Postfix SPAM Troubleshooting#

1- Check Mail queue


2- To flush mail queue

postfix flush
postfix -f

3-View message content

postcat -vq xxxxxxxx

4- To remove all mails from the queue:

postsuper -d ALL

5- To remove all mails from queue

postsuper -d ALL deferred

6- To delete all queued messages from or to the domain called


7- To delete all queued messages that contain the word “abc” in the e-mail address

./ abc

8- To know the number of messages sitting in the deferred queue

find /var/spool/postfix/deferred -type f | wc -l

9- To get a sorted list of the accounts that have the most mail in the queue. This usually means a maximum of 2 or 3 spammers at the end of the list

mailq|grep ^[A-F0-9]|cut -c 42-80|sort |uniq -c|sort -n|tail

To find which folder is sending emails using php script, use the following steps to find out:#

1- Create a postfix script to add X-Additional Headers to the emails which will specify the folder involve in sending emails

* touch /usr/sbin/sendmail.postfix-wrapper
* vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"

Note: this should be including #|/bin/sh

2- Create a log file and grant the appropriate permissions which will log the emails generating from the php scripts:

* touch /var/tmp/mail.send
* chmod a+rw /var/tmp/mail.send
* chmod a+x /usr/sbin/sendmail.postfix-wrapper
* mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
* ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

3- Now wait for half an hour or so for the log file to build up and then change the sendmail back to where it was originally:

* rm -f /usr/sbin/sendmail.postfix
* mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

4- Check /var/tmp/mail.send file and there should be lines starting with X-Additional Headers pointing to the domain folders which is being used to send the spam emails from.

5- We can also extract all the folders from the /var/tmp/mail.send file which are sending emails using php scripts using this command

grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

6- If we see no results from the above command then we need to check if one of the mail accounts are hacked/compromised

* zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*

IF we see unusually high number of login attempts then we can check which accounts were brute forced using the following command:

* zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

To stop spam from being sent, change the password for the compromised account immediately and restart the postfix service.

Back to Linux

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-4) was last changed on 24-May-2017 15:30 by Hyve Support
G’day (anonymous guest) My Prefs
  • View Page Source
  • This clear IPSec security association,
    clear ipsec sa peer X.X.X.X

All Pages

Page views: 3761

Private Tomcat




SQL Server




Web Mail

Windows Plesk

Linux Plesk




Persits ASPUpload

Wiki Help

Referring Pages:

JSPWiki v2.8.1