Postfix SPAM Troubleshooting

1- Check the mail queue

mailq

2- To flush the mail queue

postfix flush
or
postqueue -f

3- View the content of a queued message (xxxxxxxx is the queue ID shown by mailq)

postcat -vq xxxxxxxx

4- To remove all mails from the queue:

postsuper -d ALL

5- To remove all deferred mails from the queue

postsuper -d ALL deferred

6- To delete all queued messages from or to the domain examplespamdomain.com

./postfix-delete.pl examplespamdomain.com

7- To delete all queued messages that contain the word “abc” in the e-mail address

./postfix-delete.pl abc

8- To count the messages sitting in the deferred queue

find /var/spool/postfix/deferred -type f | wc -l

9- To get a sorted list of the accounts that have the most mail in the queue. The heaviest senders appear at the end of the list; usually these are the 2 or 3 spammers

mailq | grep '^[A-F0-9]' | cut -c 42-80 | sort | uniq -c | sort -n | tail

To find out which folder is sending e-mails via a PHP script, use the following steps:

1- Create a sendmail wrapper script that adds an X-Additional-Header to every e-mail, recording the directory the sending script was run from

* touch /usr/sbin/sendmail.postfix-wrapper
* vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:
#!/bin/sh
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"

Note: the first line must be the shebang #!/bin/sh

2- Create the log file, grant the appropriate permissions, and swap the wrapper in for sendmail.postfix so that e-mails generated by PHP scripts are logged:

* touch /var/tmp/mail.send
* chmod a+rw /var/tmp/mail.send
* chmod a+x /usr/sbin/sendmail.postfix-wrapper
* mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
* ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

3- Wait half an hour or so for the log file to build up, then restore the original sendmail binary:

* rm -f /usr/sbin/sendmail.postfix
* mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

4- Check the /var/tmp/mail.send file: the lines starting with X-Additional-Header point to the domain folders the spam e-mails are being sent from.

5- We can also extract from /var/tmp/mail.send all the folders that are sending e-mails via PHP scripts, using this command (the vhosts root is read from HTTPD_VHOSTS_D in /etc/psa/psa.conf):

grep X-Additional /var/tmp/mail.send | grep "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)"

6- If the above command returns no results, check whether one of the mail accounts has been hacked/compromised by counting SASL logins in the mail logs:

* zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

If we see an unusually high number of login attempts, we can check which accounts were brute forced using the following command:

* zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop the spam from being sent, change the password of the compromised account immediately and restart the postfix service.
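The two log sources produced in steps 4 and 6 above can be summarised with a small script. This is an added example, not part of the original page; the sample wrapper log and maillog lines are constructed here, and it assumes the wrapper writes "X-Additional-Header: <directory>" before each message and that maillog lines carry "sasl_method=..." and "sasl_username=..." as Postfix logs them.

```shell
#!/bin/sh
# Added example (not from the original page). Summarises the wrapper log from
# step 4 and the SASL login counts from step 6 over constructed sample data.

# Count how many messages each sending directory produced, most active first.
# $1 = path to the wrapper log (/var/tmp/mail.send on the page).
top_sending_dirs() {
    grep '^X-Additional-Header: ' "$1" | cut -d' ' -f2- | sort | uniq -c | sort -rn
}

# Count SASL LOGIN authentications per username, most frequent first.
# $1 = maillog path (plain text; use zgrep for rotated .gz files).
# Extracting the field by name avoids relying on awk's column position.
top_sasl_users() {
    grep 'sasl_method=LOGIN' "$1" | grep -o 'sasl_username=[^ ,]*' \
        | cut -d= -f2 | sort | uniq -c | sort -rn
}

# --- constructed sample data (not real logs) ---
MAILSEND=$(mktemp)
MAILLOG=$(mktemp)
cat > "$MAILSEND" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim@example.net
Subject: cheap pills
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: other@example.net
X-Additional-Header: /var/www/vhosts/shop.example/httpdocs
To: customer@example.org
EOF
cat > "$MAILLOG" <<'EOF'
May 24 15:01:02 host postfix/smtpd[1234]: AB12CD: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=admin@example.com
May 24 15:01:03 host postfix/smtpd[1234]: AB12CE: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=admin@example.com
May 24 15:01:04 host postfix/smtpd[1235]: AB12CF: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
May 24 15:01:05 host postfix/smtpd[1236]: AB12D0: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
EOF

echo "Messages per sending directory:"
top_sending_dirs "$MAILSEND"
echo "SASL LOGIN authentications per account:"
top_sasl_users "$MAILLOG"
```

On a live server, point the functions at /var/tmp/mail.send and /usr/local/psa/var/log/maillog instead of the temporary sample files.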

This page (revision-4) was last changed on 24-May-2017 15:30 by Hyve Support