Hi, I guess my server got hacked today - the load went to 60, and there's been some spam sent out. I can see there are mails sent from / to random addresses not related to me or my clients. Is there a way of knowing which client/site was hacked and where exactly this sendout is happening?
Check if you still have mails in the mailqueue that you can look at: https://www.faqforge.com/linux/how-to-find-out-who-sent-a-email-in-postfix-mailqueue/
Follow the link, it explains which headers are relevant. Each website has its own web user and a unique user ID, so you can look the user ID up in /etc/passwd and then you have the username like web33, and 33 is the ID of the website.
Thanks, got it sorted, a web form was compromised. Is there any barrier to prevent sending more than XX emails per day? (per client or globally per server?) Maybe there's a possibility of pinging the admin if more than XX emails were sent? I mean, next time how can I catch a similar problem faster? (Seems my server was used for 3 days and sent tons of emails.)
It would be best to disable sending mail through php with the mail() function and use SMTP accounts for all forms etc. And in rspamd you can configure ratelimiting.
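As an added example (not posted by anyone in this thread), the lookup described above done in shell: PHP's X-PHP-Originating-Script header carries "uid:script", so counting those values from the queued mails and resolving the uid in /etc/passwd points at the offending web user and script. The header lines, the passwd entries and the webNN naming are constructed samples.

```shell
#!/bin/sh
# Added example: map the uid in PHP's X-PHP-Originating-Script header
# (format "uid:script", written when php.ini has mail.add_x_header = On)
# to the web user in /etc/passwd and rank the senders by queued mail count.

# Constructed sample: header lines as shown by `postcat -q <queue-id>` for several queued mails.
SAMPLE_HEADERS='X-PHP-Originating-Script: 5033:contact.php
X-PHP-Originating-Script: 5033:contact.php
X-PHP-Originating-Script: 5012:newsletter.php
X-PHP-Originating-Script: 5033:contact.php'

# Constructed sample of /etc/passwd entries (webNN users are an assumption).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
web12:x:5012:5012::/var/www/clients/client3/web12:/bin/false
web33:x:5033:5033::/var/www/clients/client5/web33:/bin/false'

# uid_to_user UID PASSWD_TEXT -> prints the login name for UID (empty if unknown)
uid_to_user() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# count_senders HEADERS PASSWD_TEXT -> one "count user script" line per distinct
# uid:script value, most frequent first; unknown uids are printed as uidNNNN.
count_senders() {
    printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script: *//p' | sort | uniq -c | sort -rn |
    while read -r count origin; do
        uid=${origin%%:*}
        script=${origin#*:}
        user=$(uid_to_user "$uid" "$2")
        printf '%s %s %s\n' "$count" "${user:-uid$uid}" "$script"
    done
}

# On a live server, feed the real queue and passwd file instead of the samples, e.g.:
#   ids=$(postqueue -p | awk '/^[0-9A-Za-z]+[*!]? / { sub(/[*!]$/, "", $1); print $1 }')
#   headers=$(for id in $ids; do postcat -q "$id" | grep '^X-PHP-Originating-Script'; done)
#   count_senders "$headers" "$(cat /etc/passwd)"
count_senders "$SAMPLE_HEADERS" "$SAMPLE_PASSWD"
```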