We have some servers hosting websites and email accounts for clients.
Today we found that one of our servers has a very heavy load, and by looking at the maillog it is doing a lot of sending to strange email addresses. It looks like it is sending spam from our server. However, I couldn't find out which account is sending it.
How can I find out the sender so that I can close that account down?
Here's an example of one of the outbound emails in the queue:
[root@server11 mqueue]# cat qfp96I9K1r020960
V8
T1317924562
K1318068176
N27
P3934747
I9/3/119387
MDeferred
Fws
$_localhost [127.0.0.1]
$rSMTP
$sUser
${daemon_flags}
${if_addr}127.0.0.1
S
rRFC822; jenners0223@aol.com
RPFD:
rRFC822; jennecho@aol.com
RPFD:
rRFC822; jennebarre@aol.com
RPFD:
rRFC822; jenndum@aol.com
RPFD:
rRFC822; jenncsh@aol.com
RPFD:
MDeferred
rRFC822; jennclemons@cs.com
RPFD:
rRFC822; jennesef@yahoo.com
RPFD:
rRFC822; jennerped@yahoo.com
RPFD:
rRFC822; jenneroutszong@yahoo.com
RPFD:
rRFC822; jennermills@yahoo.com
RPFD:
rRFC822; jennerbeez@yahoo.com
RPFD:
rRFC822; jennerate@yahoo.com
RPFD:
rRFC822; jenner_parker@yahoo.com
RPFD:
rRFC822; jennellsmilie@yahoo.com
RPFD:
rRFC822; jennellehuff@yahoo.com
RPFD:
rRFC822; jennel4eva@yahoo.com
RPFD:
rRFC822; jenneka.gaines@yahoo.com
RPFD:
rRFC822; jennejenkins@yahoo.com
RPFD:
rRFC822; jenneintenn@yahoo.com
RPFD:
rRFC822; jenneekay@yahoo.com
RPFD:
rRFC822; jennean.dickens@yahoo.com
RPFD:
rRFC822; jennduckworth@yahoo.com
RPFD:
rRFC822; jenndooley03@yahoo.com
RPFD:
rRFC822; jenndobscha@yahoo.com
RPFD:
rRFC822; jenndeemartin@yahoo.com
RPFD:
rRFC822; jenndannwill@yahoo.com
RPFD:
rRFC822; jennd926@yahoo.com
RPFD:
rRFC822; jenncummisky@yahoo.com
RPFD:
rRFC822; jenncradduck@yahoo.com
RPFD:
rRFC822; jenncoffin@yahoo.com
RPFD:
rRFC822; jennchrischristopher@yahoo.com
RPFD:
MDeferred
rRFC822; jenncepero@yahoo.com
RPFD:
H?P?Return-Path:
H??Received: from User (localhost [127.0.0.1]) by [server name] (8.13.1/8.13.1) with SMTP id p96I9K1r020960; Fri, 7 Oct 2011 05:09:22 +1100
H?M?Message-Id:
H??From: "Match.com"
H??Subject: Your Match Account Has Been Hold - Re-Connect Now
H??Date: Thu, 6 Oct 2011 11:12:59 -0700
H??MIME-Version: 1.0
H??Content-Type: text/html; charset="Windows-1251"
H??Content-Transfer-Encoding: 7bit
H??X-Priority: 3
H??X-MSMail-Priority: Normal
H??X-Mailer: Microsoft Outlook Express 6.00.2600.0000
H??X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Update 1:
Once I clean up the /var/spool/mqueue folder, it quickly fills up with new spam emails.
Once I restarted the sendmail service, it stopped filling up with spam emails, but it comes back later, in a couple of hours. What does this indicate? Thanks.
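The queue file in the question already carries the forensic clues a responder needs: the `$_localhost [127.0.0.1]` and `$rSMTP` macro records and the `Received: from User (localhost [127.0.0.1]) ... with SMTP` header say the message was handed to sendmail over plain SMTP on the loopback interface, the `S` record is empty (null envelope sender), and there is no `${auth_authen}` record, which sendmail writes when the submitting client used SMTP AUTH. Headers such as `From:` and `X-Mailer:` are supplied by the client and say nothing about the true origin. Below is an added example (not from the original post or its answers) that parses every `qf*` control file in a queue directory and groups queued messages by relay host, authenticated user and envelope sender, so that a spam run stands out as one dominant line and tells you whether a mailbox password or a local process is the source. It assumes the one-record-per-line sendmail qf layout shown above; the sample queue it builds is constructed data with example.com addresses, not the poster's files.

```shell
#!/bin/sh
# Added example: triage a sendmail mqueue by parsing qf* control files.
# Assumed layout (matches the question's dump): one record per line,
#   S<sender>          envelope sender (empty = null sender <>)
#   R<flags>:<rcpt>    one record per envelope recipient
#   $_<host>           relay macro: who handed the message to sendmail
#   ${auth_authen}<u>  SMTP AUTH user, present only if the client authenticated
#   H??<Header>: ...   stored message headers
set -eu

# qf_record FILE PREFIX -> value of the first record starting with PREFIX (literal match)
qf_record() {
    awk -v p="$2" 'index($0, p) == 1 { print substr($0, length(p) + 1); exit }' "$1"
}

# qf_summary FILE -> "id|sender|rcpts|relay|auth|received"
qf_summary() {
    f=$1
    id=$(basename "$f"); id=${id#qf}
    sender=$(qf_record "$f" S); [ -n "$sender" ] || sender='<>'
    rcpts=$(grep -c '^R' "$f" || true)          # grep -c exits 1 on zero matches
    relay=$(qf_record "$f" '$_')
    auth=$(qf_record "$f" '${auth_authen}'); [ -n "$auth" ] || auth=none
    received=$(qf_record "$f" 'H??Received: ')
    printf '%s|%s|%s|%s|%s|%s\n' "$id" "$sender" "$rcpts" "$relay" "$auth" "$received"
}

# queue_report DIR -> messages and recipients per (relay, auth user, sender), busiest first.
# auth=none with relay=localhost points at a local process (web script, cron job);
# a real auth user points at a compromised mailbox whose password should be reset.
queue_report() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        qf_summary "$f"
    done | awk -F'|' '{ k = "relay=" $4 " auth=" $5 " sender=" $2; n[k]++; r[k] += $3 }
        END { for (k in n) printf "%d msgs %d rcpts %s\n", n[k], r[k], k }' | sort -rn
}

# Constructed sample queue (not real data): two spam messages injected over SMTP from
# localhost with a null sender, plus one legitimate authenticated submission.
make_sample_queue() {
    dir=$(mktemp -d)
    for id in qfAAA000001 qfAAA000002; do
        cat > "$dir/$id" <<'EOF'
V8
MDeferred
Fws
$_localhost [127.0.0.1]
$rSMTP
$sUser
S
RPFD:victim1@example.com
RPFD:victim2@example.com
H?P?Return-Path:
H??Received: from User (localhost [127.0.0.1]) by mail.example.com (8.13.1/8.13.1) with SMTP id AAA000001
H??From: "Spoofed Brand" <noreply@example.net>
H??Subject: constructed spam sample
.
EOF
    done
    cat > "$dir/qfBBB000003" <<'EOF'
V8
Fws
$_client.example.org [192.0.2.10]
$rESMTP
${auth_authen}alice@example.com
Salice@example.com
RPFD:bob@example.com
H??Received: from laptop (client.example.org [192.0.2.10]) (authenticated bits=0) by mail.example.com with ESMTP id BBB000003
H??From: Alice <alice@example.com>
.
EOF
    printf '%s\n' "$dir"
}

# Usage: sh queue_triage.sh /var/spool/mqueue   (no argument: run on the sample queue)
if [ $# -ge 1 ]; then
    queue_report "$1"
else
    d=$(make_sample_queue); queue_report "$d"; rm -rf "$d"
fi
```

On the sample the first report line reads `2 msgs 4 rcpts relay=localhost [127.0.0.1] auth=none sender=<>`, the same signature as the question's queue file. Run it against a copy of the real `mqueue` before clearing it; once the queue is gone, the maillog is the only remaining record of the run.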
Best Answer
Depending on the way your applications are set up, you may be able to see the offending user account by inspecting all running processes on the server and seeing which user account(s) are hogging the CPU. Something like this:
ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10
Hopefully it's as simple as a userspace process that's abusing known privileges and nothing like a rooted box that needs to be wiped down and rebuilt. Ready the flamethrower.