Ubuntu – Origin of Spam Email

MySQL, PHP, postfix, Ubuntu

I'm running Ubuntu with POSTFIX and I have spam mail continually trying to be sent out. I have blocked it all from the email server that they are going out on and now they are just continually being queued up. The server is running php/mysql with a number of websites on it. How can I tell where the messages are coming from? i.e. from a php file on the server being executed or where?

Example of mailq output:

2A8CA2D447   444542 Wed Feb 29 09:07:27  www-data@servername.com
(delivery temporarily suspended: lost connection with emailserver[emailserverip] while receiving the initial server greeting)
                                         lilibetharias1011@hotmail.com

Any help would be appreciated

Best Answer

Sounds like you have someone who hacked the server. There could be rootkits, invisible processes... if you're lucky it's just a script generating it. If you disconnect the computer from the network is it still trying to send more new mails? Then it's something on the server generating the mail.

The problem is that even if you clean what you can, you can't be sure you entirely cleaned it up.

Best practice is to wipe the machine and rebuild, and go back through your PHP code and SQL (if you're using a database) and verify you have all patches and no SQL injections possible, auditing everything you can. Then verify that you don't have Postfix set up as a mail relay, only allowing your own machine or your own IP or own subnet to send mail.
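As an added example (not code from the question or the answer), a small Python script that parses mailq output in the layout shown in the question, tallies queued mail by sender, and compares two snapshots to find messages that were queued while the network was disconnected, which is the test the answer suggests; the sample output and the second snapshot are constructed.

```python
import re
from collections import Counter

# Constructed mailq snapshots in the layout shown in the question: a header
# line per message, an optional "(reason)" line, one indented recipient per
# line. The second snapshot is what you might see after unplugging the network.
MAILQ_BEFORE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2A8CA2D447   444542 Wed Feb 29 09:07:27  www-data@servername.com
(delivery temporarily suspended: lost connection with emailserver[emailserverip] while receiving the initial server greeting)
                                         lilibetharias1011@hotmail.com

-- 434 Kbytes in 1 Request.
"""
MAILQ_AFTER = MAILQ_BEFORE.replace("-- 434 Kbytes in 1 Request.", """\
3B9DD2D448*   12034 Wed Feb 29 09:12:02  www-data@servername.com
                                         someone@example.net
                                         other@example.org

-- 446 Kbytes in 2 Requests.""")

# Queue ID (short hex form as on the page), optional flag ('*' active,
# '!' on hold), size, arrival time, sender.
HEADER = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)\s*$")
STATUS = {"": "deferred", "*": "active", "!": "hold"}

def parse_mailq(text):
    """Return one dict per queued message found in mailq output."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"id": m.group(1), "status": STATUS[m.group(2)],
                            "size": int(m.group(3)), "arrival": m.group(4),
                            "sender": m.group(5), "reason": None, "recipients": []})
        elif entries and line.startswith("("):
            entries[-1]["reason"] = line.strip("() ")
        elif entries and line.startswith(" ") and line.strip():
            entries[-1]["recipients"].append(line.strip())
    return entries

def count_by_sender(entries):
    """Senders ranked by queued messages; www-data points at a web script."""
    return Counter(e["sender"] for e in entries)

def new_queue_ids(before, after):
    """Queue IDs only in the later snapshot: mail generated in between."""
    seen = {e["id"] for e in before}
    return [e["id"] for e in after if e["id"] not in seen]
```

On a live system, capture `mailq` output twice a few minutes apart with the network unplugged and feed both snapshots in; a www-data sender means the mail went through the web server, and `postcat -q <queue id>` shows the headers of a queued message.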
