Skip to main content

SmarterMail - Clearing the Spool of a compromised email account's spam messages

Recently we had a spammer compromise a weak password on one of our SmarterMail installations. Over the course of a few hours, the spammer had racked up over 15,000 messages in SmarterMail's spool, not to mention the amount of messages that were delivered successfully. To get our server running normally while clearing out the spam messages we followed the following steps:

Empty the SmarterMail Spool

  1. First, change the password of the compromised account.
  2. Then, stop the SmarterMail service in the Services panel of the Windows server.
  3. Next, copy the active spool directory (C:\SmarterMail\Spool) to another location on the server.
  4. Once the copy is completed, empty all of the SubSpool directories within the main spool directory (C:\SmarterMail\Spool\SubSpool*)
  5. Then restart the SmarterMail service to get the server back running again.

Find legitimate messages in the cloned spool

I didn't want to manually go through 15K messages manually to find remove all of the unwanted spam, so I discovered this Powershell script (…).

  1. Put the PowerShell script from above onto the server.
  2. Be sure to change the $stringToFind and $spoolDir variables to match your setup.
    • In my case, $stringToFind was set to the compromised email account.
    • $spoolDir was set to the cloned spool and NOT THE RUNNING SPOOL
  3. Start the PowerShell to allow execution by running this command:
    powershell.exe -noprofile -executionpolicy bypass -file .\script.ps1
    (Thanks to this post:
  4. Once in the PowerShell, run your script. This will find all emails with your $stringToFind and remove the .hdr and .eml files.
  5. Lastly, move the legitimate messages back into the running Spool Directories.

Now that the server is running properly again it is a good time to check and make sure you haven't been listed on any blacklists.