Hello, one of my users is using his account to send spam, but the problem is that I do not know how to spot him. When I run the command "mailq | grep ^[A-F0-9] | cut -c 42-80 | sort | uniq -c | sort -n | tail" it gives me: ****** MAILER-DAEMON 2 ***** 35 [email protected] But none of my users possess [email protected]. Thank you for helping!
Take a look at the emails in your queue with the postcat command. Either you will see through which SMTP account the emails have been sent, so that you can change the password, or you will see which PHP script in which website has sent the email.
Thanks Till, I tried and it gives me a huge list: "[email protected]". None of my users possess "[email protected]".
You must use postcat, not postqueue. Postcat is a command to inspect the content of an email that is in the queue. Example: your first email in the queue has the ID 520CB1B4C422, so you can see its content with: postcat /var/spool/postfix/deferred/5/520CB1B4C422 when the email is already in the deferred queue.
The email has been sent by the account: (Authenticated sender: [email protected]) with the correct username and password. So all you have to do is change the password of that account and then restart postfix, dovecot, courier-authdaemon and saslauthd (only the software that is installed on your server).
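The check described in the two replies above, run over the whole queue at once, as an added example that is not part of the original posts. The function names, addresses and sample postcat output are constructed; it assumes short hexadecimal queue IDs and counts only the topmost "Authenticated sender" of each message, since lower Received headers can be forged by the sender.

```shell
#!/bin/sh
# Added example: tally the SASL account recorded in queued Postfix mail.

# Read mailq output on stdin, print bare queue IDs (drop the * and ! markers).
queue_ids() {
    awk '/^[A-F0-9]/ { sub(/[*!]$/, "", $1); print $1 }'
}

# Read concatenated postcat output on stdin, print "count account" lines.
# Only the first match after each "*** ENVELOPE RECORDS" marker is counted:
# that is the Received header added by this server.
count_auth_senders() {
    awk '
        /^\*\*\* ENVELOPE RECORDS/ { seen = 0 }
        !seen && match($0, /\(Authenticated sender: [^)]+\)/) {
            # skip "(Authenticated sender: " (23 chars) and the closing ")"
            print substr($0, RSTART + 23, RLENGTH - 24)
            seen = 1
        }
    ' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: three queued messages, one carrying a forged header.
sample_postcat_output() {
    cat <<'EOF'
*** ENVELOPE RECORDS deferred/5/520CB1B4C422 ***
*** MESSAGE CONTENTS deferred/5/520CB1B4C422 ***
Received: from [192.0.2.10] (unknown [192.0.2.10])
    (Authenticated sender: alice@example.com)
    by mail.example.com (Postfix) with ESMTPSA id 520CB1B4C422
Received: from forged (forged [198.51.100.7])
    (Authenticated sender: mallory@example.net)
*** MESSAGE FILE END deferred/5/520CB1B4C422 ***
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5F6 ***
Received: from [192.0.2.10] (unknown [192.0.2.10])
    (Authenticated sender: alice@example.com)
*** ENVELOPE RECORDS deferred/9/9F8E7D6C5B4A ***
Received: from [192.0.2.44] (unknown [192.0.2.44])
    (Authenticated sender: bob@example.org)
EOF
}

# On a live server, as root:
#   mailq | queue_ids | while read -r id; do postcat -q "$id"; done | count_auth_senders
```

Mail injected by a local PHP script carries no "Authenticated sender" header and will not appear in the tally; those messages still need to be read with postcat individually.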
Thank you! Do you have any suggestions to avoid this kind of problem? How to change / block port 25?
You cannot avoid this problem without shutting down your mail server. The spam has been sent through a legitimate account, e.g. because the user of this account has a virus or trojan on his desktop. Another possibility is that the user of that account used his mail account in an internet cafe or open WLAN without encryption. If this was the case, then you should tell the user to use SMTPS and POP3S/IMAPS instead of the unencrypted protocols to connect to your server.