I've had some spam heading out of my hosting server. In the logs I see a lot of ...
    Feb 9 06:32:01 hosting postfix/qmgr[3489]: AC826A57: from=<[email protected]>, size=12217, nrcpt=1 (queue active)
I know that web37 is the user for a customer's site; however, I'm not able to find out what is being used to send the spam. I *assume* that because web37 is sending the spam, it is a web form (or similar) on that site being used. The Apache logs haven't shed any light on what, though. Any help would be great, thanks in advance.
Edit the corresponding php.ini and add/enable:
Code:
    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
That should help. (Don't forget to restart Apache.)
Looks like a bunch of spam just went through. I have nothing in /var/log/phpmail.log. I did verify with phpinfo.php that I am editing the correct php.ini.
Take a look at the mail content with the postcat command. If the spam is sent by a PHP script in website web37, which is very likely when web37 is the user, then you will find the name of the hacked script in the mail header. http://www.howtoforge.com/forums/showthread.php?t=64820
I just wanted to follow up and say thanks. The spam started again and while it had already left the queue and I couldn't postcat it, I was able to see from the logs that Amavis had quarantined some of the messages and I checked the virusmails directory and found that information.
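Added example, not part of the thread: a shell function that applies the header check discussed above to many saved messages at once (saved `postcat -q` output or quarantined copies) by tallying the `X-PHP-Originating-Script` header that PHP adds when `mail.add_x_header = On`. The function names `tally_php_scripts` and `write_samples`, the script names and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally X-PHP-Originating-Script headers.
# Usage: tally_php_scripts FILE...  (saved `postcat -q ID` output or uncompressed quarantined copies)
# Output: "COUNT UID SCRIPT", most frequent first; "COUNT - (no-header)" for mail lacking the header.
# Assumption: no blank line precedes the header block in each file.
tally_php_scripts() {
    awk '
        function emit_missing() { if (nfiles && !found) print "-", "(no-header)" }
        FNR == 1 { emit_missing(); nfiles++; found = 0; done = 0; seen = 0 }
        done { next }
        /^\r?$/ { if (seen) done = 1; next }      # blank line ends the header block
        { seen = 1 }
        tolower($0) ~ /^x-php-originating-script:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)       # strip the header name
            sub(/[ \t\r]+$/, "", value)           # strip trailing space or CR
            i = index(value, ":")                 # value is "uid:script"
            if (i == 0) print "?", value
            else print substr(value, 1, i - 1), substr(value, i + 1)
            found = 1; done = 1
        }
        END { emit_missing() }
    ' "$@" | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 | sed 's/^ *//'
}

# Constructed sample messages (not real mail): LF and CRLF line endings, a message
# where the header text appears only in the body, and one with a postcat-style banner.
write_samples() {
    printf 'From: web37@hosting.example\nX-PHP-Originating-Script: 1037:contact.php\nSubject: a\n\nbody\n' > "$1/m1"
    printf 'From: web37@hosting.example\r\nx-php-originating-script: 1037:contact.php\r\n\r\nbody\r\n' > "$1/m2"
    printf 'From: web37@hosting.example\nSubject: c\n\nX-PHP-Originating-Script: 0:body-only.php\n' > "$1/m3"
    printf '*** MESSAGE CONTENTS sample ***\nX-PHP-Originating-Script: 1037:wp-cache.php\n\nbody\n' > "$1/m4"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
tally_php_scripts "$demo_dir"/m*
rm -rf "$demo_dir"
```

Messages counted under `(no-header)` either did not go through PHP's mail() function or were sent while `mail.add_x_header` was off.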