
I have had this problem before with crap WordPress sites on my server, but it was always easy to find the source, a PHP script, by looking at the spam header and seeing the PHP script's name. But this time I got something different.

The spam isn't actually being sent; it's being dropped by Postfix, but it originates from localhost and I need to find where it comes from.

Dec  8 13:02:29 myserver postfix/smtpd[22018]: NOQUEUE: reject: RCPT from myserver.local[127.0.0.1]: 550 5.1.0 <msg676@domainonmyserver.tld>: Sender address rejected: User unknown in virtual mailbox table; from=<msg676@domainonmyserver.tld> to=<rodrigo.menck@itelefonica.com.br> proto=ESMTP helo=<domainonmyserver.tld>

As you can see, it tries to send under a phony account, so it gets dropped. Before I fixed my Postfix settings it was actually trying to send these out, so I got a look at the spam itself, and it didn't have a header indicating a PHP script somewhere (that was a first; they always did before). Another strange thing is that it doesn't try to flood Postfix with spam; instead it is sending them out one or two a minute.

Any idea how to track the source down would be appreciated. Thanks.

Saffer
  • 21
  • 1

2 Answers

1

Auditd Logging

Assuming this is not occurring through a network socket (given your PHP header is not working), I would log all access to Postfix itself. Create auditd rules that log all access to the Postfix binaries.

Get a list of all the Postfix files:

rpm -ql postfix | egrep "postfix|sendmail" | grep bin

then generate an audit.rules file (that will likely go in /etc/audit/audit.rules, but this varies from distro to distro) that looks something like:

-w /usr/sbin/sendmail -p wra -k postfix_access
-w /usr/sbin/sendmail.postfix -p wra -k postfix_access

...etc

You may have to run this to update your rules:

augenrules

To send this output to syslog/Splunk:

sed -i -e 's/^active.*/active = yes/g' /etc/audisp/plugins.d/syslog.conf

Then restart auditd.

This may give you more clues about what is calling Postfix at the time the emails are being generated.

Aaron
  • 2,859
  • 2
  • 12
  • 30
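Once the audit rules are in place, the useful fields are spread over several records that share one event serial: the SYSCALL record carries the uid and the parent pid, the CWD record the working directory (for PHP this is usually the directory of the script), and the EXECVE record the arguments. The script below, an added example that is not part of the answer above, groups raw `ausearch --raw` output by serial and summarises who ran sendmail from where. Two assumptions beyond the answer: the watch rule needs the execute permission (`-p x`) to fire on execve, since `-p wra` only covers read/write/attribute access; and because the reject line in the question came from postfix/smtpd with `proto=ESMTP` from 127.0.0.1, which sendmail(1) never produces (it hands mail to postdrop), the script also understands SOCKADDR records from an added syscall rule `-a always,exit -F arch=b64 -S connect -k smtp_connect` so that a process talking SMTP to localhost:25 is caught too. The sample log is constructed, not a real capture.

```python
#!/usr/bin/env python3
"""Summarise auditd events that show who is running sendmail or connecting to
the local SMTP port.  Usage (assumed rule keys, see comments below):

    ausearch --raw --start today | python3 audit_mail_callers.py
"""
import re
import sys
from collections import Counter, defaultdict

# Keys assumed in audit.rules (the connect rule is an addition, not from the answer):
#   -w /usr/sbin/sendmail.postfix -p x -k postfix_access
#   -a always,exit -F arch=b64 -S connect -k smtp_connect
KEYS = {"postfix_access", "smtp_connect"}

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")      # seconds, serial
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')              # key=value or key="value"

# Constructed sample of `ausearch --raw` output (not a real capture): a connect()
# to 127.0.0.1:25 from php-fpm, two sendmail runs by the web server user from a
# WordPress uploads directory, one sendmail run by root, and one unrelated record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1418036548.900:9000): arch=c000003e syscall=42 success=yes exit=0 items=0 ppid=22101 pid=22150 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" key="smtp_connect"
type=SOCKADDR msg=audit(1418036548.900:9000): saddr=020000197F0000010000000000000000
type=CWD msg=audit(1418036548.900:9000):  cwd="/var/www/html/wp-content/uploads"
type=SYSCALL msg=audit(1418036549.201:9001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=22101 pid=22102 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
type=EXECVE msg=audit(1418036549.201:9001): argc=3 a0="/usr/sbin/sendmail" a1="-t" a2="-i"
type=CWD msg=audit(1418036549.201:9001):  cwd="/var/www/html/wp-content/uploads"
type=SYSCALL msg=audit(1418036610.007:9002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=22101 pid=22140 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
type=EXECVE msg=audit(1418036610.007:9002): argc=3 a0="/usr/sbin/sendmail" a1="-t" a2="-i"
type=CWD msg=audit(1418036610.007:9002):  cwd="/var/www/html/wp-content/uploads"
type=SYSCALL msg=audit(1418036700.550:9003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1190 pid=22188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" key="postfix_access"
type=EXECVE msg=audit(1418036700.550:9003): argc=2 a0="/usr/sbin/sendmail" a1="root"
type=CWD msg=audit(1418036700.550:9003):  cwd="/root"
type=SYSCALL msg=audit(1418036701.000:9004): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="log_access"
"""


def parse_fields(line):
    """Turn one raw record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_saddr(hexstr):
    """Decode the saddr= field of a SOCKADDR record (AF_INET only)."""
    b = bytes.fromhex(hexstr)
    family = int.from_bytes(b[0:2], "little")      # sa_family is in host byte order
    if family == 2 and len(b) >= 8:                # AF_INET: port big-endian, then IPv4
        return ("AF_INET", ".".join(str(x) for x in b[4:8]), int.from_bytes(b[2:4], "big"))
    return ("family%d" % family, None, None)


def parse_audit(text, keys=KEYS):
    """Group raw records by event serial; keep only events tagged with our keys."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = int(m.group(1)), int(m.group(2))
        f = parse_fields(line)
        ev = events[serial]
        rtype = f.get("type")
        if rtype == "SYSCALL":
            ev.update(ts=ts, serial=serial, ppid=int(f["ppid"]), pid=int(f["pid"]),
                      uid=int(f["uid"]), comm=f.get("comm"), exe=f.get("exe"),
                      key=f.get("key"))
        elif rtype == "EXECVE":
            ev["argv"] = [f.get("a%d" % i, "") for i in range(int(f["argc"]))]
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "SOCKADDR":
            ev["dest"] = decode_saddr(f["saddr"])
    return [ev for ev in events.values() if ev.get("key") in keys]


def summarize(events):
    """Count events per (uid, comm, cwd): the caller's identity and location."""
    return Counter((e["uid"], e["comm"], e.get("cwd")) for e in events)


def events_near(events, epoch, window=5):
    """Events within `window` seconds of a Postfix log timestamp given as epoch."""
    return [e for e in events if abs(e["ts"] - epoch) <= window]


def main():
    events = parse_audit(sys.stdin.read())
    for (uid, comm, cwd), n in summarize(events).most_common():
        print(f"{n:4d}  uid={uid} comm={comm} cwd={cwd}")
    for e in events:
        if e.get("dest"):   # SMTP talkers: check /proc/<ppid> or ps while it is alive
            print(f"connect pid={e['pid']} ppid={e['ppid']} -> {e['dest'][1]}:{e['dest'][2]}")


if __name__ == "__main__":
    main()
```

Run it once a few of the rejects have been logged, then look up the `ppid` values it prints with `ps -o pid,ppid,user,cmd -p <ppid>` while the parent is still alive; the `cwd` column is usually enough on its own to point at the offending site directory.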
0

First, you should add the mail.add_x_header option to your php.ini:

mail.add_x_header = On

It will add a header to your emails which will contain the name of the script that called the mail() function.

If that doesn't help, you can follow this tutorial to create a wrapper for sendmail, which will also log everything.

Anubioz
  • 3,677
  • 18
  • 23
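A sendmail wrapper of the kind the answer mentions, written here as an added example rather than taken from the answer or the linked tutorial: it records the calling uid, the parent process (command line and working directory from /proc), the sendmail arguments and the interesting headers, including the X-PHP-Originating-Script header that mail.add_x_header adds, then passes the unchanged message to the real binary. Assumptions: the real binary is /usr/sbin/sendmail.postfix (the name behind the /usr/sbin/sendmail alternatives link on RHEL-family systems), the log file is /var/log/sendmail-wrapper.log and must be writable by the web server user, and php.ini points at the wrapper with `sendmail_path = "/usr/local/sbin/sendmail-logger -t -i"`. The sample message is constructed in the shape of the spam from the question.

```python
#!/usr/bin/env python3
"""Logging wrapper for sendmail: record who called it, then hand the message
to the real Postfix sendmail binary unchanged."""
import json
import os
import subprocess
import sys
import time
from email.parser import BytesParser

# Assumed paths; adjust for your system.
REAL_SENDMAIL = "/usr/sbin/sendmail.postfix"   # real binary (RHEL/CentOS name)
LOG_FILE = "/var/log/sendmail-wrapper.log"     # must be writable by the web server user
WANTED = ("From", "To", "Subject", "X-PHP-Originating-Script", "Message-ID")

# Constructed sample message (not a real capture), including the header that
# mail.add_x_header = On makes PHP add: "<uid>:<script path>".
SAMPLE_MESSAGE = (
    b"To: someone@example.net\r\n"
    b"Subject: hello\r\n"
    b"From: msg676@domainonmyserver.tld\r\n"
    b"X-PHP-Originating-Script: 48:wp-content/uploads/cache.php\r\n"
    b"\r\n"
    b"body\r\n"
)


def extract_headers(raw, wanted=WANTED):
    """Return the interesting headers of a raw RFC 5322 message as a dict."""
    msg = BytesParser().parsebytes(raw, headersonly=True)
    return {name: msg[name] for name in wanted if msg[name] is not None}


def read_parent(ppid):
    """Best-effort look at the parent process via /proc (Linux only)."""
    info = {"ppid": ppid}
    try:
        with open(f"/proc/{ppid}/cmdline", "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        info["cwd"] = os.readlink(f"/proc/{ppid}/cwd")
    except OSError as exc:          # parent already gone, or no permission
        info["error"] = str(exc)
    return info


def build_record(argv, parent, uid, headers, now=None):
    """Combine the pieces into one log record (a dict; main() writes it as JSON)."""
    return {
        "time": now if now is not None else time.time(),
        "uid": uid,
        "argv": list(argv),
        "parent": parent,
        "headers": headers,
    }


def main():
    raw = sys.stdin.buffer.read()   # sendmail -t reads the whole message from stdin
    record = build_record(sys.argv[1:], read_parent(os.getppid()), os.getuid(),
                          extract_headers(raw))
    try:
        with open(LOG_FILE, "a") as fh:
            fh.write(json.dumps(record) + "\n")
    except OSError:
        pass                        # do not lose legitimate mail because logging failed
    proc = subprocess.run([REAL_SENDMAIL, *sys.argv[1:]], input=raw)
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Installed only through php.ini, the wrapper sees PHP mail() callers alone; to catch anything else that runs sendmail it has to sit at /usr/sbin/sendmail itself, with REAL_SENDMAIL pointing at the renamed original. It cannot see a process that speaks SMTP to 127.0.0.1:25 directly, which is what the `postfix/smtpd ... proto=ESMTP` reject line in the question suggests; if the log stays empty while rejects keep appearing, that is the case to look at next.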