Postfix SPAM Troubleshooting
1. Check the mail queue
mailq
2. To flush the mail queue
postfix flush or postqueue -f
3. View message content
postcat -vq xxxxxxxx
4. To remove all mails from the queue:
postsuper -d ALL
5. To remove all mails from the deferred queue:
postsuper -d ALL deferred
6. To delete all queued messages from or to the domain called examplespamdomain.com
./postfix-delete.pl examplespamdomain.com
7. To delete all queued messages that contain the word “abc” in the e-mail address
./postfix-delete.pl abc
8. To count the messages sitting in the deferred queue
find /var/spool/postfix/deferred -type f | wc -l
9. To get a sorted list of the accounts that have the most mail in the queue. The two or three addresses at the end of the list are usually the spammers
mailq | grep '^[A-F0-9]' | cut -c 42-80 | sort | uniq -c | sort -n | tail
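The same ranking as an added example (not from the original page), parsing mailq output by field instead of by fixed column so the count does not break when the queue ID or size column has a different width; the mailq output it runs on is constructed:

```shell
#!/bin/sh
# Added example (not part of the original page): rank sender addresses by the
# number of messages they have in the Postfix queue. Unlike the cut -c 42-80
# one-liner it parses "mailq" output by field, so it keeps working when the
# queue ID or size column has a different width (e.g. long queue IDs).

# Constructed sample of "mailq" (sendmail-compatible) output for offline use.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4512 Mon Jan  1 10:00:01  bulk@example.com
                                          user1@example.org
B2C3D4E5F6      1200 Mon Jan  1 10:00:05  bulk@example.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                          user2@example.org
C3D4E5F6A7!      980 Mon Jan  1 10:01:00  alice@example.com
                                          bob@example.net
D4E5F6A7B8      5000 Mon Jan  1 10:02:00  bulk@example.com
                                          user3@example.org

-- 12 Kbytes in 4 Requests.'

# queue_top_senders: read mailq output on stdin, print "<count> <sender>" lines,
# busiest sender last (same shape as the uniq -c | sort -n | tail one-liner).
queue_top_senders() {
    # A queue-ID line starts in column 1 with the ID (hex, or base-62 for long
    # queue IDs), optionally followed by * (active) or ! (held), then the size,
    # arrival time and sender; recipient and error lines never start that way.
    awk '/^[0-9A-Za-z]+[*!]? /{ print $NF }' | sort | uniq -c | sort -n | tail
}

# queue_busiest_sender: just the address with the most queued messages.
queue_busiest_sender() {
    queue_top_senders | tail -n 1 | awk '{ print $2 }'
}

# queue_count: total number of queued messages seen in the mailq output.
queue_count() {
    awk '/^[0-9A-Za-z]+[*!]? /{ n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample; on a live system replace the
# printf with a plain "mailq".
printf '%s\n' "$SAMPLE_MAILQ" | queue_top_senders
printf 'busiest sender: %s\n' "$(printf '%s\n' "$SAMPLE_MAILQ" | queue_busiest_sender)"
```

On a live server pipe "mailq" into queue_top_senders instead of the sample; the address at the bottom of the list is the one to inspect with postcat first.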
To find which folder a PHP script is sending e-mail from, use the following steps:
1. Create a postfix wrapper script that adds an X-Additional-Header to each e-mail recording the folder from which it was sent
* touch /usr/sbin/sendmail.postfix-wrapper
* vi /usr/sbin/sendmail.postfix-wrapper
Add the following content:
  #!/bin/sh
  (echo X-Additional-Header: $PWD ; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
Note: the script must begin with the #!/bin/sh line.
2. Create the log file, grant the appropriate permissions and put the wrapper in place of sendmail so that e-mails generated by PHP scripts are logged:
* touch /var/tmp/mail.send
* chmod a+rw /var/tmp/mail.send
* chmod a+x /usr/sbin/sendmail.postfix-wrapper
* mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
* ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
3. Wait half an hour or so for the log file to build up, then restore sendmail to its original state:
* rm -f /usr/sbin/sendmail.postfix
* mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
4. Check the /var/tmp/mail.send file; it should contain lines starting with X-Additional-Header that point to the domain folders from which the spam e-mails are being sent.
5. To extract from /var/tmp/mail.send all the folders from which PHP scripts are sending e-mail, use this command
grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
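A way to summarise the mail.send log produced by the wrapper, added here as an example that is not part of the original page. It counts X-Additional-Header lines per directory and, going a step beyond the grep above, groups them per vhost directory; the log content and the /var/www/vhosts root are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the original page): summarise the /var/tmp/mail.send
# log written by the sendmail wrapper. Each X-Additional-Header line carries
# the working directory ($PWD) of the process that called sendmail, so counting
# those lines per directory, and per vhost, points at the script sending mail.

# Constructed sample of a mail.send log (paths are made up; the vhost root
# /var/www/vhosts is an assumption standing in for Plesk's HTTPD_VHOSTS_D).
SAMPLE_LOG='X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim1@example.org
Subject: Hello
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim2@example.org
Subject: Hello
X-Additional-Header: /var/www/vhosts/shop.example/httpdocs
To: customer@example.net
Subject: Your order
X-Additional-Header: /root
To: root@localhost
Subject: Cron job'

# sending_dirs: read the log on stdin, print "<count> <directory>",
# most active directory first.
sending_dirs() {
    awk '/^X-Additional-Header: / { print $2 }' | sort | uniq -c | sort -rn
}

# sending_vhosts ROOT: like sending_dirs, but grouped by the vhost directory
# directly under ROOT; paths outside ROOT (cron jobs, root shells) are ignored.
sending_vhosts() {
    awk -v root="$1" '
        /^X-Additional-Header: / {
            dir = $2
            prefix = root "/"
            if (index(dir, prefix) == 1) {
                rest = substr(dir, length(prefix) + 1)
                split(rest, parts, "/")
                print parts[1]
            }
        }' | sort | uniq -c | sort -rn
}

# top_sending_vhost ROOT: only the name of the busiest vhost.
top_sending_vhost() {
    sending_vhosts "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone demo on the constructed sample; on a live system feed the real
# log with: sending_vhosts /var/www/vhosts < /var/tmp/mail.send
printf '%s\n' "$SAMPLE_LOG" | sending_dirs
printf '%s\n' "$SAMPLE_LOG" | sending_vhosts /var/www/vhosts
```

Grouping by vhost matters because a compromised site often mails from several subdirectories (uploads, cache, a renamed plugin folder); the per-directory list shows where the script lives, the per-vhost list shows which customer account to suspend.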
6. If the above command returns nothing, check whether one of the mail accounts has been hacked/compromised:
* zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
  /usr/local/psa/var/log/maillog:221000
  /usr/local/psa/var/log/maillog.processed:362327
  /usr/local/psa/var/log/maillog.processed.1.gz:308956
If we see an unusually high number of login attempts, we can check which accounts were brute-forced using the following command:
* zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
  891574 sasl_username=admin@example.com
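The same SASL login analysis as an added example (not from the original page). It extracts sasl_username= and client= by pattern rather than as the 9th field, which shifts when the log prefix differs, and adds a per-user list of client addresses and a count of failed authentications; the maillog lines it runs on are constructed:

```shell
#!/bin/sh
# Added example (not from the original page): count SASL logins per user, list
# the client addresses behind a given user, and count failed authentications,
# from Postfix maillog lines. Fields are pulled out by pattern instead of
# position so the result does not depend on the exact log prefix.

# Constructed sample maillog lines (hostnames, IPs and accounts are made up).
SAMPLE_MAILLOG='Jan  1 10:00:01 mail postfix/smtpd[1201]: 1A2B3C4D5E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=admin@example.com
Jan  1 10:00:02 mail postfix/smtpd[1201]: 2B3C4D5E6F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=admin@example.com
Jan  1 10:00:03 mail postfix/smtpd[1202]: 3C4D5E6F7A: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=admin@example.com
Jan  1 10:00:04 mail postfix/smtpd[1203]: 4D5E6F7A8B: client=laptop.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
Jan  1 10:00:05 mail postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure'

# sasl_login_counts: read maillog lines on stdin, print "<count> <user>" for
# every successful SASL login, busiest user first (any sasl_method, not only LOGIN).
sasl_login_counts() {
    grep 'sasl_method=' | grep -o 'sasl_username=[^, ]*' | sed 's/^sasl_username=//' \
        | sort | uniq -c | sort -rn
}

# sasl_clients USER: distinct client addresses that authenticated as USER.
# A normal mailbox logs in from one or two places; a compromised one from many.
sasl_clients() {
    awk -v user="$1" '
        /sasl_method=/ {
            client = ""; u = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^client=/) client = $i
                if ($i ~ /^sasl_username=/) u = $i
            }
            sub(/,$/, "", client)
            if (u == "sasl_username=" user) print substr(client, 8)
        }' | sort -u
}

# sasl_failed_count: number of failed SASL authentication attempts, a
# brute-force indicator. grep -c prints 0 on no match, so keep its exit status.
sasl_failed_count() {
    grep -c 'SASL [A-Z]* authentication failed' || true
}

# Stand-alone demo on the constructed sample; on a Plesk server feed the real
# logs with: zcat -f /usr/local/psa/var/log/maillog* | sasl_login_counts
printf '%s\n' "$SAMPLE_MAILLOG" | sasl_login_counts
printf '%s\n' "$SAMPLE_MAILLOG" | sasl_clients admin@example.com
printf 'failed: %s\n' "$(printf '%s\n' "$SAMPLE_MAILLOG" | sasl_failed_count)"
```

A single account with hundreds of thousands of logins from many unrelated addresses, next to a high failed-authentication count, is the pattern of a credential that has been guessed and is now being used to relay spam.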
To stop spam from being sent, change the password for the compromised account immediately and restart the postfix service.
Tags:
Linux