Question Spammer in the server, how to find him

[SalvadorS]

Server operating system version

Debian 11

Plesk version and microupdate number

18.0.55

Hello,

I have these lines in mail mail.info log:



Oct 17 09:46:35 dv7 postfix/smtpd[4021867]: connect from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxx.server.com>
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: lost connection after RCPT from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3

So I think localhost is webmail, but how can I find which mailbox is doing this? As from header is false....

 

[SalvadorS]

I have no clear what these logs means exactly, I don´t know if anyone can help me

 

[Peter Debik]

It's a website script that is sending these mails. If it was webmail, it also comes from 127.0.0.1, but then you'd see a login, too. Mails without logins can only be website scripts.
It can be a challenging task to find the source. Lots of advice is available through a Google search, e.g.

plesk how to find the source of spam - Google Suche

 

[SalvadorS]

Hi Peter,

Thanks for your reponse, always useful.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.

So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?

 

[Peter Debik]

Please check this KB article, it can help you to find the source: https://support.plesk.com/hc/en-us/articles/12377887555479

 

[SalvadorS]

Dear Peter,

Thanks a lot, I did it without success....

 

[Peter Debik]

If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer. The mailer does not necessarily have to be named Exim, it can have any name, but it will need to use port 25, so there is your next step for a deeper analysis.

 

[mow]

If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer.

However in that case they wouldn't show up in the maillog.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.
So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?

Something tries to send a mail but gets rightfully rejected. Thankfully they're stupid (if they used a local mail address for the From, it wouldn't get blocked as Relaying).
As it gets rejected right at the start of the SMTP dialog, even before the body data is sent, the mail doesn't even reach the queue, so it can't show up in `postqueue -p`.