
I have a server running sendmail. It started sending out tons of spam. I went in, shut down sendmail, and cleaned out the queue (removed everything in /var/spool/mqueue).

However, as soon as I restart sendmail, the queue starts filling up again with spam mails.

How can I find out where they are coming from?

Thanks

Kevin
  • Did you check the log file? – Khaled Aug 15 '12 at 06:53
  • If you mean /var/log/maillog, yes; as soon as I restart sendmail it starts showing all the spam messages trying to go out. But I can't seem to find what is injecting the messages into the queue to stop it – Kevin Aug 15 '12 at 07:02
  • Didn't you find a line like `Connect from ...`? – Khaled Aug 15 '12 at 07:03
  • Always the obvious one! I blocked incoming port 25, turned on sendmail and it looks like it's OK. Thanks so much for the suggestion. It looks like either the server was reconfigured to be an open relay, or was never properly installed. In either case I know how to fix it now. Thanks so much for the help! – Kevin Aug 15 '12 at 07:11

1 Answer


Check `mailq -Ac` — this is a separate queue for locally submitted mail. I suppose a website on this server was compromised and this spam is coming from this website.

Tometzky
  • Yep, I found more in there as well. I cleaned those out. I checked all the files modified in the last 7 days but haven't found a culprit yet as to how the mail was injected. But thanks for the suggestion – Kevin Aug 15 '12 at 07:22
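
The two sources discussed in this thread (mail relayed in over port 25 versus mail submitted locally, for example by a web application) can be told apart in /var/log/maillog. The following is an added example, not part of the original posts: it tallies sendmail `from=` log lines by submitting relay. It assumes the usual sendmail log layout, in which SMTP-received mail carries a `daemon=` field and local command-line submissions log `relay=user@localhost` without one; the log lines and the function names `sample_log` and `mail_sources` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of sendmail "from=" log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Aug 15 06:40:01 mx sendmail[2101]: q7F6e1aa002101: from=<a@spam.example>, size=2048, class=0, nrcpts=50, msgid=<1@spam.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Aug 15 06:40:02 mx sendmail[2102]: q7F6e2bb002102: from=<b@spam.example>, size=2051, class=0, nrcpts=50, msgid=<2@spam.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Aug 15 06:40:03 mx sendmail[2103]: q7F6e3cc002103: from=<c@spam.example>, size=2040, class=0, nrcpts=50, msgid=<3@spam.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Aug 15 06:41:10 mx sendmail[2110]: q7F6fAdd002110: from=apache, size=900, class=0, nrcpts=1, msgid=<4@mx.example>, relay=apache@localhost
Aug 15 06:41:11 mx sendmail[2111]: q7F6fBee002111: from=apache, size=905, class=0, nrcpts=1, msgid=<5@mx.example>, relay=apache@localhost
Aug 15 06:42:00 mx sendmail[2120]: q7F6g0ff002120: to=<user@dest.example>, delay=00:00:01, mailer=esmtp, relay=mail.dest.example. [198.51.100.9], dsn=2.0.0, stat=Sent
EOF
}

# Read a maillog on stdin and print "count kind relay", busiest source first.
#   kind=smtp  : accepted over the network by a sendmail daemon (daemon= present)
#   kind=local : submitted on this host via the sendmail command line
# Assumption: relay= is the last field on "from=" lines, as in stock sendmail.
mail_sources() {
    awk '
        /: from=/ && /relay=/ {
            kind = ($0 ~ /daemon=/) ? "smtp" : "local"
            relay = $0
            sub(/.*relay=/, "", relay)     # keep only the relay value
            count[kind " " relay]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real host: mail_sources < /var/log/maillog
sample_log | mail_sources
```

A remote address dominating the `smtp` rows points to relaying over port 25, while `local` rows name the account (here the hypothetical `apache`) whose processes are submitting mail.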