Linux – Server Sending Spam

Tags: linux, sendmail, spam

We have some servers hosting websites and email accounts for clients.

Today we found that one of our servers has a very heavy load, and looking at the maillog shows it is sending a lot of mail to strange email addresses. It looks like it is sending spam from our server. However, I couldn't find out which account is sending it.

How can I find out the sender so that I can close that account down?

Here's an example of one of the outbound emails in the queue:

[root@server11 mqueue]# cat qfp96I9K1r020960
V8
T1317924562
K1318068176
N27
P3934747
I9/3/119387
MDeferred
Fws
$_localhost [127.0.0.1]
$rSMTP
$sUser
${daemon_flags}
${if_addr}127.0.0.1
S
rRFC822; jenners0223@aol.com
RPFD:
rRFC822; jennecho@aol.com
RPFD:
rRFC822; jennebarre@aol.com
RPFD:
rRFC822; jenndum@aol.com
RPFD:
rRFC822; jenncsh@aol.com
RPFD:
MDeferred
rRFC822; jennclemons@cs.com
RPFD:
rRFC822; jennesef@yahoo.com
RPFD:
rRFC822; jennerped@yahoo.com
RPFD:
rRFC822; jenneroutszong@yahoo.com
RPFD:
rRFC822; jennermills@yahoo.com
RPFD:
rRFC822; jennerbeez@yahoo.com
RPFD:
rRFC822; jennerate@yahoo.com
RPFD:
rRFC822; jenner_parker@yahoo.com
RPFD:
rRFC822; jennellsmilie@yahoo.com
RPFD:
rRFC822; jennellehuff@yahoo.com
RPFD:
rRFC822; jennel4eva@yahoo.com
RPFD:
rRFC822; jenneka.gaines@yahoo.com
RPFD:
rRFC822; jennejenkins@yahoo.com
RPFD:
rRFC822; jenneintenn@yahoo.com
RPFD:
rRFC822; jenneekay@yahoo.com
RPFD:
rRFC822; jennean.dickens@yahoo.com
RPFD:
rRFC822; jennduckworth@yahoo.com
RPFD:
rRFC822; jenndooley03@yahoo.com
RPFD:
rRFC822; jenndobscha@yahoo.com
RPFD:
rRFC822; jenndeemartin@yahoo.com
RPFD:
rRFC822; jenndannwill@yahoo.com
RPFD:
rRFC822; jennd926@yahoo.com
RPFD:
rRFC822; jenncummisky@yahoo.com
RPFD:
rRFC822; jenncradduck@yahoo.com
RPFD:
rRFC822; jenncoffin@yahoo.com
RPFD:
rRFC822; jennchrischristopher@yahoo.com
RPFD:
MDeferred
rRFC822; jenncepero@yahoo.com
RPFD:
H?P?Return-Path: 
H??Received: from User (localhost [127.0.0.1])
    by [server name] (8.13.1/8.13.1) with SMTP id p96I9K1r020960;
    Fri, 7 Oct 2011 05:09:22 +1100
H?M?Message-Id: 
H??From: "Match.com"
H??Subject: Your Match Account Has Been Hold - Re-Connect Now
H??Date: Thu, 6 Oct 2011 11:12:59 -0700
H??MIME-Version: 1.0
H??Content-Type: text/html;
    charset="Windows-1251"
H??Content-Transfer-Encoding: 7bit
H??X-Priority: 3
H??X-MSMail-Priority: Normal
H??X-Mailer: Microsoft Outlook Express 6.00.2600.0000
H??X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Update 1:

Once I cleaned up the /var/spool/mqueue folder, it quickly fills up with new spam emails again.
Once I restarted the sendmail service, it stopped filling up with spam emails, but it comes back a couple of hours later. What does this indicate? Thanks.
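The queue file quoted above already answers part of the question, so here is an added example (not code from the original post) that parses sendmail qf files. In a qf file the `$_`, `$r` and `$s` lines hold the validated relay address, the protocol and the HELO name the client sent, and the server's own Received header repeats them. In this entry they read `localhost [127.0.0.1]`, `SMTP` and `User`, the `S` line is empty (null envelope sender), and there is no `${auth_authen}` line (sendmail normally saves that macro in the qf for SMTP AUTH submissions; the check below assumes it does). That combination points to something on the server itself speaking plain SMTP to port 25 over loopback rather than a client mailbox with a stolen password. The sample qf in the block is constructed from the posted entry and shortened; `/var/spool/mqueue` is the default queue path, and `scan_mqueue` tallies every qf file there by injection source and From: header.

```python
"""Added example, not from the original question: parse sendmail qf (queue
control) files and report how each message was injected.  SAMPLE_QF is a
constructed, shortened copy of the queue entry quoted in the question."""
import glob
import os
import re
from collections import Counter

SAMPLE_QF = """V8
T1317924562
N27
MDeferred
Fws
$_localhost [127.0.0.1]
$rSMTP
$sUser
${daemon_flags}
${if_addr}127.0.0.1
S
rRFC822; jenners0223@aol.com
RPFD:
rRFC822; jennecho@aol.com
RPFD:
rRFC822; jennesef@yahoo.com
RPFD:
H?P?Return-Path: 
H??Received: from User (localhost [127.0.0.1])
    by [server name] (8.13.1/8.13.1) with SMTP id p96I9K1r020960;
    Fri, 7 Oct 2011 05:09:22 +1100
H??From: "Match.com"
H??Subject: Your Match Account Has Been Hold - Re-Connect Now
H??X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

# "$x" or "${name}" followed by the macro value (rest of the line)
MACRO_RE = re.compile(r"^\$(?:\{(?P<long>[^}]+)\}|(?P<short>.))(?P<val>.*)$")
# "H?flags?Name: value"; the flags may be empty, as in "H??From:"
HEADER_RE = re.compile(r"^H(?:\?(?P<flags>[^?]*)\?)?(?P<name>[^:]+):\s?(?P<val>.*)$")


def parse_qf(text):
    """Return the fields of one qf file that matter for tracing a sender."""
    rec = {"macros": {}, "recipients": [], "headers": [], "sender": None,
           "status": None, "created": None}
    for line in text.splitlines():
        if not line:
            continue
        if line[0] in " \t":              # continuation of the previous header
            if rec["headers"]:
                rec["headers"][-1][1] += " " + line.strip()
            continue
        tag, body = line[0], line[1:]
        if tag == "$":
            m = MACRO_RE.match(line)
            if m:
                rec["macros"][m.group("long") or m.group("short")] = m.group("val")
        elif tag == "S":
            rec["sender"] = body          # "" is the null sender <>
        elif tag == "r":                  # original recipient: "rRFC822; addr"
            rec["recipients"].append(body.split(";", 1)[-1].strip())
        elif tag == "H":
            m = HEADER_RE.match(line)
            if m:
                rec["headers"].append([m.group("name").lower(), m.group("val").strip()])
        elif tag == "M":
            rec["status"] = body
        elif tag == "T":
            rec["created"] = int(body)
    return rec


def first_header(rec, name):
    """First value of header `name` (case-insensitive), or None."""
    for hname, value in rec["headers"]:
        if hname == name.lower():
            return value
    return None


def classify(rec):
    """Describe how the message entered sendmail from the saved macros:
    ${auth_authen} (SMTP AUTH user, assumed to be saved when AUTH was used),
    $r (protocol; empty for the sendmail binary) and $_ (validated relay)."""
    macros = rec["macros"]
    relay, proto, helo = macros.get("_", ""), macros.get("r", ""), macros.get("s", "")
    if macros.get("auth_authen"):
        return f"smtp-auth account {macros['auth_authen']!r}"
    if proto in ("SMTP", "ESMTP") and relay.startswith("localhost"):
        return f"loopback {proto} client, HELO {helo!r}: a local process or tunnel to 127.0.0.1:25"
    if not proto and relay.endswith("@localhost"):
        return f"sendmail binary run by local user {relay.split('@', 1)[0]!r}"
    return f"relay {relay or '?'} via {proto or 'local'}"


def scan_mqueue(path="/var/spool/mqueue"):
    """Tally (injection source, From: header) over all qf files, weighted by recipients."""
    tally = Counter()
    for qf in glob.glob(os.path.join(path, "qf*")):
        with open(qf, errors="replace") as fh:
            rec = parse_qf(fh.read())
        tally[(classify(rec), first_header(rec, "from"))] += len(rec["recipients"])
    return tally


if __name__ == "__main__":
    rec = parse_qf(SAMPLE_QF)
    print(classify(rec), "|", len(rec["recipients"]), "rcpts | From:", first_header(rec, "from"))
    for (source, sender), n in scan_mqueue().most_common(10):
        print(f"{n:6d}  {source}  From: {sender}")
```

If the tally shows `ESMTP` with a HELO equal to the server's own hostname, that is usually the sendmail MSP relaying mail handed to the `sendmail` binary (for example by PHP's mail()), and the earlier Received header in the same qf names the unix user; a plain `SMTP` session with HELO `User`, as here, is a client that opened port 25 itself.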

Best Answer

Depending on the way your applications are set up, you may be able to see the offending user account by inspecting all running processes on the server and seeing which user account(s) are hogging the CPU. Something like this:

ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10

Hopefully it's as simple as a userspace process that's abusing known privileges and nothing like a rooted box that needs to be wiped down and rebuilt. Ready the flamethrower.
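Ranking by CPU works when the spam run is a long-lived process; a script kicked off by cron or a web request may not be near the top of the list between runs. Since the queue entries show the mail arriving over loopback SMTP, the more direct check is which process holds a connection to 127.0.0.1:25 and which user owns it. The following is an added example, not part of the original answer: it reads /proc/net/tcp (which carries each socket's owning uid and inode) and maps the inode to a pid through /proc/<pid>/fd. The /proc/net/tcp snapshot in the block is constructed; the address decoding assumes a little-endian host, which is how /proc prints addresses on x86.

```python
"""Added example, not from the original answer: list local processes that
hold a TCP connection to 127.0.0.1:25 (sendmail) with their owning user, by
reading /proc/net/tcp and mapping socket inodes to pids via /proc/<pid>/fd.
SAMPLE_PROC_NET_TCP is constructed; decoding assumes a little-endian host."""
import os
import pwd
import socket
import struct

TCP_ESTABLISHED = "01"

# Constructed /proc/net/tcp: row 0 sendmail listening on :25 as root,
# row 1 a uid-501 process connected to it, row 2 an unrelated sshd session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C3A4 0100007F:0019 01 00000000:00000000 00:00000000 00000000   501        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0200000A:0016 0100000A:D3A1 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25).  /proc prints the IPv4 address as a
    host-order integer, so repacking it natively restores the network bytes."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)


def smtp_clients(proc_net_tcp, port=25):
    """Established sockets whose peer is a loopback address on `port`."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:        # skip the column header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_ESTABLISHED:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        if rport == port and rip.startswith("127."):
            hits.append({"local": (lip, lport), "uid": int(f[7]), "inode": int(f[9])})
    return hits


def pid_for_inode(inode, proc="/proc"):
    """(pid, cmdline) of the process whose fd table holds the socket inode, or None.
    Reading other users' fd directories needs root."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:                       # no /proc (not Linux)
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                        cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
                    return int(pid), cmd.strip()
        except OSError:                   # process exited or fd dir not readable
            continue
    return None


def username(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def report(proc_net_tcp=None):
    """Rows of (user, local endpoint, (pid, cmdline) or None) for each loopback SMTP client."""
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as fh:
            proc_net_tcp = fh.read()
    rows = []
    for h in smtp_clients(proc_net_tcp):
        rows.append((username(h["uid"]), h["local"], pid_for_inode(h["inode"])))
    return rows


if __name__ == "__main__":
    for user, (ip, port), owner in report():
        pid, cmd = owner if owner else ("?", "(pid not found; run as root)")
        print(f"{user:10s} {ip}:{port:<6d} pid={pid} {cmd}")
```

Run it as root while the queue is refilling, and loop it (for example under `watch`) because the client may connect only briefly per message. Only IPv4 is covered; a client using `::1` would appear in /proc/net/tcp6 instead, and one submitting to the MSA on port 587 needs `smtp_clients(text, port=587)`.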