Header from a deferred email follows. I can't see in my mail logs or my apache2 logs where these are being generated from. The sender domain myclient.com exists on my server, but the info522@ (in this email) is not a valid email address on my server; all sent emails have been in the format info[0-9][0-9][0-9]@myclient.com. I'm looking for clues, this started a couple of days ago, I'm running out of hair to pull. The server has been faultless for well over a year. I question whether my postfix conf could be an issue?

*** ENVELOPE RECORDS deferred/0/004291940792 ***
message_size: 1707 704 1 0 1707
message_arrival_time: Thu Dec 29 19:07:21 2016
create_time: Thu Dec 29 19:07:21 2016
named_attribute: log_ident=004291940792
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=56312
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=56312
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS deferred/0/004291940792 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
    by server1.myclient.com (Postfix) with ESMTP id 004291940792
    for <[email protected]>; Thu, 29 Dec 2016 19:07:21 +1100 (AEDT)
X-Virus-Scanned: Debian amavisd-new at server1.myclient.com
Received: from server1.myclient.com ([127.0.0.1])
    by localhost (server1.myclient.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id zRUyANlrGrdN for <[email protected]>;
    Thu, 29 Dec 2016 19:07:21 +1100 (AEDT)
Received: from myclient.com (localhost.localdomain [127.0.0.1])
    by server1.myclient.com (Postfix) with ESMTP id 9C21919404FE
    for <[email protected]>; Thu, 29 Dec 2016 19:07:20 +1100 (AEDT)
Date: Thu, 29 Dec 2016 08:07:19 +0000 (UTC)
From: [email protected]
To: [email protected]
Message-ID: <[email protected]>
Subject: Hey
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_19858808_291664055.1482998839470"

------=_Part_19858808_291664055.1482998839470
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
The mails seem to be sent from localhost. Is this server a mail and webserver? If yes, then most likely the website of this client has been hacked. Check the access.log of that website for unusual POST requests and scan the website for malware.
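One way to do the check Till suggests above, as an added example that is not part of the thread: take the message_arrival_time from the postcat envelope record, then look in the Apache access log for POST requests that hit the web server in the seconds just before the message was queued, since a mail injected from 127.0.0.1 by a web script will usually sit right behind such a request. The queue excerpt and the access-log lines below are constructed for the example (documentation IP ranges, made-up paths), and the +11 hour offset for the postcat timestamp is an assumption taken from the +1100 (AEDT) in the thread's Received headers.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the style of a postcat envelope record (values modelled on
# the record in the thread; the sender address is a constructed stand-in).
QUEUE_RECORD = """\
message_arrival_time: Thu Dec 29 19:07:21 2016
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
sender: info522@myclient.com
"""

# Constructed Apache "combined" access-log lines. Timestamps are in the server's
# local zone (+1100, as in the thread's Received headers); IPs are documentation ranges.
ACCESS_LOG = """\
198.51.100.7 - - [29/Dec/2016:19:06:40 +1100] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2016:18:30:01 +1100] "POST /contact/phpmailer.php HTTP/1.1" 200 311 "-" "curl/7.47.0"
203.0.113.5 - - [29/Dec/2016:19:07:19 +1100] "POST /wp-content/uploads/2016/12/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Dec/2016:19:07:20 +1100] "POST /contact/phpmailer.php HTTP/1.1" 200 311 "-" "python-requests/2.9"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_arrival_time(record, utc_offset_hours):
    """Read message_arrival_time from a postcat record. postcat prints the time
    without a zone, so the server's UTC offset is passed in (assumed +11 here)."""
    m = re.search(r"^message_arrival_time:\s+(.+)$", record, re.MULTILINE)
    if not m:
        raise ValueError("no message_arrival_time in record")
    naive = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def parse_access_log(text):
    """Parse combined-format lines into dicts; the time becomes an aware datetime."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a combined-format line
        d = m.groupdict()
        d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def posts_before(entries, arrival, window_seconds=60):
    """POST requests served in the window ending at the mail's arrival time:
    the candidate scripts that generated the queued message."""
    start = arrival - timedelta(seconds=window_seconds)
    hits = [e for e in entries if e["method"] == "POST" and start <= e["time"] <= arrival]
    return sorted(hits, key=lambda e: e["time"])


def post_targets(entries):
    """Count POSTs per path. PHP files under upload directories and standalone
    mailer scripts that accept POSTs are the ones to inspect first."""
    counts = {}
    for e in entries:
        if e["method"] == "POST":
            counts[e["path"]] = counts.get(e["path"], 0) + 1
    return counts


if __name__ == "__main__":
    arrival = parse_arrival_time(QUEUE_RECORD, 11)
    entries = parse_access_log(ACCESS_LOG)
    print("mail queued at", arrival.isoformat())
    for e in posts_before(entries, arrival):
        print(f"{e['time'].isoformat()} {e['ip']} POST {e['path']} {e['status']} {e['ua']}")
    print("POST counts by path:", post_targets(entries))
```

On a real server, feed the output of `postcat -q <queue-id>` and the vhost's access.log into the two parsers instead of the constructed strings; widening the window to a few minutes helps when the mailer script queues messages in batches, and a path that takes POSTs from a scripting user agent (curl, python-requests) with no matching GET traffic is the first thing to pull apart.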
Thanks Till. The server does host sites and does email. I have scanned with maldet and amavis but found nothing. The spam is coming in small amounts, sometimes hours apart. I think it may be through some old phpmailer.php's that a few clients are using; looking further into it.
Maldet does not find much malware; try the free scan from ispprotect to scan the server: https://ispprotect.com/
Hi Till, thank you for the link. However, after I downloaded the file I started to run it for about 30 seconds, and then I decided to stop it and read the docs first. Now it won't let me scan: Could not run scan with key TRIAL because of error: No more trials for this server left. I was so looking forward to it, as for the moment I am 'discarding' the spam via 'blacklisting' and 'content filtering'.
Thank you Till, I had success with ISPProtect, thank you. I have purchased a 10-scan licence, but will look at extending to a 12-month licence in the future. Again many thanks for your great products and support.