I need to figure out where a bunch of SPAM is coming from so I can kill it. I have run rkhunter and all is good. I guess I'm hoping that I can access a log that will show me exactly where the SPAM is coming from. We have a few forms on many sites on this server, so it's hard to see where it is coming from; here is a snippet of the mail.log.

Code:
ep 18 08:50:14 debian-srv postfix/pickup[18542]: 6182146EA6: uid=33 from=<www-data>
Sep 18 08:50:14 debian-srv postfix/cleanup[18448]: 6182146EA6: message-id=<[email protected]>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: 6182146EA6: from=<[email protected]>, size=2332, nrcpt=1 (queue active)
Sep 18 08:50:14 debian-srv postfix/pickup[18542]: 62E7D46C47: uid=33 from=<www-data>
Sep 18 08:50:14 debian-srv postfix/cleanup[18404]: 62E7D46C47: message-id=<[email protected]>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: 62E7D46C47: from=<[email protected]>, size=2317, nrcpt=1 (queue active)
Sep 18 08:50:14 debian-srv postfix/pickup[18542]: 745A246EA7: uid=33 from=<www-data>
Sep 18 08:50:14 debian-srv postfix/cleanup[18448]: 745A246EA7: message-id=<[email protected]>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: 745A246EA7: from=<[email protected]>, size=2329, nrcpt=1 (queue active)
Sep 18 08:50:14 debian-srv postfix/pickup[18542]: 917AD46EA9: uid=33 from=<www-data>
Sep 18 08:50:14 debian-srv postfix/cleanup[18404]: 917AD46EA9: message-id=<[email protected]>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: 917AD46EA9: from=<[email protected]>, size=2329, nrcpt=1 (queue active)
Sep 18 08:50:14 debian-srv postfix/smtpd[23344]: connect from mmscan2.mc.net[209.172.128.30]
Sep 18 08:50:14 debian-srv postfix/smtpd[9079]: B3E6946EA8: client=localhost.localdomain[127.0.0.1]
Sep 18 08:50:14 debian-srv postfix/cleanup[18448]: B3E6946EA8: message-id=<[email protected]>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: B3E6946EA8: from=<[email protected]>, size=2778, nrcpt=1 (queue active)
Sep 18 08:50:14 debian-srv postfix/error[17354]: B3E6946EA8: to=<[email protected]>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[98.138.112.32] refused to talk to me: 421 4.7.0 [TS01] Messages from 74.100.192.220 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep 18 08:50:14 debian-srv amavis[18547]: (18547-01-13) Passed CLEAN, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: RvsGS7H7wDG2, Hits: 2.599, size: 2306, queued_as: B3E6946EA8, 711 ms
Sep 18 08:50:14 debian-srv postfix/smtp[18466]: 9C1E146C4A: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=13, delay=132, delays=0.01/131/0/0.72, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=18547-01-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B3E6946EA8)
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: 9C1E146C4A: removed
Sep 18 08:50:14 debian-srv postfix/smtpd[23344]: C39BB46C4A: client=mmscan2.mc.net[209.172.128.30]
Sep 18 08:50:14 debian-srv postfix/cleanup[18404]: C39BB46C4A: message-id=<>
Sep 18 08:50:14 debian-srv postfix/qmgr[5187]: C39BB46C4A: from=<>, size=4450, nrcpt=1 (queue active)
Sep 18 08:50:15 debian-srv postfix/smtpd[23344]: disconnect from mmscan2.mc.net[209.172.128.30]
Sep 18 08:50:15 debian-srv postfix/smtpd[9079]: 39EA846EAA: client=localhost.localdomain[127.0.0.1]
Sep 18 08:50:15 debian-srv postfix/cleanup[18448]: 39EA846EAA: message-id=<[email protected]>
Sep 18 08:50:15 debian-srv postfix/qmgr[5187]: 39EA846EAA: from=<[email protected]>, size=2803, nrcpt=1 (queue active)
Sep 18 08:50:15 debian-srv amavis[18547]: (18547-01-14) Passed CLEAN, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: wvi65q9lOJqb, Hits: 2.599, size: 2321, queued_as: 39EA846EAA, 489 ms
Sep 18 08:50:15 debian-srv postfix/smtp[18466]: EBE1346C4C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=14, delay=132, delays=0.02/132/0/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=18547-01-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 39EA846EAA)
Sep 18 08:50:15 debian-srv postfix/qmgr[5187]: EBE1346C4C: removed
If you had used php-fcgi and suexec, then you could see from where the spam is coming, as each site has its own user and php runs under that user. As you use mod_php, another option is to inspect the emails in the deferred queue with postcat; current php versions write the name of the file which is sending the email into the mail header.
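An added example, not from either post: a Python script that does the correlation the question is after on the mail.log format quoted above. It follows each pickup entry (uid=33 from=<www-data> is the web server handing mail to sendmail) through the content filter's re-injection ("queued as ...") to its final delivery status and lists, per submitting uid, the queue ids that ended up deferred, which are the ones to inspect with postcat -q as the reply suggests. The log lines are constructed, with made-up queue ids, uids and addresses.

```python
import re

# Constructed sample in the format of the mail.log quoted in the question
# (queue ids, uids and addresses made up): two messages handed to Postfix by
# the web server user (uid=33, www-data) and one by an ordinary shell user.
SAMPLE_LOG = """\
Sep 18 08:50:14 debian-srv postfix/pickup[18542]: 6182146EA6: uid=33 from=<www-data>
Sep 18 08:50:14 debian-srv postfix/error[17354]: B3E6946EA8: to=<a@example.net>, relay=none, delay=0.02, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx.example.net[192.0.2.25] refused to talk to me: 421 4.7.0 [TS01] ...)
Sep 18 08:50:14 debian-srv postfix/smtp[18466]: 6182146EA6: to=<a@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=132, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=18547-01-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B3E6946EA8)
Sep 18 08:50:14 debian-srv postfix/pickup[18542]: 62E7D46C47: uid=33 from=<www-data>
Sep 18 08:50:15 debian-srv postfix/smtp[18466]: 62E7D46C47: to=<b@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=132, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=18547-01-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 39EA846EAA)
Sep 18 08:50:15 debian-srv postfix/smtp[18466]: 39EA846EAA: to=<b@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.4, dsn=2.0.0, status=sent (250 Ok)
Sep 18 08:51:02 debian-srv postfix/pickup[18542]: 745A246EA7: uid=1001 from=<alice>
Sep 18 08:51:02 debian-srv postfix/smtp[18466]: 745A246EA7: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.5, dsn=2.0.0, status=sent (250 Ok)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
STATUS = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<.*status=(?P<status>\w+)")
REQUEUE = re.compile(r"queued as (?P<new>[0-9A-F]+)")

def track_local_injections(log_text):
    """Group locally submitted messages (pickup lines) by submitting uid and follow
    each one through the content filter's re-injection to its final delivery status."""
    lines = log_text.splitlines()
    root, owner = {}, {}            # any queue id -> pickup id; pickup id -> (uid, user)
    for line in lines:              # pass 1: submitters and re-injection chains
        m = PICKUP.search(line)
        if m:
            root[m["qid"]] = m["qid"]
            owner[m["qid"]] = (int(m["uid"]), m["user"])
            continue
        m, q = STATUS.search(line), REQUEUE.search(line)
        if m and q and m["qid"] in root:
            root[q["new"]] = root[m["qid"]]
    final = {}                      # pickup id -> last delivery status seen
    for line in lines:              # pass 2: the re-injected id's delivery line may be
        m = STATUS.search(line)     # logged before the 'queued as' line (as in the log above)
        if m and m["qid"] in root and not REQUEUE.search(line):
            final[root[m["qid"]]] = m["status"]
    report = {}
    for qid, (uid, user) in owner.items():
        entry = report.setdefault(uid, {"user": user, "injected": 0, "deferred": []})
        entry["injected"] += 1
        if final.get(qid) == "deferred":
            entry["deferred"].append(qid)   # candidates for: postcat -q <queue id>
    return report

if __name__ == "__main__":
    for uid, entry in sorted(track_local_injections(SAMPLE_LOG).items()):
        print(uid, entry)
```

On a real server, feed it the whole /var/log/mail.log; a uid with many injections and a growing deferred list is the one whose vhost to look at, and the X-PHP-Originating-Script header shown by postcat then names the script (only if mail.add_x_header is enabled in php.ini).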