Category: General Linux

Postfix SPAM Troubleshooting

1. Check Mail queue

mailq

2. To flush mail queue

postfix flush
or
postfix -f

3. View message content

postcat -vq xxxxxxxx

4. To remove all mails from the queue:

postsuper -d ALL

5. To remove all mails from queue

postsuper -d ALL deferred

6. To delete all queued messages from or to the domain called examplespamdomain.com

./postfix-delete.pl examplespamdomain.com

7. To delete all queued messages that contain the word “abc” in the e-mail address

./postfix-delete.pl abc

8. To know the number of messages sitting in the deferred queue

find /var/spool/postfix/deferred -type f | wc -l

9. To get a sorted list of the accounts that have the most mail in the queue. This usually means a maximum of 2 or 3 spammers at the end of the list

mailq|grep ^[A-F0-9|cut -c 42-80|sort |uniq -c|sort -n|tail

To find which folder is sending emails using php script, use the following steps to find out:

1. Create a postfix script to add X-Additional Headers to the emails which will specify the folder involve in sending emails

* touch /usr/sbin/sendmail.postfix-wrapper
* vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:
#/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"

Note: this should be including #|/bin/sh

2. Create a log file and grant the appropriate permissions which will log the emails generating from the php scripts:

* touch /var/tmp/mail.send
* chmod a+rw /var/tmp/mail.send
* chmod a+x /usr/sbin/sendmail.postfix-wrapper
* mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
* ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

3. Now wait for half an hour or so for the log file to build up and then change the sendmail back to where it was originally:

* rm -f /usr/sbin/sendmail.postfix
* mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

4. Check /var/tmp/mail.send file and there should be lines starting with X-Additional Headers pointing to the domain folders which is being used
to send the spam emails from.

5. We can also extract all the folders from the /var/tmp/mail.send file which are sending emails using php scripts using this command

grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

6. If we see no results from the above command then we need to check if one of the mail accounts are hacked/compromised

* zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

IF we see unusually high number of login attempts then we can check which accounts were brute forced using the following command:

* zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop spam from being sent, change the password for the compromised account immediately and restart the postfix service.

 

Tags:

Linux

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count: