[POSTFIX] Find source of spam

[IonutG]

Hi!
My server: Centos 6.5, Parallels Plesk Pannels 11.5.30 and Postfix as MTA, OS checked with rkhunter;

This machine send many email spam but I have problem to find the source of spam, the source is not an php scripts (folowed instructions from: http://kb.parallels.com/en/114845 ), it's a compromised mailbox from one of may domains;
I have in queue 2132 Requests but i cannot figure out from which mailboxes was sended this emails.

Thanks in advance!

 

[Faris Raouf]

Delete everything in the queue and check /usr/local/psa/var/log/maillog (and maybe /var/log/secure ) to see if you can see who is connecting to send the messages.

You may find it beneficial to kill all postfix processes (restarting postfix is NOT enough) and then watch the log carefully to see a new authentication connection followed by lots of email going into the queue.

The key is not to panic and look at things slowly. Restarting postfix is not enough because it does not prevent an already authenticated IP from continuing to send messages via an existing established connection. The same goes for firewalling/changing the password once you find the offending mailbox and IP: changing the password will not prevent the offender from continuing to send messages through an existing established connection, and in many cases adding the offending IP to the firewall may not enough (it depends on the way the firewall works, but adding an IP sometimes only works on NEW connections from that IP).

I use qmail not postfix, but flushing the queue and other things seems to be described very well here:

http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html

 

[alvesjc]

Hi.

I'm having this issue right now.

I've stopped postfix meanwhile.

I've changed the account password beeing used for spam and restarted postfix, but the spam continues.

I've turned off authentcated relay also in general mais settings in plesk also without luck.

If I activate postfix the mail queue start to grow again.

Can anyone help pinpointing the issue?

Thank you.

 

[danami]

Looking at the queue won't tell you enough about where the source of the spam is. You need to look at the mail headers of one of the spam messages.

1. Look at the mail queue using mailq

mailq

2. Look at the mail headers from one of the spam messages (Assuming the message has the ID XXXXXXX (you can see the ID form the QUEUE)

postcat -vq XXXXXXXXXX

Also note: Plesk will add a "X-PPP-Vhost" header to any PHP based form spam so you can tell what vhost any form spam is coming from.

 

[alvesjc]

Hi Danami,

Thank you for the info.

Meanwhile I've solved the issue. After killing postfix, cleaning up the queue, and changed the password, while living the service down for a few minutes, when I started the service again, sasl refused the connections with authentication failures.

It seems that the service needs to be down for a while.

Somehow the spammers got the password of one of the accounts, and caused me all this mess... Now I'm unblocking myself from spam lists..

Anyway, the info you provide is great if this happens again.

Regards, and Happy New Year!

 

[danami]

In Warden Anti-spam and Virus Protection 1.08 we added outbound scanning logging so you can track all this sort of stuff