My VPS provider has flagged one of my ISPConfig servers as sending spam. I have seen the spam report and it does appear that it has come from my server. I have checked the usual auth logs and there has been no unauthorised access to the server. I checked the mail.log and found the offending message:

Aug 7 02:01:22 myhostname postfix/qmgr[6770]: EF8BEE890: from=<[email protected]>, size=744, nrcpt=1 (queue active)
Aug 7 02:01:22 myhostname postfix/qmgr[6770]: 5AF24E898: from=<[email protected]>, size=1207, nrcpt=1 (queue active)
Aug 7 02:01:22 myhostname amavis[27049]: (27049-09) Passed CLEAN {RelayedOpenRelay}, [xxx.xxx.xxx.xxx]:21729 [xxx.xxx.xxx.xxx] <[email protected]> -> <[email protected]>, Queue-ID: EF8BEE890, Message-ID: <[email protected]>, mail_id: GfpdInFVAkoI, Hits: -1, size: 744, queued_as: 5AF24E898, 275 ms
Aug 7 02:07:48 myhostname postfix/qmgr[6770]: 5AF24E898: from=<[email protected]>, size=1207, nrcpt=1 (queue active)
Aug 7 02:17:48 myhostname postfix/qmgr[6770]: 5AF24E898: from=<[email protected]>, size=1207, nrcpt=1 (queue active)

The email address of the sender does not exist on my system but my domain.co.uk is an active domain with email accounts associated with it. The server passes the open relay tests and is not an open relay so I have no idea how this message managed to pass through. Any ideas on what I should do next? Thanks.
Check one of those messages. Run mailq to get the ID and then use postcat -q ID to view the mail. It seems that a website is infected.
Ahh. I just flushed the mail queue about 10 minutes before your reply! I'll wait a while and see if it fills up again. It had over 400 messages in it which seems to have started from the 04/08/15 so I don't think it will be long before it tops up again!
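Once the queue has been flushed, mail.log is still enough to see how each message entered Postfix. The following is an added example, not part of the original thread: it follows the amavis `Queue-ID` / `queued_as` pair (as in the log above) back to the first queue ID and reports whether that message came from a local process (`postfix/pickup`, typical for a web script) or from an authenticated SMTP login. The sample log lines, addresses, uids and IPs are constructed; the pickup and smtpd line formats are assumed to be the Postfix defaults.

```python
import re
from collections import Counter

# Constructed sample mail.log lines (all IDs, users, hosts and IPs are made up).
SAMPLE_LOG = """\
Aug  7 02:01:20 mx postfix/pickup[6769]: A1B2C3D4E: uid=5004 from=<web4>
Aug  7 02:01:20 mx postfix/qmgr[6770]: A1B2C3D4E: from=<web4@mx.example.test>, size=744, nrcpt=1 (queue active)
Aug  7 02:01:21 mx postfix/smtpd[6801]: F6E5D4C3B: client=localhost[127.0.0.1]
Aug  7 02:01:21 mx amavis[27049]: (27049-09) Passed CLEAN {RelayedOutbound}, <web4@mx.example.test> -> <a@example.net>, Queue-ID: A1B2C3D4E, mail_id: Gf1, Hits: -1, size: 744, queued_as: F6E5D4C3B, 275 ms
Aug  7 02:03:10 mx postfix/smtpd[6802]: 0AA11BB22: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=info@example.test
Aug  7 02:03:11 mx postfix/smtpd[6803]: 9CC88DD77: client=localhost[127.0.0.1]
Aug  7 02:03:11 mx amavis[27049]: (27049-10) Passed CLEAN {RelayedOpenRelay}, [203.0.113.9]:21729 [203.0.113.9] <x@example.test> -> <b@example.net>, Queue-ID: 0AA11BB22, mail_id: Gf2, Hits: -1, size: 800, queued_as: 9CC88DD77, 210 ms
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+)")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)")
SASL = re.compile(r"sasl_username=(\S+)")
AMAVIS = re.compile(r"amavis\[\d+\]:.*Queue-ID: (\w+),.*queued_as: (\w+)")

def trace_origins(log_text):
    """Return (queue ID -> entry point, re-injected queue ID -> original queue ID)."""
    origin = {}
    reinjected = {}
    for line in log_text.splitlines():
        if m := PICKUP.search(line):        # submitted locally via sendmail/pickup
            origin[m.group(1)] = f"local submission uid={m.group(2)}"
        elif m := SMTPD.search(line):       # arrived over SMTP, maybe authenticated
            user = SASL.search(line)
            origin[m.group(1)] = (f"SMTP AUTH as {user.group(1)}" if user
                                  else f"SMTP from {m.group(2)}")
        elif m := AMAVIS.search(line):      # content filter handed it back to Postfix
            reinjected[m.group(2)] = m.group(1)
    return origin, reinjected

def resolve(qid, origin, reinjected):
    """Follow amavis re-injection back to the first queue ID and its entry point."""
    seen = set()
    while qid in reinjected and qid not in seen:
        seen.add(qid)
        qid = reinjected[qid]
    return qid, origin.get(qid, "unknown (entry not in this log)")

def summarize(log_text):
    """Count messages per entry point, ignoring the re-injected copies."""
    origin, reinjected = trace_origins(log_text)
    return Counter(o for q, o in origin.items() if q not in reinjected)
```

A high count for one uid points at that site's web user; a high count for one `sasl_username` points at a mailbox whose password needs changing.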