{"id":1558,"date":"2017-04-03T11:01:25","date_gmt":"2017-04-03T09:01:25","guid":{"rendered":"https:\/\/www.nullalo.com\/?p=1558"},"modified":"2025-10-22T10:15:33","modified_gmt":"2025-10-22T08:15:33","slug":"postfix-to-identify-php-script-sending-spam","status":"publish","type":"post","link":"https:\/\/www.nullalo.com\/en\/postfix-how-to-identify-a-php-script-sending-spam\/","title":{"rendered":"Postfix: How to identify a PHP script sending spam"},"content":{"rendered":"

<\/p>\n

Your domain is hosted on a Linux server using Postfix<\/strong>\u00a0to send emails and is blacklisted for spam<\/strong>?<\/p>\n

You probably have a malicious script<\/strong>\u00a0sending a large number of emails directly from the server … well, you get the enemy at home!<\/p>\n

If your outgoing mail daemon (ie the software used to send emails) is Postfix, you can identify the source of spam<\/strong> in just a few simple steps.<\/p>\n

The resolution of the problem<\/strong> can be just as easy, although in most cases needs further investigation.<\/p>\n

It is in fact necessary to prevent the situation from happening again, as if someone was able to load a script on your server, you may have some security flaw.<\/p>\n

The first thing to do is log on to your mail server with a user with administrative rights<\/strong> (sudo) and be sure that the php.ini file of your domain (and\/or the global server) contains the following line:<\/p>\n

mail.add_x_header = On<\/pre>\n
without which what we will do next will not produce any useful result.<\/p>\n
Once checked this, you will need to inspect the mail queue with the command:<\/p>\n
mailq<\/pre>\n
In the first column you will see the unique ID of each\u00a0outgoing email, for example:<\/p>\n
DA5E8647235C 369763 Wed Mar 29 16:30:19 someotheruser@someotherdomain.com\r\n (connect to somedomain.com[123.123.123.123]:25: Connection refused)\r\n someuser@somedomain.com<\/pre>\n
Once identified one of these emails that is obviously spam, we are going to examine its details with the command:<\/p>\n
postcat -q <ID><\/pre>\n
and we search for a line starting with “X-PHP-Originating-Script<\/strong>” (present thanks to the php.ini line mentioned above).<\/p>\n
For example, using grep to avoid having to manually scroll through the email content:<\/p>\n
postcat -q DA5E8647235C | grep X-PHP-Originating-Script<\/pre>\n
we could get an output like this:<\/p>\n
X-PHP-Originating-Script: 45:badmailer.php<\/pre>\n
The number 45 is the UID, which is the Linux user ID that ran the script, while badmailer.php is the script that is sending spam emails.<\/p>\n
At this point you’ll just have to locate badmailer.php file, delete it or clean it up, and above all to understand how it was uploaded to your server and executed from there.<\/p>\n
If your header does not contain the X-PHP-Originating-Script row, most likely your mail account has been hacked, and is used to “legitimately” send spam from your server. In this case, identified a spam outbound email, you should launch the following command to see which account was used for authentication:<\/p>\n
postcat -q DA5E8647235C | grep sasl_username<\/pre>\n
You’ll get an output like this:<\/p>\n
named_attribute: sasl_username=info@nullalo.com<\/pre>\n
In the example, you must immediately change info@nullalo.com account’s password with a stronger one (long, with special, uppercase and lowercase characters).<\/p>\n
Another thing you can do to contain the damage is flush your outgoing mail queue with the following command:<\/p>\n
postsuper -d ALL<\/pre>\n
If, however, important emails\u00a0are also queued in addition to spam emails, you’ll have to delete the unwanted emails individually with the command:<\/p>\n
postsuper -d <ID><\/pre>\n
So, in the example we will launch the following command:<\/p>\n
postsuper -d DA5E8647235C<\/pre>\n
That’s it … if you run into trouble, just add a comment to this article and we’ll try to help you!<\/p>\n
<\/p>","protected":false},"excerpt":{"rendered":"
Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here’s what to do.<\/p>\n","protected":false},"author":2,"featured_media":1561,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[129,130],"class_list":["post-1558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reviews","tag-postfix","tag-spam"],"yoast_head":"\nPostfix: How to identify a PHP script sending spam - Nullalo!<\/title>\n<meta name=\"description\" content=\"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nullalo.com\/?p=1558\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Postfix: How to identify a PHP script sending spam - Nullalo!\" \/>\n<meta property=\"og:description\" content=\"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.nullalo.com\/?p=1558\" \/>\n<meta property=\"og:site_name\" content=\"Nullalo!\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/nullalo\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/fulvio.sicurezza\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-03T09:01:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-22T08:15:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1140\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fulvio Sicurezza\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/FulvioSicurezza\" \/>\n<meta name=\"twitter:site\" content=\"@Nullalo\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fulvio Sicurezza\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nullalo.com\/?p=1558\",\"url\":\"https:\/\/www.nullalo.com\/?p=1558\",\"name\":\"[:it]Postfix: Come identificare uno script PHP che invia spam[:en]Postfix: How to identify a PHP script sending spam[:] - Nullalo!\",\"isPartOf\":{\"@id\":\"https:\/\/www.nullalo.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nullalo.com\/?p=1558#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nullalo.com\/?p=1558#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg\",\"datePublished\":\"2017-04-03T09:01:25+00:00\",\"dateModified\":\"2025-10-22T08:15:33+00:00\",\"author\":{\"@id\":\"https:\/\/www.nullalo.com\/#\/schema\/person\/fe9c2885376a6ab076e06461ae1b546c\"},\"description\":\"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.nullalo.com\/?p=1558#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nullalo.com\/?p=1558\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nullalo.com\/?p=1558#primaryimage\",\"url\":\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg\",\"contentUrl\":\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg\",\"width\":1140,\"height\":600},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.nullalo.com\/?p=1558#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.nullalo.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Postfix: Come identificare uno script PHP che invia spam\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nullalo.com\/#website\",\"url\":\"https:\/\/www.nullalo.com\/\",\"name\":\"Nullalo!\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nullalo.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nullalo.com\/#\/schema\/person\/fe9c2885376a6ab076e06461ae1b546c\",\"name\":\"Fulvio Sicurezza\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nullalo.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2015\/02\/Fulvio-Sicurezza_avatar_1424711147-96x96.jpg\",\"contentUrl\":\"https:\/\/www.nullalo.com\/wp-content\/uploads\/2015\/02\/Fulvio-Sicurezza_avatar_1424711147-96x96.jpg\",\"caption\":\"Fulvio Sicurezza\"},\"sameAs\":[\"http:\/\/www.generalservice.na.it\",\"https:\/\/www.facebook.com\/fulvio.sicurezza\",\"http:\/\/it.linkedin.com\/in\/fulviosicurezza\",\"https:\/\/x.com\/https:\/\/twitter.com\/FulvioSicurezza\",\"https:\/\/www.youtube.com\/c\/FulvioSicurezzaIT\"],\"url\":\"https:\/\/www.nullalo.com\/en\/author\/f-sicurezza\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Postfix: How to identify a PHP script sending spam - Nullalo!","description":"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nullalo.com\/?p=1558","og_locale":"en_US","og_type":"article","og_title":"Postfix: How to identify a PHP script sending spam - Nullalo!","og_description":"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.","og_url":"https:\/\/www.nullalo.com\/?p=1558","og_site_name":"Nullalo!","article_publisher":"https:\/\/www.facebook.com\/nullalo","article_author":"https:\/\/www.facebook.com\/fulvio.sicurezza","article_published_time":"2017-04-03T09:01:25+00:00","article_modified_time":"2025-10-22T08:15:33+00:00","og_image":[{"width":1140,"height":600,"url":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg","type":"image\/jpeg"}],"author":"Fulvio Sicurezza","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/FulvioSicurezza","twitter_site":"@Nullalo","twitter_misc":{"Written by":"Fulvio Sicurezza","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.nullalo.com\/?p=1558","url":"https:\/\/www.nullalo.com\/?p=1558","name":"[:it]Postfix: Come identificare uno script PHP che invia spam[:en]Postfix: How to identify a PHP script sending spam[:] - Nullalo!","isPartOf":{"@id":"https:\/\/www.nullalo.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.nullalo.com\/?p=1558#primaryimage"},"image":{"@id":"https:\/\/www.nullalo.com\/?p=1558#primaryimage"},"thumbnailUrl":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg","datePublished":"2017-04-03T09:01:25+00:00","dateModified":"2025-10-22T08:15:33+00:00","author":{"@id":"https:\/\/www.nullalo.com\/#\/schema\/person\/fe9c2885376a6ab076e06461ae1b546c"},"description":"Your domain is hosted on a Linux server using Postfix to send emails and is blacklisted for spam? Here's what to do.","breadcrumb":{"@id":"https:\/\/www.nullalo.com\/?p=1558#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nullalo.com\/?p=1558"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nullalo.com\/?p=1558#primaryimage","url":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg","contentUrl":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2017\/04\/no_spam.jpg","width":1140,"height":600},{"@type":"BreadcrumbList","@id":"https:\/\/www.nullalo.com\/?p=1558#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.nullalo.com\/"},{"@type":"ListItem","position":2,"name":"Postfix: Come identificare uno script PHP che invia spam"}]},{"@type":"WebSite","@id":"https:\/\/www.nullalo.com\/#website","url":"https:\/\/www.nullalo.com\/","name":"Nullalo!","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nullalo.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.nullalo.com\/#\/schema\/person\/fe9c2885376a6ab076e06461ae1b546c","name":"Fulvio Sicurezza","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nullalo.com\/#\/schema\/person\/image\/","url":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2015\/02\/Fulvio-Sicurezza_avatar_1424711147-96x96.jpg","contentUrl":"https:\/\/www.nullalo.com\/wp-content\/uploads\/2015\/02\/Fulvio-Sicurezza_avatar_1424711147-96x96.jpg","caption":"Fulvio Sicurezza"},"sameAs":["http:\/\/www.generalservice.na.it","https:\/\/www.facebook.com\/fulvio.sicurezza","http:\/\/it.linkedin.com\/in\/fulviosicurezza","https:\/\/x.com\/https:\/\/twitter.com\/FulvioSicurezza","https:\/\/www.youtube.com\/c\/FulvioSicurezzaIT"],"url":"https:\/\/www.nullalo.com\/en\/author\/f-sicurezza\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/posts\/1558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/comments?post=1558"}],"version-history":[{"count":1,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/posts\/1558\/revisions"}],"predecessor-version":[{"id":1928,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/posts\/1558\/revisions\/1928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/media\/1561"}],"wp:attachment":[{"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/media?parent=1558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/categories?post=1558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nullalo.com\/en\/wp-json\/wp\/v2\/tags?post=1558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}