcube. Even if I removed a session_id from the session table, it was still sending its damned spams.
The only thing that finally stopped the evil session was a restart of the server :(

Could you please advise a better way to terminate the evil session, or maybe there exists some more elegant way to kick off the attacker?

Regards
Loriel
Title: Re: How to immediately disconnect a certain misused account?
Post by: alec on October 20, 2018, 02:15:26 AM
Maybe you should just restart the smtp server.
Title: Re: How to immediately disconnect a certain misused account?
Post by: Loriel on October 21, 2018, 04:41:49 AM
It does not help :(
We are using the delivery scheme: postfix at localhost (the Roundcube server itself), without authentication -> postfix at relayhost. The relayhost allows relaying from the Roundcube server.
Maybe I should set up authorized SMTP at the Roundcube server?