Trying to find out what is sending mail on my server
For the past few months, I noticed my mail queue has been increasing in size to an average of about 50 undelivered mails. When I look at my mailqueue, I see entries like these:
Code:
E20C4229A7 1493 Tue Nov 6 09:58:13 www-data@<servername>

I have a few websites running on this server, each has a forum running. So at first I thought these were spam signups, but if I look at the forums' log files, I don't see the emails found in the queue. So it looks like it's not coming from the forums. Since postqueue only lists email that it fails to deliver to cmail.org/com, I believe this is only a small percentage of the true number of emails this server sends out. Is there a way to find out where these emails come from? Which process/program is sending them? |
The fact that the logs are showing it coming from www-data@<servername> suggests that it could be coming from your web server, or at least the web server user, which could mean someone hijacking a process owned by that user. As you mention a forum, it is also possible that you have content that contains the code to send messages. This is a common trick. The first thing to check would be to see if the versions of software you're running on your system have known vulnerabilities that could explain this.
Following that, your idea to try to track down the process is the way to go. However, this can be a little bit tricky, especially if your log files are not showing the process / user. Part of the problem will be to capture it happening, as almost all of the tools used will give you static snapshots. You could try something like the following (borrowing from one of unSpawn's posts):

Code:
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; \ls -al /var/spool/cron 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /path/to/data.txt

The next level up the difficulty chain would be to try to use a program like iftop or tcpdump to capture traffic on your local loopback interface and see what you can find making use of port 25. You could also try shutting down a service, like your web server, to see if it stops. However, given that your logs are showing the user being www-data and that you are running a user content forum system, I would start looking through the post content. |
Yes, www-data is the user apache runs as. So I know it's coming from one of the forums but I don't know which one. The largest is running on forum software I wrote myself and although I can never be 100% sure of course, I'm pretty sure I didn't leave some glaring holes open through which mail can be relayed.
Then there are a few smaller forums that run on phpBB. I don't know anything about that. Simplistically thinking, couldn't I just rename postfix (sendmail) to postfix2 and then write my own little script and call that postfix? That way intercept all outgoing email and log which process is calling postfix? |
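The interception idea from the post above, worked through as an added example (not code from anyone in this thread): PHP and most forum software hand mail to the sendmail binary, not to the postfix daemon, so the thing to wrap is /usr/sbin/sendmail. The script logs who called it (user, parent command line, parent working directory, arguments) and then passes the message to the real binary; the paths /usr/sbin/sendmail.real and /var/log/sendmail-wrapper.log are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: a logging wrapper installed in place of
# /usr/sbin/sendmail (the binary PHP's sendmail_path invokes). Assumes the real
# binary was moved to /usr/sbin/sendmail.real; both paths are hypothetical.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
LOGFILE="${SENDMAIL_WRAPPER_LOG:-/var/log/sendmail-wrapper.log}"

# Parent process details from /proc (Linux); "unknown" if unreadable.
parent_cmdline() { tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline" || echo unknown; }
parent_cwd()     { readlink "/proc/$1/cwd" 2>/dev/null || echo unknown; }

# Build one log record from already-gathered values (kept pure so it can be tested).
# $1 user, $2 pid, $3 ppid, $4 parent command line, $5 cwd, rest = sendmail args.
format_caller() {
    user="$1"; pid="$2"; ppid="$3"; parent="$4"; cwd="$5"; shift 5
    printf 'user=%s pid=%s ppid=%s parent="%s" cwd=%s args="%s"' \
        "$user" "$pid" "$ppid" "$parent" "$cwd" "$*"
}

# Only act as the wrapper when invoked under the sendmail name, so this file
# can also be run directly (e.g. for testing) without sending anything.
case "${0##*/}" in
    sendmail)
        {
            printf '%s ' "$(date '+%Y-%m-%dT%H:%M:%S%z')"
            format_caller "$(id -un)" "$$" "$PPID" \
                "$(parent_cmdline "$PPID")" "$(parent_cwd "$PPID")" "$@"
            printf '\n'
        } >> "$LOGFILE"
        # Hand the message to the real MTA client unchanged.
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

The parent's working directory is usually enough to tell which vhost's forum called sendmail; for PHP-backed forums, PHP's own mail.log and mail.add_x_header ini settings record the calling script directly without any wrapper.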
Ah, never mind. I found out what was sending the emails. It's actually my honeypot forum sending out confirmation emails to fake email addresses used by the spammers. This forum was actually the first forum I checked but I was looking at the wrong database when I cross-referenced the email addresses... :o