Managing a Compromised Mailbox on Sophos XGS Firewall
When a mailbox is compromised, it can result in masses of spam or malicious emails being sent through your Sophos XGS Firewall. This can degrade performance, get your public IP address blacklisted, and damage your domain's sending reputation.
This was an approach I took to manage a scenario where a compromised mailbox caused a bit of chaos.
Step 1: Stop the SMTP Service
The first action is to stop the SMTP service so that no further mail is accepted or delivered while you work on the queue:
service smtpd:stop -ds nosync
This halts the SMTP daemon immediately (the -ds nosync argument skips the sync step). While the service is down, remote senders will have their connections refused and will retry later, so keep the window short.
Step 2: Clear the Exim Mail Queue
Once the SMTP service is stopped, clear the Exim mail queue to remove queued emails.
- Clear Emails in the Queue:
exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh
exim -bp lists the queue; the awk pattern matches only the lines that begin with a message age (for example 25m, 3h or 2d), takes the message ID from the third field, and builds an exim -Mrm command for each one, which sh then executes. Note that this removes every message in the queue, legitimate ones included; if you need to keep legitimate mail, filter the exim -bp output by sender before piping it to sh.
- Delete Retry and Wait Files: These are Exim's hints databases, which record retry times and hosts waiting for delivery. With the SMTP service stopped, delete them so stale retry state does not survive the clean-up:
cd /sdisk/spool/output/db
rm -f retry retry.lockfile
rm -f wait-remote_smtp wait-remote_smtp.lockfile
rm -f wait-static_smtp wait-static_smtp.lockfile
rm -rf /sdisk/spool/output/db/retry*
- Clear Input and Output Spool Directories: Remove all email files from the input and output directories. This is destructive: every message still on disk, including legitimate mail that was waiting for delivery, is lost.
rm -rf /sdisk/spool/output/input/*
rm -rf /sdisk/spool/output/output/*
Step 3: Clear the Email Queue in the Database
After handling the Exim queue, clear the email spool entries from the PostgreSQL database (iviewdb).
- Count the Remaining Emails in the Spool:
psql -U nobody -d iviewdb -p 5433 -c "SELECT count(*) FROM tblmailspool;"
- Delete All Emails: If the number of emails is manageable, delete them all at once:
psql -U nobody -d iviewdb -p 5433 -c "DELETE FROM tblmailspool;"
- Batch Deletion for Large Queues: For a large number of emails, delete them in smaller batches:
psql -U nobody -d iviewdb -p 5433 -c "DELETE FROM tblmailspool WHERE ctid IN (SELECT ctid FROM tblmailspool LIMIT 1000);"
Repeat this command until the count from the previous query returns 0.
Step 4: Handle Locked Tables
If the email spool isn't clearing (the count does not go down after a DELETE), another backend is probably holding a lock on the table.
- Check for Locks:
psql -U nobody -d iviewdb -p 5433 -c "SELECT * FROM pg_locks l JOIN pg_class t ON l.relation = t.oid WHERE t.relname = 'tblmailspool';"
- Terminate Locking Processes: Terminate every backend holding a lock on the table. This can kill the firewall's own mail or reporting processes if they are still running, so only do it with the SMTP service stopped:
psql -U nobody -d iviewdb -p 5433 -c "SELECT pg_terminate_backend(pid) FROM pg_locks WHERE relation = (SELECT oid FROM pg_class WHERE relname = 'tblmailspool');"
Step 5: Optimise the Database Table
- Disable Triggers: Temporarily disable triggers to speed up the batch DELETE (each deleted row would otherwise fire them). ALTER TABLE requires ownership of the table, so if psql reports a permission error for the nobody user, skip this and the re-enable step:
psql -U nobody -d iviewdb -p 5433 -c "ALTER TABLE tblmailspool DISABLE TRIGGER ALL;"
- Truncate the Table (Destructive): If you need to clear all rows instantly, use TRUNCATE. It does not scan the table or fire per-row DELETE triggers, and it releases the disk space immediately:
psql -U nobody -d iviewdb -p 5433 -c "TRUNCATE tblmailspool;"
- Re-enable Triggers: After clearing the table, re-enable triggers:
psql -U nobody -d iviewdb -p 5433 -c "ALTER TABLE tblmailspool ENABLE TRIGGER ALL;"
- Vacuum the Table: After the batch DELETE path, reclaim the dead rows' storage and refresh statistics. VACUUM FULL rewrites the table under an exclusive lock, so run it while SMTP is still stopped (after TRUNCATE it is unnecessary, since the space has already been released):
psql -U nobody -d iviewdb -p 5433 -c "VACUUM FULL tblmailspool;"
Step 6: Restart the SMTP Service
Once all operations are complete, and once the compromised mailbox's credentials have been reset (otherwise the queue will simply fill up again), restart the SMTP service:
service smtpd:start -ds nosync
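The six steps above, as one dry-run-first script. This is an added example, not code from the original post or from Sophos: it uses the service command, spool paths, psql connection details and table name exactly as given in the steps, while the run wrapper, the queue_ids, batch_delete and finish functions and the DRY_RUN, BATCH and MAX_ROUNDS variables are my own assumptions. The batch loop also covers the Step 4 failure mode: it stops as soon as a DELETE round does not shrink the table instead of looping forever against a lock.

```shell
#!/bin/sh
# flush_queue.sh: the six steps above as one script, dry-run by default.
# Added example, not a Sophos-supplied tool. The service command, spool paths,
# psql user/port/database and table name are the ones shown in the steps; the
# wrapper functions and the DRY_RUN/BATCH/MAX_ROUNDS knobs are assumptions.
#   DRY_RUN=1 sh flush_queue.sh run   # print every command that would run
#   DRY_RUN=0 sh flush_queue.sh run   # actually do it (SMTP is stopped first)

DRY_RUN="${DRY_RUN:-1}"
SPOOL="${SPOOL:-/sdisk/spool/output}"
# -A -t -q: bare values only, no headers, footers or "DELETE n" tags.
# Deliberately left unquoted where used so the string splits into arguments.
PSQL="${PSQL:-psql -U nobody -d iviewdb -p 5433 -Atq}"
BATCH="${BATCH:-1000}"
MAX_ROUNDS="${MAX_ROUNDS:-500}"   # hard stop: never loop forever on a stuck spool

# Execute a command, or only echo it to stderr when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2
  else
    "$@"
  fi
}

# Step 2: message IDs from `exim -bp` output, read from stdin so the parser can
# be checked against captured output. Queue entries start with the message age
# ("25m", "3h", "2d"), then the size, then the ID as the third field; recipient
# continuation lines and blank lines do not match the pattern.
queue_ids() {
  awk '/^ *[0-9]+[mhd]/ { print $3 }'
}

# Steps 1 and 2: stop SMTP, drop every queued message, then the hints databases
# and spool files. Destroys legitimate queued mail as well, hence DRY_RUN first.
flush_exim() {
  run service smtpd:stop -ds nosync
  for id in $(exim -bp | queue_ids); do
    run exim -Mrm "$id"
  done
  for db in retry wait-remote_smtp wait-static_smtp; do
    run rm -f "$SPOOL/db/$db" "$SPOOL/db/$db.lockfile"
  done
  run rm -rf "$SPOOL"/input/* "$SPOOL"/output/*
}

# Step 3: rows left in the spool table.
spool_count() {
  $PSQL -c "SELECT count(*) FROM tblmailspool;"
}

# Steps 3 and 4: delete in batches until the table is empty. Returns 1 as soon
# as a round fails to shrink the table, which is the "spool isn't clearing"
# symptom that the pg_locks query in Step 4 diagnoses. Sets BATCH_ROUNDS to the
# number of DELETE rounds issued.
batch_delete() {
  BATCH_ROUNDS=0
  remaining=$(spool_count) || return 1
  while [ "$remaining" -gt 0 ]; do
    if [ "$BATCH_ROUNDS" -ge "$MAX_ROUNDS" ]; then
      echo "giving up after $MAX_ROUNDS rounds, $remaining rows left" >&2
      return 1
    fi
    BATCH_ROUNDS=$((BATCH_ROUNDS + 1))
    run $PSQL -c "DELETE FROM tblmailspool WHERE ctid IN (SELECT ctid FROM tblmailspool LIMIT $BATCH);"
    if [ "$DRY_RUN" = "1" ]; then return 0; fi   # the count cannot change in a dry run
    now=$(spool_count) || return 1
    if [ "$now" -ge "$remaining" ]; then
      echo "spool not shrinking ($remaining -> $now rows): check pg_locks on tblmailspool" >&2
      return 1
    fi
    remaining=$now
  done
  return 0
}

# Steps 5 and 6: reclaim space, then bring SMTP back. Only reached when the
# spool really is empty, and it should only be run once the compromised
# mailbox's credentials have been reset, otherwise the queue simply refills.
finish() {
  run $PSQL -c "VACUUM FULL tblmailspool;"
  run service smtpd:start -ds nosync
}

case "${1:-}" in
  run) flush_exim && batch_delete && finish ;;
esac
```

Run it with DRY_RUN=1 first and read every DRY-RUN line; in that mode only the first DELETE is shown, because the row count cannot change without executing it. Switch to DRY_RUN=0 only after the mailbox has been secured.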
By following these steps, you can efficiently clear an email spool on your Sophos XGS Firewall.