If y'all remember, a few weeks ago we had some slight data loss here at the CiX forums...
So the story begins like this... I'm minding my own business one day when Pause logs on and tells me that he's getting several thousand bounced spam emails a day in his business' email inbox. Naturally this concerned me since it meant that my VPS, which is used to host this forum as well as several other websites (including Pause's BluLine Tech business site), was being used to send out spam emails.
After entering the shell and running $ /var/qmail/bin/qmail-qstat, I discovered that my VPS had 600,000 email messages in the queue waiting to be sent out. I immediately contacted my hosting provider and had them shut down and re-build the VPS. As a result, the CiX forums suffered a few weeks of data loss (which was just painful for all of us here at CiX). Since then, I had still been noticing several hundred emails in the mail queue on my server at any given time. I verified time and time again that no malicious scripts were being run.
Yesterday, I decided to update the phpBB installation for the CiX forums and also updated the Plesk installation on my server. This morning I logged into the VPS to handle a few things pertaining to the Plesk updates, and while I was in there I saw several hundred emails in the mail queue. I determined that this crap was going to stop here and now.
Using the suggestions from this blog post, I quickly discovered that everything pointed to poor Pausiepooh. It turns out that Pause's BluLine Tech email address was responsible for sending out over 1 million spam emails over the past month. Someone was using his POP3 login credentials to send out tens of thousands of spam emails a day via SMTP, and they simply modified the header information to make it look like it came from a different email address. Upon realizing that this was in fact the problem and as soon as I was able to get off the floor from laughing so hard, I simply changed the password for Pause's BluLine Tech email account, and almost immediately the email message queue for the server went down to zero.
How, when, or where Pause's POP3 login credentials got compromised is something I may never know, but it makes for quite an amusing story.
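The check that pins a spam flood on a single compromised mailbox, rather than on a script, is to ignore the forged From: lines and count queued messages by the SMTP AUTH username instead. The script below is an added example, not code from this post or from the blog post it refers to. It assumes (as Plesk's qmail-smtpd does on the hosts I have seen, but verify against one real queued message on your own server) that the topmost Received: header our server adds carries the authenticated user as "(user@domain@client-ip)". The four queued messages it tallies are constructed for the example; on a live host you would feed it the files under /var/qmail/queue/mess instead.

```python
import email
import os
import re
from collections import Counter
from email.utils import parseaddr

# Assumption (not from the original post): Plesk's qmail-smtpd records the
# SMTP AUTH username inside the topmost Received: header it adds, in the form
# "(user@domain@client-ip)".  Check the format against one real queued
# message on your own host before trusting the counts.
AUTH_RE = re.compile(r"\((?P<user>[^()\s@]+@[^()\s@]+)@(?P<ip>[0-9A-Fa-f.:]+)\)")

# Constructed sample queue: three spam messages relayed through one
# compromised mailbox with forged From: lines, plus one legitimate message.
SAMPLE_QUEUE = [
    "Received: from unknown (HELO pc) (victim@example.com@198.51.100.23)\n"
    "  by mail.example.com with SMTP; 12 May 2010 03:14:07 -0000\n"
    "From: Online Pharmacy <deals@forged-one.example>\n"
    "To: a@elsewhere.example\n"
    "Subject: cheap meds\n\nbuy now\n",
    "Received: from unknown (HELO pc) (victim@example.com@198.51.100.23)\n"
    "  by mail.example.com with SMTP; 12 May 2010 03:14:09 -0000\n"
    "From: Account Team <alerts@forged-two.example>\n"
    "To: b@elsewhere.example\n"
    "Subject: verify your account\n\nclick here\n",
    # A forged, older Received: line sits *below* the one our server added.
    "Received: from unknown (HELO pc) (victim@example.com@203.0.113.77)\n"
    "  by mail.example.com with SMTP; 12 May 2010 03:14:12 -0000\n"
    "Received: from mail.forged-three.example (HELO x) (192.0.2.5)\n"
    "  by pc with SMTP; 12 May 2010 03:10:00 -0000\n"
    "From: <news@forged-three.example>\n"
    "To: c@elsewhere.example\n"
    "Subject: newsletter\n\nhello\n",
    "Received: from home.isp.example (HELO home) (alice@example.com@192.0.2.44)\n"
    "  by mail.example.com with SMTP; 12 May 2010 03:15:00 -0000\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: lunch?\n\nnoon?\n",
]


def auth_user(raw):
    """Return (auth_user, client_ip) from the topmost Received: header, or None
    if the message was not submitted with SMTP AUTH."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # The topmost Received: header is the one our own qmail-smtpd prepended;
    # anything below it was supplied by the client and may be forged.
    m = AUTH_RE.search(received[0])
    return (m.group("user"), m.group("ip")) if m else None


def tally_queue(messages):
    """Count queued messages per authenticated submitter and per From: address."""
    by_auth, by_from = Counter(), Counter()
    for raw in messages:
        who = auth_user(raw)
        by_auth[who[0] if who else "(no SMTP AUTH)"] += 1
        sender = parseaddr(email.message_from_string(raw).get("From", ""))[1]
        by_from[sender or "(no From:)"] += 1
    return by_auth, by_from


def rank_submitters(messages):
    """Authenticated users ordered by how many queued messages they submitted."""
    return tally_queue(messages)[0].most_common()


def read_qmail_queue(mess_dir="/var/qmail/queue/mess"):
    """Yield each queued message from qmail's hashed mess/ subdirectories."""
    for sub in sorted(os.listdir(mess_dir)):
        subdir = os.path.join(mess_dir, sub)
        if not os.path.isdir(subdir):
            continue
        for name in sorted(os.listdir(subdir)):
            path = os.path.join(subdir, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield fh.read()


if __name__ == "__main__":
    by_auth, by_from = tally_queue(SAMPLE_QUEUE)
    for user, n in by_auth.most_common():
        print(f"{n:6d}  AUTH {user}")      # victim@example.com shows 3, alice 1
    for addr, n in by_from.most_common():
        print(f"{n:6d}  From: {addr}")     # four different addresses, 1 each
    # On a live Plesk/qmail host: rank_submitters(read_qmail_queue())
```

The From: tally is spread across four unrelated addresses, which is exactly what makes the header-based view useless; the AUTH tally collapses three of the four messages onto one mailbox. Once the top submitter is clear, changing that mailbox's password (and killing any sessions still authenticated) stops the relay, which matches what happened here when the queue dropped to zero.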