Postfix: How to identify a PHP script sending spam
Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam?
You probably have a malicious script sending a large number of emails directly from the server … well, you get the enemy at home!
If your outgoing mail daemon (ie the software used to send emails) is Postfix, you can identify the source of spam in just a few simple steps.
The resolution of the problem can be just as easy, although in most cases needs further investigation.
It is in fact necessary to prevent the situation from happening again, as if someone was able to load a script on your server, you may have some security flaw.
The first thing to do is log on to your mail server with a user with administrative rights (sudo) and be sure that the php.ini file of your domain (and/or the global server) contains the following line:
mail.add_x_header = On
without which what we will do next will not produce any useful result.
Once checked this, you will need to inspect the mail queue with the command:
In the first column you will see the unique ID of each outgoing email, for example:
DA5E8647235C 369763 Wed Mar 29 16:30:19 firstname.lastname@example.org (connect to somedomain.com[18.104.22.168]:25: Connection refused) email@example.com
Once identified one of these emails that is obviously spam, we are going to examine its details with the command:
postcat -q <ID>
and we search for a line starting with “X-PHP-Originating-Script” (present thanks to the php.ini line mentioned above).
For example, using grep to avoid having to manually scroll through the email content:
postcat -q DA5E8647235C | grep X-PHP-Originating-Script
we could get an output like this:
The number 45 is the UID, which is the Linux user ID that ran the script, while badmailer.php is the script that is sending spam emails.
At this point you’ll just have to locate badmailer.php file, delete it or clean it up, and above all to understand how it was uploaded to your server and executed from there.
If your header does not contain the X-PHP-Originating-Script row, most likely your mail account has been hacked, and is used to “legitimately” send spam from your server. In this case, identified a spam outbound email, you should launch the following command to see which account was used for authentication:
postcat -q DA5E8647235C | grep sasl_username
You’ll get an output like this:
In the example, you must immediately change firstname.lastname@example.org account’s password with a stronger one (long, with special, uppercase and lowercase characters).
Another thing you can do to contain the damage is flush your outgoing mail queue with the following command:
postsuper -d ALL
If, however, important emails are also queued in addition to spam emails, you’ll have to delete the unwanted emails individually with the command:
postsuper -d <ID>
So, in the example we will launch the following command:
postsuper -d DA5E8647235C
That’s it … if you run into trouble, just add a comment to this article and we’ll try to help you!