Some spam mails sent over my web server

Discussion in 'Installation/Configuration' started by Feanwulf, Jul 16, 2016.

  1. Feanwulf

    Feanwulf New Member

    Hello,

    Spam-sending mail servers are a pain in the ass - I have some trouble with it myself and I really do not have any idea how to look any further into it. I already enabled the mail log within the php.ini files and restarted Apache - so the phpmailer function will write a log, but the spam mails do not seem to take the phpmailer way, so I really need some advice on how to fix this.

    I am lucky that these mails are just 10 to 20 mails and not every hour - but if I take a look into the mail.log file, for example, I get the following message:

    root@web:/var/log# grep 4B23BC0A93 /var/log/mail.log
    Jul 16 15:04:17 web postfix/smtpd[26617]: 4B23BC0A93: client=web.utopic.de[127.0.0.1]
    Jul 16 15:04:17 web postfix/cleanup[29960]: 4B23BC0A93: message-id=<[email protected]>
    Jul 16 15:04:17 web postfix/qmgr[27741]: 4B23BC0A93: from=<[email protected]>, size=2453, nrcpt=1 (queue active)
    Jul 16 15:04:17 web amavis[29969]: (29969-14) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:57664 [127.0.0.1] <[email protected]> -> <[email protected]>, Queue-ID: 4B23BC0A93, Message-ID: <[email protected]>, mail_id: TcugEK5WQG-H, Hits: 0.519, size: 2453, queued_as: 88D3FC0FD9, dkim_new=default:utopic.de, 166 ms
    Jul 16 15:04:17 web postfix/smtp[29961]: 4B23BC0A93: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.31, delays=0.14/0/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 88D3FC0FD9)
    Jul 16 15:04:17 web postfix/qmgr[27741]: 4B23BC0A93: removed

    It looks like my web server itself is generating these mails and I do not know how to handle it.
     
  2. sjau

    sjau Local Meanie Moderator

    PHP should add a header which gives the script that is sending them out.

    you could temporarily add a

    always_bcc = [email protected]

    option to your postfix main.cf. That would then send a copy of every email passing through the server to that address.

    Then you could check the header for the offending script.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Post the full message headers, and/or postcat output from such a message, and it might help with more clues. Also, just to verify, you have a single server (i.e. the web server isn't separate from the mail server)?
     
  4. Feanwulf

    Feanwulf New Member

    Hi Jesse,

    It took me a bit of time - my wife is pregnant and we are awaiting our little baby within the next days. Here is a postcat of a mailq file:

    root@web:~# postcat -vq E91ECC063E
    postcat: name_mask: all
    postcat: inet_addr_local: configured 3 IPv4 addresses
    postcat: inet_addr_local: configured 3 IPv6 addresses
    *** ENVELOPE RECORDS deferred/E/E91ECC063E ***
    message_size: 2094 649 1 0 2094
    message_arrival_time: Tue Jul 26 22:12:51 2016
    create_time: Tue Jul 26 22:12:51 2016
    named_attribute: log_ident=E91ECC063E
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=web.utopic.de
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=59580
    named_attribute: log_message_origin=web.utopic.de[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=web.utopic.de
    named_attribute: reverse_client_name=web.utopic.de
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=59580
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/E/E91ECC063E ***
    regular_text: Received: from localhost (web.utopic.de [127.0.0.1])
    regular_text: by web.utopic.de (Postfix) with ESMTP id E91ECC063E
    regular_text: for <[email protected]>; Tue, 26 Jul 2016 22:12:51 +0200 (CEST)
    regular_text: X-Virus-Scanned: Debian amavisd-new at mail.utopic.de
    regular_text: Received: from web.utopic.de ([127.0.0.1])
    regular_text: by localhost (mail.utopic.de [127.0.0.1]) (amavisd-new, port 10026)
    regular_text: with ESMTP id R7BOjKzOe681 for <[email protected]>;
    regular_text: Tue, 26 Jul 2016 22:12:51 +0200 (CEST)
    regular_text: Received: from avaron.de (web.utopic.de [127.0.0.1])
    regular_text: by web.utopic.de (Postfix) with ESMTP id B730EC0231
    regular_text: for <[email protected]>; Tue, 26 Jul 2016 22:12:51 +0200 (CEST)
    regular_text: Date: Tue, 26 Jul 2016 20:12:51 +0000 (UTC)
    regular_text: From: avaron <[email protected]>
    regular_text: To: [email protected]
    regular_text: Message-ID: <[email protected]>
    regular_text: Subject: Re: Hi nctarheels1
    regular_text: MIME-Version: 1.0
    regular_text: Content-Type: multipart/alternative;
    regular_text: boundary="----=_Part_1440252_1713270176.1469563971716"
    regular_text: X-mailer: Mailer v1.0
    regular_text:
    regular_text: ------=_Part_1440252_1713270176.1469563971716
    regular_text: Content-Type: text/plain; charset=utf-8
    regular_text: Content-Transfer-Encoding: base64
    regular_text:
    regular_text: ZnJvbSBhdmFyb24=
    regular_text: ------=_Part_1440252_1713270176.1469563971716
    regular_text: Content-Type: text/html; charset=utf-8
    regular_text: Content-Transfer-Encoding: base64
    regular_text:
    regular_text: PGRpdiBzdHlsZT0nZm9udC1zaXplOiAxMjAlJz48c3Bhbj48c3BhbiBzdHlsZT0nZmxvYXQ6IHJp
    regular_text: Z2h0OyBtYXJnaW46IDBweDsgcGFkZGluZzogMHB4Oyc+IHRoYXQgPC9zcGFuPlBoPHNwYW4gc3R5
    regular_text: bGU9J2Zsb2F0OiByaWdodDsgcGFkZGluZzogMHB4OyBtYXJnaW46IDBweDsnPiB0aGUgPC9zcGFu
    regular_text: PmFyPC9zcGFuPjxzcGFuPjxzcGFuIHN0eWxlPSdtYXJnaW46IDBweDsgZmxvYXQ6IHJpZ2h0OyBw
    regular_text: YWRkaW5nOiAwcHg7Jz4gZG8gPC9zcGFuPm1hYzxzcGFuIHN0eWxlPSdwYWRkaW5nOiAwcHg7IGZs
    regular_text: b2F0OiByaWdodDsgbWFyZ2luOiAwcHg7Jz4gYSA8L3NwYW4+eTwvc3Bhbj4gU3VwZXIgPHNwYW4+
    regular_text: PHNwYW4gc3R5bGU9J3BhZGRpbmc6IDBweDsgZmxvYXQ6IHJpZ2h0OyBtYXJnaW46IDBweDsnPiBh
    regular_text: IDwvc3Bhbj5EaXNjb3U8c3BhbiBzdHlsZT0nZmxvYXQ6IHJpZ2h0OyBwYWRkaW5nOiAwcHg7IG1h
    regular_text: cmdpbjogMHB4Oyc+IGEgPC9zcGFuPm50PC9zcGFuPiBwYWNrIC0gc2F2ZSB1cCB0byA1MCU8L2Rp
    regular_text: dj48cD48YSBocmVmPSdodHRwOi8vbWFyZ2FyZXRoZWxhc2luZ2VyLmNvbS9mYXFyMmZ6b2x5L2hl
    regular_text: YWQvJz5jbGljayBoZXJlPC9hPjwvcD4=
    regular_text: ------=_Part_1440252_1713270176.1469563971716--
    regular_text:
    *** HEADER EXTRACTED deferred/E/E91ECC063E ***
    named_attribute: encoding=7bit
    *** MESSAGE FILE END deferred/E/E91ECC063E ***
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Well, I don't see any clue as to specifically what is being abused there; check your php.ini to make sure you have mail.add_x_header = On and look for an X-PHP-Originating-Script header in future messages (which may or may not show up, depending on how the mail is being sent).

    In the meantime, scan your websites with maldet and ispprotect and see if you find anything obviously compromised.

    Other than that, the timestamps of when the spam comes in will probably correlate to entries in your web server log files; depending on your web traffic level, that might be a really easy thing to spot or pretty difficult, as you only have a few every day.
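The two checks suggested in this post, pulling the X-PHP-Originating-Script header out of postcat output and lining up loopback submissions in mail.log with the web server's access log, can be scripted. The following is an added example written for this thread, not code posted by any participant or shipped with Postfix or ISPConfig. The mail.log and access log lines are constructed (modelled on the entries quoted above, with example.invalid addresses and documentation IP ranges), the year is assumed because syslog lines carry none, and both logs are assumed to be in the same local time zone.

```python
"""Correlate local-origin Postfix submissions with web server requests and
read the PHP originating-script header from postcat output. Added example;
all sample log lines below are constructed, not taken from a real server."""
import re
from datetime import datetime, timedelta

YEAR = 2016  # assumption: syslog lines have no year; must match the access log

# Constructed mail.log lines, modelled on the thread's postfix/smtpd entries.
MAIL_LOG = """\
Jul 16 15:04:17 web postfix/smtpd[26617]: 4B23BC0A93: client=web.utopic.de[127.0.0.1]
Jul 16 15:04:17 web postfix/qmgr[27741]: 4B23BC0A93: from=<sender@example.invalid>, size=2453, nrcpt=1 (queue active)
Jul 16 15:09:02 web postfix/smtpd[26617]: 7A11AC0B22: client=mx.example.invalid[203.0.113.9]
Jul 16 18:30:45 web postfix/smtpd[26617]: C0FFEE0001: client=web.utopic.de[127.0.0.1]
"""

# Constructed Apache/nginx combined-format access log lines.
ACCESS_LOG = """\
203.0.113.5 - - [16/Jul/2016:14:20:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2016:15:04:16 +0200] "POST /uploads/mailer.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jul/2016:15:04:20 +0200] "GET /style.css HTTP/1.1" 200 890 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2016:18:30:44 +0200] "POST /uploads/mailer.php HTTP/1.1" 200 298 "-" "Mozilla/5.0"
"""

# Constructed postcat -q style header dump with the PHP header present.
POSTCAT_HEADERS = """\
regular_text: Received: from localhost (web.utopic.de [127.0.0.1])
regular_text: X-PHP-Originating-Script: 33:mailer.php
regular_text: From: someone <noreply@example.invalid>
regular_text:
regular_text: body starts here
"""

SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def php_originating_script(postcat_text):
    """Return the X-PHP-Originating-Script value ("uid:script") from postcat
    output, or None if PHP did not tag the message (mail.add_x_header off, or
    the mail was injected over SMTP instead of going through mail())."""
    for line in postcat_text.splitlines():
        line = line.strip()
        if line.startswith("regular_text:"):
            line = line[len("regular_text:"):].strip()
        if line == "":
            break  # blank line ends the header block
        if line.lower().startswith("x-php-originating-script:"):
            return line.split(":", 1)[1].strip()
    return None


def local_submissions(mail_log, local_ips=("127.0.0.1", "::1")):
    """(queue_id, datetime) for messages smtpd accepted from loopback, i.e.
    generated on this host rather than received from a remote MX."""
    found = []
    for line in mail_log.splitlines():
        m = SMTPD_RE.match(line)
        if m and m.group("ip") in local_ips:
            ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            found.append((m.group("qid"), ts))
    return found


def web_hits(access_log):
    """Parse combined-format lines into dicts with naive local timestamps."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        hits.append({"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
                     "path": m.group("path"), "status": m.group("status")})
    return hits


def correlate(mail_log, access_log, window=timedelta(seconds=5)):
    """Map each local submission's queue ID to the web requests that arrived
    within `window` before it, PHP requests first, then nearest in time."""
    hits = web_hits(access_log)
    report = {}
    for qid, mail_ts in local_submissions(mail_log):
        cands = [h for h in hits if mail_ts - window <= h["ts"] <= mail_ts]
        cands.sort(key=lambda h: (not h["path"].endswith(".php"), abs(mail_ts - h["ts"])))
        report[qid] = cands
    return report


def suspect_scripts(report):
    """Count (client ip, php path) pairs across all submissions; a pair that
    recurs before several queue IDs is the first file to inspect."""
    counts = {}
    for cands in report.values():
        for h in cands:
            if h["path"].endswith(".php"):
                counts[(h["ip"], h["path"])] = counts.get((h["ip"], h["path"]), 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("PHP script header:", php_originating_script(POSTCAT_HEADERS))
    rep = correlate(MAIL_LOG, ACCESS_LOG)
    for qid, cands in rep.items():
        print(qid, [(h["method"], h["path"], h["ip"]) for h in cands])
    for (ip, path), n in suspect_scripts(rep):
        print(f"{n} local submission(s) preceded by {ip} -> {path}")
```

On a real box, read /var/log/mail.log and the vhost access logs in place of the embedded strings and widen the window if PHP runs behind a queue; the remote-MX submission (7A11AC0B22) is deliberately ignored, since only loopback-originated mail can come from a web script on the same host.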
     
