Hi trickykid,

I saw you were wondering why he is using squirel mail.
I'am thinking of setting up webmail for a corporate environment and i don't know what to use. Is there any problem with squirel mail? Are there better options for webmail?

thanks

well as I said both nodes were sending spam I could switch from one to another all day long but because they share the /home directory where our users are stored they both sent spam. I have already rebuilt the first machine and am getting ready to cut over to the next one. You have to remember that the way you think is far from the way an average person thinks...all they care about is that they aren't getting mail and thats an issue add 15k people complaining and then you'll get my situation.

I think you'll find a lot of people here can sympathize with your situation, but as an IT professional, you occasionally have to distinguish between what is right and what is expedient. And many of us recognize that the Big Boss Man can get in the way as well. Certainly having 15K people yelling about their email is a gigantic pain, and very unpleasant. But compare that to having to explain to 15K people that it is going to be a few weeks before their email is really back to normal because you've been blacklisted for spamming the planet and you have to try and get those blacklistings lifted.

I think more than anything, this highlights some shortcomings in how that system is set up. You might want to put a plan together for the Big Boss Man that outlines any tools needed and processes that need to be put in place so that the next time this happens, you're in a much better position to take care of it quickly.

Oh, and you did identify the hole that allowed the user account to be cracked, didn't you?

But what happens when those 15000 people find that there emails are being rejected because your mail servers are blacklisted?

How much business is lost by that?

Your boss does not seem to appreciate the level of things. Surely you could have dropped the mail servers for an hour and stuck up an urgent maintenance notice on your company website, or taken one down, restored your main OS backup, brought it back online and then done the same for the other server.

Ask your boss whether he'd be happy if the company had a name for being hackable and a good easy target for spammers. The company name is actually worth something, and will win or lose its owner business in todays world.

heh yeah I did actually find the security hole redhat came in to setup the server clusters and left our host.allow file blank and the old administrator had an account called test with pass as test.... I know I should of saw this but it was overlooked but 2 of us that are admins here and wont happen again.

the old administrator... is not responsible anymore... or is he...?

I know how such users think. I worked at Time Warner long ago, think about having your 15k users expanded to 400k thousand plus users with cable tv thrown on top of their internet access, I know how such things worked and I wouldn't have hesitated to yank that plug right when the issue was found or cuaght, trust me I know all about making customer happy.

Yeah, it's not fun to be responsible for a server that has been compromised so your pain is felt.

If your user "test" was allowed ssh access from the world it is more than likely that you suffered from an automated brute force attack. Be sure to tighten down (on the fresh server) sshd (using PAM and sshd_config) so that only trusted users with good passwords are allowed access. That's a good start if you haven't already done or considered that.

Agreed 100%

If the system has been compromised you may never know what all has been changed.