• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

[POSTFIX] Find source of spam

I

IonutG

New Pleskian
Hi!
My server: Centos 6.5, Parallels Plesk Pannels 11.5.30 and Postfix as MTA, OS checked with rkhunter;

This machine send many email spam but I have problem to find the source of spam, the source is not an php scripts (folowed instructions from: http://kb.parallels.com/en/114845 ), it's a compromised mailbox from one of may domains;
I have in queue 2132 Requests but i cannot figure out from which mailboxes was sended this emails.

Thanks in advance!
 
Delete everything in the queue and check /usr/local/psa/var/log/maillog (and maybe /var/log/secure ) to see if you can see who is connecting to send the messages.

You may find it beneficial to kill all postfix processes (restarting postfix is NOT enough) and then watch the log carefully to see a new authentication connection followed by lots of email going into the queue.

The key is not to panic and look at things slowly. Restarting postfix is not enough because it does not prevent an already authenticated IP from continuing to send messages via an existing established connection. The same goes for firewalling/changing the password once you find the offending mailbox and IP: changing the password will not prevent the offender from continuing to send messages through an existing established connection, and in many cases adding the offending IP to the firewall may not enough (it depends on the way the firewall works, but adding an IP sometimes only works on NEW connections from that IP).

I use qmail not postfix, but flushing the queue and other things seems to be described very well here:

http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html
 
Hi.

I'm having this issue right now.

I've stopped postfix meanwhile.

I've changed the account password beeing used for spam and restarted postfix, but the spam continues.

I've turned off authentcated relay also in general mais settings in plesk also without luck.

If I activate postfix the mail queue start to grow again.

Can anyone help pinpointing the issue?

Thank you.
 
Looking at the queue won't tell you enough about where the source of the spam is. You need to look at the mail headers of one of the spam messages.

1. Look at the mail queue using mailq
Code: 
mailq

2. Look at the mail headers from one of the spam messages (Assuming the message has the ID XXXXXXX (you can see the ID form the QUEUE)
Code: 
postcat -vq XXXXXXXXXX

Also note: Plesk will add a "X-PPP-Vhost" header to any PHP based form spam so you can tell what vhost any form spam is coming from.
 
Hi Danami,

Thank you for the info.

Meanwhile I've solved the issue. After killing postfix, cleaning up the queue, and changed the password, while living the service down for a few minutes, when I started the service again, sasl refused the connections with authentication failures.

It seems that the service needs to be down for a while.

Somehow the spammers got the password of one of the accounts, and caused me all this mess... Now I'm unblocking myself from spam lists.. :D

Anyway, the info you provide is great if this happens again.

Regards, and Happy New Year!
 
In Warden Anti-spam and Virus Protection 1.08 we added outbound scanning logging so you can track all this sort of stuff :)
 
You must log in or register to reply here.

Similar threads

Alex Presland
Issue Emails forwarded by Plesk fail DKIM checks with certain attachments
2
Replies
21
Views
2K
Alex Presland
Alex Presland
L
Issue Spam-/Mailproblems
Replies
1
Views
401
Peter Debik
P
A
Resolved Unwanted redirects to gmail, when receiving emails
Replies
5
Views
933
arunda2
A
D4NY
Issue Outgoing mail queue, how to find the source of the spam?
Replies
19
Views
3K
mow
M
L
Resolved Mails marked as Spam
Replies
6
Views
1K
tramvainqueur
tramvainqueur
Back
Top