Linux – How to identify how our qmail queue is so big and how to deal with it

email, linux, PHP, spam

Somehow our server is being overrun by outgoing emails, which we think are spam. We normally use Plesk to administer it, but it is currently crashing.

If we do a

ps aux | grep 'qmail'

We get about 200 of these

qmailq   25340  0.0  0.0   2640   408 ?        D    11:18   0:00 bin/qmail-queue

How do we identify why this mail queue is so big? I'm guessing it could be a compromised PHP script on one of the domains or something like that.

Can someone give us an indication of where to start looking to get to the bottom of this? I realise this is a massively open-ended question, but any direction would be greatly appreciated.

Best Answer

Someone is connecting, but how? Run netstat -tp.

This might show if someone is forwarding mail directly through a misconfigured mailserver acting as an open relay (port 25), or if they're pushing stuff through your scripts (port 80/443).

If you find one traffic source and can't get the underlying fix made quickly, get a block in ASAP, either via application configuration or iptables. Keep it a priority though, because whatever one spammer finds, another one will in short order.

Have you looked at the mail content directly? It should be in the filesystem somewhere in /var/spool.
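As an added example (not part of the answer above), a small shell helper that turns `netstat -tp` output into a per-local-port, per-remote-host count, so that a single source hammering port 25 (relay) or port 80/443 (web scripts) stands out before deciding what to block. The netstat lines and addresses in it are constructed, and it assumes the net-tools column layout (state in column 6, PID/program in column 7).

```shell
#!/bin/sh
# Summarise ESTABLISHED TCP connections from 'netstat -tp' text on stdin as
# "<count> <local port> <remote host>", busiest first. Feed it with:
#   netstat -tp | summarize_connections
summarize_connections() {
  awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
         n = split($4, l, ":"); lport = l[n]      # last field survives IPv6 colons
         split($5, r, ":");     rhost = r[1]      # remote host without its port
         count[lport " " rhost]++
       }
       END { for (k in count) print count[k], k }' | sort -rn
}

# Only the top line: the (port, host) pair with the most open connections.
top_source() {
  summarize_connections | head -n 1
}

# Constructed sample (not real data) in the shape of 'netstat -tp' output.
# Three httpd connections from one host point at a script being abused,
# rather than an open relay on port 25.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 4120/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51240      ESTABLISHED 4121/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51251      ESTABLISHED 4125/httpd
tcp        0      0 203.0.113.10:25         192.0.2.55:40022        ESTABLISHED 2290/qmail-smtpd
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED 1033/sshd
'

# Run with --sample to see the summary of the constructed data.
if [ "${1:-}" = "--sample" ]; then
  printf '%s' "$SAMPLE" | summarize_connections
fi
```

A host that tops the list on port 80/443 is a candidate for an iptables rule while the offending script is found; on port 25 it points at relay configuration instead.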
