LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

11-08-2012, 06:01 AM   #1
Zippy1970
Member
 
Registered: Sep 2007
Posts: 118

Rep: Reputation: 17
Trying to find out what is sending mail on my server


For the past few months, I noticed my mail queue has been increasing in size to an average of about 50 undelivered mails. When I look at my mailqueue, I see entries like these:

Code:
E20C4229A7     1493 Tue Nov  6 09:58:13  www-data@<servername>
                    (connect to cmail.org[82.98.86.178]: Connection timed out)
                                         angelasyandety@cmail.org
Apparently, these emails are being sent locally and not through relaying. Besides, I've tested the server many times and it's not an open relay.

I have a few websites running on this server, each has a forum running. So at first I thought these were spam signups but if I look at the forums' log files, I don't see the emails found in the queue. So it looks like it's not coming from the forums.

Since postqueue only lists email that it fails to deliver to cmail.org/com, I believe this is only a small percentage of the true number of emails this server sends out.

Is there a way to find out where these emails come from? Which process/program is sending them?
 
11-08-2012, 10:05 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
The fact that the logs are showing it coming from www-data@<servername> suggests that it could be coming from your web server, or at least the web server user, which could mean someone hijacking a process owned by that user. As you mention a forum, it is also possible that you have content that contains the code to send messages. This is a common trick. The first thing to check would be to see if the versions of software you're running on your system have known vulnerabilities that could explain this.

Following that, your idea to try to track down the process is the way to go. However, this can be a little bit tricky, especially if your log files are not showing the process / user. Part of the problem will be to capture it happening, as almost all of the tools used will give you static snapshots. You could try something like the following (borrowing from one of unSpawn's posts):
Code:
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; \ls -al /var/spool/cron 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /path/to/data.txt
This will concatenate the process tree into a file called data.txt and should show if you have any rogue processes running.

The next level up the difficulty chain would be to try to use a program like iftop or tcpdump to capture traffic on your local loopback interface and see what you can find making use of port 25. You could also try shutting down a service, like your web server, to see if it stops.

However, given that your logs are showing the user being www-data and that you are running a user content forum system, I would start looking through the post content.
 
11-08-2012, 02:57 PM   #3
Zippy1970
Member
 
Registered: Sep 2007
Posts: 118

Original Poster
Rep: Reputation: 17
Yes, www-data is the user apache runs as. So I know it's coming from one of the forums but I don't know which one. The largest is running on forum software I wrote myself and although I can never be 100% sure of course, I'm pretty sure I didn't leave some glaring holes open through which mail can be relayed.

Then there are a few smaller forums that run on phpBB. I don't know anything about that.

Simplistically thinking, couldn't I just rename postfix (sendmail) to postfix2 and then write my own little script and call that postfix? That way I could intercept all outgoing email and log which process is calling postfix?
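The wrapper idea from the post above, worked out as an added example (not code from this thread or from Postfix). It assumes the real Postfix sendmail binary has been moved to /usr/sbin/sendmail.real (it keeps its setgid postdrop bit when moved) and this script installed in its place as /usr/sbin/sendmail; the log file path is a placeholder and must be writable by www-data.

```shell
#!/bin/sh
# Logging wrapper around the Postfix sendmail binary (added example). Every call is
# recorded with the caller's pid, command line, working directory, the recipients
# and a couple of message headers, then handed on to the real binary unchanged.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"   # assumed location
LOGFILE="${LOGFILE:-/var/log/sendmail-callers.log}"         # placeholder path

# Describe the process that invoked us. For a PHP process the cwd usually points
# at the vhost or script directory that sent the mail.
caller_context() {
    ppid="$1"
    cmd=$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null)
    cwd=$(readlink "/proc/$ppid/cwd" 2>/dev/null)
    printf 'pid=%s uid=%s cwd=%s cmd=%s' "$ppid" "$(id -u)" "${cwd:-?}" "${cmd:-?}"
}

# Envelope recipients given on the command line (everything that is not an option).
# PHP's mail() calls "sendmail -t -i", so recipients then come from the headers.
recipients_from_args() {
    out=""
    for a in "$@"; do
        case "$a" in -*) ;; *) out="$out${out:+ }$a" ;; esac
    done
    printf '%s' "$out"
}

# First value of a header field (case-insensitive) in a message file, e.g. "To"
# or "X-PHP-Originating-Script" (added by PHP when mail.add_x_header is on).
header_field() {
    awk -v f="$1" '/^$/ { exit }
        tolower($0) ~ ("^" tolower(f) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$2"
}

main() {
    msg=$(mktemp)
    cat > "$msg"                 # buffer the message so it can be inspected and forwarded
    {
        printf '%s %s args=%s' "$(date '+%Y-%m-%d %H:%M:%S')" "$(caller_context "$PPID")" "$*"
        printf ' rcpt=%s to=%s script=%s\n' "$(recipients_from_args "$@")" \
            "$(header_field To "$msg")" "$(header_field X-PHP-Originating-Script "$msg")"
    } >> "$LOGFILE"
    exec 3< "$msg"; rm -f "$msg" # keep the data on fd 3, leave no temp file behind
    exec "$REAL_SENDMAIL" "$@" <&3
}

# Only forward mail when installed under the sendmail name; sourcing the file
# elsewhere just defines the helpers and sends nothing.
case "$0" in */sendmail) main "$@" ;; esac
```

Since PHP 5.3 the same information is available without a wrapper: the php.ini directives mail.log (logs the calling script and headers of every mail() call) and mail.add_x_header (adds the X-PHP-Originating-Script header) cover the web-server case directly.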
 
11-08-2012, 03:54 PM   #4
Zippy1970
Member
 
Registered: Sep 2007
Posts: 118

Original Poster
Rep: Reputation: 17
Ah, never mind. I found out what was sending the emails. It's actually my honeypot forum sending out confirmation emails to fake email addresses used by the spammers. This forum was actually the first forum I checked but I was looking at the wrong database when I cross-referenced the email addresses...