Hello! One of my servers keeps getting listed on the SpamHaus XBL list. How do I find out which mailbox is the problematic one?
Watch the mail queue, scan for malware (!), check for outdated software (e.g. WordPress, Joomla etc.), and check the contents and headers of the mails in the queue. As this is a continuous job, you may try using a service like http://ispprotect.com
And when you find that the mail queue grows, you can inspect the content of the mails that stick in the queue with the postcat command to find out which account or website has sent them.
This means that the mail server of the sender is blacklisted. That's an issue on the sending server and not your server.
Ok. Then you should check the link in the message to see when spam has been reported to be sent from your server. Next, check the mail.log to see if you find an unusual amount of messages sent at that time in your log.
This is why I asked HERE if there is some kind of tool that can help me identify the amount of messages per mailbox. Is there? Because, then I would be able to look at some specific accounts and scan for viruses on the computers on which those accounts are configured.
You could start by doing a grep, e.g.

Code:
grep '[email protected]' /var/log/mail.log | grep 'sasl'

This should list SMTP logins for this login. This won't help if the mails are not sent via SMTP but via PHP mail() or something like that. This will give you a quick overview of all senders in your mail.log (external and internal):

Code:
grep 'from=<' /var/log/mail.log | grep 'qmgr' | awk '{print $7}' | sed -r 's/^.*=<([^>]*)>.*$/\1/' | sort | uniq -c | sort -n
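The grep approach above, carried a bit further as an added example (this is not code from the thread): a shell script that counts messages per SASL login, per envelope sender, per local pickup uid (PHP mail(), cron) and per hour, so the numbers can be lined up with the time shown on the Spamhaus lookup page. The mail.log lines, host name mx1, addresses and queue IDs are all constructed for the example. The sample deliberately shows a compromised login sending with a forged envelope sender: the sasl_username count exposes it, while the envelope-sender count alone would point at an address that does not even exist on the server.

```shell
#!/bin/sh
# Added example, not from the thread. Counts Postfix mail.log activity per
# SASL login, per envelope sender, per local pickup uid and per hour.
# Everything in the sample log below is constructed; it is not a real log.

make_sample_log() {
  cat > "$1" <<'EOF'
Oct  5 10:12:01 mx1 postfix/smtpd[2345]: A4BB562D12DC: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  5 10:12:01 mx1 postfix/qmgr[1200]: A4BB562D12DC: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Oct  5 10:12:05 mx1 postfix/smtpd[2346]: 1C4F862D12E1: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  5 10:12:05 mx1 postfix/qmgr[1200]: 1C4F862D12E1: from=<bob@example.com>, size=2048, nrcpt=40 (queue active)
Oct  5 10:12:09 mx1 postfix/smtpd[2346]: 2D5A962D12E5: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  5 10:12:09 mx1 postfix/qmgr[1200]: 2D5A962D12E5: from=<promo@random.invalid>, size=2048, nrcpt=40 (queue active)
Oct  5 10:12:14 mx1 postfix/smtpd[2346]: 3E6BA62D12E9: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  5 10:12:14 mx1 postfix/qmgr[1200]: 3E6BA62D12E9: from=<promo@random.invalid>, size=2048, nrcpt=40 (queue active)
Oct  5 10:12:20 mx1 postfix/smtpd[2346]: 4F7CB62D12ED: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  5 10:12:20 mx1 postfix/qmgr[1200]: 4F7CB62D12ED: from=<promo@random.invalid>, size=2048, nrcpt=40 (queue active)
Oct  5 10:12:26 mx1 postfix/smtpd[2346]: 5A8DC62D12F1: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  5 10:12:26 mx1 postfix/qmgr[1200]: 5A8DC62D12F1: from=<promo@random.invalid>, size=2048, nrcpt=40 (queue active)
Oct  5 11:03:30 mx1 postfix/pickup[1199]: B1C2D3E4F5A6: uid=33 from=<www-data>
Oct  5 11:03:30 mx1 postfix/qmgr[1200]: B1C2D3E4F5A6: from=<www-data@mx1.example.com>, size=800, nrcpt=50 (queue active)
Oct  5 11:03:31 mx1 postfix/pickup[1199]: C2D3E4F5A6B7: uid=33 from=<www-data>
Oct  5 11:03:31 mx1 postfix/qmgr[1200]: C2D3E4F5A6B7: from=<www-data@mx1.example.com>, size=800, nrcpt=50 (queue active)
Oct  5 11:03:32 mx1 postfix/pickup[1199]: D3E4F5A6B7C8: uid=33 from=<www-data>
Oct  5 11:03:32 mx1 postfix/qmgr[1200]: D3E4F5A6B7C8: from=<www-data@mx1.example.com>, size=800, nrcpt=50 (queue active)
Oct  5 11:05:00 mx1 postfix/qmgr[1200]: E4F5A6B7C8D9: from=<>, size=3000, nrcpt=1 (queue active)
EOF
}

# Messages per authenticated SMTP login. This is the reliable key for a
# compromised mailbox: the envelope sender can be forged by whoever holds
# the password, the sasl_username cannot.
sasl_counts() {
  grep 'sasl_username=' "$1" \
    | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Messages per envelope sender as queued by qmgr (SMTP and local submissions).
sender_counts() {
  grep 'postfix/qmgr' "$1" | grep 'from=<' \
    | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Messages handed in locally via sendmail/pickup (PHP mail(), cron), per uid.
# The uid maps to a website or system user: getent passwd <uid>.
pickup_counts() {
  grep 'postfix/pickup' "$1" \
    | sed -n 's/.*uid=\([0-9]*\) from=<\([^>]*\)>.*/uid=\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Queued messages per hour, to compare with the time on the XBL lookup page.
hourly_counts() {
  grep 'postfix/qmgr' "$1" | grep 'from=<' \
    | awk '{ print $1, $2, substr($3, 1, 2) ":00" }' \
    | sort | uniq -c | sort -rn
}

# Key (second column) of the top line of a "count key" listing.
top_key() { head -n 1 | awk '{ print $2 }'; }

LOG=$(mktemp)
make_sample_log "$LOG"
echo "== per SASL login";      sasl_counts "$LOG"
echo "== per envelope sender"; sender_counts "$LOG"
echo "== per pickup uid";      pickup_counts "$LOG"
echo "== per hour";            hourly_counts "$LOG"
```

Run it against the real file by replacing the sample with /var/log/mail.log (on a busy server use the rotated logs for the reported time window as well). A login at the top of the SASL list with an envelope sender it does not own, or a pickup uid belonging to a web site user with a large nrcpt, is the account or site to look at first.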
To prevent outgoing connections on port 25 you can add a rule to your firewall to block those connections if the user is not your smtpd.
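One concrete form of the firewall rule described above, as an added example that is not from the thread: only the user the Postfix smtp client runs as may open outbound port 25; any other process gets logged with its local uid (so the offending website or account can be identified from the kernel log) and then refused. Assumptions: iptables with the owner and LOG match modules, and Postfix delivering as user "postfix" (mail_owner). The script only calls iptables when run as root; otherwise it prints what it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict outbound SMTP (port 25) to the
# Postfix delivery user and log everything else with the sending uid.
# Assumptions: iptables with owner and LOG modules; Postfix runs as "postfix".

SMTP_USER=${SMTP_USER:-postfix}

# Apply a rule as root; otherwise print it so the script is safe to run anywhere.
rule() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    iptables "$@" || echo "iptables failed: $*" >&2
  else
    echo "dry run: iptables $*"
  fi
}

# Postfix itself may talk to remote MTAs.
rule -A OUTPUT -p tcp --dport 25 -m owner --uid-owner "$SMTP_USER" -j ACCEPT
# Anything else gets logged (rate limited) together with the local uid ...
rule -A OUTPUT -p tcp --dport 25 -m limit --limit 10/min \
     -j LOG --log-prefix "blocked smtp: " --log-uid
# ... and is refused with a TCP reset so the script fails fast instead of hanging.
rule -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
```

Mail sent through the local sendmail binary (PHP mail(), cron) still reaches Postfix via pickup and is not affected; only scripts and malware that connect to remote mail servers directly are cut off, and the "blocked smtp:" kernel log entries carry the uid that tried.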
@Croydon That presumes that I know which logon is sending spam? But I do not know that; this is what I'm trying to find out. @florian030 I'm not sure what you mean. Could you please explain?
You can see the sending account in the mail headers. Get a suspicious mail ID from the postqueue list and check it with the postcat command. Example:

Code:
postcat /var/spool/postfix/deferred/A/A4BB562D12DC