Ubuntu – My system is sending spam, where to start fixing it


One of my smaller webservers appears to be sending out spam. It is an Ubuntu 8.04 system with Plesk as a configuration interface and qmail as the mailserver.

How do I go about identifying the spam source? The server itself is a fresh install and it "started spamming" as soon as I transferred domains, data and databases from the old server (which didn't spam). The SMTP server definitely needs secure authentication (it is not an open relay). I also checked for rootkits using rkhunter and chkrootkit while the server's filesystem was mounted read-only from another machine and found none.

I'm out of ideas. Hope anyone has some pointers.

Best Answer

It's definitely being abused? First of all, disconnect it from the Web, and secure the logs. The source of the spam is either a) a local process that's been installed / compromised (like you say), or b) a bot somewhere using your server. In either case, the logs will tell you where to look next. I'd be worried either way, as this could be the thin end of the wedge.
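
Following up on "the logs will tell you where to look next", an added example that is not part of the answer above: qmail-send records the local uid that queued each message in its `info msg ... qp ... uid ...` lines, so counting messages per uid separates mail injected by a local process (for instance a web-server account) from mail handed in by the SMTP daemon's account. The sample log lines, host name and uids are constructed; feed the function your own secured copy of the qmail log on stdin.

```shell
#!/bin/sh
# Added example: summarise who queued mail, from qmail-send log lines.
# qmail-send logs every new message as
#   info msg <id>: bytes <n> from <sender> qp <pid> uid <uid>
# where <uid> is the local account that handed the message to qmail-queue.

# Constructed sample input (not from a real server).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 web1 qmail: 1200000001.100000 info msg 5001: bytes 2301 from <ab12@shop.example> qp 4021 uid 33
Jan 10 03:12:01 web1 qmail: 1200000001.200000 starting delivery 1: msg 5001 to remote x@mail.example
Jan 10 03:12:02 web1 qmail: 1200000002.100000 info msg 5002: bytes 2298 from <cd34@shop.example> qp 4025 uid 33
Jan 10 03:12:03 web1 qmail: 1200000003.100000 info msg 5003: bytes 2305 from <ef56@shop.example> qp 4029 uid 33
Jan 10 03:12:04 web1 qmail: 1200000004.100000 info msg 5004: bytes 2299 from <gh78@shop.example> qp 4033 uid 33
Jan 10 03:14:40 web1 qmail: 1200000160.100000 info msg 5005: bytes 911 from <alice@site.example> qp 4102 uid 2020
Jan 10 03:14:41 web1 qmail: 1200000161.100000 end msg 5005
Jan 10 09:30:12 web1 qmail: 1200022612.100000 info msg 5006: bytes 1040 from <alice@site.example> qp 5210 uid 2020
EOF
}

# Reads log lines on stdin, prints "uid messages distinct_senders",
# busiest uid first. Fields are taken from the end of the line so that
# text inside the sender field cannot shift the uid column.
count_by_uid() {
    awk '
        NF >= 6 && $(NF-1) == "uid" && $(NF-3) == "qp" &&
        /info msg [0-9]+: bytes / {
            uid = $NF
            sender = $(NF-4)
            msgs[uid]++
            if (!((uid, sender) in seen)) {
                seen[uid, sender] = 1
                senders[uid]++
            }
        }
        END { for (u in msgs) print u, msgs[u], senders[u] }
    ' | sort -k2,2nr -k1,1n
}

# Stand-alone run on the constructed sample.
sample_log | count_by_uid
```

Resolve each uid with `getent passwd <uid>`. A uid that queues many messages, each from a different envelope sender, points at a local script or process (case a); volume under the SMTP daemon's uid points at an authenticated or relayed remote client (case b), and the SMTP daemon's own log is the next place to look.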
