
I have had this problem before with crap WordPress sites on my server, but it was always easy to find the source, a PHP script, by looking at the spam header and seeing the PHP script's name. But this time I got something different.

The spam isn't actually being sent, it's being dropped by postfix, but it originates from localhost and I need to find where it comes from.

Dec 8 13:02:29 myserver postfix/smtpd[22018]: NOQUEUE: reject: RCPT from myserver.local[127.0.0.1]: 550 5.1.0 <[email protected]>: Sender address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<domainonmyserver.tld> 

As you can see, it tries to send under a phony account so it gets dropped. Before I fixed my postfix settings it was actually trying to send these out, so I got a look at the spam itself and it didn't have a header indicating a PHP script somewhere (that was a first, they always did before). Another strange thing is that it doesn't try to flood postfix with spam; instead it is sending them out one or two a minute.

Any idea how to track the source down would be appreciated. Thanks.


Auditd Logging

Assuming this is not occurring through a network socket (given your PHP header is not working), I would log all access to postfix itself. Create auditd rules that log all access to the postfix binaries.

Get a list of all the postfix files

rpm -ql postfix | egrep "postfix|sendmail" | grep bin 

then generate an audit.rules file (that will likely go in /etc/audit/audit.rules, but this varies from distro to distro) that looks something like

-w /usr/sbin/sendmail -p wra -k postfix_access
-w /usr/sbin/sendmail.postfix -p wra -k postfix_access

...etc

You may have to run this to update your rules:

augenrules 

To send this output to syslog/splunk:

sed -i -e 's/^active.*/active = yes/g' /etc/audisp/plugins.d/syslog.conf 

Then restart auditd.

This may give you more clues about what is calling postfix at the time the emails are being generated.
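As an added example (not code from the answer or the question), a small Python script that correlates the SYSCALL records such a keyed auditd rule produces with postfix's NOQUEUE rejects: for each reject it lists the audited sendmail executions in the preceding seconds, with their pid, ppid and uid, so you know which parent process to inspect next. All log lines are constructed; the year and a UTC offset are assumptions, because syslog timestamps carry neither.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not from the original post): SYSCALL records as auditd
# writes them for a "-w ... -k postfix_access" rule, plus one reject line shaped like
# the one in the question. Addresses are placeholders.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1481202140.512:9001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=22001 pid=22010 auid=4294967295 uid=48 gid=48 euid=48 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
type=SYSCALL msg=audit(1481202148.004:9002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=22015 auid=4294967295 uid=0 gid=0 euid=0 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
type=SYSCALL msg=audit(1481201000.100:8990): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3001 pid=3100 auid=1000 uid=1000 gid=1000 euid=1000 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
"""
MAIL_LOG = """\
Dec  8 13:02:29 myserver postfix/smtpd[22018]: NOQUEUE: reject: RCPT from myserver.local[127.0.0.1]: 550 5.1.0 <bogus@example.invalid>: Sender address rejected: User unknown in virtual mailbox table; from=<bogus@example.invalid> to=<victim@example.invalid> proto=ESMTP helo=<domainonmyserver.tld>
"""
AUDIT_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?\bppid=(?P<ppid>\d+) pid=(?P<pid>\d+) '
    r'.*?\buid=(?P<uid>\d+).*?comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)" key="postfix_access"')
MAIL_RE = re.compile(r'^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ postfix/\S+: NOQUEUE: reject:')

def parse_audit(text):
    """Extract timestamp, pid, ppid, uid, comm and exe from keyed SYSCALL records."""
    recs = []
    for m in filter(None, map(AUDIT_RE.search, text.splitlines())):
        d = m.groupdict()
        recs.append({"ts": float(d["ts"]), "pid": int(d["pid"]), "ppid": int(d["ppid"]),
                     "uid": int(d["uid"]), "comm": d["comm"], "exe": d["exe"]})
    return recs

def parse_rejects(text, year):
    """Epoch times of NOQUEUE rejects. Syslog stamps have no year or zone, so the
    caller supplies the year and UTC is assumed (adjust for a real maillog)."""
    out = []
    for m in filter(None, map(MAIL_RE.match, text.splitlines())):
        stamp = f'{year} {m["mon"]} {int(m["day"]):02d} {m["hms"]}'
        out.append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
                   .replace(tzinfo=timezone.utc).timestamp())
    return out

def correlate(audit_text, mail_text, year=2016, window=15.0):
    """For each reject, the audited sendmail executions in the `window` seconds before
    it, oldest first; ppid and uid point at the process to inspect next."""
    recs = parse_audit(audit_text)
    return [(t, sorted((r for r in recs if t - window <= r["ts"] <= t), key=lambda r: r["ts"]))
            for t in parse_rejects(mail_text, year)]

if __name__ == "__main__":
    for t, recs in correlate(AUDIT_LOG, MAIL_LOG):
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), "reject; candidates:")
        for r in recs:
            print(f'  pid={r["pid"]} ppid={r["ppid"]} uid={r["uid"]} {r["exe"]}')
```

On a real box, feed it `ausearch -k postfix_access --raw` output and the maillog; a uid of the web server user with a ppid belonging to php-fpm or httpd is the usual tell for a compromised site.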


First, you should add the mail.add_x_header option to your php.ini:

mail.add_x_header = On 

It will add a header to your emails which will contain the name of the script that called the mail() function.

If that doesn't help, you can follow this tutorial to create a wrapper for sendmail, which will also log everything.

  • It is enabled, and it usually works too, but not this time as I said in the OP. Commented Dec 8, 2016 at 12:24
